Rotating MDM tokens - PingID

PingID Administration Guide
bundle
pingid
ft:publication_title
PingID Administration Guide
Product_Version_ce
PingID
category
ContentType
Product
Productdocumentation
pingid
ContentType_ce
Product documentation

Organizational security policies might require periodic rotation of MDM tokens to prevent use of old tokens for authentication.

Rotation is implemented by adding a new token, distributing it to all managed devices, and then removing (revoking) the old token.

Important:

More than one token should coexist to permit token rotation without blocking users from authentication.

  1. In the admin console, go to Setup > PingID > Device & Pairing.
    Screen capture of the PingID admin console showing the Device & Pairing tab.
  2. In the Device Requirements section, click +Add.
  3. In the Select a Condition list, click Mobile Device Management.
  4. Click the Expand icon for the Mobile Device Management Required section to expand the section.
  5. Click +Generate New Token to create a new PingID key for MDM.
    Screen capture of the expanded Mobile Device Management Required section.
    Note:

    The Generated date below each token indicates the date and time of its creation.

  6. Click Save.
  7. Copy the value of the new generated Shared Token key.
  8. Update the token key in the MDM system:
    1. Log in to the MDM system, and go to the app config settings page.
    2. Update the token key named PINGID_MDM_TOKEN.
    3. Delete the existing key value, and in its place, paste the value of the new Shared Token key, copied from the PingID admin portal.
    Refer to examples for the supported MDM systems:
  9. Identify and locate the old token to be revoked.
    Note:

    The generated date following each token indicates the date and time of its creation.


    Screen capture of the expanded Mobile Device Management Required section.
  10. Click Revoke to remove the old token's associated key.
    Note:

    A minimum of one token must be retained. When there is only one token, clicking Revoke will offer the option to replace the existing token with a new generated token.



    CAUTION:

    If a new token was generated as the result of revoking the single listed token, all devices will be prevented from authenticating until the new token value is both updated in the MDM and distributed to all devices. Consider setting the Effective Date to a future date to permit time for distribution of the new token to all devices.

  11. Click Save.