NIST SPECIAL PUBLICATION 1800-12C


Derived Personal Identity Verification (PIV) Credentials


Volume C:

How-to Guides



William Newhouse

National Cybersecurity Center of Excellence

Information Technology Laboratory


Michael Bartock

Jeffrey Cichonski

Hildegard Ferraiolo

Murugiah Souppaya

National Cybersecurity Center of Excellence

Information Technology Laboratory


Christopher Brown

Spike E. Dog

Susan Prince

Julian Sexton

The MITRE Corporation

McLean, Virginia



August 2019






DISCLAIMER

Certain commercial entities, equipment, products, or materials may be identified by name or company logo or other insignia in order to acknowledge their participation in this collaboration or to describe an experimental procedure or concept adequately. Such identification is not intended to imply special status or relationship with NIST or NCCoE; neither is it intended to imply that the entities, equipment, products, or materials are necessarily the best available for the purpose.

National Institute of Standards and Technology Special Publication 1800-12C, Natl. Inst. Stand. Technol. Spec. Publ. 1800-12C, 151 pages, (August 2019), CODEN: NSPUE2

FEEDBACK

As a private-public partnership, we are always seeking feedback on our practice guides. We are particularly interested in seeing how businesses apply NCCoE reference designs in the real world. If you have implemented the reference designs, or have questions about applying them in your environment, please email us at piv-nccoe@nist.gov.

All comments are subject to release under the Freedom of Information Act.

National Cybersecurity Center of Excellence
National Institute of Standards and Technology
100 Bureau Drive
Mailstop 2002
Gaithersburg, MD 20899

NATIONAL CYBERSECURITY CENTER OF EXCELLENCE

The National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses’ most pressing cybersecurity issues. This public-private partnership enables the creation of practical cybersecurity solutions for specific industries, as well as for broad, cross-sector technology challenges. Through consortia under Cooperative Research and Development Agreements (CRADAs), including technology partners—from Fortune 50 market leaders to smaller companies specializing in information technology security—the NCCoE applies standards and best practices to develop modular, easily adaptable example cybersecurity solutions using commercially available technology. The NCCoE documents these example solutions in the NIST Special Publication 1800 series, which maps capabilities to the NIST Cybersecurity Framework and details the steps needed for another entity to re-create the example solution. The NCCoE was established in 2012 by NIST in partnership with the State of Maryland and Montgomery County, Maryland.

To learn more about the NCCoE, visit https://www.nccoe.nist.gov. To learn more about NIST, visit https://www.nist.gov.

NIST CYBERSECURITY PRACTICE GUIDES

NIST Cybersecurity Practice Guides (Special Publication 1800 series) target specific cybersecurity challenges in the public and private sectors. They are practical, user-friendly guides that facilitate the adoption of standards-based approaches to cybersecurity. They show members of the information security community how to implement example solutions that help them align more easily with relevant standards and best practices, and provide users with the materials lists, configuration files, and other information they need to implement a similar approach.

The documents in this series describe example implementations of cybersecurity practices that businesses and other organizations may voluntarily adopt. These documents do not describe regulations or mandatory practices, nor do they carry statutory authority.

Acronyms used in figures can be found in the Acronyms appendix.

ABSTRACT

Federal Information Processing Standards (FIPS) Publication 201-2, “Personal Identity Verification (PIV) of Federal Employees and Contractors,” establishes a standard for a PIV system based on secure and reliable forms of identity credentials issued by the federal government to its employees and contractors. These credentials are intended to authenticate individuals to federally controlled facilities, information systems, and applications as part of access management. In 2005, when FIPS 201 was published, authentication of individuals was geared toward traditional computing devices (i.e., desktop and laptop computers) where the PIV Card provides common multifactor authentication mechanisms through integrated or external smart card readers, where available. With the emergence of computing devices, such as tablets, hybrid computers, and, in particular, mobile devices, the use of PIV Cards has proved to be challenging. Mobile devices lack the integrated smart card readers found in laptop and desktop computers and require separate card readers attached to devices to provide authentication services. To extend the value of PIV systems into mobile devices that do not have PIV Card readers, NIST developed technical guidelines on the implementation and life cycle of identity credentials that are issued by federal departments and agencies to individuals who possess and prove control over a valid PIV Card. These NIST guidelines, published in 2014, describe Derived PIV Credentials (DPCs) that leverage identity proofing and vetting results of current and valid PIV credentials.

To demonstrate the DPC guidelines, the NCCoE at NIST built two security architectures using commercial technology to enable the issuance of a Derived PIV Credential to mobile devices that use Identity Credentialing and Access Management shared services. One option uses a software-only solution while the other leverages hardware built into many computing devices used today.

This project resulted in a freely available NIST Cybersecurity Practice Guide that demonstrates how an organization can continue to provide multifactor authentication for users with a mobile device that leverages the strengths of the PIV standard. Although this project is primarily aimed at the federal sector’s needs, it is also relevant to mobile device users with smart-card-based credentials in the private sector.

KEYWORDS

cybersecurity; Derived PIV Credential (DPC); enterprise mobility management (EMM); identity; mobile device; mobile threat; multifactor authentication; personal identity verification (PIV); PIV Card; smart card

ACKNOWLEDGMENTS

We are grateful to the following individuals for their generous contributions of expertise and time.

Name | Organization
Walter Holda | MobileIron
Loay Oweis | MobileIron
Sean Frazier | MobileIron
Dan Miller | Entrust Datacard
Bryan Rosensteel | Entrust Datacard
Dror Shilo | Intel Corporation
Simy Cohen | Intel Corporation
Abhilasha Bhargav-Spantzel | Intel Corporation
Carlton Ashley | Intel Corporation
Alfonso Villasenor | Intel Corporation
Won Jun | Intercede
Alan Parker | Intercede
Allen Storey | Intercede
Iain Wotherspoon | Intercede
Andre Varacka | Verizon
Russ Weiser | Verizon
Emmanuel Bello-Ogunu | The MITRE Corporation
Lorrayne Auld | The MITRE Corporation
Sarah Kinling | The MITRE Corporation
Poornima Koka | The MITRE Corporation
Matthew Steele | The MITRE Corporation

The Technology Partners/Collaborators who participated in this build submitted their capabilities in response to a notice in the Federal Register. Respondents with relevant capabilities or product components were invited to sign a Cooperative Research and Development Agreement (CRADA) with NIST, allowing them to participate in a consortium to build these example solutions. We worked with:

Technology Partner/Collaborator | Build Involvement
Entrust Datacard | Entrust IdentityGuard, Entrust Managed Services Public Key Infrastructure (PKI)
Intel Corporation | Intel Authenticate Solution
Intercede | MyID Credential Management System
MobileIron | MobileIron Enterprise Mobility Management Platform
Verizon | Verizon Shared Service Provider PKI

List of Figures

Figure 1-1 Lab Network Diagram

Figure 2-1 Architecture

Figure 2-2 MobileIron Registration Confirmation Page

Figure 2-3 Derived Mobile Smart Credential QR Code Activation Page

Figure 2-4 Mobile Device Hybrid Architecture for PIV Card and DPC Lifecycle Management (Software Keystore)

Figure 2-5 Mobile Device Hybrid Architecture for PIV Card and DPC Lifecycle Management (Intel Authenticate)

Figure 2-6 Certificate Profile Attributes

List of Tables

Table 2-1 Identity Management Profiles

Table 2-2 MobileIron Core Settings

Table 2-3 SQL Server Components

1. Introduction

The following volumes of this guide show information technology (IT) professionals and security engineers how we implemented these example solutions. We cover all of the products employed in these reference designs. We do not re-create the product manufacturers’ documentation, which is presumed to be widely available. Rather, these volumes show how we incorporated the products together in our environment.

Note: These are not comprehensive tutorials. There are many possible service and security configurations for these products that are out of scope for these reference designs.

1.1. Practice Guide Structure

This National Institute of Standards and Technology (NIST) Cybersecurity Practice Guide demonstrates two standards-based reference designs and provides users with the information they need to replicate a Derived Personal Identity Verification (PIV) Credential (DPC) life-cycle solution. These reference designs are modular and can be deployed in whole or in part.

This guide contains three volumes:

  • NIST SP 1800-12A: Executive Summary
  • NIST SP 1800-12B: Approach, Architecture, and Security Characteristics – what we built and why
  • NIST SP 1800-12C: How-To Guides – instructions for building the example solutions (you are here)

Depending on your role in your organization, you might use this guide in different ways:

Business decision makers, including chief security and technology officers, will be interested in the Executive Summary, NIST SP 1800-12A, which describes the following topics:

  • challenges that enterprises face in issuing strong, multifactor credentials to mobile devices
  • example solutions built at the NCCoE
  • benefits of adopting an example solution

Technology or security program managers who are concerned with how to identify, understand, assess, and mitigate risk will be interested in NIST SP 1800-12B, which describes what we did and why. The following sections will be of particular interest:

  • Section 3.5.3, Risk, provides a description of the risk analysis we performed.
  • Section 3.5.4, Security Control Map, maps the security characteristics of these example solutions to cybersecurity standards and best practices.

You might share the Executive Summary, NIST SP 1800-12A, with your leadership team members to help them understand the importance of adopting a standards-based DPC solution.

IT professionals who want to implement an approach like this will find this whole practice guide useful. You can use this How-To portion of the guide, NIST SP 1800-12C, to replicate all or parts of the build created in our lab. This How-To portion of the guide provides specific product installation, configuration, and integration instructions for implementing the example solutions. We do not re-create the product manufacturers’ documentation, which is generally widely available. Rather, we show how we incorporated the products together in our environment to create example solutions.

This guide assumes that IT professionals have experience implementing security products within the enterprise. While we have used a suite of commercial products to address this challenge, this guide does not endorse these particular products. Your organization can adopt one of these solutions or one that adheres to these guidelines in whole, or you can use this guide as a starting point for tailoring and implementing parts of a DPC example solution. Your organization’s security experts should identify the products that will best integrate with your existing tools and IT system infrastructure. We hope that you will seek products that are congruent with applicable standards and best practices. Volume B, Section 3.6, Technologies, lists the products that we used and maps them to the cybersecurity controls provided by these reference solutions.

1.2. Build Overview

Unlike desktop computers and laptops that have built-in readers to facilitate the use of PIV Cards, mobile devices pose usability and portability issues because they lack a smart card reader.

NIST sought to address this issue by introducing the general concept of DPCs in NIST Special Publication (SP) 800-63-2, which leverages identity proofing and vetting results of current and valid credentials. Published in 2014, NIST SP 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials, defined requirements for initial issuance and maintenance of DPCs. NIST’s Applied Cybersecurity Division then created a National Cybersecurity Center of Excellence (NCCoE) project to provide an example implementation for federal agencies and private entities that follows the requirements in NIST SP 800-157.

In the NCCoE lab, the team built an environment that resembles an enterprise network by using commonplace components such as identity repositories, supporting certificate authorities (CA), and web servers. In addition, products and capabilities were identified that, when linked together, provide two example solutions that demonstrate life-cycle functions outlined in NIST SP 800-157. Figure 1-1 depicts the final lab environment.

Figure 1-1 Lab Network Diagram

The NCCoE lab network diagram.

1.3. Typographic Conventions

The following table presents typographic conventions used in this volume.

Typeface/Symbol | Meaning | Example
Italics | filenames and pathnames, references to documents that are not hyperlinks, new terms, and placeholders | For detailed definitions of terms, see the NCCoE Glossary.
Bold | names of menus, options, command buttons and fields | Choose File > Edit.
Monospace | command-line input, on-screen computer output, sample code examples, status codes | mkdir
Monospace Bold | command-line user input contrasted with computer output | service sshd start
blue text | link to other parts of the document, a web URL, or an email address | All publications from NIST’s National Cybersecurity Center of Excellence are available at https://www.nccoe.nist.gov.

2. Product Installation Guides

This section of the practice guide contains detailed instructions for installing and configuring the key products used in the architectures documented below, as well as demonstrations of the DPC life-cycle management activities of initial issuance and termination.

In our lab environment, each example implementation was logically separated by a virtual local area network (VLAN), where each VLAN represented a mock enterprise environment. The network topology consists of an edge router connected to a demilitarized zone (DMZ). An internal firewall separates the DMZ from internal systems that support the enterprise. All routers and firewalls used in the example implementations were virtual pfSense appliances.

As a basis, the enterprise network had an instance of Active Directory (AD) to serve as a repository for identities to support DPC vendors.

2.1. Managed Service Architecture with Enterprise Mobility Management (EMM) Integration

Figure 2-1 Architecture

A pictorial view of the reference architecture, the elements of which are discussed in detail in this section (Section 2.1).

2.1.1. Entrust Datacard IdentityGuard (IDG)

Entrust Datacard contributed test instances of its managed public key infrastructure (PKI) service and IdentityGuard products, the latter of which directly integrate with MobileIron to support the use of DPC with MobileIron Mobile@Work applications. Contact Entrust Datacard (https://www.entrust.com/contact/) to establish service instances in support of DPC with MobileIron (https://www.mobileiron.com/).

2.1.1.1. Identity Management Profiles

To configure services and issue certificates for DPCs that will work with the organizationʼs user identity profiles, Entrust Datacard will need information on how identities are structured and which users will use PKI services. For this lab instance, Entrust Datacard issued PIV Authentication, Digital Signature, and Encryption certificates for PIV Cards and DPCs for two test identities, as represented in Table 2-1.

Table 2-1 Identity Management Profiles

Username | Email Address | User Principal Name (UPN)
Patel, Asha | asha@entrust.dpc.nccoe.org | asha@entrust.dpc.nccoe.org
Tucker, Matteo | matteo@entrust.dpc.nccoe.org | matteo@entrust.dpc.nccoe.org

2.1.2. MobileIron Core

MobileIron Core is the central product in the MobileIron suite. The following sections describe the steps for installation, configuration, and integration with Active Directory and the Entrust Datacard IdentityGuard managed service. Key configuration files used in this build are listed in Table 2-2 and are available from the NCCoE DPCs Project website.

Table 2-2 MobileIron Core Settings

File Name | Description
core.dpc.nccoe.org-Default AppConnect Global Policy-2017-08-14 16-48-36.json | Configures policies such as password strength for the container
core.dpc.nccoe.org-Default Privacy Policy-2017-08-14 16-52-33.json | Configures privacy settings for each enrolled device
core.dpc.nccoe.org-DPC Security Policy-2017-08-14 16-51-07.json | Configures device-level security management settings
shared_mdm_profile.mobileconfig | iOS Mobile Device Management (MDM) profile used when issuing DPC to devices

2.1.2.1. Installation

Follow the steps below to install MobileIron Core:

  1. Obtain a copy of the On-Premise Installation Guide for MobileIron Core, Sentry, and Enterprise Connector from the MobileIron support portal.
  2. Follow the MobileIron Core predeployment and installation steps in Chapter 1 for the version of MobileIron being deployed in the organization’s environment. In our lab implementation, we deployed MobileIron Core 9.2.0.0 as a Virtual Core running on VMware 6.0.

2.1.2.2. General MobileIron Core Setup

The following steps are necessary for mobile device administrators or users to register devices with MobileIron, which is a prerequisite to issuing DPCs.

  1. Obtain a copy of the MobileIron Core Device Management Guide for iOS Devices from the MobileIron support portal.
  2. Complete all instructions provided in Chapter 1, Setup Tasks.

2.1.2.3. Configuration of MobileIron Core for DPC

The following steps will reproduce this configuration of MobileIron Core.

2.1.2.3.1. Integration with Active Directory

In our implementation, we chose to integrate MobileIron Core with Active Directory by using lightweight directory access protocol (LDAP). This is optional. General instructions for this process are covered in the Configuring LDAP Servers section in Chapter 2 of On-Premise Installation Guide for MobileIron Core, Sentry, and Enterprise Connector. The configuration details used during our completion of selected steps (retaining original numbering) from that guide are given below:

  1. From Step 4 in the MobileIron guide, in the New LDAP Server dialogue:

    1. Directory Connection:

      Details of our Directory Connection settings.

    2. Directory Configuration—Organizational Units (OUs):

      Details of our Directory Configuration - OUs settings.

    3. Directory Configuration—Users:

      Details of our Directory Configuration - Users settings.

    4. Directory Configuration—Groups:

      Details of our Directory Configuration - Groups settings.

    5. LDAP Groups:

      1. As a prerequisite step, we used Active Directory Users and Computers to create a new security group for DPC-authorized users on the Domain Controller for the entrust.dpc.local domain. In our example, this group is named DPC Users.

      2. In the search bar, enter the name of the LDAP group for DPC-authorized users, and click the magnifying glass button; the group name should be added to the Available list.

      3. In the Available list, select DPC Users, and click the right-arrow button to move it to the Selected list.

      4. In the Selected list, select the default Users group, and click the left-arrow button to move it to the Available list.

        Details of our LDAP Groups settings.

    6. Custom Settings: Custom settings were not specified.

    7. Advanced Options:

      Details of our Advanced Options settings.

    Note: In our lab environment, we did not enable stronger Quality of Protection or enable the Use Client TLS Certificate or Request Mutual Authentication features. However, we recommend that implementers consider using those additional security mechanisms to secure communications with the LDAP server.

  2. Following Steps 19 to 21 of the MobileIron guide, we tested that MobileIron can successfully query LDAP for DPC Users.

    1. In the New LDAP Setting dialogue, click the Test button to open the LDAP Test dialogue.

    2. In the LDAP Test dialogue, enter a User ID for a member of the DPC Users group, then click the Submit button. A member of the DPC Users group in our environment is Matteo.

      Entry of a user ID to perform an LDAP connection test.

    3. The LDAP Test dialogue indicates the query was successful:

      Results of the LDAP test indicating the user ID was found.

2.1.2.3.2. Create a DPC Users Label

MobileIron uses labels to link policies and device configurations with users and mobile devices. Creating a unique label for DPC users allows mobile device administrators to apply controls relevant for mobile devices provisioned with a derived credential specifically to those devices. We recommend applying DPC-specific policies and configurations to this label, in addition to any others appropriate to an organization’s mobile device security policy.

  1. In the MobileIron Core Admin Portal, navigate to Devices & Users > Devices.

  2. Select Advanced Search (far right).

    Shows all pending and active device registrations in MobileIron Core.

  3. In the Advanced Search pane:

    1. In the blank rule:

      1. In the Field drop-down menu, select User > LDAP > Groups > Name.
      2. In the Value drop-down menu, select the Active Directory group created to support DPC-specific MobileIron policies (named DPC Users in this example).
    2. Select the plus sign icon to add a blank rule.

    3. In the newly created blank rule:

      1. In the Field drop-down menu, select Common > Platform.
      2. In the Value drop-down menu, select iOS.
    4. Optionally, select Search to view matching devices.

    5. Select Save to Label.

      Shows the creation of rules used to automatically associate MobileIron users synchronized with the DPC Users (per our example) security group with a registered iOS device.

    6. In the Save to Label dialogue:

      1. In the Name field, enter a descriptive name for this label (DPC Users in this example).
      2. In the Description field, provide additional information to convey the purpose of this label.
      3. Click Save.

      Shows the provisioning of a name and description for a new label used to apply MobileIron policies and configurations to users of Derived PIV Credentials.

  4. Navigate to Devices & Users > Labels to confirm that the label was successfully created. It can be applied to DPC-specific MobileIron policies and configurations in future steps.

    Shows all existing labels in MobileIron, confirming creation of the DPC Users label.

2.1.2.3.3. Implement MobileIron Guidance

The following provides the sections from the MobileIron Derived Credentials with Entrust Guide that were used in configuring this instance of MobileIron DPC. For sections for which there may be configuration items tailored to a given instance (e.g., local system host names), this configuration is provided only as a reference. We noted any sections in which the steps performed to configure our systems vary from those in the MobileIron Derived Credentials with Entrust Guide.

Complete these sections in Chapter 2 of the MobileIron Derived Credentials with Entrust Guide:

  1. Before beginning:

    1. Configure client certificate authentication to the user portal.

      Note: The root CA certificate or trust chain file can be obtained from Entrust Datacard.

    2. Configure the Entrust IdentityGuard Self-Service Module uniform resource locator (URL).

      Note: The URL will be specific to the organization’s instance of the IDG service and can be obtained from Entrust Datacard.

  2. Configure PIN-based registration.

  3. Configure user portal roles.

  4. Add the PIV-D Entrust application to the App Catalog and add Web@Work for iOS.

  5. Configure Apps@Work.

    1. Set authentication options.
    2. Send the Apps@Work web clip to devices.
  6. Configure AppConnect.

    1. Configure AppConnect licenses.
    2. Configure the AppConnect global policy. The AppConnect Passcode policy settings for our implementation are presented below.

    Form to change AppConnect Passcode settings within the AppConnect global policy. Minimum passcode length: 6. Maximum Number of Failed Attempts: 5. Passcode is required for iOS Devices: enabled. Allow iOS users to reset their passcode: enabled. Check for passcode strength: enabled. Passcode Strength: 61.

    Note: Based on our testing, a Passcode Strength of 61/100 or higher prevents easily guessable derived credential passcode combinations (e.g., abc123) from being set by a DPC Applicant.

  7. Configure the PIV-D Entrust application.

  8. Configure client-provided certificate enrollment settings. Note that the configuration items created by completing this section will be used in the following section. Replace Step 2 in this section of the MobileIron Derived Credentials with Entrust Guide with the following step:

    Select Add New > Certificate Enrollment > SCEP.

  9. Configure Web@Work to use DPC:

    1. Require a device password.

    2. Configure a Web@Work setting. The Custom Configurations key-value pairs set for our instance in Step 4 are presented below.

      Note: The value for idCertificate_1 is the descriptive name we applied to the Simple Certificate Enrollment Protocol (SCEP) certificate enrollment configuration for derived credential authentication created in the MobileIron Derived Credentials with Entrust Guide section referenced in Step 8.

      A screenshot of the key-value pairs set for our instance:
      Key: IdCertificate_1_host, Value: (empty)
      Key: IdCertificate_1, Value: DC Authentication

2.1.3. DPC Life-Cycle Workflows

This section describes how to perform the DPC life-cycle activities of initial issuance, maintenance, and termination.

2.1.3.1. DPC Initial Issuance

This section provides the steps necessary to issue a DPC onto a target mobile device.

2.1.3.1.1. Register Target Device with MobileIron

The following steps will register the target mobile device with MobileIron, which will create the secure Mobile@Work container into which a DPC is later provisioned.

  1. Insert a valid PIV Card into the card reader attached to or integrated into your laptop or computer workstation.

  2. Using a web browser, visit the MobileIron Self-Service Portal URL provided by the administrator.

  3. In the MobileIron Self-Service Portal, click Sign in with certificate.


  4. In the certificate selection dialogue:

    1. If necessary, identify your PIV Authentication certificate:

      1. Highlight a certificate.

      2. Select Show Certificate.

        A screenshot of steps i. and ii. above.

      3. Navigate to the Details tab.

      4. The PIV Authentication certificate contains a Field named Certificate Policies with a Value that contains Policy Identifier=2.16.840.1.101.3.2.1.3.13.

      5. Repeat Steps i–iii above as necessary.

        A screenshot of the Certificate/Details tab showing the information listed in steps iv. and v. above.

    2. Select your PIV Authentication certificate in the list of available certificates.

    3. Click OK.

      User selects the PIV Authentication certificate stored on the inserted PIV card.

  5. In the authentication dialogue:

    1. In the PIN field, enter your PIV Card PIN.
    2. Click OK.

    User enters the PIV Card PIN to unlock the private keys.

  6. In the right-hand sidebar of the device summary screen, click Request Registration PIN.

    User sees registered devices summary and can request a new device registration PIN.

  7. In the Request Registration PIN page:

    1. Select iOS from the Platform drop-down menu.

    2. If your device does not have a phone number, check My device has no phone number.

    3. If your device has a phone number, enter it in the Phone Number field.

    4. Click Request PIN.

      User enters information about mobile device to register with MobileIron.

    5. The Confirmation page, shown in Figure 2-2, displays a unique device Registration PIN. Leave this page open while additional registration steps are performed on the target mobile device.

      Note: This page may also facilitate the workflow for initial DPC issuance, covered in Section 2.1.3.1.2.

Figure 2-2 MobileIron Registration Confirmation Page

Page displays a device registration PIN and a link to request a derived credential from Entrust.
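The certificate-policy test in Step 4a(iv) can also be done programmatically when checking which certificate on a card is the PIV Authentication certificate. The following is an added example, not code from the NCCoE build or from any vendor named in this guide: a stdlib-only DER walker that reads the policy identifiers out of an X.509 certificatePolicies extension value and reports whether it asserts the FPKI common-authentication policy 2.16.840.1.101.3.2.1.3.13 named in the step. The sample extension bytes, the placeholder CPS URI and the second policy identifier (id-fpki-common-hardware) are constructed for the demonstration.

```python
# Added example, not from the NCCoE build: a stdlib-only DER walker that extracts
# the policy OIDs from an X.509 certificatePolicies extension value and checks
# for the FPKI common-authentication policy the guide tells the user to look for.
# Feed policy_oids() the raw extension value (the OCTET STRING contents) of a certificate.

FPKI_COMMON_AUTHENTICATION = "2.16.840.1.101.3.2.1.3.13"  # from the guide, Step 4a(iv)
FPKI_COMMON_HARDWARE = "2.16.840.1.101.3.2.1.3.7"          # second sample policy (id-fpki-common-hardware)
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"                            # RFC 5280 CPS pointer qualifier

TAG_SEQUENCE, TAG_OID, TAG_IA5STRING = 0x30, 0x06, 0x16


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value (short or long definite length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + body


def _read_tlv(buf: bytes, pos: int):
    """Decode the TLV at pos; return (tag, body, offset just past it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: the next bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def encode_oid(dotted: str) -> bytes:
    """Dotted OID text -> DER OBJECT IDENTIFIER contents (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    values = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    out = bytearray()
    for v in values:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(body: bytes) -> str:
    """DER OBJECT IDENTIFIER contents -> dotted text."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # a clear high bit ends the arc
            arcs.append(value)
            value = 0
    first = arcs[0]
    top = 2 if first >= 80 else first // 40
    return ".".join(str(a) for a in [top, first - top * 40] + arcs[1:])


def policy_oids(ext_value: bytes) -> list:
    """certificatePolicies ::= SEQUENCE OF PolicyInformation
    PolicyInformation ::= SEQUENCE { policyIdentifier OID, policyQualifiers OPTIONAL }
    Returns every policyIdentifier; any qualifiers are skipped."""
    tag, seq, end = _read_tlv(ext_value, 0)
    if tag != TAG_SEQUENCE or end != len(ext_value):
        raise ValueError("not a certificatePolicies SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = _read_tlv(seq, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid_body, _ = _read_tlv(info, 0)
        if tag != TAG_OID:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_body))
    return oids


def is_piv_authentication_cert(ext_value: bytes) -> bool:
    """The guide's test: the PIV Authentication certificate asserts 2.16.840.1.101.3.2.1.3.13."""
    return FPKI_COMMON_AUTHENTICATION in policy_oids(ext_value)


def build_sample_extension(oids, cps_uri=None) -> bytes:
    """Construct a certificatePolicies value for the demo. If cps_uri is given,
    the first policy carries a CPS-pointer qualifier that the parser must skip."""
    infos = []
    for i, oid in enumerate(oids):
        body = _tlv(TAG_OID, encode_oid(oid))
        if i == 0 and cps_uri:
            qualifier = _tlv(TAG_SEQUENCE, _tlv(TAG_OID, encode_oid(ID_QT_CPS))
                             + _tlv(TAG_IA5STRING, cps_uri.encode("ascii")))
            body += _tlv(TAG_SEQUENCE, qualifier)
        infos.append(_tlv(TAG_SEQUENCE, body))
    return _tlv(TAG_SEQUENCE, b"".join(infos))


# Constructed samples (placeholder CPS URI): a PIV Authentication profile, and one
# that asserts only common-hardware and so must fail the check above.
PIV_AUTH_EXT = build_sample_extension(
    [FPKI_COMMON_AUTHENTICATION, FPKI_COMMON_HARDWARE], cps_uri="http://cps.example.invalid")
OTHER_EXT = build_sample_extension([FPKI_COMMON_HARDWARE])
```

With a real certificate, pass the value of the certificatePolicies extension (OID 2.5.29.32) as obtained from any X.509 parser; the walker only needs the extension's bytes, not the whole certificate.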

  1. Using the target mobile device, launch the MobileIron Mobile@Work application.

  2. In the request to grant MobileIron permission to receive push notifications, tap Allow.

    When the app is first opened, it requests permission to receive push notifications; the user must Allow this for the app to work properly.

  3. In Mobile@Work:

    1. In the User Name field, enter your LDAP or MobileIron user ID.

    2. Tap Next.

      User enters LDAP or MobileIron local user ID.

    3. In the Server field, enter the URL for the organizationʼs instance of MobileIron Core as provided by a MobileIron Core administrator.

    4. Tap Next.

      User enters the domain name of the local server hosting MobileIron Core.

    5. In the PIN field, enter the Registration PIN displayed in the Confirmation page (see Figure 2-2) of the MobileIron Self-Service Portal at completion of Step 7e.

    6. Tap Go on the keyboard or Register in Mobile@Work.

      User enters registration PIN as displayed in the MobileIron Self-Service Portal Confirmation page.

    7. In the Privacy screen, tap Continue.

      MobileIron displays a privacy notification to the user regarding actions a MobileIron administrator can take on the device (based on current policy) that may have privacy implications.

  4. In the Updating Configuration dialogue, tap OK; this will launch the built-in iOS Settings application.

    App notifies the user that a new device configuration needs to be installed using the built-in Settings app.

  5. In the Settings application, in the Install Profile dialogue:

    1. In the Signed by field, confirm that the originating server identity shows as Verified.

      Note: If verification of the originating server fails, contact your MobileIron administrator before resuming registration.

    2. Tap Install.

      User is shown MobileIron device profile summary.

  6. In the Enter Passcode dialogue:

    1. Enter your device unlock code.

    2. Tap Done.

      To install profile, user enters device unlock code.

  7. In the Install Profile dialogue, tap Install.

    Settings app prompts the user to confirm the intention to install the MobileIron profile.

  8. In the Warning dialogue, tap Install.

    Settings app warns the user that installing the MobileIron profile includes a Root Certificate and Mobile Device Management and summarizes potential hazards to the user.

  9. In the Remote Management dialogue, tap Trust.

    Note: The root certificate presented in this step may vary based on the CA used to sign the MDM profile. This build uses the Let’s Encrypt certificate authority.

    Settings app prompts the user to confirm an intent to grant trust to the MobileIron profile to remotely manage the device.

  10. In the Profile Installed dialogue, tap Done.

  11. In the App Management Change dialogue, tap Manage.

    MobileIron prompts the user to accept management of the MobileIron app by MobileIron Core.

  12. If additional Mobile@Work applications (e.g., Email+) are installed as part of the MobileIron management profile (based on your organizationʼs use case), an App Installation dialogue will appear for each application. To confirm, tap Install.

    MobileIron prompts the user to accept installation and management of the Tunnel app by MobileIron Core.

  13. In the Profile Installed dialogue, tap Done.

    Settings app notifies the user that the MobileIron profile has been installed.

  14. The Mobile@Work > Home screen should now display check marks for both status indicators of Connection established (with MobileIron Core) and Device in compliance (with the MobileIron policies that apply to your device).

    App indicates that the device is now connected to MobileIron Core and is in compliance with policy.

2.1.3.1.2. DPC Initial Issuance

The following steps demonstrate how a DPC is issued to an applicantʼs mobile device. It assumes the target mobile device is registered with MobileIron (see Register Target Device with MobileIron) and the MobileIron PIV-D Entrust application is installed (see Implement MobileIron Guidance). These steps are completed by the mobile device user who is receiving a DPC.

  1. Launch the MobileIron PIV-D Entrust application on the target mobile device.

  2. If a Mobile@Work Secure Apps passcode has not been set, you will be prompted to create one. In the Mobile@Work Secure Apps screen:

    1. In the Enter your new passcode field, enter a password consistent with your organizationʼs DPC password policy. This password will be used to activate your DPC (password-based subscriber authentication) for use by Mobile@Work secure applications.

      Note: NIST SP 800-63-3 increased the minimum DPC password length to eight characters.

      A screenshot of the Mobile@Work Secure Apps screen showing step a. above.

    2. In the Re-enter your new passcode field, reenter the password you entered in Step 2a.

    3. Tap Done.

      A screenshot of the Mobile@Work Secure Apps screen showing step b. above (re-entering your new passcode).

  3. Following registration with MobileIron Core and when no DPC is associated with Mobile@Work, PIV-D Entrust displays a screen for managing your DPC. You will return to this application in a later step.

    A screenshot of the PIV-D Entrust screen for managing your DPC that allows a user the option to select "Manage Existing Credential" or "Activate New Credential."

  4. Insert your valid PIV Card into the reader attached to your laptop or computer workstation.

  5. To request a DPC during the same session as registration with MobileIron:

    1. In the MobileIron Self-Service Portal Confirmation page (see Figure 2-2), click Request Derived Credential.

      Confirmation page displaying a link to request a derived credential from Entrust.

    2. In the certificate selection dialogue:

      1. Select your PIV Authentication certificate from the list of available certificates. See Step 4 of Section 2.1.3.1.1 for additional steps to identify this certificate, as necessary.

      2. Click OK.

      3. Continue with Step 6.

        The MobileIron Self-Service Portal, while redirecting the user to the Entrust Datacard IDG Self-Service Portal, prompts the user to select a certificate for authentication.

  6. To request a DPC in a new session:

    1. Using a web browser, visit the Entrust IDG Self-Service Portal URL provided by an administrator.

    2. In the Entrust IDG Self-Service Portal, under Smart Credential Log In, click Log In.

      Note: The portal used in our test environment is branded as a fictitious company, AnyBank Self-Service.

      User is presented with authentication options.

    3. In the Select a certificate dialogue:

      1. Select your PIV Authentication certificate from the list of available certificates. See Step 4 of Section 2.1.3.1.1 for additional steps to identify this certificate, as necessary.

      2. Click OK.

        The user is prompted to select the PIV Authentication certificate from the list of available certificates.

    4. In the authentication dialogue:

      1. In the PIN field, enter the password to activate your PIV Card.

      2. Click OK.

        User enters the password to unlock the private key for the PIV Authentication certificate selected in the previous step.

  7. On the Self-Administration Actions page, follow the I’d like to enroll for a derived mobile smart credential link (displayed below as the last item; this may vary based on which self-administration actions your Entrust IDG administrator enabled).

    Service displays a list of actions the user can perform in the Entrust IDG Self-Service Portal.

  8. On the Smart Credential enabled Application page, select Option 2: I’ve successfully downloaded and installed the Smart Credential enabled application.

    A screenshot of the instructions shown in 8 above, with Option 2 selected.

  9. On the Derived Mobile Smart Credential page:

    1. In the Identity Name field, enter your LDAP or MobileIron user ID.

    2. Click OK.

      User enters the identity name for the derived credential to be issued.

  10. The Derived Mobile Smart Credential Quick Response (QR) Code Activation page displays information used in future steps; keep this page displayed. The workflow resumes using the MobileIron PIV-D Entrust application that is open on the target mobile device.

    Note: Steps 11–13 must be completed by using the target mobile device within approximately three minutes, otherwise Steps 7–10 must be repeated to generate new activation codes.

Figure 2-3 Derived Mobile Smart Credential QR Code Activation Page

The Entrust IDG Self-Service Portal displays a QR code and PIN used in future issuance steps performed using the target mobile device. Leave this page displayed.

  11. In the PIV-D Entrust application that is running on the target mobile device, tap Activate New Credential.

    The PIV-D Entrust Welcome screen.

  12. Use the device camera to capture the QR code displayed on the Derived Mobile Smart Credential QR Code Activation page as represented in Figure 2-3.

    A screenshot of the QR code used in the lab build.

  13. On the Activate Credential screen:

    1. Enter the password below the QR code that is displayed on the Derived Mobile Smart Credential QR Code Activation page (displayed by the same device used to perform Steps 4–10) as represented in Figure 2-3.

    2. Tap Activate.

      User enters the activation code displayed on the Entrust IDG Self-Service Portal.

  14. If issuance was successful, the PIV-D Entrust application should automatically launch MobileIron. Go to Mobile@Work > Settings > Entrust Credential to view its details.

    The MobileIron app displays details on the provisioned DPC.
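The QR code and activation password used in Steps 11–13 are only usable for a short window (the note above gives approximately three minutes) and for a single enrollment. The following added example, which is not Entrust or MobileIron code, models how an issuing service enforces that property: it keeps only a hash of the activation code, rejects a code once its time-to-live has passed, and refuses a second redemption. The class and method names, the 180-second window and the in-memory store are assumptions for this illustration; the clock is injectable so the expiry path can be exercised without waiting.

```python
"""Short-lived, single-use activation codes for derived-credential enrollment.

Added illustration, not Entrust or MobileIron code. Models the behaviour described
in the issuance steps: a QR code and activation password that expire after roughly
three minutes and can be redeemed once. Names, the TTL and the in-memory store are
assumptions made for this example.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed from the text: codes are valid for "approximately three minutes".
ACTIVATION_TTL_SECONDS = 180


@dataclass
class PendingActivation:
    identity_name: str   # Identity Name the applicant entered in the portal
    code_hash: bytes     # only a SHA-256 hash of the code is kept server-side
    issued_at: float     # seconds since the epoch, from the injected clock
    consumed: bool = False


class ActivationService:
    """Issues and redeems activation codes; the clock is injectable for testing."""

    def __init__(self, clock=time.time, ttl_seconds: int = ACTIVATION_TTL_SECONDS):
        self._clock = clock
        self._ttl = ttl_seconds
        self._pending: dict[str, PendingActivation] = {}

    @staticmethod
    def _hash(code: str) -> bytes:
        return hashlib.sha256(code.encode("utf-8")).digest()

    def issue(self, identity_name: str) -> tuple[str, str]:
        """Return (activation_id, code). In a real flow the id would travel in the
        QR code and the code is the password the user types into the mobile app."""
        activation_id = secrets.token_urlsafe(16)
        code = secrets.token_hex(8)  # 16 hex characters, not guessable within the TTL
        self._pending[activation_id] = PendingActivation(
            identity_name, self._hash(code), self._clock()
        )
        return activation_id, code

    def redeem(self, activation_id: str, code: str) -> tuple[bool, str]:
        """Validate a code: unknown, expired, reused and mismatched codes all fail."""
        rec = self._pending.get(activation_id)
        if rec is None:
            return False, "unknown activation"
        if rec.consumed:
            return False, "activation code already used"
        if self._clock() - rec.issued_at > self._ttl:
            del self._pending[activation_id]          # stale entry is dropped
            return False, "activation code expired; repeat Steps 7-10"
        if not hmac.compare_digest(rec.code_hash, self._hash(code)):
            return False, "activation code mismatch"
        rec.consumed = True
        return True, f"derived credential issued for {rec.identity_name}"

    def purge_expired(self) -> int:
        """Drop pending entries past their TTL; returns how many were removed."""
        now = self._clock()
        stale = [k for k, v in self._pending.items() if now - v.issued_at > self._ttl]
        for k in stale:
            del self._pending[k]
        return len(stale)
```

Storing a hash rather than the code means a read of the pending table does not by itself let anyone complete an enrollment, and the constant-time comparison avoids leaking how much of a guess matched. A production service would persist the table and bind the activation to the registered device rather than keep it in memory.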

2.1.3.2. DPC Maintenance

Changes to a DPC subscriberʼs PIV Card that result in a rekey or reissuance (e.g., official name change) require the subscriber to repeat the initial issuance workflow as described in the previous section. The issued DPC will replace any existing DPC in the MobileIron Apps@Work container.

2.1.3.3. DPC Termination

Termination of a DPC can be initiated from the MobileIron Admin Console. Upon completion of this workflow, the DPC stored in the MobileIron Apps@Work container will be cryptographically wiped (destroyed). These steps are performed by a MobileIron Core administrator.

  1. In the MobileIron Admin Console, navigate to Devices & Users > Devices.

    Devices tab lists all of the managed mobile devices.

  2. Select the checkbox in the row identifying the mobile device to be retired.

    Selection of a specific mobile device in the Devices tab.

  3. Select Actions > Retire.

    Administrator selects Actions > Retire.

  4. In the Retire dialogue that appears:

    1. In the Note text box, enter the reason(s) the device is being retired from MobileIron.

    2. Select Retire.

      Administrator enters a reason the mobile device is to be retired from management by MobileIron.

  5. The Devices tab no longer displays the retired mobile device in the list of the devices.

    A screenshot of the details shown in the Devices tab confirming that the retired mobile device is no longer displayed.

The MobileIron PIV-D Entrust application now no longer reflects management by MobileIron. As a result, the DPC has been cryptographically wiped (destroyed) and its recovery is computationally infeasible.

2.2. Hybrid Architecture for PIV and DPC Life-Cycle Management

This section describes installation and configuration of key products for the architecture depicted in Figure 2-4 and Figure 2-5, as well as demonstration of the DPC life-cycle management activities of initial issuance and termination. Figure 2-4 focuses on the mobile device implementation. Here, the Identity Agent application is used to manage the DPC. The DPC authentication key is stored in a software keystore within the secure container. The supporting cloud and enterprise systems as described above are also shown. Figure 2-5 depicts the architecture when an Intel-based device that supports Intel Authenticate is used to store the DPC.

Figure 2-4 Mobile Device Hybrid Architecture for PIV Card and DPC Life-Cycle Management (Software Keystore)

A visual representation of the mobile device hybrid architecture for PIV card and DPC lifecycle management using Software Keystore.

Figure 2-5 Mobile Device Hybrid Architecture for PIV Card and DPC Life-Cycle Management (Intel Authenticate)

A visual representation of the mobile device hybrid architecture for PIV card and DPC lifecycle management using Intel Authenticate.

2.2.1. Intercede MyID CMS

Intercede offers its identity and credential management system (CMS) product, MyID, as a software solution that can be hosted in the cloud or deployed on premises. The MyID server platform is composed of an application server, database, and web server. It provides connectors to infrastructure components such as directories and PKIs, and application programming interfaces to enable integration with the organization’s identity and access management system. The MyID CMS is the core component for the architecture; as such, it should be fully configured and operational before other components.

2.2.1.1. Installation

Detailed instructions to install an instance of the MyID CMS are in the Intercede document MyID Version 10.8 Installation and Configuration Guide. Here, we document specific installation instructions for our environment.

The MyID system is modularly designed with web, application, and database tiers. In a production environment, it is likely that these tiers are separated onto multiple systems depending on performance and disaster recovery requirements. However, in our architecture, all tiers were installed on a Windows Server 2012 system due to resource constraints. Finally, role separation within the MyID system is not addressed here but should be considered before any deployment.

  1. Install a supported version of Microsoft Structured Query Language (SQL) Server on the target MyID server. Our environment uses SQL Server 2012 with the SQL Server Database Engine and SQL Server Management Tools. See Table 2-3 SQL Server Components for specific component versions. A full settings document (Exported-2017-07-27.vssettings) is available from the NCCoE DPC Project website. Refer to Microsoft’s online documentation for specific installation procedures.

Table 2-3 SQL Server Components

Component                                 Version
Microsoft SQL Server Management Studio    11.0.5058.0
Microsoft Analysis Services Client Tools  11.0.5058.0
Microsoft Data Access Components          6.3.9600.17415
Microsoft Extensible Markup Language 3.0  6.0
Microsoft Internet Explorer               9.11.9600.18739
Microsoft .NET Framework                  4.0.30319.42000
Operating System (OS)                     6.3.9600

2.2.1.2. Verizon Shared Service Provider (SSP) PKI Integration

Detailed instructions to integrate Verizon SSP with MyID are in Intercede’s UniCERT UPI Certificate Authority Integration Guide. Here, we document the specific configurations used within our builds.

  1. Install the following prerequisites on the MyID server:

     Component                                                                   Comment
     Java Runtime Environment 8.0                                                Download and install the latest update from the Oracle website. This build uses 8u121.
     Java Cryptography Extension Unlimited Strength Jurisdiction Policy Files 8  Download and install from the Oracle website.

  2. Obtain the following configuration settings from your managed PKI instance:

     Setting                                                       Comment
     Verizon SSP CA Path                                           Distinguished name of the directory instance, supplied by Verizon
     Verizon SSP Enrollment Agent                                  Distinguished name of the Registration Authority, supplied by Verizon
     Verizon SSP Service Point                                     Uniform Resource Identifier (URI) of the Verizon SSP web service end point, supplied by Verizon
     Verizon SSP Registration Authority Operator PKCS#12           Public Key Cryptography Standards (PKCS) #12 credentials, supplied by Verizon SSP
     Verizon SSP Registration Authority Operator PKCS#12 Password
  3. Create a CA configuration by using the following procedures:

    1. In MyID Desktop, select the Configuration category.
    2. Select Certificate Authorities from the Configuration menu.
    3. Select New from the Select a CA drop-down menu.
    4. From the CA Type drop-down menu, select Entrust JTK. A form with settings specific to the Entrust Datacard CA will appear.
    5. Fill in the Certificate Authority form with the following settings from Step 2:

       Setting               Value
       CA Name               Enter a short name to identify the Verizon SSP.
       CA Description        Optional long description.
       CA Type               Leave this setting as UniCERT.
       Retry Delays          Leave the defaults.
       CA Path               Retrieve setting from Step 2.
       Service Point         Retrieve setting from Step 2.
       Enrollment Agent      Retrieve setting from Step 2.
       Directory             Select the Entrust directory configured in Section 2.2.1.2.
       Certificate Store     Retrieve setting from Step 2; enter the fully qualified file path.
       Certificate Password  Retrieve setting from Step 2.
       Enable CA             Select this option.

A screenshot of the dialog box with all information from the table above entered into it.

    6. Click Save.

  4. Enable Verizon SSP CA policies by using the following procedures.

    1. Within MyID Desktop, click the Configuration category and choose Certificate Authorities.
    2. From the CA Name drop-down, select the Verizon SSP CA configured in Step 3.
    3. Click Edit.
    4. In the Available Certificates list, select PIV-SSP-Derived-Auth-sw-1yr-v3 to enable it for DPC issuance.
    5. Click the Enabled (Allow Issuance) checkbox.
    6. Set the following options for the policy:

       Setting                              Value
       Display Name                         Arbitrary name for this policy
       Description                          Optional description for this policy
       Allow Identity Mapping               Unchecked
       Reverse DN                           Checked
       Archive Keys                         Unchecked
       Certificate Lifetime                 365
       Automatic Renewal                    Unchecked
       Certificate Storage                  Both
       Recovery Storage                     Both
       Cryptographic Service Provider Name  Microsoft Enhanced Cryptographic Provider 1.0
       Requires Validation                  Unchecked
       Private Key Exportable               Unchecked
       User Protected                       Unchecked
       Key Algorithm                        RSA 2048
       Key Purpose                          Signature

    7. Click Edit Attributes and set the following values:

       Attribute                                Type     Value
       NACI Indicator                           Dynamic  NACI Status
       Subject Alt Microsoft UPN                Dynamic  User Principal Name
       Subject Alt Uniform Resource Identifier  Dynamic  Universal Unique Identifier

Figure 2-6 Certificate Profile Attributes

A screenshot of the Certificate Attributes dialog box with the values from the table in g. above selected.

  5. Repeat Step 4 for the PIV-Auth-1-yr-v2, PIV-CardAuth-1yr-v1, and PIV-Sig-1yr-v1 certificate profiles.

2.2.1.3. Configuration for DPC

Detailed instructions to configure an instance of the MyID CMS for DPC are in Intercede’s Derived Credentials Installation and Configuration Guide. Here, we document the specific configurations used within our builds. Before you begin, you need the Test Federal Common Policy CA root certificate file, which can be downloaded from the Federal PKI test repository. Also obtain the intermediate certificates for the Verizon SSP certificate chain (Verizon SSP CA A2 Test and Verizon SSP CA C1 Test) from the Verizon certificate test repositories.

The first step in configuration is to create a content signing certificate that is used to sign data stored in the DPC mobile container. This certificate (and its associated private key) must be available to MyID through the Windows Cryptographic Application Programming Interface (CryptoAPI) certificate store on the same server where the MyID server is installed. There are various ways to generate such a certificate; in our environment we chose to create a certificate authority on a separate instance of Windows Server 2012.

  1. Install Microsoft Certificate Services. There are a few online resources that can assist in the installation process. We suggest the Adding Active Directory Certificate Services to a Lab Environment tutorial from the Microsoft Developer Network.

    Add a certificate template. For reference, we have exported the certificate template (PIVContentSigning) that we used for the content signing certificate. The configuration file (CertificateTemplates.xml) is available for download from the NCCoE DPC Project website. A script to import the certificate template can be found at the Microsoft Script Center.

  2. Request a content signing certificate from the MyID system by using the procedures noted in the “Request a Certificate” TechNet article.

  3. Save the content signing certificate in binary format to the Components folder of the MyID installation folder.

  4. Edit the system registry with the following procedures:

    1. From the Start menu:

      1. Select Run.
      2. Type regedit in the dialogue displayed.
      3. Click OK.

    2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\wow6432Node\Intercede\Edefice\ContentSigning.

    3. Check that the value of the following string is set:

      Active: set to WebService.

    4. Set the value of the following string to the full path of the certificate on the application server:

      For example: C:\Program Files (x86)\Intercede\MyID\Components\contentcert.cer

  5. Set the location of the MyID web service that allows a mobile device to collect the DPC by using the following procedures within MyID Desktop:

    1. From the Configuration category, select the Operation Settings workflow.

    2. Click the Certificates tab.

    3. Set the Mobile Certificate Recovery Service URL option to the location of the MyID Process Driver web service host.

      For example: https://<replace-with-your-hostname>

    4. Click Save Changes.

  6. Set which PIV Cards are available for DPC by using the following procedures within MyID Desktop:

    1. From the Configuration category, select the Operation Settings workflow.
    2. Click the Certificates tab.
    3. To allow eligibility for all PIV Federal Agency Smart Card Number values, set Cards allowed for derivation to .+ (dot plus).
    4. Click Save Changes.
  7. Configure the revocation check offset for the PIV Authentication certificate to seven days by using the following procedures within MyID Desktop:

    1. From the Configuration category, select Operation Settings.
    2. On the Certificates tab, set Derived credential revocation check offset to 7.
    3. Click Save Changes.
  8. Grant access to the following workflows by using the MyID Desktop: Request Derived Credentials, Cancel Credential, Enable/Disable ID, Request Replacement ID, Unlock Credential, Collect My Updates.

    1. From the Configuration category, select the Edit Roles workflow.
    2. Select the checkbox for each of the roles to which you want to grant access. In our environment, Startup User was selected for all workflows.
    3. Click Save Changes.
  9. Edit the workflows from Step 8 with the appropriate permissions.

    1. From the Configuration category, select the Edit Roles workflow.
    2. Click Show/Hide Roles.
    3. Select the checkboxes for Mobile User, Derived Credential Owner, and PIV Applicant.
    4. Click Close.
    5. Select the corresponding roles:

       Role                      Permission
       Mobile User               Console Logon, Request Derived Credentials (part 1), Mobile Certificate Recovery, Collect My Updates, Issue Device
       Derived Credential Owner  Console Logon, Request Derived Credentials (part 2), Collect My Updates, Issue Device
       PIV Applicant             Request Derived Credentials (part 2), Collect My Updates

  10. Import the Test Federal Common Policy CA certificate into the MyID application server by using the following command as an administrator. This enables the administrator to control the PKI hierarchy that is trusted when verifying PIV Cards:

    certutil -addstore -f -Enterprise DerivedCredentialTrustedRoots RootCA.cer

  11. Configure the MyID system with the PIV Authentication and Digital Signature certificate policy Object Identifiers (OIDs) by using the following procedures. The values shown below are production values, so they may need to be changed for your organization:

    1. From the MyID Desktop Configuration category, select Operation Settings.
    2. On the Certificates tab, set the following values:

       Setting                                     Value
       Derived credential certificate OID          2.16.840.1.101.3.2.1.3.13
       Derived credential signing certificate OID  2.16.840.1.101.3.2.1.3.6; 2.16.840.1.101.3.2.1.3.7; 2.16.840.1.101.3.2.1.3.16

  12. Create an Identity Agent credential profile for the DPC by using the following procedures:

    1. From the MyID Desktop Configuration category, select Credential Profiles.
    2. Click New.
    3. In the Name field, enter a descriptive name for the profile.
    4. In Card Encoding, select Identity Agent (Only) and Derived Credential.
    5. In Services, leave default selections MyID Logon and MyID Encryption.
    6. In Issuance Settings, in the Mobile Device Restrictions drop-down, select Any.
    7. In Issuance Settings, Require Facial Biometrics, select Never Required.
    8. In PIN Settings, configure the following settings:

       Setting                        Value
       Authentication Mode            PIN
       Maximum PIN Length             12
       Minimum PIN Length             6
       Repeated Characters Allowed    1
       Sequential Characters Allowed  1
       Logon Attempts                 5
       PIN Inactivity Time            180
       PIN History                    0
       Issue With                     User specified PIN (default)
       Email PIN                      Unselect
       Length                         0

    9. In Device Profiles, select PIVDerivedCredential.xml from the Card Format drop-down.
    10. Click Next.
    11. In the Select Certificates tab, check PIV-SSP-Derived-Auth-sw-1yr-v3 along with Signing under Certificate Policy Description. Choose Authentication Certificate in the Container drop-down.
    12. Click Next.
    13. Select the roles that receive, issue, and validate DPCs. All was chosen in this example.
    14. Click Next.
    15. Select PIV_CON in the Select Card Layout tab.
    16. Click Next.
    17. Enter text into the Comments field, click Next, and then click Finish.
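The PIN Settings in the credential profile above (length 6 to 12, one repeated and one sequential character allowed, five logon attempts) are the rules the DPC PIN is held to. The following added example, which is not Intercede's code, applies those values so a PIN can be screened before a user is allowed to set it, and shows the lockout that follows the configured number of failed attempts. Reading "Repeated Characters Allowed" and "Sequential Characters Allowed" as maximum run lengths (so "77" or "12" is a run of two) is an assumption made for the example, as are the function and class names.

```python
"""PIN policy checks matching the PIN Settings of the DPC credential profile.

Added illustration, not Intercede's code. Enforces the table values (length 6-12,
at most one repeated character in a row, at most one character in an ascending or
descending sequence, five logon attempts). Treating the two "Allowed" values as
maximum run lengths is an assumption.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class PinPolicy:
    min_length: int = 6            # Minimum PIN Length
    max_length: int = 12           # Maximum PIN Length
    repeated_allowed: int = 1      # longest run of one character; "77" is a run of 2
    sequential_allowed: int = 1    # longest run of consecutive characters; "123" is 3
    logon_attempts: int = 5        # Logon Attempts before the PIN is locked


PROFILE_POLICY = PinPolicy()  # the values from the table above


def longest_repeat_run(pin: str) -> int:
    best = run = 0
    prev = None
    for ch in pin:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def longest_sequential_run(pin: str) -> int:
    """Longest run in which each character is the previous one plus or minus 1."""
    if not pin:
        return 0
    best = run = 1
    direction = 0
    for a, b in zip(pin, pin[1:]):
        step = ord(b) - ord(a)
        if abs(step) == 1 and step == direction:
            run += 1
        elif abs(step) == 1:
            run, direction = 2, step
        else:
            run, direction = 1, 0
        best = max(best, run)
    return best


def validate_pin(pin: str, policy: PinPolicy = PROFILE_POLICY) -> list[str]:
    """Return the list of policy violations; an empty list means the PIN is acceptable."""
    problems = []
    if len(pin) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(pin) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    if longest_repeat_run(pin) > policy.repeated_allowed:
        problems.append(f"more than {policy.repeated_allowed} repeated character(s) in a row")
    if longest_sequential_run(pin) > policy.sequential_allowed:
        problems.append(f"more than {policy.sequential_allowed} sequential character(s) in a row")
    return problems


class PinVerifier:
    """Holds a salted hash of an accepted PIN and locks after too many failures."""

    def __init__(self, pin: str, policy: PinPolicy = PROFILE_POLICY):
        problems = validate_pin(pin, policy)
        if problems:
            raise ValueError("; ".join(problems))
        self._policy = policy
        self._salt = secrets.token_bytes(16)
        self._digest = self._hash(pin)
        self.failed_attempts = 0
        self.locked = False

    def _hash(self, pin: str) -> bytes:
        # PBKDF2 slows offline guessing if the stored digest ever leaks.
        return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), self._salt, 100_000)

    def verify(self, pin: str) -> bool:
        if self.locked:
            return False
        if hmac.compare_digest(self._digest, self._hash(pin)):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= self._policy.logon_attempts:
            self.locked = True   # from here an Unlock Credential workflow is required
        return False
```

The sequential check counts both ascending and descending runs and resets when the direction changes, so "1232" is a run of three followed by a run of two, not a run of four. A locked verifier stays locked even for the correct PIN, which mirrors the Unlock Credential workflow granted in Step 8 being the only way back.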

2.2.2. Intercede MyID Identity Agent

The MyID Identity Agent is a mobile application that interfaces with the MyID CMS and supports a wide range of mobile devices and credential stores, including the device native keystore, software keystore, and microSD. The MyID Identity Agent application is required to issue and manage DPCs. No special configuration is necessary after installing the application; scanning the QR code during the initial enrollment directs the Identity Agent to your instance of MyID CMS. MyID Identity Agent is supported on both iOS and Android platforms.

2.2.2.1. Installation

MyID Identity Agent is available on the Google Play Store and the Apple App Store. Detailed installation procedures are found on the Google Play Store and Apple App Store support sites.

2.2.3. Intercede Desktop Client

The Intercede Desktop component of this example solution serves as the main point of administration of the MyID CMS. It was installed on a Dell Latitude E6540 laptop running Windows 7. The procedures below are adapted from the Installation and Configuration Guide Version 10.8, Section 7.4.

2.2.3.1. Installation

Before installation, have available the host name and the distinguished name (DN) of the issuer of the Transport Layer Security (TLS) certificate used to communicate with the MyID application server.

  1. Run the provided .msi file as an administrator.

  2. Select the destination location, then click Next.

  3. Select the desired shortcuts to be installed.

  4. Click Next.

  5. In the MyID Desktop InstallShield Wizard:

    1. In the Server URL field, enter the URL for your instance of MyID Server.

    2. In the SSL Certificate Issuer DN field, leave empty as this prompt is applicable only when mutual TLS is implemented.

    3. Click Next.

    4. Click Install.

      The MyID Desktop InstallShield Wizard dialog box

2.2.4. Intercede Self-Service Kiosk

The MyID Self-Service Kiosk serves as a DPC issuance station for eligible PIV holders. While the software is designed to run on a shared Windows system as a kiosk in public space, in this example it is installed on a Dell Latitude E6540 laptop running Windows 7. The procedures below are adapted from Self-Service Kiosk Installation and Configuration and Derived Credentials Installation and Configuration Guide.

2.2.4.1. Installation

Before installation, have available the host name and the issuer distinguished name of the TLS certificate used to communicate with the MyID application server.

  1. Click Next.

  2. Accept default and click Next.

  3. In the MyID Self-Service Kiosk InstallShield Wizard:

    1. In the Server URL field, enter the URL of your instance of MyID Server.

    2. In the SSL Certificate Issuer DN field, leave empty as this prompt is applicable only when mutual TLS is implemented.

    3. Select Next.

    4. Select Install.

    5. Select Finish.

      The MyID Self-Service Kiosk - InstallShield Wizard dialog box with Server URL filled in.

2.2.4.2. Configuration

Use the following procedures to configure the MyID Self-Service Kiosk for DPC issuance:

  1. Set the time-out for the PIN entry screen by using the following procedures:

    1. Open \Program Files (x86)\Intercede\MyIDSelfServiceKiosk\MyIDKiosk.exe.config by using a text editor.

    2. Edit the value parameter in the following line:

      <add key="DerivedCredentialsPageTimeoutSeconds" value="120"/>

    3. Edit the value parameter in the following line with the MyID application server address:

      <add key="Server" value="http://myserver.example.com/"></add>

    4. Save changes to the file.
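The two appSettings lines edited above decide where the kiosk sends its traffic and how long the PIN entry page stays open. The following added example, which is not Intercede's code, reads the appSettings section of the .NET configuration file and flags what a reviewer would want caught before the kiosk goes live: a Server value that is not an https URL, a placeholder host name such as the myserver.example.com used on this page, and a timeout outside a sane window. The sample configuration is constructed for the example and wraps only the two keys shown in the procedure; the 30 to 300 second bounds and the function names are assumptions.

```python
"""Pre-deployment check of the MyIDKiosk.exe.config settings edited above.

Added illustration, not Intercede's code. Reads the appSettings of the .NET
configuration file and flags a non-https Server URL, a placeholder host name and
a page timeout outside an assumed sane range. The sample configuration below is
constructed for this example; only the two keys shown on the page are assumed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: the two lines from the procedure, wrapped in the
# <configuration><appSettings> structure a .NET .exe.config file uses.
SAMPLE_CONFIG = """\
<configuration>
  <appSettings>
    <add key="DerivedCredentialsPageTimeoutSeconds" value="120"/>
    <add key="Server" value="http://myserver.example.com/"></add>
  </appSettings>
</configuration>
"""

PLACEHOLDER_DOMAINS = ("example.com", "example.net", "example.org")


def app_settings(config_xml: str) -> dict[str, str]:
    """Return the appSettings <add key=... value=...> pairs as a dict."""
    root = ET.fromstring(config_xml)
    return {
        el.get("key"): el.get("value", "")
        for el in root.iterfind("./appSettings/add")
        if el.get("key") is not None
    }


def check_kiosk_config(config_xml: str, min_timeout: int = 30, max_timeout: int = 300) -> list[str]:
    """Return findings a reviewer should act on before the kiosk goes live."""
    settings = app_settings(config_xml)
    findings: list[str] = []

    server = settings.get("Server")
    if not server:
        findings.append("Server: missing; the kiosk cannot reach the MyID application server")
    else:
        url = urlparse(server)
        if url.scheme != "https":
            findings.append(
                f"Server: scheme '{url.scheme}' is not https; traffic to the MyID "
                "application server would not be protected by TLS"
            )
        host = url.hostname or ""
        if not host:
            findings.append("Server: no host name in URL")
        elif any(host == d or host.endswith("." + d) for d in PLACEHOLDER_DOMAINS):
            findings.append(f"Server: '{host}' looks like a placeholder host name")

    raw_timeout = settings.get("DerivedCredentialsPageTimeoutSeconds")
    if raw_timeout is None:
        findings.append("DerivedCredentialsPageTimeoutSeconds: missing")
    else:
        try:
            timeout = int(raw_timeout)
        except ValueError:
            findings.append(f"DerivedCredentialsPageTimeoutSeconds: '{raw_timeout}' is not an integer")
        else:
            if not min_timeout <= timeout <= max_timeout:
                findings.append(
                    f"DerivedCredentialsPageTimeoutSeconds: {timeout} is outside "
                    f"{min_timeout}-{max_timeout} seconds"
                )
    return findings
```

Run against a real file with `check_kiosk_config(open(path, encoding="utf-8").read())`; an empty list means the two settings look deployable. The timeout bounds are there because a very long PIN entry timeout leaves a walk-up kiosk sitting on a half-finished issuance after the PIV holder has left.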

2.2.5. Windows Client Installation for MyID and Intel Authenticate

The Intel Authenticate Integration Guide for Active Directory Policy Objects provides instructions on how to set up Group Policy Objects for various functions of the Intel Authenticate installation process. The following instructions are primarily repurposed from the Intel Authenticate Integration Guide.

2.2.5.1. Installing the MyID Self-Service Application

  1. Run SSP-2.3.1000.1_E.msi on the client computer.

  2. Click Next.

    A screenshot of instructions 1 and 2 above.

  3. Click Next.

    A screenshot of the dialog box to select a destination location for the install files. In this case, the files will install to the default location. The Next button is highlighted.

  4. Enter the Server URL for your organization’s MyID server. Leave the SSL Certificate Issuer DN field empty, as this prompt is applicable only when mutual TLS is implemented.

  5. Click Next.

    Screenshot of a dialog box to insert the URL of the server with which MyID Self-Service App will communicate. The Next button is highlighted.

  6. Click Install.

    A screenshot of the dialog box to complete installation. The Install button is highlighted.

  7. Click Finish.

    A screenshot of the dialog box to complete installation. The Finish button is highlighted.

2.2.5.2. Installing the WSVC Service

  1. Run WSVC-1.6.1000.1_B.msi.

  2. Click Next.

    A screenshot of the MyID Patch - WSVC-1.6.1000.1 - InstallShield Wizard dialog box. The Next button is highlighted.

  3. Enter the username and password for the account that will install the service.

  4. Click Next.

    A screenshot of the MyID Patch - WSVC-1.6.1000.1 - InstallShield Wizard Login Credentials dialog box.

  5. Click Next.

    A screenshot of the MyID Patch - WSVC-1.6.1000.1 - InstallShield Wizard Choose Destination Location dialog box.

  6. Click Install.

    A screenshot of the MyID Patch - WSVC-1.6.1000.1 - InstallShield Wizard Install dialog box. The Install button is highlighted.

  7. Click Finish.

    A screenshot of the MyID Patch - WSVC-1.6.1000.1 - InstallShield Wizard "Setup Complete" dialog box. The Finish button is highlighted.

2.2.5.3. Installing Prerequisites for Intel Authenticate

This process may differ depending on the client system. Primarily, it is important that the Intel Management Engine is installed and that all Intel drivers are up to date so that the Intel Authenticate Precheck succeeds.

  1. Run n1cra26w.exe. (The name may differ based on your system—this is the Intel Management Engine.)

  2. Click Next.

    A screenshot of the "Setup - Intel Management Engine 11.6 Software for Windows 10" dialog box. The Next button is highlighted.

  3. Select I accept the agreement.

  4. Click Next.

    A screenshot of the "Setup - Intel Management Engine 11.6 Software for Windows 10" dialog box showing the license agreement. The Next button is highlighted.

  5. Click Next.

    A screenshot of the "Setup - Intel Management Engine 11.6 Software for Windows 10" dialog box for Select Destination Location. The Next button is highlighted.

  6. Click Install.

    A screenshot of the "Setup - Intel Management Engine 11.6 Software for Windows 10" dialog box at the "Ready to Install" prompt. The Install button is highlighted.

  7. Check the box next to Install Intel Management Engine 11.6 Software for Windows 10 now.

  8. Click Finish.

    A screenshot of the "Setup - Intel Management Engine 11.6 Software for Windows 10" dialog box. The Finish button is highlighted.

  9. Run u2vdo22us14avc.exe. (The name may differ based on your system—this is the graphics driver update.)

  10. Click Next.

    A screenshot of the "Setup - Intel HD Graphics Driver" dialog box. The Next button is highlighted.

  11. Select I accept the agreement.

  12. Click Next.

    A screenshot of the "Setup - Intel HD Graphics Driver" dialog box displaying the license agreement. The Next button is highlighted.

  13. Click Next.

    A screenshot of the "Setup - Intel HD Graphics Driver" dialog box at the "Select Destination Location" prompt. The Next button is highlighted.

  14. Click Install.

    A screenshot of the "Setup - Intel HD Graphics Driver" dialog box. The Install button is highlighted.

  15. Check the box next to Install Intel HD Graphics Driver now.

  16. Click Finish.

    A screenshot of the "Setup - Intel HD Graphics Driver" dialog box at the finish prompt. The Finish button is highlighted.

2.2.5.4. Installing the Intel Authenticate Client

The Intel Authenticate Client should be installed automatically by the Group Policy Object (GPO), but it can also be installed manually by running IAx64-2.5.0.68.msi.

  1. Run IAx64-2.5.0.68.msi.

  2. Click Next.

    A screenshot of the "Intel® Authenticate Setup" dialog box. The Next button is highlighted.

  3. Select I accept the terms in the License Agreement.

  4. Click Next.

    A screenshot of the "Intel® Authenticate Setup" dialog box displaying the license agreement. The Next button is highlighted.

  5. Click Install.

    A screenshot of the "Intel® Authenticate Setup" dialog box at the "Ready to Install" prompt. The Install button is highlighted.

  6. Click Finish.

    A screenshot of the "Intel® Authenticate Setup" dialog box at the Finish prompt. The Finish button is highlighted.

2.2.5.5. Configuring Intel Authenticate
  1. Once the Enforce Policy GPO is run, the window for configuring Intel Authenticate will open on the client machine. You can also open this manually by searching for Intel Authenticate in the Start Menu.

  2. Click the right arrow button.

    A screenshot of the Intel® Authenticate Factor Management window, showing a right arrow button in the lower right hand corner of the box.

  3. Click the right arrow button.

    A screenshot of the Intel® Authenticate Factor Management window. The prompt states that "You can use a combination of factors like: Bluetooth Proximity, Protected PIN, or Protected Fingerprint." A right arrow button is shown in the lower right hand corner of the box.

  4. Click Enroll Factor.

    A screenshot of the Intel® Authenticate Factor Management window showing an Enroll Factor/Protected PIN button.

  5. Click Proceed.

    A screenshot of the Intel® Authenticate Factor Management window for Protected PIN. The text in the window states, "Using Intel Secure technology, a protected PIN is used for authentication. The digits placement change in the keypad makes the protected PIN more secure than any other PIN code or password used by Windows, websites and other services. Enabled for: OS Login." The Proceed button is shown at the bottom of the window.

  6. Enter a PIN for Intel Authenticate, which will be used for any certificates issued to the device.

  7. Reenter the PIN.

  8. Click Return to home.

    A screenshot of the Intel® Authenticate Factor Management window for Protected PIN. The text in the window states, "Protected PIN enrolled successfully." The Return to home button is being selected.

    A screenshot of the Intel® Authenticate Factor Management window showing that all factors were enrolled.

2.2.6. Intel Authenticate GPO

The Intel Authenticate Integration Guide for Active Directory Policy Objects provides instructions on how to set up GPOs for various functions of the Intel Authenticate installation process. The following instructions are primarily repurposed from the Intel Authenticate Integration Guide.

2.2.6.1. Preparing a Digital Signing Certificate
  1. In a new PowerShell window, generate a new self-signed certificate to sign the Intel Policy. Enter the command:

    New-SelfSignedCertificate -Subject "CN=TestCert" -KeyUsageProperty All -KeyAlgorithm RSA -KeyLength 2048 -KeyUsage DigitalSignature -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -CertStoreLocation "Cert:\CurrentUser\My"


    A screenshot of a PowerShell window with the command from number 1 above entered.

  2. Run mmc.exe from the Start menu to open the Microsoft Management Console window.

    A screenshot of the Microsoft Management Console showing the Console Root folder highlighted in the upper left corner.

  3. Select File > Add/Remove Snap-In. Add the Certificates snap-in.

    A screenshot of the "Add or Remove Snap-ins" selection dialog box. The Certificates snap-in is highlighted and added. The OK button is selected.

  4. The newly created certificate should be in the Certificates – Current User > Personal > Certificates store.

    A screenshot of the Microsoft Management Console displaying the folder content structure and the newly created certificate is highlighted.

  5. Right-click the newly created certificate and select Copy.

  6. Navigate to Certificates – Current User > Trusted Root Certification Authorities > Certificates and paste the certificate there.

  7. Click Yes when a warning message appears.

    A screenshot of the Security Warning that states: "You are about to install a certificate from a certification authority (CA) claiming to represent: ...."

    A screenshot of the Microsoft Management Console with the newly pasted certificate in the proper folder.
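
As an added example (not part of the NIST guide or of Intel's tooling), the following PowerShell script performs steps 1 through 7 of this section in one pass and verifies the result; the certificate subject name and the export directory are assumptions.

```powershell
# Added example, not from the guide: scripted version of Section 2.2.6.1.
# Requires the PKI module cmdlets shipped with Windows 10 / Server 2016 and later.
# The subject name and export directory are assumptions; the guide uses CN=TestCert.

$subject   = "CN=IntelAuthPolicySigning"
$exportDir = Join-Path $env:TEMP "intel-policy-signing"
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# Step 1: the same parameters as the guide's New-SelfSignedCertificate command.
# The private key is created in the current user's Personal store and never leaves it.
$cert = New-SelfSignedCertificate `
    -Subject $subject `
    -KeyUsageProperty All `
    -KeyAlgorithm RSA `
    -KeyLength 2048 `
    -KeyUsage DigitalSignature `
    -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
    -CertStoreLocation "Cert:\CurrentUser\My"

# Steps 5 through 7: copy only the public certificate into the current user's
# Trusted Root store. Windows shows the same "You are about to install a
# certificate from a certification authority (CA)..." warning as in step 7.
$cerPath = Join-Path $exportDir "policy-signing.cer"
Export-Certificate -Cert $cert -FilePath $cerPath -Force | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation "Cert:\CurrentUser\Root" | Out-Null

# Check: the same thumbprint must now be present in both stores, and the key
# usage must include Digital Signature, which the guide's command requests and
# the Profile Editor relies on when it signs the profile.
$inPersonal = Get-ChildItem "Cert:\CurrentUser\My"   | Where-Object Thumbprint -eq $cert.Thumbprint
$inRoot     = Get-ChildItem "Cert:\CurrentUser\Root" | Where-Object Thumbprint -eq $cert.Thumbprint
$hasSigning = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
    Where-Object { $_.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature }

if ($inPersonal -and $inRoot -and $hasSigning) {
    "Signing certificate ready: thumbprint $($cert.Thumbprint)"
} else {
    throw "Signing certificate was not set up correctly; check both stores in mmc.exe"
}
```

The certificate is trusted as a root only for the user account that runs the Profile Editor; it does not need to be distributed to the client machines.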

2.2.6.2. Creating a Profile
  1. Run the ProfileEditor.exe file as an administrator.

    A screenshot of the dialog box with "Run as administrator" selected.

  2. Click Create a New Profile….

    A screenshot of the Intel® Setup and Configuration Software: Profile Editor dialog box. The Create a New Profile link is selected.

  3. Click Select Signing Certificate.

    A screenshot of the Intel® Setup and Configuration Software: Profile Editor dialog box. The Select Signing Certificate button is selected.

  4. Select the newly created certificate and click Select.

    A screenshot of the Signing Certificate selection box is shown. The newly created certificate is highlighted and the Select button is selected.

  5. Under Authentications Factors, check the box next to Protected PIN.

  6. Click the Edit button.

    A screenshot of the Intel® Setup and Configuration Software: Profile Editor dialog box. Protected PIN is selected under Authentication Factors. The Edit button is selected.

  7. Set the PIN length and the minimum number of unique digits.

  8. Click Close.

    A screenshot of the Protected PIN dialog box is shown. The Minimum PIN length is set to 6; the Minimum unique digits is set to 3. The Close button is selected.

  9. Under Actions > OS Login, check the box next to Enable OS Login.

  10. Check the box next to Protected PIN.

  11. Click Advanced Settings.

    A screenshot of the Intel® Setup and Configuration Software: Profile Editor dialog box. Enable OS Login is selected, and Protected PIN is selected. The Advanced Settings button is selected.

  12. Uncheck the box next to Require the system drive to be encrypted.

  13. Click Close.

    A screenshot of the Advanced Settings of OS Login. The "Require the system drive to be encrypted" box is unselected. The Close button is highlighted.

  14. Click the Save As… button and save the profile.

2.2.6.3. Creating a Shared Folder
  1. Create a new folder on the network.

  2. Give it a name such as shared-gpo-folder.

    A screenshot of File Explorer, showing a new folder named shared-gpo-folder.

  3. Right-click the folder and select Properties.

  4. Go to the Security Tab.

  5. Click Edit.

    A screenshot of the folder Properties/Security tab.

  6. Click Add.

    A screenshot of the "Permissions for shared-gpo-folder" Security dialog box. The Add button is highlighted.

  7. Enter Domain Computers in the text box.

  8. Click OK.

    A screenshot of the "Select Users, Computers, Service Accounts, or Groups" dialog box. The words "Domain Computers" are typed into the "Enter the object names to select" box.

  9. Ensure that the Domain Computers have read permissions on this folder.

  10. Click OK.

    A screenshot of the "Permissions for shared-gpo-folder" Security dialog box.

  11. Click OK.

  12. Copy all the files from the HostFiles folder, as well as the Intel Profile you created, into this shared folder.

    A screenshot of Files Explorer showing the "shared-gpo-folder" folder location.

2.2.6.4. Creating Windows Management Instrumentation (WMI) Filters for the GPOs
  1. Open the Group Policy Management window by running gpmc.msc from the Start menu.

  2. Right-click WMI Filters and select New….

    A screenshot of the Group Policy Management window. "WMI Filters" is highlighted.

  3. Enter a name such as Is Intel Authenticate Supported and click Add.

    A screenshot of the WMI Filters dialog box.

  4. In the Query field, enter SELECT * FROM Intel_Authenticate WHERE Supported="true".

  5. Click OK.

    A screenshot of the WMI Query dialog box.

  6. Click Save.

    A screenshot of the WMI Filters dialog box. The Save button is selected.

  7. Right-click WMI Filters and select New….

  8. Enter a name such as Is Intel Authenticate Installed and click Add.

    A screenshot of the New WMI Filter dialog box.

  9. In the Query field, enter SELECT * FROM Intel_Authenticate WHERE isClientInstalled="true" AND isEngineInstalled="true".

  10. Click OK.

    A screenshot of the WMI Query dialog box.

  11. Click Save.

    A screenshot of the New WMI Filter dialog box.

    A screenshot of Group Policy Management. WMI Filters is highlighted in the file tree.

2.2.6.5. Creating a GPO to Discover Intel Authenticate
  1. Open Group Policy Management.

  2. In the Group Policy Management tree, right-click the domain and select Create a GPO in the domain and Link it here.

  3. Enter a name for this GPO.

    A screenshot of the New GPO dialog box showing instructions from #3 above.

  4. Right-click the GPO just created and select Edit.

  5. Right-click Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks and select New > Scheduled Task (At least Windows 7).

    A screenshot of the Scheduled Tasks dialog box.

  6. Select Replace from the drop-down list for Action.

  7. Enter a descriptive name.

  8. Click Change User or Group.

  9. Enter SYSTEM and click OK.

    A screenshot of the Select User or Group dialog box, with SYSTEM entered in the text box.

  10. Check the box next to Run whether user is logged on or not.

  11. A window will open asking for a password. Click Cancel.

    A screenshot of the Task Scheduler (Windows 7) dialog box.

  12. Check the box next to Do not store password. The task will only have access to local resources.

  13. Check the box next to Run with highest privileges.

    A screenshot of the Copy files locally Properties dialog box. The boxes named in instructions #12 and #13 above are checked.

  14. Select the Triggers tab.

  15. Click New….

    A screenshot of the Triggers tab in the New Task (At least Windows 7) Properties dialog box. The New button is selected.

  16. Select At task creation/modification for Begin the task.

  17. Click OK.

    A screenshot of the New Trigger dialog box. "At task creation/modification" is selected from the "Begin the task:" dropdown menu. The OK button is selected.

  18. Select the Actions tab.

  19. Click New….

    A screenshot of the Actions tab in the New Task (At least Windows 7) Properties dialog box. The New button is selected.

  20. Select Start a program.

  21. For Program/script, enter the network location of the CopyFilesLocally.bat file.

  22. Click OK.

    A screenshot of the New Action dialog box with information from instruction #21 above entered. The OK button is selected.

  23. Click OK.

    A screenshot of the Actions tab in the New Task (At least Windows 7) Properties dialog box. The OK button is selected.

  24. Right-click Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks and select New > Scheduled Task (At least Windows 7).

    A screenshot of the Scheduled Tasks screen within the Group Policy Management Editor window.

  25. Select Replace from the drop-down list for Action.

  26. Enter a descriptive name.

  27. Click Change User or Group.

  28. Enter SYSTEM and click OK.

    A screenshot of the Select User or Group dialog box.

  29. Check the box next to Run whether user is logged on or not.

  30. A window will open asking for a password. Click Cancel.

    A screenshot of the Task Scheduler (Windows 7) dialog box.

  31. Check the box next to Do not store password. The task will only have access to local resources.

  32. Check the box next to Run with highest privileges.

    A screenshot of the General tab in the New Task (At least Windows 7) Properties dialog box. Information from instructions #31 and #32 is included.

  33. Select the Triggers tab.

  34. Click New….

  35. Select At task creation/modification for Begin the task.

  36. Click OK.

    A screenshot of the New Trigger dialog box. The OK button is selected.

  37. Select the Actions tab.

  38. Click New….

  39. Select Start a program.

    A screenshot of the New Action dialog box. "Start a program" is selected from the "Action:" dropdown menu.

  40. For Program/script, enter C:\Temp\DetectIntelAuthenticate.bat.

  41. For Start In, enter C:\Temp.

  42. Click OK.

    A screenshot of the New Action dialog box with information from instruction #41 above.

  43. Click OK.

    A screenshot of the Actions tab in the New Task (At least Windows 7) Properties dialog box. The OK button is selected.

    A screenshot of the Scheduled Tasks screen within the Group Policy Management Editor window.

2.2.6.6. Creating a GPO to Install Intel Authenticate
  1. Open Group Policy Management.

  2. In the Group Policy Management tree, right-click the domain and select Create a GPO in the domain and Link it here.

  3. Enter a name for this GPO.

  4. Click OK.

    A screenshot of the New GPO dialog box showing instructions from #3 above.

  5. Select the GPO you just created and select Is Intel Authenticate Supported in the WMI Filtering section.

  6. Click Yes.

    A screenshot of the Group Policy Management dialog box. The Yes button is selected.

  7. Right-click the GPO just created and select Edit.

    A screenshot of the Scheduled Tasks screen within the Group Policy Management Editor window.

  8. Right-click Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks and select New > Scheduled Task (At least Windows 7).

  9. Select Replace from the drop-down list for Action.

  10. Enter a descriptive name.

  11. Click Change User or Group.

  12. Enter SYSTEM and click OK.

    A screenshot of the Select User or Group dialog box.

  13. Check the box next to Run whether user is logged on or not.

  14. A window will open asking for a password. Click Cancel.

    A screenshot of the Task Scheduler (Windows 7) dialog box.

  15. Check the box next to Do not store password. The task will only have access to local resources.

  16. Check the box next to Run with highest privileges.

    A screenshot of the General tab in the New Task (At least Windows 7) Properties dialog box. Information from instructions #15 and #16 is included.

  17. Select the Triggers tab.

  18. Click New….

  19. Select At task creation/modification for Begin the task.

  20. Check the box next to Delay task for.

  21. Select 30 minutes.

  22. Ensure Enabled is selected and click OK.

    A screenshot of the New Trigger dialog box. The OK button is selected.

  23. Select the Actions tab.

  24. Click New….

  25. Select Start a program.

  26. For Program/script, enter C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.

  27. For Add arguments, enter -executionpolicy unrestricted C:\Temp\RunInstaller.ps1.

  28. For Start In, enter C:\Temp.

  29. Click OK.

    A screenshot of the New Action dialog box with information from instruction #28 above.

  30. Click OK.

  31. Right-click Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks and select New > Scheduled Task (At least Windows 7).

  32. Select Replace from the drop-down list for Action.

  33. Enter a descriptive name.

  34. Click Change User or Group.

  35. Enter SYSTEM and click OK.

    A screenshot of the Select User or Group dialog box.

  36. Check the box next to Run whether user is logged on or not.

  37. A window will open asking for a password. Click Cancel.

    A screenshot of the Task Scheduler (Windows 7) dialog box.

  38. Check the box next to Do not store password. The task will only have access to local resources.

  39. Check the box next to Run with highest privileges.

    A screenshot of the General tab in the New Task (At least Windows 7) Properties dialog box. Information from instructions #38 and #39 is included.

  40. Select the Triggers tab.

  41. Click New….

  42. Select At task creation/modification for Begin the task.

  43. Check the box next to Delay task for.

  44. Select 30 minutes.

  45. Ensure Enabled is selected and click OK.

    A screenshot of the New Trigger dialog box. The OK button is selected.

  46. Select the Actions tab.

  47. Click New….

  48. Select Start a program.

  49. For Program/script, enter C:\Temp\DetectIntelAuthenticate.bat.

  50. For Start In, enter C:\Temp.

  51. Click OK.

    A screenshot of the New Action dialog box with information from instruction #50 above.

  52. Click OK.

    A screenshot of the Actions tab in the New Task (At least Windows 7) Properties dialog box. The OK button is selected.

    A screenshot of the Scheduled Tasks screen within the Group Policy Management Editor window.

2.2.6.7. Creating a GPO to Enforce the Policy
  1. Open Group Policy Management.

  2. In the Group Policy Management tree, right-click the domain and select Create a GPO in the domain and Link it here.

  3. Enter a name for this GPO.

  4. Click OK.

    A screenshot of the New GPO dialog box showing instructions from #3 above.

  5. Select the GPO you just created and select Is Intel Authenticate Installed in the WMI Filtering section.

  6. Click Yes.

    A screenshot of the Group Policy Management dialog box.

  7. Right-click the GPO just created and select Edit.

    A screenshot of the Scheduled Tasks screen within the Group Policy Management Editor window.

  8. Right-click Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks and select New > Scheduled Task (At least Windows 7).

  9. Select Replace from the drop-down list for Action.

  10. Enter a descriptive name.

  11. Click Change User or Group.

  12. Enter SYSTEM and click OK.

    A screenshot of the Select User or Group dialog box.

  13. Check the box next to Run whether user is logged on or not.

  14. A window will open asking for a password. Click Cancel.

    A screenshot of the Task Scheduler (Windows 7) dialog box.

  15. Check the box next to Do not store password. The task will only have access to local resources.

  16. Check the box next to Run with highest privileges.

    A screenshot of the General tab in the New Task (At least Windows 7) Properties dialog box. Information from instructions #15 and #16 is included.

  17. Select the Triggers tab.

  18. Click New….

  19. Select On a schedule for Begin the task.

  20. Select Daily.

  21. Check the box next to Delay task for.

  22. Select 30 minutes.

  23. Ensure Enabled is selected and click OK.

    A screenshot of the New Trigger dialog box and the Enabled box is checked. The OK button is selected.

  24. Select the Actions tab.

  25. Click New….

  26. Select Start a program.

  27. For Program/script, enter C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.

  28. For Add arguments, enter -executionpolicy unrestricted "C:\Temp\EnforcePolicy.ps1" "C:\Temp\intelprofile.xml".

  29. For Start In, enter C:\Temp.

  30. Click OK.

    A screenshot of the New Action dialog box with information from instruction #29 above.

  31. Click OK.

    A screenshot of the Actions tab in the New Task (At least Windows 7) Properties dialog box.

    A screenshot of the Scheduled Tasks screen within the Group Policy Management Editor window.
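
As an added example (not from the guide), the following PowerShell snippet evaluates the two WMI filters defined in Section 2.2.6.4 on a client the way Group Policy does, and reports which of the GPOs from Sections 2.2.6.5 through 2.2.6.7 would currently apply to that machine. It assumes the Intel_Authenticate class is published in the root\cimv2 namespace, the default namespace for GPO WMI filters.

```powershell
# Added example, not from the guide: check the Section 2.2.6.4 WMI filters on a
# client before or after the GPOs roll out. Assumption: Intel_Authenticate lives
# in root\cimv2, which is the namespace Group Policy WMI filters query by default.

$namespace = "root\cimv2"
$filters = [ordered]@{
    "Is Intel Authenticate Supported" = 'SELECT * FROM Intel_Authenticate WHERE Supported="true"'
    "Is Intel Authenticate Installed" = 'SELECT * FROM Intel_Authenticate WHERE isClientInstalled="true" AND isEngineInstalled="true"'
}

function Test-GpoWmiFilter {
    param([string]$Query)
    # Group Policy treats a WMI filter as passed when the query returns at
    # least one instance. If the class does not exist yet (for example before
    # the discovery task from Section 2.2.6.5 has run), the query throws and
    # the filter is treated as failed, so the filtered GPOs do not apply.
    try {
        $result = Get-CimInstance -Namespace $namespace -Query $Query -ErrorAction Stop
        return [bool]($result | Measure-Object).Count
    } catch {
        return $false
    }
}

$status = @{}
foreach ($name in $filters.Keys) {
    $status[$name] = Test-GpoWmiFilter -Query $filters[$name]
    "{0,-32} : {1}" -f $name, $status[$name]
}

# Map the results onto the guide's three GPOs. The discovery GPO carries no
# WMI filter and always applies; the other two are gated by the filters above.
"Discover GPO (2.2.6.5): applies"
"Install GPO  (2.2.6.6): " + $(if ($status["Is Intel Authenticate Supported"]) { "applies" } else { "filtered out" })
"Enforce GPO  (2.2.6.7): " + $(if ($status["Is Intel Authenticate Installed"]) { "applies" } else { "filtered out" })
```

Running this on a client that never receives the Install or Enforce GPO shows directly whether the cause is the filter (class missing or properties not "true") rather than GPO linking or scheduled-task errors.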

2.2.7. Intel Virtual Smart Card (VSC) Configuration

2.2.7.1. Configuring MyID for Intel VSC
  1. Open MyID Desktop.

  2. Click New Action.

  3. Click Configuration > Operation Settings.

    A screenshot of the New Action window in the MyID Desktop application. The Configuration tab is selected.

  4. Go to the Devices tab.

  5. Delete the value in Default Card Data Model.

  6. Set Enable Intel Virtual Smart Card support to Yes.

  7. Click Save changes.

    A screenshot of the Operation Settings/Devices tab in the MyID Desktop application.

2.2.7.2. Setting Up a PIN Protection Key
  1. Click New Action.

  2. Click Configuration > Key Manager.

    A screenshot of the New Action window in the MyID Desktop application. The Key Manager icon is selected.

  3. For Select Key Type to Manage, select PIN Generation Key.

  4. Click Next.

    A screenshot of the Key Manager window in the MyID Desktop application. "PIN Generation Key" is selected from the dropdown menu.

  5. Click Add New Key.

    A screenshot of the Key Manager/Existing Keys tab in the MyID Desktop application. The Add New Key button is highlighted.

  6. Enter a name and a description.

  7. For Encryption Type, select 3DES.

  8. Select Automatically Generate Encryption Key in Software and Store on Database.

  9. Click Save.

    A screenshot of the Key Manager window in the MyID Desktop application. Information from instructions 6-8 above is shown.

2.2.7.3. Creating a Credential Profile
  1. Click New Action.

  2. Click Configuration > Credential Profiles.

  3. Click New.

    A screenshot of the Credential Profiles window in the MyID Desktop application. The New button is selected.

  4. Enter a name and a description.

  5. Check the box next to Derived Credential.

  6. Check the box next to Intel Virtual Smart Card (Only).

    A screenshot of the Credential Profiles window in the MyID Desktop application. The Derived Credential and Intel Virtual Smart Card (Only) boxes are checked.

  7. Select the Services tab.

  8. Check the box next to MyID Logon.

  9. Check the box next to MyID Encryption.

    A screenshot of the Credential Profiles window in the MyID Desktop application. The MyID Logon and MyID Encryption boxes are checked.

  10. Select the Issuance Settings tab.

  11. Set Require Activation to No.

  12. Set Pre-encode Card to None.

  13. Set Require Fingerprints at Issuance to Never Required.

  14. Set Require Facial Biometrics to Never Required.

  15. Set Additional Authentication to None.

  16. Set Terms and Conditions to None.

  17. Set Proximity Card Check to None.

  18. Set Notification Scheme to None.

  19. Uncheck all boxes.

  20. Set Mobile Device Restrictions to Any.

  21. Set Generate Logon Code to Simple.

    A screenshot of the Credential Profiles window in the MyID Desktop application. Information and actions from instructions 10-21 above are shown.

  22. Select the PIN Settings tab.

  23. For PIN Algorithm, select EdeficePinGenerator.

  24. For Protected Key, select the PIN generation key created earlier.

    A screenshot of the Credential Profiles window in the MyID Desktop application. Information and actions from instructions 22-24 above are shown.

  25. Select the Device Profiles tab.

  26. For Card Format, select PIVDerivedCredential.xml.

  27. Click Next.

    A screenshot of the Credential Profiles window in the MyID Desktop application. Information and actions from instructions 25-27 above are shown.

  28. Select the certificates to be issued with the VSC.

  29. Click Next.

    A screenshot of the Select Certificates tab in the Credential Profiles window in the MyID Desktop application.

  30. Select the roles that are allowed to use this profile.

  31. Click Next.

    A screenshot of the Select Roles tab in the Credential Profiles window in the MyID Desktop application.

  32. Enter a description and click Next.

    A screenshot of the Add Comments tab in the Credential Profiles window in the MyID Desktop application. The Next button is highlighted.

2.2.8. DPC Life-Cycle Workflows

This section details the steps to perform issuance and termination of the DPC by using the MyID CMS. Issuance is started from the MyID Self-Service Kiosk application, while termination uses the MyID Desktop administration application.

2.2.8.1. Mobile Device Issuance Workflow

The following steps are performed by the DPC Applicant by using the MyID Self-Service Kiosk and the MyID Identity Agent application on the target mobile device.

  1. At the Welcome screen of the MyID Self-Service Kiosk, insert your PIV Card into the card reader.

    A screenshot of the MyID Self-Service Kiosk welcome screen that is prompting a user to insert their PIV card.

  2. On the Enter your PIN screen:

    1. Enter the PIN used to activate the inserted PIV Card.

    2. Select Next.

      A screenshot of the Enter your PIN screen in MyID Self-Service Kiosk.

  3. On the Select Credential Profile screen:

    1. To provision the DPC to the MyID software token, select Derived PIV Profile.

    2. To provision the DPC to the iOS Secure Enclave hardware-backed token, select DPC for Native iOS Keystore.

      A screenshot of Select Credential Profile screen in the MyID Self-Service Kiosk.

    3. The MyID Self-Service Kiosk will display a QR code; the remaining steps are completed by using the MyID Identity Agent application on the target mobile device.

      A screenshot of the MyID Self-Service Kiosk showing the QR code.

  4. Launch MyID Identity Agent.

  5. On the initial screen, under Actions, tap Scan QR Code.

    A screenshot of the MyID Identity Agent as shown on a tablet.

  6. Use the device camera to capture the QR code displayed by the MyID Self-Service Kiosk.

    A screenshot of a device camera capturing the QR code.

  7. On the Set PIN screen:

    1. In the Enter PIN field, enter a numeric PIN that will be used to activate the DPC.

    2. In the Confirm PIN field, enter the same numeric PIN.

      PIN entry dialog for DPC.

  8. If DPC provisioning was successful, the Identities screen will provide a visual representation of information for the DPC subscriberʼs linked PIV Card.

    Completed DPC issuance visual.

2.2.8.2. Intel Authenticate Issuance Workflow
2.2.8.2.1. Requesting a DPC for Intel VSC
  1. Go to a MyID Kiosk.

    Initial DPC issuance kiosk screen that prompts for PIV Card.

  2. Insert a PIV Card.

  3. Enter the PIN for the PIV Card.

    PIN Entry screen in DPC issuance kiosk.

  4. Select the profile created for Derived PIV. An email will be sent to the user with a one-time code for collection.

    Prompt to choose credential profile from options.

    Notification to subscriber that email has been sent with instructions.

2.2.8.2.2. Collecting the DPC

The following procedures will request and install the DPC in the Intel Authenticate protected token. Note that the DPC will be protected by the enrollment factors set in Section 2.2.5.5.

  1. On the client machine, open the MyID Self-Service Application with the parameters /nopopup and /iptonly:

    $ MyIDApp.exe /nopopup /iptonly

  2. Click Continue.

    First step in workflow to collect DPC using Intel device.

  3. Enter the Logon Code from the email.

  4. Click Continue.

    Step 4 in workflow to collect DPC. Prompt to enter logon code.

  5. Click Finish after the certificates are successfully collected.

    End of workflow showing activity completed.

2.2.8.3. Maintenance Workflow

Changes to a DPC subscriberʼs PIV Card that would result in a rekey or reissuance (e.g., official name change) require the subscriber to repeat the initial issuance workflow as described in the previous section. The issued DPC will replace any existing DPC in the Identity Agent container.

2.2.8.4. Termination Workflow
  1. Select the target device associated with the DPC subscriber that will be terminated.

  2. Select a reason for termination, and enter any other required information for policy compliance.

    Workflow screen for terminating a DPC through admin console. Administrator gives a reason code.

  3. Click Next.

  4. Confirm the termination of the DPC.

    Final step in workflow to terminate DPC. Image shows confirmation screen for administrator.

Appendix A List of Acronyms

AD Active Directory
ADFS Active Directory Federation Services
CA Certificate Authority
CMS Credential Management System
DMZ Demilitarized Zone
DN Distinguished Name
DPC Derived PIV Credential
EMM Enterprise Mobility Management
GPO Group Policy Object
IDAM Identity and Access Management
IDG Identity Guard
IDMS Identity Management System
IIS Internet Information Services
IT Information Technology
JTK Java Tool Kit
LDAP Lightweight Directory Access Protocol
NACI National Agency Check with Inquiries
NCCoE National Cybersecurity Center of Excellence
NIST National Institute of Standards and Technology
OFW Outer Firewall
OID Object Identifier
OS Operating System
OU Organizational Unit
PIN Personal Identification Number
PIV Personal Identity Verification
PKCS Public Key Cryptography Standards
PKI Public Key Infrastructure
QR Quick Response (code)
RSA Rivest-Shamir-Adleman
SCEP Simple Certificate Enrollment Protocol
SP Special Publication
SQL Structured Query Language
SSL Secure Sockets Layer
SSP Shared Service Provider
TLS Transport Layer Security
UPI UniCERT Programmatic Interface
UPN User Principal Name
URL Universal Resource Locator
VLAN Virtual Local Area Network
VSC Virtual Smart Card
WAN Wide Area Network
WMI Windows Management Instrumentation
WSVC World Wide Web Publishing Service