29.2 Devices page (Operation Settings)

Setting

Allow Card Activation

Default value

Yes

Description

Allows you to issue cards with their keys locked so users must activate them before use.

Further information

 

 

Setting

Allow device management from the MyID user interface

Default value

No

Description

If set to Yes, you can search for computers or other devices registered in MyID during some operations.

Further information

 

 

Setting

Allow disposal of expired devices

Default value

Yes

Description

If set to Yes, allows you to dispose of devices that have expired but have not been canceled.

Further information

See the Disposing of cards section in the Operator's Guide.

 

Setting

Allow virtual smart card creation with TPM reduced functionality

Default value

No

Description

Set to Yes to allow Microsoft Virtual Smart Cards to be issued within MyID when the TPM is in a reduced functionality state.

Further information

See the Reduced functionality section in the Microsoft VSC Integration Guide for details.

 

Setting

Auth Code Scope

Default value

Both

Description

Whether Auth Codes, when required, affect Activate, Unlock or both workflows.

Further information

 

 

Setting

Card activation expiration period

Default value

30

Description

Not currently implemented.

Further information

This configuration option relates to custom functionality that is no longer implemented in MyID.

 

Setting

Card label

Default value

Yes

Description

Allows a label to be written to a card. This is an electronic label that is written to the card, not a physical label.

Further information

 

 

Setting

Card Renewal Period

Default value

42

Description

You can configure the length of time before expiry that you can request a card renewal using the Request Replacement Card workflow.

For example, if the card has 60 days left before expiry, and you set the Card Renewal Period to 40, you cannot request a card renewal. If the card has 30 days left before expiry and you set the Card Renewal Period to 40, MyID allows you to request the card renewal.

This option also affects the behavior of automatic certificate renewals; if the card is within the Card Renewal Period window, automatic certificate renewals do not get triggered, but instead a notification is sent to the cardholder that they must request a replacement card.

Further information

See section 6.6.1, Credential lifetimes and certificate renewal.

 

Setting

Check Content Signing Certificate Expiration

Default value

Yes

Description

MyID checks that the PIV content signing certificate will not expire in the lifetime of the card.

Further information

 

 

Setting

Credential Number Per Device

Default value

 

Description

Identifies the field holding the credential number; this is used at card issuance.

PIV only.

Further information

See the Setting credential numbers section of the PIV Integration Guide for details.

 

Setting

Default Card Data Model

Default value

PivDataModel.xml

Description

Sets the default data model to be used in a credential profile. The data model defines how the card is personalized.

Further information

In PIV systems, this is used to ensure the correct card personalization is done for FIPS-201.

 

Setting

Default Card Reverse Layout

Default value

 

Description

If a card has no defined reverse layout and this configuration option contains the name of a valid card layout, that layout is used for the reverse of the card.

Further information

 

 

Setting

Delayed Cancellation Period

Default value

0

Description

The time, in hours, used to calculate the delay before the original device and its certificates are canceled when you replace a device.

If the configuration option is not 0, an additional Reason appears in the list when you request a replacement: Device Replacement (Delayed Cancellation). If you select this option, the device and its certificates are not canceled immediately, but are canceled after the number of hours specified in this configuration option.

Note: A device that is scheduled for delayed revocation can still be canceled through the actions of the Active credential profiles per person configuration option if the cardholder collects another device.

Further information

See the Requesting a replacement card and Certificate reasons sections in the Operator's Guide, and the Requesting a replacement device section in the MyID Operator Client guide.

 

Setting

Deliver Card Before Activation

Default value

No

Description

Set this to Yes to add a Delivery stage to the process for issuing a card, ensuring the card has been delivered to the recipient before it is activated.

Further information

See the Delivering cards section in the Operator's Guide for details.

 

Setting

Enable credentials when person is enabled

Default value

Yes

Description

If set to Yes, enabling a user account in MyID automatically enables all issued but disabled credentials belonging to that user account.

Further information

 

 

Setting

Enable Intel Virtual Smart Card support

Default value

No

Description

Appears only on upgraded systems that previously had this option set to Yes.

Further information

MyID support for Intel Authenticate virtual smart cards has now been deprecated. If you are currently using this solution or have further questions about it, contact Intercede for further details quoting SUP-349.

 

Setting

Expiration Identity Batch

Default value

20

Description

MyID updates the directory to remove the device certificate information when a device identity is canceled or the certificate expires.

