Organizational security policies might require periodic rotation of MDM tokens to prevent use of old tokens for authentication.
Rotation is implemented by adding a new token, distributing it to all managed devices, and then removing (revoking) the old token.
More than one token should coexist to permit token rotation without blocking users from authentication.
In the admin console, go to
- In the Device Requirements section, click +Add.
- In the Select a Condition list, click Mobile Device Management.
- Click the Expand icon for the Mobile Device Management Required section to expand the section.
Click +Generate New Token to create a new PingID key for
The Generated date below each token indicates the date and time of its creation.
- Click Save.
- Copy the value of the newly generated Shared Token key.
Update the token key in the MDM system:
Refer to examples for the supported MDM systems:
- Log in to the MDM system, and go to the app config settings page.
- Update the token key named PINGID_MDM_TOKEN.
- Delete the existing key value, and in its place, paste the value of the new Shared Token key, copied from the PingID admin portal.
Identify and locate the old token to be revoked.
The generated date following each token indicates the date and time of its creation.
Click Revoke to remove the old token's associated
A minimum of one token must be retained. When there is only one token, clicking Revoke offers the option to replace the existing token with a newly generated token.
If a new token was generated as the result of revoking the single listed token, all devices will be prevented from authenticating until the new token value is both updated in the MDM and distributed to all devices. Consider setting the Effective Date to a future date to permit time for distribution of the new token to all devices.
- Click Save.
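Before revoking the old token, it helps to confirm that no device still depends on it. The following is an added example, not code from PingID or any MDM vendor: it assumes a hypothetical per-device CSV report (`device_id`, `token_fp`, `last_checkin`) exported from the MDM, where `token_fp` is a short SHA-256 fingerprint of the deployed PINGID_MDM_TOKEN value. All tokens, dates and rows are constructed.

```python
import csv
import hashlib
import io
from datetime import datetime

def fingerprint(token: str) -> str:
    """Short SHA-256 fingerprint, so the report never carries the token itself."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]

# Constructed values for illustration only (not real tokens or dates).
OLD_TOKEN = "constructed-old-token"
NEW_TOKEN = "constructed-new-token"
GENERATED_AT = datetime(2024, 5, 1, 12, 0)  # "Generated" date of the new token

# Constructed report in a hypothetical layout: one row per managed device, with
# token_fp = fingerprint of the PINGID_MDM_TOKEN value last confirmed on it.
SAMPLE_REPORT = f"""device_id,token_fp,last_checkin
ios-001,{fingerprint(NEW_TOKEN)},2024-05-03T09:15:00
ios-002,{fingerprint(OLD_TOKEN)},2024-05-02T18:40:00
and-003,{fingerprint(OLD_TOKEN)},2024-04-20T07:05:00
and-004,,2024-05-03T11:00:00
"""

def revocation_blockers(report_csv, new_token, generated_at):
    """Map device_id -> reason for every device that would fail after Revoke."""
    new_fp = fingerprint(new_token)
    blockers = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["token_fp"].strip() == new_fp:
            continue  # device already holds the new token
        checkin = datetime.fromisoformat(row["last_checkin"])
        if checkin < generated_at:
            # Has not contacted the MDM since the new token existed: wait for it.
            blockers[row["device_id"]] = "offline since new token was generated"
        else:
            # Checked in but the app config did not land: investigate the push.
            blockers[row["device_id"]] = "checked in without receiving new token"
    return blockers

def safe_to_revoke(report_csv, new_token, generated_at):
    """True only when every device in the report holds the new token."""
    return not revocation_blockers(report_csv, new_token, generated_at)

if __name__ == "__main__":
    for device, reason in revocation_blockers(SAMPLE_REPORT, NEW_TOKEN, GENERATED_AT).items():
        print(f"{device}: {reason}")
    print("safe to revoke old token:", safe_to_revoke(SAMPLE_REPORT, NEW_TOKEN, GENERATED_AT))
```

Devices reported as offline will pick up the new token at their next check-in, while devices that checked in without it point to a failed app-config push that should be resolved before the old token is revoked.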