Microsoft Endpoint Manager is excited to announce support for derived credentials on Android Enterprise fully managed devices. This release of derived credentials is integrated with Entrust Datacard and Intercede in support of NIST 800-157 requirements. It is available immediately on Android Enterprise fully managed devices running Android 7.0 and above.
Derived credentials help enable mobile productivity at high-security organizations that use physical smart card readers to authenticate employees and contractors for secure access. Smart cards provide seamless and secure authentication to apps, websites, Wi-Fi, and VPN as well as enable the use of S/MIME to sign and encrypt email. With use of productivity apps on mobile devices becoming commonplace in many government and high security organizations, there is a need to embrace iOS and Android devices for work while still maintaining a highly secure environment. On laptops and desktops, users can connect smart card readers.
This article discusses how to enable the same level of security when authenticating using their Android phones. In a previous article, we discussed support for derived credentials on iOS, and in the future we expect to add support for Windows 10 and other partners such as DISA Purebred.
So how do smart card users join the secure passwordless revolution from their mobile phones if they cannot plug-in their smart card into their phone for authentication? They begin by authenticating themselves using a smart card reader on trusted devices which links the authentication with their mobile device. A digital certificate is then issued to the mobile device. In order to make the user experience smooth for end users, the derived credential enrollment flow is built into the Intune Company Portal app, which is the app used to enroll the device with Intune.
Let's walk through the end user experience on day zero, where a user wants to enroll an Android Enterprise fully managed device with Microsoft Intune (now a part of Microsoft Endpoint Manager) to get access to company resources, such as Office 365 apps on mobile. End users authenticate using their smart card (from a smart card enabled device) when enrolling the mobile device with Intune and then once more with the derived credential issuer’s identity system. After successfully completing both steps, a digital certificate is issued to the mobile device.
Users will be prompted shortly after enrollment to retrieve their derived credential and will be guided through the process.
Once the process is complete and certificates are received, the mobile device can be used for authentication, Wi-Fi, VPN, or S/MIME signing and/or encryption with apps that support it, as defined by the policies configured by the administrator.
With support for derived credentials, high-security customers in both federal and private sector can deliver a consistent experience to smart card users on not only Windows devices, but mobile devices as well. To get started, check out the derived credentials documentation for instructions to integrate with our partners, including Entrust Datacard and Intercede. We’re excited to help Microsoft customers enable secure passwordless access for all endpoints on the industry’s leading manageability and security platform.
More info and feedback
As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.
Follow @MSIntune on Twitter
(This article is co-authored with Jessica Yang, Program Manager, Microsoft Endpoint Manager)
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.