Issuing Devices
Device issuance is the process by which a device becomes ready for use by an employee. Multiple devices, including virtual smart cards, mobile app certificates and smart USB keys, can be issued to a single employee.
-
In this version of ActivID CMS, a user is limited to only one primary device (physical or virtual smart card, or YubiKey) and one derived mobile device (Apple iOS 10 or higher) using mobile app certificates.
-
Currently, mobile app certificates can only be derived from a physical smart card.
The device issuance process includes loading data (such as PKI credentials or demographic data) into the device and then, where applicable, eventually printing user information (such as the name or a photograph) on the card.
Based on an organization’s requirements, ActivID CMS can support several different processes for issuing devices to users. When ActivID CMS issues a device, it distinguishes between the initial device issuance and the replacement device issuance. Moreover, each of these issuance types supports different issuance modes. The following figure illustrates the issuance modes available for an initial device issuance.
Device Issuance Modes for an Initial Device Issuance
- The above table only applies to physical devices.
-
For virtual smart cards and mobile app certificates, only Self-Enrollment Issuance (Binding Done by User) is available. For details, see Managing Virtual Smart Cards and Managing Mobile App Certificates.
The following table lists the issuance type, who issues the device, and a description of the process.
Issuance Types |
Issued By |
Descriptions |
---|---|---|
Local (Face-to-Face Issuance) |
Issuance operator |
Device is issued by a single operator and given to the user, fully functional. |
Validated |
|
The issuance requires approval from a Validation officer. The Issuance operator cannot personalize the device without this approval. This issuance type is more secure, as more than one operator is involved. For more information, see Creating an Issuance Request. |
Self-Enrollment (binding by operator) |
User |
Binding is the process whereby ActivID CMS records the serial number of a device that will be issued to a user in the future. The device is then bound to the user, and only this device can be issued to the future user (see Binding a Device). The Issuance operator binds (assigns) the device to the user before the user can personalize the device. Device binding is a logical operation that does not affect the device (for example, no data is loaded on the chip at this stage). If desired, the operator can print user information on the card during the binding step. The Issuance operator gives the device to the user. The user personalizes the device by logging on to ActivID CMS User Portal. Note: Device personalization and device enrollment are considered to be equivalent terms.
|
Self-Enrollment (binding by user) |
User |
Binding is done by user.
This process significantly reduces the work of the operator, but also reduces the control that ActivID CMS operators have over devices used for issuance. |
Remote Issuance (Mobile Smart Card only)* |
User |
Device is issued by a single operator and enrollment is carried out on the mobile device by the user. |
* Support for mobile smart cards has been deprecated starting with ActivID CMS 5.4.
Topics in this section: