Microsoft Endpoint Manager is excited to announce support for derived credentials on Android Enterprise fully managed devices. This release of derived credentials is integrated with Entrust Datacard and Intercede in support of NIST 800-157 requirements. It is available immediately on Android Enterprise fully managed devices running Android 7.0 and above.
Derived credentials help enable mobile productivity at high-security organizations that use physical smart card readers to authenticate employees and contractors for secure access. Smart cards provide seamless and secure authentication to apps, websites, Wi-Fi, and VPN as well as enable the use of S/MIME to sign and encrypt email. With use of productivity apps on mobile devices becoming commonplace in many government and high security organizations, there is a need to embrace iOS and Android devices for work while still maintaining a highly secure environment. On laptops and desktops, users can connect smart card readers.
This article discusses how to enable the same level of security when users authenticate from their Android phones. In a previous article, we discussed support for derived credentials on iOS, and in the future we expect to add support for Windows 10 and other partners such as DISA Purebred.
Mobile device enrollment flow with derived credentials
So how do smart card users join the secure passwordless revolution from their mobile phones if they cannot plug their smart card into their phone for authentication? They begin by authenticating themselves using a smart card reader on a trusted device, which links that authentication with their mobile device. A digital certificate is then issued to the mobile device. To keep the user experience smooth, the derived credential enrollment flow is built into the Intune Company Portal app, which is the app used to enroll the device with Intune.
Let's walk through the end user experience on day zero, where a user wants to enroll an Android Enterprise fully managed device with Microsoft Intune (now a part of Microsoft Endpoint Manager) to get access to company resources, such as Office 365 apps on mobile. End users authenticate using their smart card (from a smart card enabled device) when enrolling the mobile device with Intune and then once more with the derived credential issuer’s identity system. After successfully completing both steps, a digital certificate is issued to the mobile device.
Users will be prompted shortly after enrollment to retrieve their derived credential and will be guided through the process.
- Enrollment starts with a new or factory-reset device. Intune and Android Enterprise provide multiple methods for initiating fully managed device enrollment such as QR code or token enrollment.
- During the out-of-box experience, the user is guided through enrolling with Intune and installing and authenticating to the Microsoft Intune app. When the user reaches a sign-in screen, they choose Sign in from another device, since they don't have a password. On a smart card-enabled device, such as a Windows PC, the user visits https://microsoft.com/devicelogin to complete the authentication request using the code that is displayed on their mobile device.
- The user enters this code into the https://microsoft.com/devicelogin site on their Windows PC and authenticates with their smart card, which completes the authentication request for Intune. Authenticating this way lets the user complete the rest of the Intune enrollment workflow on the mobile device.
- After Intune enrollment, an app notification for Microsoft Intune informs the user that they need to go through the enrollment process to get a mobile smart credential (their derived credential). Alternatively, email notifications can be used as well.
- After clicking on the notification, the user is taken to the derived credential enrollment flow within the Company Portal and follows the process to get certificates from the derived credential provider onto the device. This experience can be fully branded with your organization’s user documentation, logo, name and more.
- The final part of the process varies depending on the certificate provider, but generally involves using a physical smart card on a trusted PC to authenticate with the provider's identity system and linking that authentication to the request on the mobile device. Depending on the provider, the user may have to scan a QR code on the mobile device.
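The second and third steps above rely on a cross-device code binding: the phone shows a short code, the user types it on a trusted PC only after proving identity with the smart card, and only then does the phone's sign-in complete. The following is an added, self-contained model of that pattern written for this article; it is not Microsoft's, Intune's or any partner's code. The service name, code length and alphabet, the 15-minute lifetime, the placeholder verification URL and the sample smart-card subject are all assumptions chosen for illustration.

```python
"""In-memory model of the "sign in from another device" code binding.

Constructed illustration, not Microsoft's implementation: the mobile
device requests a code pair, the user submits the short user code on a
trusted PC after smart-card authentication, and the mobile device's
poll succeeds only once that approval exists and has not expired.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # assumed: no vowels or ambiguous glyphs
USER_CODE_LENGTH = 8                          # assumed length of the on-screen code
CODE_TTL_SECONDS = 15 * 60                    # assumed lifetime of a pending code
POLL_INTERVAL_SECONDS = 5                     # assumed minimum spacing between polls


@dataclass
class PendingAuth:
    device_code: str           # long secret, known only to the requesting phone
    user_code: str             # short code displayed on the phone for the user to type
    created_at: float
    approved_by: Optional[str] = None   # smart-card identity that approved the code


class DeviceLoginService:
    """Plays the role of the identity service that both devices talk to."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._by_device_code: Dict[str, PendingAuth] = {}
        self._by_user_code: Dict[str, PendingAuth] = {}

    def _new_user_code(self) -> str:
        return "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(USER_CODE_LENGTH))

    def start(self) -> dict:
        """Mobile device asks for a code pair (what the phone does at the sign-in screen)."""
        device_code = secrets.token_urlsafe(32)
        user_code = self._new_user_code()
        while user_code in self._by_user_code:      # avoid handing out a live code twice
            user_code = self._new_user_code()
        pending = PendingAuth(device_code, user_code, self._now())
        self._by_device_code[device_code] = pending
        self._by_user_code[user_code] = pending
        return {
            "device_code": device_code,
            "user_code": user_code,
            "verification_uri": "https://example.invalid/devicelogin",  # placeholder URL
            "expires_in": CODE_TTL_SECONDS,
            "interval": POLL_INTERVAL_SECONDS,
        }

    def approve(self, user_code: str, smartcard_subject: Optional[str]) -> str:
        """Trusted PC submits the typed code. smartcard_subject is the identity the
        smart card proved; None means smart-card authentication did not succeed."""
        pending = self._by_user_code.get(user_code.strip().upper())
        if pending is None or self._expired(pending):
            return "invalid_or_expired_code"
        if smartcard_subject is None:
            return "smartcard_auth_required"      # the code alone never grants access
        if pending.approved_by is not None:
            return "already_approved"             # a second party cannot re-bind it
        pending.approved_by = smartcard_subject
        return "approved"

    def poll(self, device_code: str) -> dict:
        """Mobile device polls with its secret device code until approval arrives."""
        pending = self._by_device_code.get(device_code)
        if pending is None:
            return {"error": "invalid_grant"}
        if self._expired(pending):
            self._forget(pending)
            return {"error": "expired_token"}
        if pending.approved_by is None:
            return {"error": "authorization_pending"}
        self._forget(pending)                     # single use: a later poll gets invalid_grant
        return {"subject": pending.approved_by, "token": secrets.token_urlsafe(32)}

    def _expired(self, p: PendingAuth) -> bool:
        return self._now() - p.created_at > CODE_TTL_SECONDS

    def _forget(self, p: PendingAuth) -> None:
        self._by_device_code.pop(p.device_code, None)
        self._by_user_code.pop(p.user_code, None)


def walkthrough() -> dict:
    """Happy path: phone starts, PC approves after smart-card auth, phone polls."""
    svc = DeviceLoginService()
    codes = svc.start()
    assert svc.poll(codes["device_code"])["error"] == "authorization_pending"
    svc.approve(codes["user_code"], "CN=Sample User")   # constructed card subject
    return svc.poll(codes["device_code"])


if __name__ == "__main__":
    print(walkthrough()["subject"])
```

The three properties worth noticing are the ones the enrollment flow depends on: the short user code is useless on its own (approval without a smart-card identity is refused), the code is bound to exactly one identity and cannot be re-approved, and both the approval and the poll stop working once the lifetime passes, so a code left on a screen does not stay redeemable.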
Once the process is complete and certificates are received, the mobile device can be used for authentication, Wi-Fi, VPN, or S/MIME signing and/or encryption with apps that support it, as defined by the policies configured by the administrator.
With support for derived credentials, high-security customers in both federal and private sector can deliver a consistent experience to smart card users on not only Windows devices, but mobile devices as well. To get started, check out the derived credentials documentation for instructions to integrate with our partners, including Entrust Datacard and Intercede. We’re excited to help Microsoft customers enable secure passwordless access for all endpoints on the industry’s leading manageability and security platform.
More info and feedback
For more information on how to deploy Microsoft Endpoint Manager, add our detailed technical documentation as a favorite. Don’t have Microsoft Intune? Start a free trial or buy a subscription today!
As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.
Follow @MSIntune on Twitter
(This article is co-authored with Jessica Yang, Program Manager, Microsoft Endpoint Manager)