Updating and Reissuing Devices
When you update a device after it is given to a user, you are updating the data that is stored on the device. This process is called “applications update” or “device re-issuance.” The device update can be performed either by an ActivID CMS operator or by the end user using the ActivID CMS User Portal.
For information about updates performed by users, refer to the ActivID CMS User online documentation.
To perform a device update from the Device Update page, the operator must be assigned a role that has the following permissions:
- Unlock a device
- Recycle a device
- Execute a pending applications update request
- Re-issue an entire device
For more information on assigning roles, see Managing Roles.
Unlocking a Device
Access to the information stored on a device is protected by a PIN. If a user enters too many wrong PINs consecutively when trying to use the device, the device is automatically locked and cannot be used until it is unlocked.
The following steps apply to an ActivID CMS configuration with the “Both Self and Assisted Online” or “Assisted Online Only” unlock method. For more information, see Configure the ActivID CMS User Portal or refer to the ActivID CMS User online documentation.
To unlock a device:
- Select the Device Update tab. The Device Update page appears.
- From the Select the smart card reader drop-down list, select the appropriate card reader.
  Note: YubiKey devices inserted in the client machine appear as a card reader with a card inserted.
- Insert the card you want to unlock into the card reader you selected.
  Warning! Do not remove the card from the reader during this process.
- Click Proceed. If the device is locked, a page indicating that the device is locked appears.
- Click Next. After ActivID CMS unlocks the device and sets the PIN to a temporary value, a page prompting you for a new PIN appears.
- Enter and confirm a new PIN.
- Remove the card from the reader. The initial Device Update page reappears.
Recycling a Device
Device recycling removes the content of a device so that you can issue the device to another user.
You must terminate a permanent device before you can recycle it. For more information, see Terminating a Device. You must cancel a temporary device before you can recycle it. For more information, see Canceling a Temporary Device.
You can only recycle a device if:
- The initial or permanent replacement device has been terminated (that is, all its credentials have been revoked).
- A temporary replacement device has been canceled.
- A device issuance has failed.
Do not recycle a device that has a user’s information and/or picture printed on it, since you cannot re-issue it to another user.
To recycle a device:
- Select the Device Update tab.
- From the Select the smart card reader drop-down list, select the appropriate card reader.
- Insert the card you want to recycle into the card reader you selected.
- Click Proceed. ActivID CMS checks the status of the device. When ActivID CMS determines that the device has been terminated, a message appears.
- Click Recycle. ActivID CMS starts to recycle the device, and synchronization messages appear under the progress bar. After ActivID CMS recycles the device, a confirmation message appears.
  Warning! When recycling, ActivID CMS removes the physical content of the device. Do not remove the card from the reader during this step.
- Remove the device from the reader. You can now issue it to another user. The initial Device Update page reappears, and you can process another device.
Applying a Pending Applications Update
An applications update request is a request to add applications to, or remove them from, a device. Before you can apply one:
- The target device policy must have been created and must be compatible with the device’s current device policy (that is, the initial and the target policies are based on the same device profile).
- The Help Desk operator or Issuance officer must have submitted an applications update request. For more information, see Requesting an Applications Update.
To apply a pending applications update:
- Select the Device Update tab.
- From the Select the smart card reader drop-down list, select the appropriate card reader.
  Note: YubiKey devices inserted in the client machine appear as a card reader with a card inserted.
- Insert the card you want to update into the card reader you selected.
  Warning! Do not remove the card from the reader during this process.
- Click Proceed. ActivID CMS checks the status of the device. If ActivID CMS determines that there is a pending applications update request to be applied to the device, a page showing the status of the device appears.
- In the Smart Card PIN field, enter the card PIN, and then click Next. After ActivID CMS updates the device, a confirmation message appears.
- Remove the device from the reader.
- Return the device to the user. The initial Device Update page reappears. You can process another device.
Re-Issuing a Device
Before you can re-issue a device:
- The target device policy must have been created.
- The Help Desk operator or Issuance officer must have submitted a device re-issuance request. For more information, see Requesting Device Re-Issuance.
To change the Certificate Authority (CA) that issued the certificate (the CA issues and manages security credentials and public keys for message encryption in a network environment), use the same device re-issuance process: the administrator must create a device policy with the new CA and use it during device re-issuance.
To update the device with a new device profile, use the same device re-issuance process: the administrator must create a device policy with the new device profile and use it in the device re-issuance request.
When a device is re-issued, all applications are removed from the device, then re-issued and personalized on the device. Certificates and keys can be recovered from the initial state of the device. At a high level, this is what occurs:
- The Administrator creates a "Target Device Policy."
- The Issuance officer creates a Device Re-issuance Request.
- The User updates the device.
When a device is re-issued, the following changes occur:
- The PIN is automatically re-initialized with a new PIN. The “change PIN at first use” flag is reset according to the device policy.
- If applicable, the PKI credentials are regenerated:
  - New signature keys are created.
  - New encryption keys are created.
  - If the recovery option is set in the device policy, the old encryption keys are recovered.
- If applicable, the SKI (Symmetric Key Infrastructure) credential is automatically regenerated with a new key. The old keys are revoked.
- If applicable, the Generic Container (GC) data is re-issued. (A GC applet is used to store static data on devices; it treats all data as opaque and never attempts to assign any meaning to the data it handles.)
  - The GC application and the GC instances are re-issued.
  - If a static data plug-in is used to personalize the GC instance, it is called during the re-issuance process. (Static data is cardholder-related information, such as health benefits, biometrics, unique organizational identifiers, or unique personal identifiers, that rarely changes.) You can personalize the device either with the same initial data or with updated data backed up by the plug-in.
  - If data is stored in a GC instance that was not initialized with a static data plug-in, the data is lost.
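The recycle precondition (a device must be terminated, canceled or have a failed issuance, and must not carry printed user information) and the list of re-issuance effects just described can be captured in a small model. The following Python is an added example written for this page, not ActivID CMS code: DeviceState, DevicePolicy, can_recycle and reissue are assumed names, and the key handles, PIN and sample card data it generates are constructed placeholders. It shows which credentials survive a re-issuance under a policy with and without the recovery option and a static data plug-in.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Tuple
import itertools
import secrets

# Constructed stand-in for on-device key generation: returns a labelled
# handle that is unique for the lifetime of the process.
_key_counter = itertools.count(1)


def _new_key(label: str) -> str:
    return f"{label}-{next(_key_counter)}-{secrets.token_hex(4)}"


@dataclass
class DevicePolicy:
    """Subset of a device policy relevant to re-issuance (field names are assumed)."""
    recover_encryption_keys: bool = False   # the "recovery option" described on this page
    static_data_plugin: bool = False        # GC instance personalized by a static data plug-in
    change_pin_at_first_use: bool = True    # value the flag is reset to on re-issuance


@dataclass
class DeviceState:
    """Minimal model of a device as the CMS would track it (field names are assumed)."""
    status: str                              # "issued", "terminated", "canceled", "issuance_failed"
    printed_with_user_info: bool = False     # user's information or picture printed on the card
    pin: str = ""
    change_pin_at_first_use: bool = False
    signature_keys: List[str] = field(default_factory=list)
    encryption_keys: List[str] = field(default_factory=list)
    ski_key: Optional[str] = None
    gc_data: Dict[str, str] = field(default_factory=dict)
    has_pki: bool = True
    has_ski: bool = True
    has_gc: bool = True


RECYCLABLE_STATUSES = {"terminated", "canceled", "issuance_failed"}


def can_recycle(device: DeviceState) -> bool:
    """A device may be recycled only when it was terminated (permanent device),
    canceled (temporary device) or its issuance failed, and never when the
    user's information or picture is printed on it."""
    return device.status in RECYCLABLE_STATUSES and not device.printed_with_user_info


def reissue(device: DeviceState, policy: DevicePolicy,
            backed_up_gc: Optional[Dict[str, str]] = None) -> Tuple[DeviceState, List[str]]:
    """Apply the re-issuance effects listed on this page and return
    (new device state, credentials revoked in the process). The input is not modified."""
    revoked: List[str] = []
    new = replace(device)                       # shallow copy; lists are reassigned below

    # The PIN is re-initialized and the change-PIN-at-first-use flag follows the policy.
    new.pin = secrets.token_hex(3)              # constructed temporary PIN value
    new.change_pin_at_first_use = policy.change_pin_at_first_use

    if device.has_pki:
        # Fresh signature keys; old signing keys are not carried over.
        new.signature_keys = [_new_key("sig")]
        # Fresh encryption keys; old ones are recovered only when the policy says so,
        # which is what keeps previously encrypted data readable after re-issuance.
        new.encryption_keys = [_new_key("enc")]
        if policy.recover_encryption_keys:
            new.encryption_keys.extend(device.encryption_keys)

    if device.has_ski:
        # The SKI credential gets a new key and the old key is revoked.
        if device.ski_key is not None:
            revoked.append(device.ski_key)
        new.ski_key = _new_key("ski")

    if device.has_gc:
        if policy.static_data_plugin:
            # The plug-in re-personalizes the GC instance with the same initial
            # data, or with updated data it backed up.
            source = backed_up_gc if backed_up_gc is not None else device.gc_data
            new.gc_data = dict(source)
        else:
            new.gc_data = {}                    # GC data not initialized by a plug-in is lost

    return new, revoked


if __name__ == "__main__":
    # Constructed sample card, re-issued under a policy with recovery and a plug-in,
    # then under a bare policy, to show what survives in each case.
    card = DeviceState(status="issued", pin="1234",
                       signature_keys=["sig-old"], encryption_keys=["enc-old"],
                       ski_key="ski-old", gc_data={"employee_id": "EMP-0001"})
    for policy in (DevicePolicy(recover_encryption_keys=True, static_data_plugin=True),
                   DevicePolicy()):
        new_card, revoked = reissue(card, policy)
        print(policy, "->", new_card.encryption_keys, new_card.gc_data, "revoked:", revoked)
```

Running the script prints two lines: under the first policy the old encryption key is still present alongside the new one and the GC data is preserved; under the bare policy only the new encryption key remains and the GC data is empty. In both cases the old SKI key is listed as revoked.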
To re-issue a device:
- Select the Device Update tab.
- From the Select the smart card reader drop-down list, select the appropriate card reader.
- Insert the card you want to update into the card reader you selected.
  Warning! Do not remove the card from the reader during the process.
- Click Proceed. ActivID CMS checks the status of the device. If ActivID CMS determines that there is a pending re-issuance request to be applied to the device, a page showing the status of the device appears.
- Click Next. After ActivID CMS re-issues the device, a confirmation message appears.
- Remove the card from the reader.
- Return the device to the user. The initial Device Update page reappears. You can process another device.