Issue Your Device

Note: The following procedure applies to smart cards and smart USB keys. If you want to issue a mobile device, refer to Issue a Mobile Device below.
  1. Connect the device you want to issue and click on Add Device:

    My Devices page displaying a device in the Active state with the Add Device button outlined in red in the top right corner

    Note: Issuance of multiple devices may not be available for all users. If your current configuration does not permit the issuance of an additional device, the Add Device button is disabled.
  2. Checks are performed to verify that the ActivID CMS Web Browser extension and HID CMS Client are installed.

    Note: Refer to Troubleshooting if these checks are not successful.
  3. A check is then performed to detect your device:

    Add Device dialog box during Check Device step with a Cancel button in the bottom right corner

    Note: This check searches only for available and compatible devices (for example, a device that is not yet issued).

    If your device is detected, the next step begins automatically.

    Important:
    • If no device is detected, you are prompted to connect your device and click Refresh:
      Add Device dialog box during Check Device step displaying instructions for when no compatible device is detected, with a Refresh button in the top right corner outlined in red and with a Cancel button in the bottom right corner
      Once your device is detected, issuance is started automatically.

    • If more than one device is detected, you must select the device you want to issue, and click Next:

      Add Device dialog box during Check Device step with one device selected among two devices displayed, with a Refresh button in the top right corner and with a Cancel button and a Next button in the bottom right corner

  4. The device is issued:

    Add Device dialog box during Issue Device step with Device Issuance in progress

    Important:
    During the issuance, the following message may be displayed:
    Add Device dialog box during Issue Device step displaying message about device registration while Device Issuance is in progress
    You should follow the instructions in the dialog boxes that are displayed. If you do not complete this process, the issuance will fail. (For details, see Particularities Concerning FIDO Applications).
    Note: Refer to Troubleshooting if the issuance fails.
  5. After the device is issued, you are prompted to change the PIN:

    Add Device dialog box during Change PIN step showing empty New PIN field selected, with a Cancel button in the bottom right corner

    Important:
    If you do not change the PIN, your device is not activated and is shown on your My Devices page as Pending status. You cannot activate or use this device until it has been activated by an operator using the Operator Portal.
    Note: When the device is activated by the operator, it will still have its initial PIN.
  6. Enter and confirm your new PIN, then click Next. The device is then activated:

    Add Device dialog box during Change PIN step showing device activation in progress

    After your device is activated, the Add Device dialog box closes automatically. Your My Devices page now displays details about the newly-issued device:

    My Devices page displaying two devices in the Active state with the Add Device and Add Mobile buttons in the top right corner

Particularities Concerning FIDO Applications

If your device contains a FIDO application that uses an Entra ID passkey-enabled service, you will be prompted by Microsoft Windows to register the passkey. You will enter or set your FIDO application PIN during the passkey registration with Entra ID. This takes place during the issuance of your device (before setting the device PIN).

Note: The FIDO application PIN may be either independent from, or shared with, the PIN that protects the other credentials (PKI, etc.) — in other words, the “device PIN”.

Depending on your device and its configuration:

  • If the FIDO application PIN is not shared, you are prompted to set your FIDO application PIN. This PIN can be the same as the device PIN you provide to HID CMS at the end of the issuance.

    Note: You may choose to have different PINs; just remember to use the right PIN in the right context: the FIDO application PIN for passkey authentication with Entra ID, and the device PIN for all the other HID CMS scenarios.
  • If the FIDO application PIN is shared, HID CMS displays a temporary PIN that you must use to register your passkey with Entra ID.

    Note: This temporary PIN is automatically copied to the clipboard and you just need to paste it (using Ctrl+V) when prompted by the Microsoft Windows passkey registration pop-ups. You do not need to remember this temporary PIN.

    At the end of the issuance, HID CMS asks you to enter your definitive device PIN. This same PIN will also be used for passkey authentication with Entra ID.

Issue a Mobile Device

Important:
Mobile device issuance may not be enabled for all users. If the issuance of a mobile device is not permitted based on your current configuration, the Add Mobile button is not available.
Currently, only Apple devices running iOS 18 or higher are supported.
  1. Click on Add Mobile:

    My Devices page displaying a device in the Active state with the Add Mobile button outlined in red in the top right corner

    A Mobile Enrollment dialog box opens:

    Mobile Enrollment dialog box displaying a QR code with a Cancel button in the bottom right corner

  2. Scan the QR code with your mobile or copy the URL into your mobile browser. This downloads the profile onto your mobile.

    Note: The following example is provided for illustration only. The screens displayed and steps to follow may vary depending on the configuration and operating system of the device used.
    Two iPhone screens showing the installation of the profile during CMS Mobile Device Issuance: the first shows a hand icon pointing to the Install clickable link in the top right corner, and the second showing a hand icon pointing to an Install button at the bottom of the screen

  3. Click on Install (top right) to begin and then on the Install button at the bottom of the screen.

    Note: You may need to enter your PIN code.

    Two iPhone screens showing the key generation and the certificate enrollment during CMS Mobile Device Issuance

  4. Wait for the installation process to finish:

    An iPhone screen showing the installed profile during CMS Mobile Device Issuance with a hand icon pointing to a Done button in the top right corner

  5. Click Done (top right) once the profile is installed. The mobile device and its credentials (mobile app certificates) are ready to use.

    Important:
    If an error occurs while installing the profile on your mobile device, this device will not be available on your My Devices page. Before you can start the issuance process again, you need to access the mobile settings on your device and remove the profile which failed to install correctly.

    Mobile Enrollment dialog box displaying a QR code with a Cancel button in the bottom right corner

  6. After you have completed the enrollment on your mobile device, click Done in the Mobile Enrollment dialog box.

  7. The dialog box closes and your My Devices page now displays details about the newly-issued mobile device:

    My Devices page displaying two devices in the Active state with an Add Device and Add Mobile button in the top right corner

Note: If there is a problem with your mobile device, you can use the Delete Mobile button associated with your device and start the issuance again.