23.1 Configuring a credential profile for activation
The Require Activation and Pre-encode card options in the Issuance Settings section of the credential profile determine if and how a card is to be activated.
Require Activation
This option means that MyID does not activate the card during collection. The card can be activated later by the applicant. The card is issued in a locked state; if possible, it is protected by the GlobalPlatform key, but it is also possible to activate cards that do not have GlobalPlatform keys, but are capable of having their PINs locked. The user must activate the card before it can be used. You can use this option with bureau-issued cards, and you can also use this option to issue cards from MyID.
You can issue cards in the same state that a bureau returns cards. This allows you to activate cards for users in the same way as bureau cards are activated – you can print a batch of cards, then activate them one-by-one face-to-face with the users.
Note: To support GlobalPlatform locking, you must set up GlobalPlatform Factory Keys and 9B keys for your cards before you can activate them.
From the Require Activation drop-down list, select one of the following options:
- No – the cards are not locked.
Allow Self Collection – the cards are locked, and the applicants can collect the card using the Activate Card workflow in MyID Desktop, the Self-Service Kiosk, or the Self-Service App. See the Activate card section in the Operator's Guide for details.
This option also allows the applicant to use assisted activation with the help of an operator.
Note: To allow self collection, the system role Activation User must exist, and must have access to the Activate Card workflow; this system role is used because the cardholder is using a locked card. By default, this configuration is set up when you install MyID; do not use the Edit Roles workflow to change the Activation User role. If this role is not set up correctly, when you attempt to carry out self activation of a card, you may see an error similar to:
9004028 - You do not have permission to access this workflow
Note: When the Restrict Self Activation configuration option (on the Self-Service page of the Security Settings workflow) is set to Yes, you have access to the operations allowed by the Activation User role only if these operations are already permitted by your assigned roles; if the Restrict Self Activation configuration option is set to No, you have access to all operations allowed by the Activation User role, whether or not your own assigned roles provide access.
- Assisted Activation Only – the cards are locked, and the applicants must go to a MyID operator who collects the card for them using the Assisted Activation workflow. See the Assisted activation section in the Operator's Guide for details.
Note: The Require Activation option locks the card when it is issued. Do not select the Lock User PIN at Issuance option, as this may cause an error.
Note: Do not set the Issue With option in the PIN Settings section to Client Generated or Server Generated. For cards that require activation, you must select User specified PIN.
You can then request and approve a number of cards, and use Collect Card or Batch Collect Card to issue them. This allows you to print the cards, but does not activate them.
By default, Batch Collect Card is not available to any of the standard roles. Use the Edit Roles workflow to add it.
For GlobalPlatform cards, in the Select Certificates stage, make sure that you select a certificate for signing. The card is issued with a blank chip that has its GlobalPlatform keys locked.
Note: You cannot use Issue Card for cards that require activation.
Pre‑encode Card
From the Pre-encode Card drop-down list, select one of the following:
- None – the card is encoded during activation.
- 1-Step – the card is encoded during collection.
- 2-Step – the card is encoded using the Batch Encode Card workflow after collection.
Note: Both 1-Step and 2-Step pre-encode card options require activation.
23.1.1 Personalization and encoding scenarios
The Require Activation and Pre‑encode Card options allow you to determine how the card is issued. You can determine whether the card is issued face-to-face, and whether the card is encoded by the cardholder when it is activated, when it is issued, or using the Batch Encode Card workflow.
Scenario |
Require Activation |
Pre-encode Card |
Face to face issuance |
o |
None |
Bureau or batch issuance with cardholder encoding and activation |
þ |
None |
Encoding using Collect Card or Batch Collect Card and cardholder activation |
þ |
1-Step |
Bureau or batch issuance, encoding using Batch Encode Card, and cardholder activation |
þ |
2-Step |
Note: If you select Pre-encode Card you must select Require Activation.