Over the years, Citrix has built support for various mobile CAC readers into some of our mobile Receiver apps. Now that DoD has moved on to derived credentials for mobile platforms, instead of physical smartcards, Citrix has begun adding support to some of the mobile Receivers — now called Citrix Workspace app — starting with iOS.
Before moving on, I want to give a quick recap of derived credentials in DoD. Purebred is a DoD management program that provides derived credentials for mobile devices. This provides end users soft certs that can be leverages for items such as authentication, digital signing, and encryption/decryption. The use of derived credentials eliminates the need for smartcard sleeves, Bluetooth readers, and the middleware that supports them.
The new Purebred support added into Citrix Workspace app allows a user to leverage existing Purebred credentials on an iOS device to create a virtual smartcard that can log one into Citrix published applications and desktops. Their CAC can stay stashed away in their pocket! The virtual smartcard also provides access to the signature and encryption certificates for use with S/MIME. Users will be able to decrypt secure messages within published Outlook with ease. An iPad can now be leveraged as a mobile thin client for DoD teleworking. The best part is that the work is based on the new Smartcard v3 virtual channel, providing a superior user experience when connecting over the WAN.
To leverage the new derived credentials capability, the iOS device must already be enrolled in Purebred. If not, contact your IT support organization to complete this step. Open the new Workspace app, tap “Get Started”, but do not enter your server information just yet. Tap the three dots at the top right to access the menu and enter the Settings. In the Advanced section, enable the use of Derived Credentials.
As this is the first time you’ve run Workspace app, you will also need to create your first virtual smart card. You may change the name if you like or you can simply create your PIN. You will need to import the authentication, signing, and encryption certificates. Due to the Apple API used, the open dialog will not automatically be in the Purebred container. Tap “Locations” at the top left of the dialog to go up one level, where you can now tap on the “Purebred Key Chain”. If you do not see the Purebred Key Chain, back out of the dialog and open the Files app on iOS, otherwise skip to the next paragraph. On the Browse navigation bar on the left, tap Edit at the top right. Enable the Purebred Key Chain and tap Done, also at the top right. Exit the File app, return to the Workspace app and start adding certificates to the virtual smart card.
The dialog will filter out only viable certificates with the Purebred Key Chain for each usage type so there should only be one to select for each. After tapping a certificate you much tap “Import Key” at the bottom left of the dialog. Once all three certificates are imported, tap “Save” at the top right. You can view the certificates that have been added but you cannot alter the virtual smart card. If you need to make a change, slide the virtual smartcard item to the left to access the delete button. Then create a new virtual smart card.
Back out of the settings until you are at the add account window again. Enter your server address and tap “Continue”. When the Workspace app detects your environment requires certificate authentication, it will ask which certificate to use based on what you added to the virtual smart card. Select the certificate and tap “Next”. After you unlock the virtual smart card with the PIN created, it will now be available for login to the session.