Self-service device update

4.12 Self-service device update

The Self-Service App provides you with a mechanism to provide self-service device updates for your cardholders.

You can use this optional feature in the following situations:

Rolling out a new certificate policy to end users (change credential profile, instruct users (out of band) to use the feature to update their device).
Letting end users recover additional encryption certificates that have been issued to other devices (configure the credential profile rules to allow automatic recovery of key history, instruct users to use the feature).
Troubleshooting incorrect revocation of certificates (if a certificate has been incorrectly revoked, instruct users to use the feature to replace those certificates).

4.12.1 Overview

When enabled, this feature works in the following way.

Once authenticated, MyID creates an update request for the authenticated device and applies it. This is a standard update request type that looks for differences in certificate assignment; where those differences are found, it applies the required changes. The update request is the same as would be applied if the request was generated by an operator or through the Lifecycle API.

If no differences are found, no actions are taken against the device. The attempt is still included in audit reports.

The feature applies to any supported device type on a Windows PC (smart card, USB token, VSC, Windows Hello).

Use cases – with the latest version of the credential profile assigned to the device as a reference, the self-service update feature:

Replaces certificates that are revoked in MyID.
Collects any new certificate policies that are available.
Collect new additional identity certificate policies linked to the user in MyID.
Removes any additional identity certificate policies that are no longer linked to the user in MyID.
Collects key history updates based on the requirements of the credential profile.

4.12.2 Configuring MyID to allow self-service device updates

Important: This feature is not enabled by default. It may not be appropriate for all environments.

Configuration requires that two roles are configured to control access to the feature. The first makes the Update My Device option available before user authentication (to allow it to be easily located by self-service users) with the second used to control any further role-based restrictions on who is allowed to use the feature. If you require this feature to be available to any user of the Self-Service App, you are recommended to apply this to the Cardholder role, which is typically given to all users. Review which roles are allocated by default in your installation to determine if a more suitable role exists.

An external system configuration is also required. This step enables the UserSync process that creates the update request; however, note that all processing takes place on the MyID server when using the UserSync_UpdateCardToLatest mapping file.

To set up the role permissions for self-service device updates:

In MyID Desktop, from the Configuration category, select Edit Roles.
Add the Update My Device option from the Cards section to the Default SSA User (981) role.

This allows the operation to be visible in the Self-Service App before the user authenticates.
Add the Update My Device option to the roles you want to be able to use the feature.

For example, add the option to the Cardholder role.
Additionally, add the Collect My Updates option from the Cards section to the roles you want to be able to use the feature.

For example, add the option to the Cardholder role.
Click Save Changes.

To configure the external system for the self-service device update feature:

In MyID Desktop, from the Configuration category, select External Systems.
Click New.
From the Listener Type drop-down list, select UserSync.

The configuration details for the self-service device update feature appear.
Type a Name and Description for the external system.
From the Mapping File drop-down list, select UserSync_UpdateCardToLatest.

The mapping file contents are displayed in the Contents pane.
Click Save.

4.12.3 Running self-service device updates

You must deploy the Self-Service App to your users' workstations. Once installed, users can run the Self-Service App and select the Update My Device option:

Alternatively, you can provide a shortcut directly to the Update My Device option (which has ID 5013).

You can use the command line; for example:

MyIDApp.exe /opid:5013

or a hyperlink; for example:

myidssa:///opid:5013

4.12.4 Troubleshooting

If the user cannot authenticate to MyID (for example, if the certificate used for signing on the current credential profile is revoked or not set up, you cannot use this feature. This also applies if PIN authentication cannot be achieved; for example, if the PIN is locked.

The feature does not override or conflict with update requests created using other methods; for example, operator request, API request, or other MyID process such as certificate renewal. Those mechanisms are still valid and continue to work as before.