ActivID ActivClient Smart Card Auto Update

The ActivID ActivClient Smart Card Auto Update is a component that provides a high level of integration with ActivID CMS. It enables you to automate the update process of smart card content (for cards managed by ActivID CMS), thus eliminating the need for administrators to send emails to end-users, instructing them on how to access the ActivID CMS User Portal in order to execute the update.

Typically, when device updates are available in ActivID CMS (for example, a replacement certificate for a certificate that is about to expire, or a new certificate that has been added to the card), administrators inform users via email that they must access the User Portal and update their device. The email includes a link to the User Portal URL. This method only works if users read the emails and then click on the URL when they are connected to the corporate network.

The Smart Card Auto Update component automates this process. When a smart card is inserted, ActivClient automatically contacts ActivID CMS to determine if a device update request is available for the smart card. This process happens on a regular basis (by default, weekly), to guarantee that updates occur in a timely manner.

  • If no update is available, there is no disruption to the user (the process happens behind the scenes).

  • If an update is available, then ActivClient lets the user decide if the update should be performed or not. For example, if the user is about to disconnect from the network, or about to remove the card, ActivClient offers to cancel the update. In this case, ActivClient will offer to update the card again later on (after the next card insertion).

  • If the user is ready to perform the update, then ActivClient opens a window connected to the ActivID CMS User Portal. The user can authenticate and quickly perform the device update. At the end of the process, the card is ready for use with the updated content.

In addition, users can start the device update process from the ActivClient User Console (using the Tools > Advanced menu). This provides a mechanism to connect to ActivID CMS to check for device updates without waiting for the recurrent (weekly) automatic check. This capability is good for troubleshooting.

End-User Experience

When ActivClient has detected that a card update request is available, and when the user accepts the device update, ActivClient opens a window connecting to the ActivID CMS User Portal. When the device update process is running, users must make sure that they do not:

  • Use the card for other operations (for example, email signature). Such card requests will be automatically blocked until the device update process is complete.

  • Lock the screen or log off until the process is complete.

  • Remove the card until the process is complete.

When the device update is complete, the User Portal instructs the user to remove and re-insert the card in order to use it. This operation guarantees that all ActivClient and Windows components are aware of the new credentials present on the card. For example, if the Windows Logon certificate is updated, removing and re-inserting the card publishes the new certificate to the Windows CAPI store—a requirement for a successful Windows Logon.

The following illustrations show the user experience from the user’s viewpoint.

  1. A notification window is displayed above the Windows notification area.

  2. The User Portal Automatic Update Welcome Screen is displayed. Click Start.

  3. The User Portal Automatic Update Completion Screen is displayed. Click Done.

ActivClient Settings

For details on how to configure ActivClient to work with ActivID CMS for the Smart Card Auto Update, refer to the HID ActivID ActivClient documentation.

Note: A user’s workstation must be configured to support the ActivID CMS User Portal. Refer to the ActivID CMS installation documentation (Installing ActivID CMS) for details about the following steps:

  • How to install the ActivID CMS Root certificates on user workstations.

  • How to install the ActivID CMS Client on user workstations.

You can do this either in advance (for example, install the ActivID CMS Client at the same time you install ActivID ActivClient), or you can automatically install the ActivID CMS Client when the user first accesses the User Portal. Note that this latter option might not be available, depending on your workstation configuration—for example, if users do not have local administrative privileges, then they might not be able to install the ActivID CMS Client. The specific behavior depends on the user's access rights, Windows UAC configuration, and the browser version and security configuration.

To enable the ActivClient Smart Card Automatic Update, you must configure ActivID CMS to allow automatic card updates. Perform this procedure in the ActivID CMS Operator Portal by selecting the Configuration tab, clicking User Portal and then ensuring that the Automatic Updates Operations option is enabled.

ActivID CMS administrators can also decide which updates will be accessible via the ActivClient Smart Card Automatic Update. These options include who can bind the card to the user, whether or not to set security questions during device issuance, whether or not to change the PIN during issuance, etc. For details on these options, refer to Configuring the ActivID CMS User Portal.

In addition, administrators can control how many users can concurrently access the User Portal Automatic Update by customizing the maximum number of concurrent sessions in the Miscellaneous section of the Customization page in the ActivID CMS Operator Portal Configuration tab. The following limits can be customized:

  • CCM API limit: applies to the request ActivClient sends to determine whether an update is pending for the card.

  • User Portal limit: applies to the portal session (Welcome, Progress and Finish screens).

  • Card Synchronization limit: applies to the actual update performed on the card.

Note: When the ActivClient Smart Card Automatic Update checks whether there is a pending update and ActivID CMS is too busy to answer (the CCM API limit has been reached), ActivClient does not display any message to the end-user; it simply retries the check later.
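The following Python model illustrates how the three concurrency limits and the client-side behaviour described above fit together: the pending-update check consumes a CCM API slot, a busy answer is swallowed silently and retried on a later insertion, a declined update is offered again after the next card insertion, and an accepted update needs both a User Portal slot and a Card Synchronization slot. This is an added, constructed example for capacity-planning discussions; it is not ActivClient or ActivID CMS code, and the class names, limit values, card serials and the "portal_busy" outcome (which the documentation does not specify) are all assumptions.

```python
"""Toy model of the ActivClient auto-update check against ActivID CMS admission limits.

Constructed example, not product code. Names and numbers are assumptions.
"""
import threading
from dataclasses import dataclass, field
from typing import Dict, Optional


class AdmissionLimits:
    """Three independent concurrent-session limits, as configured on the
    Customization page of the Operator Portal (default values are made up)."""

    def __init__(self, ccm_api: int = 2, user_portal: int = 5, card_sync: int = 3):
        self.limits = {
            "ccm_api": threading.BoundedSemaphore(ccm_api),
            "user_portal": threading.BoundedSemaphore(user_portal),
            "card_sync": threading.BoundedSemaphore(card_sync),
        }

    def try_acquire(self, name: str) -> bool:
        # Non-blocking: a server at its limit answers "busy" instead of queueing.
        return self.limits[name].acquire(blocking=False)

    def release(self, name: str) -> None:
        self.limits[name].release()


@dataclass
class CmsServer:
    limits: AdmissionLimits
    pending_updates: Dict[str, bool]  # card serial -> update pending?

    def check_pending(self, card_serial: str) -> Optional[bool]:
        """True/False, or None when the CCM API limit is reached (server busy)."""
        if not self.limits.try_acquire("ccm_api"):
            return None
        try:
            return self.pending_updates.get(card_serial, False)
        finally:
            self.limits.release("ccm_api")

    def run_update(self, card_serial: str) -> bool:
        """Portal session plus card synchronization; each needs its own slot."""
        if not self.limits.try_acquire("user_portal"):
            return False
        try:
            if not self.limits.try_acquire("card_sync"):
                return False
            try:
                self.pending_updates[card_serial] = False  # card content updated
                return True
            finally:
                self.limits.release("card_sync")
        finally:
            self.limits.release("user_portal")


@dataclass
class ActivClientAutoUpdate:
    cms: CmsServer
    check_interval_days: int = 7  # documentation: weekly by default
    last_check_day: Dict[str, int] = field(default_factory=dict)

    def on_card_insert(self, card_serial: str, today: int, user_accepts: bool) -> str:
        """Outcome of one card insertion: 'skipped', 'no_update',
        'busy_retry_later', 'deferred', 'portal_busy' (assumed) or 'updated'."""
        last = self.last_check_day.get(card_serial)
        if last is not None and today - last < self.check_interval_days:
            return "skipped"  # within the weekly interval, nothing to do
        pending = self.cms.check_pending(card_serial)
        if pending is None:
            # CMS too busy: no message to the user, and the check is not
            # recorded, so the next insertion retries it.
            return "busy_retry_later"
        self.last_check_day[card_serial] = today
        if not pending:
            return "no_update"
        if not user_accepts:
            # User chose to postpone: forget the check so the offer is
            # repeated after the next card insertion.
            del self.last_check_day[card_serial]
            return "deferred"
        if not self.cms.run_update(card_serial):
            del self.last_check_day[card_serial]
            return "portal_busy"  # assumption: try again at next insertion
        return "updated"


if __name__ == "__main__":
    limits = AdmissionLimits(ccm_api=1)
    cms = CmsServer(limits, {"CARD-A": True, "CARD-B": False})
    client = ActivClientAutoUpdate(cms)
    print(client.on_card_insert("CARD-B", today=0, user_accepts=True))   # no_update
    print(client.on_card_insert("CARD-A", today=0, user_accepts=False))  # deferred
    print(client.on_card_insert("CARD-A", today=1, user_accepts=True))   # updated
```

Running the model with a CCM API limit of 1 while another check holds the only slot shows the quiet path: the insertion returns "busy_retry_later" with no user-facing event, which is why a CCM API limit set too low delays updates rather than breaking them.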