This option configures the size of batches of records that are processed when updating the directory. You should not have to change this value.

Further information

 

 

Setting

Issue MyID Signing Keys

Default value

Ask

Description

Whether the option to use MyID management keys for logon is displayed in Services when designing a credential profile:

Ask – option available for selection

No – option not available and MyID keys not used for logon

Yes – option not available and MyID keys are used for logon

Further information

See section 23.2, Terms and conditions.

 

Setting

Microsoft virtual smart cards supported within MyID

Default value

No

Description

Set to Yes to allow the use of Microsoft Virtual Smart Cards within MyID.

Further information

See the Microsoft VSC Integration Guide for details.

 

Setting

Mobile Provision Via Email

Default value

Yes

Description

Set this option to allow the notification of mobile IDs to be sent to the user's email address.

Further information

 

 

Setting

Mobile Provision Via SMS

Default value

Yes

Description

Set this option to allow the notification of mobile IDs to be sent to the user's mobile phone number.

Further information

 

 

Setting

One Active Job Per Person

Default value

Yes

Description

When set to Yes, the Request Replacement Card workflow cancels existing Issue Card, Update Card and Request Replacement Card jobs that exist for the applicant who is to be issued a replacement card.

Further information

 

 

Setting

One Credential Profile Request Per Person

Default value

No

Description

Setting this option limits the number of card requests to one per person per credential profile. The most recently created request job will take precedence.

Further information

 

 

Setting

Persist terms and conditions

Default value

No

Description

When set to Yes, stores the terms and conditions that were signed as a binary object in the MyID database. This is then visible in the MyID audit report.

This option allows you to review the terms and conditions as they stood when the cardholder accepted them, rather than the terms and conditions as they currently stand, which may be different if you have updated the text of the terms and conditions.

Further information

See section 11.6.5, Storing signed terms and conditions.

 

Setting

PIV Biometric Maximum Age

Default value

12

Description

Set to the maximum age of the biometric data in years. MyID checks that the biometrics will not exceed this age in the lifetime of the card.

Further information

 

 

Setting

PIV Facial Biometrics Required

Default value

Yes

Description

When set to Yes, MyID checks that facial biometrics have been captured before authorizing card issuance.

Further information

 

 

Setting

Preserve FASCN and UUID for card update

Default value

Yes

Description

Set to Yes to prevent the FASC-N and UUID from being changed, or No to generate new FASC-N and UUID values during card repersonalization and reinstatement.

Further information

Repersonalization and reinstatement are not currently supported.

 

Setting

Print Quality Confirmation

Default value

No

Description

If set to Yes, allows the operator to confirm whether the card was printed correctly, and offers an opportunity to retry the operation.

Further information

See the Collecting a card section in the Operator's Guide.

 

Setting

Secondary Serial Number

Default value

 

Description

A series of field names separated by spaces which are used as a second serial number.

Further information

 

 

Setting

Serial Number IIN

Default value

123456789

Description

Used to set the serial numbers for Oberthur PIV cards.

Further information

See the Serial numbers for IDEMIA PIV cards section in the Smart Card Integration Guide for details.

 

Setting

Terms and Conditions During Device Update

Default value

Just for New Certificates

Description

Determines whether users have to sign the terms and conditions when updating cards that have credential profiles that require them to sign the terms and conditions when activating their cards.

If the card is being updated to a new credential profile, MyID checks the Terms and Conditions setting of the new credential profile.

Can be one of the following:

Yes – users are required to sign the Terms and Conditions as required by the credential profile when collecting any kind of update for their card.

Just for New Certificates – users are required to sign the Terms and Conditions as required by the credential profile only when the update they are collecting contains new certificates.

No – users do not need to sign the Terms and Conditions when collecting card updates.

Further information

See section 23.2, Terms and conditions.

 

Setting

Token resync window

Default value

100

Description

The window to be used when resynchronizing an OTP device. The larger the value, the longer the resync window.

Further information

If you are having difficulty resynchronizing tokens, increase this value.

 

Setting

Unblocking Credential

Default value

No

Description

Whether this installation supports unblocking credentials.

Further information

See the Smart Card Integration Guide for details.

 

Setting

Windows Hello for Business supported in MyID

Default value

Yes

Description

Whether this installation supports Windows Hello for Business.

Further information

See the Setting the Windows Hello configuration options section in the Windows Hello for Business Integration Guide for details.