Go passwordless on Android devices using derived credentials with Microsoft Endpoint Manager
Published Apr 20 2020 03:00 AM

Microsoft Endpoint Manager is excited to announce support for derived credentials on Android Enterprise fully managed devices. This release of derived credentials is integrated with Entrust Datacard and Intercede in support of NIST 800-157 requirements. It is available immediately on Android Enterprise fully managed devices running Android 7.0 and above.


Derived credentials help enable mobile productivity at high-security organizations that use physical smart card readers to authenticate employees and contractors for secure access. Smart cards provide seamless and secure authentication to apps, websites, Wi-Fi, and VPN, and they enable the use of S/MIME to sign and encrypt email. With productivity apps on mobile devices becoming commonplace in many government and high-security organizations, there is a need to embrace iOS and Android devices for work while still maintaining a highly secure environment. On laptops and desktops, users can simply connect a smart card reader; a phone offers no such option.


This article discusses how to enable the same level of security when users authenticate from their Android phones. In a previous article, we discussed support for derived credentials on iOS, and in the future we expect to add support for Windows 10 and other partners such as DISA Purebred.


Mobile device enrollment flow with derived credentials


So how do smart card users join the secure passwordless revolution from their mobile phones if they cannot plug their smart card into their phone for authentication? They begin by authenticating themselves using a smart card reader on a trusted device, which links that authentication with their mobile device. A digital certificate is then issued to the mobile device. To keep the experience smooth for end users, the derived credential enrollment flow is built into the Intune Company Portal app, the same app used to enroll the device with Intune.


Let's walk through the end user experience on day zero, where a user wants to enroll an Android Enterprise fully managed device with Microsoft Intune (now a part of Microsoft Endpoint Manager) to get access to company resources, such as Office 365 apps on mobile. End users authenticate using their smart card (from a smart card enabled device) when enrolling the mobile device with Intune and then once more with the derived credential issuer’s identity system. After successfully completing both steps, a digital certificate is issued to the mobile device.


Users will be prompted shortly after enrollment to retrieve their derived credential and will be guided through the process.


  • Enrollment starts with a new or factory-reset device. Intune and Android Enterprise provide multiple methods for initiating fully managed device enrollment such as QR code or token enrollment.
  • During the out-of-box experience, the user is guided through enrolling with Intune and installing and authenticating to the Microsoft Intune app. When the user reaches a sign-in screen, they choose Sign in from another device, since they don't have a password. On a smart card-enabled device, such as a Windows PC, the user visits https://microsoft.com/devicelogin to complete the authentication request using the code that is displayed on their mobile device.

(Screenshot: 2004 Android 01.png)


  • The user enters this code into the https://microsoft.com/devicelogin site on their Windows PC and authenticates with their smart card, which completes the authentication request for Intune. Authenticating this way lets the user complete the rest of the Intune enrollment workflow on the mobile device.

(Screenshot: 2004 Android 02.png)


  • After Intune enrollment, an app notification for Microsoft Intune informs the user that they need to go through the enrollment process to get a mobile smart credential (their derived credential). Alternatively, email notifications can be used as well.

(Screenshot: 2004 Android 03.png)


  • After clicking on the notification, the user is taken to the derived credential enrollment flow within the Company Portal and follows the process to get certificates from the derived credential provider onto the device. This experience can be fully branded with your organization’s user documentation, logo, name and more.

(Screenshot: 2004 Android 04.png)


  • The final part of the process varies depending on the certificate provider, but it generally involves using a physical smart card on a trusted PC to authenticate with the provider's identity system and linking that authentication to the pending request on the mobile device. Depending on the provider, the user may have to scan a QR code with the mobile device.

(Screenshot: 2004 Android 05.png)
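The "Sign in from another device" step in the walkthrough is the OAuth 2.0 device authorization grant (RFC 8628): the phone obtains a short user code to display and a long secret device code to keep, the user redeems the user code on a trusted PC after smart card authentication, and the phone polls until the authorization server binds the verified identity to its device code. The following Python model is an added example, not Microsoft's code and not the Microsoft identity platform's endpoints; the `DeviceCodeAuthority` class, its method names and the token format are assumptions made for illustration. It shows the properties a defender cares about in this pairing: the device code never leaves the phone, the user code is single-use, and both expire.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed model of the cross-device sign-in step described above.
# Added example; class and method names are assumptions, not Microsoft's API.

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # no vowels or look-alikes, easier to type
USER_CODE_LEN = 8


@dataclass
class PendingAuthorization:
    device_code: str            # secret held only by the enrolling phone
    user_code: str              # short code the user types on the trusted PC
    expires_at: float
    interval: int = 5           # seconds the phone should wait between polls
    subject: Optional[str] = None   # identity verified on the PC, once approved
    used: bool = False


class DeviceCodeAuthority:
    """Issues device/user code pairs and binds a PC-side authentication to them."""

    def __init__(self, lifetime_s: int = 900, clock: Callable[[], float] = time.monotonic):
        self.lifetime_s = lifetime_s
        self.clock = clock
        self._by_device: Dict[str, PendingAuthorization] = {}
        self._by_user: Dict[str, PendingAuthorization] = {}

    # Step 1 (phone): request a code pair. Only user_code is ever displayed.
    def start(self) -> PendingAuthorization:
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(USER_CODE_LEN))
        pa = PendingAuthorization(device_code, user_code, self.clock() + self.lifetime_s)
        self._by_device[device_code] = pa
        self._by_user[user_code] = pa
        return pa

    # Step 2 (trusted PC, after smart card authentication succeeded there):
    # bind the verified subject to the code the user typed. The PC never
    # sees the device code.
    def approve(self, user_code: str, authenticated_subject: str) -> bool:
        pa = self._by_user.get(user_code.upper().replace("-", ""))
        if pa is None or pa.used or self.clock() > pa.expires_at:
            return False
        pa.subject = authenticated_subject
        pa.used = True  # a user code can be redeemed exactly once
        return True

    # Step 3 (phone): poll with the secret device code until a decision exists.
    def poll(self, device_code: str) -> dict:
        pa = self._by_device.get(device_code)
        if pa is None:
            return {"error": "invalid_grant"}
        if self.clock() > pa.expires_at:
            self._drop(pa)
            return {"error": "expired_token"}
        if pa.subject is None:
            return {"error": "authorization_pending", "interval": pa.interval}
        self._drop(pa)  # one-shot: the device code cannot be redeemed again
        return {"access_token": "token-for-" + pa.subject, "subject": pa.subject}

    def _drop(self, pa: PendingAuthorization) -> None:
        self._by_device.pop(pa.device_code, None)
        self._by_user.pop(pa.user_code, None)


def enrol_with_smart_card(authority: DeviceCodeAuthority, pc_subject: str) -> dict:
    """Walk the three steps end to end and return the phone's final poll result."""
    pending = authority.start()                     # phone shows pending.user_code
    first = authority.poll(pending.device_code)     # nothing approved yet
    if first.get("error") != "authorization_pending":
        return first
    if not authority.approve(pending.user_code, pc_subject):   # user on the PC
        return {"error": "approval_failed"}
    return authority.poll(pending.device_code)      # phone now receives its token


if __name__ == "__main__":
    print(enrol_with_smart_card(DeviceCodeAuthority(), "alice@contoso.example"))
```

The binding between the two devices is nothing more than the user typing the short code on the PC where the smart card was used, so the authority keeps the window small: a code lifetime measured in minutes, one redemption per user code, and the device code discarded as soon as a token is handed out. Those are the same controls to look for when reviewing any cross-device sign-in deployment.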


Once the process is complete and the certificates have been received, the mobile device can be used for authentication, Wi-Fi, VPN, and S/MIME signing and/or encryption with apps that support it, as defined by the policies the administrator has configured.

(Screenshot: 2004 Android 06.png)


Next steps


With support for derived credentials, high-security customers in both the federal and private sectors can deliver a consistent experience to smart card users not only on Windows devices but on mobile devices as well. To get started, check out the derived credentials documentation for instructions on integrating with our partners, including Entrust Datacard and Intercede. We’re excited to help Microsoft customers enable secure passwordless access for all endpoints on the industry’s leading manageability and security platform.


More info and feedback


For more information on how to deploy Microsoft Endpoint Manager, add our detailed technical documentation as a favorite. Don’t have Microsoft Intune? Start a free trial or buy a subscription today!


As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.




Follow @MSIntune on Twitter



(This article is co-authored with Jessica Yang, Program Manager, Microsoft Endpoint Manager)


Last updated: Feb 10 2023 11:03 AM