Issuing Devices

Device issuance is the process by which a device becomes ready for use by an employee. Multiple devices, including virtual smart cards, mobile app certificates and smart USB keys, can be issued to a single employee.

Note:
  • In this version of ActivID CMS, a user is limited to only one primary device (physical or virtual smart card, or YubiKey) and one derived mobile device (Apple iOS 10 or higher) using mobile app certificates.

  • Currently, mobile app certificates can only be derived from a physical smart card.

The device issuance process includes loading data (such as PKI credentials or demographic data) into the device and then, where applicable, eventually printing user information (such as the name or a photograph) on the card.

Based on an organization’s requirements, ActivID CMS can support several different processes for issuing devices to users. When ActivID CMS issues a device, it distinguishes between the initial device issuance and the replacement device issuance. Moreover, each of these issuance types supports different issuance modes. The following figure illustrates the issuance modes available for an initial device issuance.

Device Issuance Modes for an Initial Device Issuance

Note:

The following table lists the issuance type, who issues the device, and a description of the process.

Device Issuance Process for an Initial Device

Issuance Types

Issued By

Descriptions

Local (Face-to-Face Issuance)

Issuance operator

Device is issued by a single operator and given to the user, fully functional.

Validated

  • Validation officer

  • Issuance operator

The issuance requires approval from a Validation officer. The Issuance operator cannot personalize the device without this approval. This issuance type is more secure, as more than one operator is involved. For more information, see Creating an Issuance Request.

Self-Enrollment (binding by operator)

User

Binding is the process whereby ActivID CMS records the serial number of a device that will be issued to a user in the future. The device is then bound to the user, and only this device can be issued to the future user (see Binding a Device).

The Issuance operator binds (assigns) the device to the user before the user can personalize the device.

Device binding is a logical operation that does not affect the device (for example, no data is loaded on the chip at this stage).

If desired, the operator can print user information on the card during the binding step.

The Issuance operator gives the device to the user.

The user personalizes the device by logging on to ActivID CMS User Portal.

Note: Device personalization and device enrollment are considered to be equivalent terms.

Self-Enrollment (binding by user)

User

Binding is done by user.

  • In the case of a smart card or YubiKey, the user assigns the device to him/herself and personalizes it.

  • In the case of a virtual smart card, the user assigns the (already-created) virtual smart card on his/her computer to him/herself and personalizes it.

  • In the case of mobile app certificates, the user starts the personalization process of the mobile device from the ActivID CMS User Portal, and completes it directly on the mobile device.

This process significantly reduces the work of the operator, but also reduces the control that ActivID CMS operators have over devices used for issuance.

Remote Issuance (Mobile Smart Card only)*

User

Device is issued by a single operator and enrollment is carried out on the mobile device by the user.

* Support for mobile smart cards has been deprecated starting with ActivID CMS 5.4.

Important: If you want to use a Google Chrome or Microsoft Edge browser to issue and update devices on the Operator Portal, you need to download the ActivID CMS browser extension as well as the ActivID CMS Client. You can do this using links provided directly on the Device Issuance or Device Update page. For details, see About Using Google Chrome or Microsoft Edge Browsers

Topics in this section: