Active credential profiles per person

One per credential group

This option allows you to control issuance of different types of credentials to users; for example, you might want to issue one smart card, one USB token, and so on.

See section 11.3.2, Additional credential profile options.

Allow derived credential requests to create accounts

No

Must be set to Yes to allow SSRP to issue a derived credential to a cardholder whose original credential was issued by a different system. The unknown user is added to MyID.

See the MyID configuration options section in the Derived Credentials Self-Service Request Portal guide.

Allow parent and child credential profiles

No

Used for VSCs.

See the Setting up parent/child credential profiles for VSCs section in the Microsoft VSC Integration Guide.

Allow requests without user data approved

No

Determines whether requests for credentials can be created if the person's user data approved status is not set.

Set this option to Yes to allow an operator or the Lifecycle API to request credentials even if the person's user data approved status is not set. Even though the request can be created, if the Require user data to be approved option on the credential profile is set, the request cannot be approved or collected until the person's user data approved status is set.

Set this value to No to prevent credentials from being requested when the person's user data approved status is not set and the Require user data to be approved option on the credential profile is set.

App Download URL – ANDROID

The URL for the Android version of the MyID Identity Agent.

Leave blank to hide this option.

If you click on a provisioning URL on a mobile device, but do not have the Identity Agent app installed, this link is displayed to allow you to download the app and try again.

For derived credentials, the URL is embedded into the QR code that is displayed to the user and allows them to download the Identity Agent app when using the Self-Service Kiosk to collect Derived Credentials.

See the Configuring SMS and email notifications section in the Mobile Identity Management guide or the Derived Credentials Configuration Guide for details.

App Download URL – iOS

The URL for the iOS version of the MyID Identity Agent.

Leave blank to hide this option.

If you click on a provisioning URL on a mobile device, but do not have the Identity Agent app installed, this link is displayed to allow you to download the app and try again.

For derived credentials, the URL is embedded into the QR code that is displayed to the user and allows them to download the Identity Agent app when using the Self-Service Kiosk to collect Derived Credentials.

See the Configuring SMS and email notifications section in the Mobile Identity Management guide or the Derived Credentials Configuration Guide for details.

Note: Due to restrictions imposed by Apple, the URL must be opened in the Safari browser and must link to a page that contains a link to the app to download; the user can then select this link. The URL cannot be a direct link to the app file itself.

Automated Card Issuance Time Limit

240

The time (in seconds) to be spent attempting to issue a card before canceling the process.

Automated Detect Card Time Limit

40

The time (in seconds) to be spent attempting to detect a card before it is rejected.

Automated Remove Card Time Limit

30

The time (in seconds) that MyID will wait before allowing another print command to be sent once the card has been removed from the printer.

Automatic Completion of Issuance

Ask

Enable the automatic submission of the Print Card stage.

Automatic Completion of Issuance Timeout

300

Timer value (in seconds) for automatically submitting certain forms.

Automatic Update Collection

2,245

If a user logs in with pending jobs, run the first workflow listed that they have access to.

Workflows should be listed as option,operationid;option,operationid and so on. For example: 2,245 – this automatically launches the Activate Card workflow.

See the Workflow IDs section in the Installation and Configuration Guide for a list of the workflow IDs available in MyID.

Automatically create card update jobs when additional identities are modified

No

Create card update jobs automatically on changes to additional identities.

See section 25, Additional identities for details.

Note: Changes carried out using the Credential Web Service API create update jobs whether this option is set to Yes or No. See the Credential Web Service document for details.

Batch Encode Card Timeout

15

The number of seconds to allow a card to be read before timing out in the Batch Encode Card workflow.

Change Credential Profile At Approval

No

If set, an operator can change the credential profile when approving a request. Note: This affects requests approved through the MyID Operator Client only.

See the Approving requests section in the MyID Operator Client guide.

Display credential profile details

Ask

Whether credential profile details are displayed when a card is issued.

Enable unrestricted cancellation

No

Controls whether the Unrestricted Cancellation option appears in the Issuance Settings section of the Credential Profiles workflow.

This option allows you to re-use a card without first canceling it.

Expire cards at end of day

No

If set, credentials will be issued with an expiry date set to the end of day, that is, 23:59:00 UTC.

The time zone setting of the operator's workstation may affect the expiry date. Because the expiry time is 23:59:00 UTC, to ensure that the expiry time is in the future, if the operator's workstation is behind UTC (for example, PDT, which is UTC -7) the expiry is set to 23:59:00 UTC on the following date.

This prevents the case where, for example, on January 1 at 20:00:00 PDT an operator requests a same-date expiry. An expiry date of 23:59:00 UTC on January 1 would be in the past, but an expiry date of 23:59:00 UTC on January 2 is still in the future.

Note: This setting is designed for devices requested through the MyID Operator Client. Note, however, that even if the devices were requested through the MyID Operator Client, the expiry date is not set to the required value if the devices are collected through the Issue Card or Collect My Card workflows. All other methods of collecting devices work as expected.

This setting affects requests made in MyID Desktop only under the following circumstances:

• The Expire cards at end of day option is set.

• You do not set an explicit expiry date in Request Card. (Setting an explicit expiry date in MyID Desktop sets the time to 00:00:00 UTC.)

• You do not collect the request using the Issue Card or Collect My Card workflows. (These workflows do not check the Expire cards at end of day option at all.)

Under the above circumstances, when you collect the device, the time is set to 23:59:00 UTC.

When this option is set to the default NO, the time is set to 00:00:00 UTC (the start of the day).

This setting also affects the CardExpiryDate and MaxRequestExpiryDate nodes in the Lifecycle API; if the Expire Cards at End of Day configuration option is set to Yes, the time portion of the expiry date is set to 23:59 UTC. If the Expire Cards at End of Day option is set to No, the time portion is set to 00:00 UTC.

Note: This setting does not affect any existing expiry dates, whether for requests already created, or maximum credential expiry dates already set for users.

Note: Some CAs do not allow control over the time portion of the certificate expiry. When MyID sets the lifetime of the certificate, the date is set as expected, but the time may not match exactly, depending on the certificate authority being used.

See the CardExpiryDate and MaxRequestExpiryDate sections in the Lifecycle API document, the Setting expiry dates for a card section in the Operator's Guide, and the Approving requests section in the MyID Operator Client guide.

Manual Card Update

No

Whether a card update can be performed manually. This allows you to select which updates to apply to the card from the list of available updates.

Maximum multiple credential requests

1

This is the maximum number of multiple credential requests that will be accepted.

See the Requesting multiple cards section in the Operator's Guide.

Maximum unvalidated multiple credential requests

1

The maximum number of multiple credential requests that will be accepted without secondary validation.

See the Requesting multiple cards section in the Operator's Guide.

Output Mechanism for Job Challenge Code Generation

Choose at request

Determines how the one-time password for job authentication is delivered. Choose one of the following:

Email

Display on screen

Both

Choose at request

See section 24.8, Requesting a device identity.

Print Card Timeout

5

The number of seconds between printing a card and issuing.

Printer Request Buffer Delay

10

This is the time in seconds to pause between sending requests to the printer.

Used with the Fargo SDK for Fargo printers.

Reload Device Profile

No

Whether the device profile is reloaded onto the card during issuance. Used for Thales authentication devices.

Requisite User Data

No

Displays an extra option in the Credential Profiles workflow that allows you to restrict issuance to user accounts with specific user attribute mappings.

Restrict collection of replacement devices if expiry date within (Days)

0

Stops the issuance of a replacement credential if the date for the expiry is within the specified number of days.

Rotate Keys On Card Update

No

When a card update is collected, any GlobalPlatform or PIV 9B keys associated with the device will also be updated if they are found to be out of date.

See section 7.3.8, Rotating customer keys for details.

Set Credential Profile On Renewal

No

If set to Yes, the operator can specify a credential profile when renewing a device.

Note: This setting affects devices renewed through the MyID Operator Client only.

Set expiry date at request

No

If set to Yes, the operator can specify a date for expiry of credentials when they are requested.

Note: This setting affects the MyID Operator Client and MyID Desktop only. Requests created using APIs directly are not affected.

Show Disqualified Credential Profiles

Yes

Set to Yes to display all credential profiles, whether or not they meet the Requisite User Data requirements.

Set to No to hide any credential profiles that do not meet the Requisite User Data requirements.

Note: This setting affects the display of credential profiles in the MyID Operator Client only.

See section 11.3.1.11, Requisite User Data.

Show the Card Content button in the Audit Workflow

Yes

Set to Yes to display the Card Content button on the Audit workflow.