Derived credentials for iOS

Derived credentials provide strong authentication for mobile devices. The credentials, derived from a smart card, reside in a mobile device instead of the card. The smart card is a Personal Identity Verification (PIV) card.

The derived credentials are an enrollment certificate that contains the user identifier, such as UPN. Endpoint Management stores the credentials obtained from the credential provider in a secure vault on the device.

Endpoint Management can use derived credentials for iOS device enrollment and authentication. If configured for derived credentials, Endpoint Management doesn’t support enrollment invitations or other enrollment modes for iOS devices. Citrix recommends that you don’t enroll Android devices on servers set up for derived credentials.


  • One of the following derived credential solutions:
    • Intercede 3.14 or later. For information on the Intercede requirements, see Citrix has validated that Endpoint Management supports the Intercede derived credential solution. The app name in the Apple App Store is MyID for Citrix.

      Users must install MyID for Citrix on their devices before enrolling in Endpoint Management.

    • Other derived credential solutions

      While it’s likely that most other credential solutions are compatible with Endpoint Management, test the integration before deploying it to production.

    • If the user email domain differs from the LDAP domain, include the email domain in the Domain alias setting in Settings > LDAP. For example, if the domain for email addresses is and the LDAP domain name is, set Domain alias to,
    • Endpoint Management doesn’t support the use of derived credentials with shared devices.
  • User identity certificates:
    • The user name in the Subject alternative name field must be formatted as the otherName, rfc822Name, or dNSName field of the SubjectAltName extension. Other fields are not supported. For more information about Subject alternative name, see the RFC,
    • User identity in the Subject field in either Email or CN isn’t supported.
  • Citrix Gateway configured for certificate authentication or certificate plus security token authentication

    For information about PKI configuration, see PKI entities.

  • MDM enrollment
  • Secure Hub 10.8.15 (minimum version)
  • Secure Mail 10.8.20 (minimum version)
    • Use the same developer certificate to sign all apps in the Apple App Store.


For enrollment, the Endpoint Management server connects to the components described in the preceding Requirements section, as shown in the following diagram.

Diagram of derived credentials enrollment architecture

  • During device enrollment, Secure Hub obtains certificates from the derived credentials app.
  • The derived credentials app communicates with the credential management server during enrollment.
  • You can use the same or different server for the credential management server and a third-party PKI provider.
  • Endpoint Management server connects to your third-party PKI server to obtain certificates.

After enrollment, the components connect as shown in the following diagram.

Diagram of derived credentials post-enrollment architecture

The following sections describe how to configure Endpoint Management with a derived credentials provider, enable derived credentials for enrollment, and manage devices that use derived credentials.

Enable derived credentials

By default, the Endpoint Management console doesn’t include the Settings > Derived Credentials page. To enable the interface for derived credentials: Go to Settings > Server Properties, add the server property derived.credentials.enable, and set the property to true.

Image of Server Properties configuration screen

Configure derived credentials

These instructions assume that you have a working configuration for the derived credentials provider that you plan to integrate with Endpoint Management. You can then configure Endpoint Management to communicate with that server. You also choose a derived credentials CA certificate already added to Endpoint Management or import the certificate.

You can activate Online Certificate Status Protocol (OCSP) support for that CA certificate. For more information about OCSP, see “Discretionary CAs” in PKI entities.

  1. In the Endpoint Management console, go to Settings > Derived Credentials for iOS.

    Image of Derived Credentials configuration screen

  2. Under Provider:

    • Choose derived credentials provider. Citrix validated that Endpoint Management supports Intercede. If you choose Other for the provider, test the integration before putting your server into production.

    • App URL (iOS): If you choose Intercede as the provider, Endpoint Management fills in the App URL. If you choose Other as the provider, obtain the App URL from your derived credentials provider.

      If a device can’t contact your provider, verify the App URL with the provider. You might need to change it.

    • Optional parameters: Some derived credential providers might require that you provide parameters for the connection. For example, a vendor might require that you specify the URLs of a back-end server. Click Add to provide parameters.

