
Use Intercede MyID to provide derived credentials certificates to devices

You can use the Intercede MyID PIV credential management solution to provide derived credentials certificates to iOS and Android devices activated on UEM. Follow the steps below to create and assign an Intercede user credential profile to users and groups. After the profile is delivered to a device, the user can scan the Intercede QR code from the UEM Client to activate with MyID and download derived credentials certificates from MyID to the device’s BlackBerry Dynamics keystore, or to the BlackBerry Dynamics keystore and the device's native key chain.
Note that the settings that you configure in the profile apply to both iOS and Android devices.
The following UEM administrator permissions control how administrators can work with standard user credential profiles and Intercede user credential profiles: View user credential profiles, Create and edit user credential profiles, Delete user credential profiles.
  • To support this feature for iOS devices, "Enable UEM Client to enroll in BlackBerry Dynamics" must be enabled in the assigned BlackBerry Dynamics profile. By default, this setting is enabled.
  • Verify that devices are running UEM Client for iOS version 12.51.x or later or the UEM Client for Android version 12.45.x or later.
  • Create and assign a CA certificate profile to users and groups to deliver the certificates for your organization’s Intercede MyID server to devices.
  1. In the management console, on the menu bar, click Policies and profiles > Managed devices > Certificates > Intercede user credential.
  2. Click the Add icon.
  3. Type a name and description for the profile.
  4. Under BlackBerry Dynamics app list, choose one of the following:
    • Allow all BlackBerry Dynamics apps to use certificates: The certificates delivered by MyID are stored in the BlackBerry Dynamics keystore and can be used by any BlackBerry Dynamics apps on the device.
    • Allow specified BlackBerry Dynamics apps to use certificates: The certificates delivered by MyID are stored in the BlackBerry Dynamics keystore and can be used only by the specified BlackBerry Dynamics apps.
  5. Configure the following settings:
    | Setting | Supported for | Description |
    | --- | --- | --- |
    | Allow additional QR scan methods | iOS, Android | If enabled, the UEM Client can scan the Intercede QR code using the camera, a saved image, or the clipboard. If not selected, the UEM Client can scan the Intercede QR code using the camera only. |
    | Deliver to built-in key chain | iOS, Android | If enabled, certificates delivered by MyID are also stored in the device’s native key chain and can be used by native apps (for example, Safari). Storing certificates in the native key chain is not supported for devices with the iOS User privacy and User privacy - User enrollment activation types. If you enable this setting, you cannot change it after the profile is saved. If you want to turn this setting off, you must create a new profile that does not have this setting enabled and assign it to users and groups. |
    | Hide certificate on Android Enterprise devices | Android | If enabled, Android Enterprise users cannot view the derived credentials certificates on the device. This setting is available only if you enable Deliver to built-in key chain. If you enable this setting, you cannot change it after the profile is saved. If you want to turn this setting off, you must create a new profile that does not have this setting enabled and assign it to users and groups. |
  6. Click Save.
  • Assign the profile to user accounts and user groups.
  • After the profile is delivered to devices, instruct users to open the UEM Client and navigate to Assigned profiles > Import certificates to scan the Intercede QR code that is shared by the MyID administrator. The QR code will allow the device to activate with MyID and download the derived credentials certificates.
  • If the MyID administrator changes the derived credentials certificates, you can instruct users to use the UEM Client to import the certificates again (Assigned profiles > Import certificates > scan the Intercede QR code). The reimport will replace the existing certificates with the new ones that it downloads from MyID.
  • On iOS devices, the MyID integration is dependent on the BlackBerry Dynamics user certificate. If you remove the BlackBerry Dynamics certificate for a user from the user summary in the management console, the MyID integration is deactivated.