  3. Specify a certificate for derived credentials: If the certificate is already uploaded to Endpoint Management, choose that certificate from Issuer CA. Otherwise, click Import to add a certificate. The Import Certificate dialog box appears.

  4. In the Import Certificate dialog box, click Browse to navigate to the certificate. Then click Browse to navigate to the private key file.

    Image of Derived Credentials configuration screen

  5. If you choose Intercede as the provider, Endpoint Management fills in the User Identifier field and the User Identifier type. For Intercede, the User Identifier field is Subject alternative name, and the User Identifier type is userPrincipalName. Contact other derived credential providers for their information and configure the settings.

  6. You can optionally use an OCSP responder for certificate revocation checking. By default, OSP checking is off. To activate OCSP support for the CA certificate:

    • Set OCSP check to ON.

    Image of Derived Credentials configuration screen

    • Choose an option for Use custom OCSP URL. By default, Endpoint Management extracts the OCSP URL from the certificate (the Use certificate definition for revocation option). To specify a responder URL, click Use custom and then type the URL.
    • Responder CA: From Responder CA, choose a certificate. Or, click Import and then use the Import Certificate dialog box to locate the certificate.
  7. Click Save. The Derived Credentials dialog box appears.

    Image of Derived Credentials configuration screen

    • To enable the derived credentials configuration, click Save. To use derived credentials, you must also configure enrollment settings.

    • To enable the derived credentials configuration and then go immediately to Settings > Enrollment, click Save and Go to Enrollment.

  8. To enable derived credentials for enrollment: On the Settings > Enrollment page, under Advanced Enrollment, select Derived Credentials (iOS only) and then click Enable.

    Image of Enrollment configuration screen

  9. A confirmation dialog box appears. To enable derived credentials, select the check box, and click Enable.

    Image of Enrollment configuration screen

  10. To edit options for derived credentials enrollment, go to Settings > Enrollment, select Derived Credentials (iOS only) and then click Edit.

After you enable derived credentials: In the Devices Enrollment report, the column Enrollment mode shows derived_credentials.

For enrollment steps when using derived credentials, see Enroll iOS devices that use derived credentials.

Configure Endpoint Management for Secure Mail

In order for Secure Mail to work properly with derived credentials, add the LDAP Attributes client property.

Follow the steps to add a client property in the article Client properties. Use the following information:

  • Value: userPrincipalName=${user.userprincipalname},sAMAccountNAme=${user.samaccountname},displayName=${user.displayName},mail=${user.mail}

Image of Client Properties configuration screen

Enroll iOS devices that use derived credentials

Enrollment requires that users insert their smart card to a reader attached to their desktop.

  1. The user installs Secure Hub and the app from your derived credential provider.

    The identity provider app for Intercede is MyID for Citrix. The logo for that app follows.

    Image of Intercede logo

  2. The user starts Secure Hub. When prompted, the user types the Endpoint Management server fully qualified domain name and then clicks Next. Enrollment in Secure Hub starts. If the Endpoint Management server supports derived credentials, Secure Hub prompts the user to create a Citrix PIN.

    Image of Secure Hub enrollment screen

    Image of Yes, Enroll button

    Image of Citrix PIN screen

  3. The user follows the instructions to activate their smart credential. A splash screen appears, followed by a prompt to scan a QR code.

    Image of QR code scan screen

  4. The user inserts their card into the smart card reader that’s attached to their desktop. The desktop app then displays a QR code and prompts the user to scan the code using their mobile device.

    Image of identity confirmation screen

  5. The user enters their Secure Hub PIN when prompted.

    Image of PIN entry screen

  6. After authenticating the PIN, Secure Hub downloads the certificates. The user then follows the prompts to complete enrollment.

To view device information in the Endpoint Management console:

  • Go to Manage > Devices and then select a device to display a command box. Click Show more.

  • Go to Analyze > Dashboard.