It is normally not best practice but if it is required to enforce a change of PIN for a managed credential then this is possible to configure within vSEC:CMS. Follow the instructions in this article to see how you can configure this.
Configuration Server Side
From Templates - PIN Policies click Add.
Enter a template name and from the Card type drop-down box select the appropriate card type that the template will be used with. In this example we will use IDPrime.
Enable Server managed PIN policy checkbox and in the Change PIN after field enter the number of days when the change PIN will be triggered for the managed end user credential.
It is important to be aware that the change PIN is triggered from the vSEC:CMS on the server-side. It is not a flag/setting that is configured on the credential. Therefore a user could choose to ignore this change request which in this case would mean that the credential would remain operational. However you can configure the change notification to display an always-on-top dialog on the end users client host to coerce the user to change the PIN.
Click the Configure button to create notification periods that can be used to remind the user that they need to change their PIN.
Click Add rename the Title if required and in the Period Configuration enter the number of days from when this notification will be triggered in the From and To fields. For example, below this notification will be triggered 10 days before change PIN was configured for change as set in the Change PIN after field. Enable the Force period if you want to make sure that the end user cannot close the change PIN dialog when the user logs onto their PC (see Configuration Client Side below for details on using the client side component).
In the Notification section enable the Enable Notification checkbox and enter the frequency which the notification will be sent. Click the Configure Notification button to configure the notification that will be sent. This can either be an email or SMS.
If an email or SMS is to be sent you will need to have already configured a connector for email or SMS from Options - Connections. For example, see the section Configure Email Connection in this article for instructions on how to set up a connector for email and how you can configure the actual email template that the same principle applies here if configuring an email notification.
Click Ok to save and close the configuration.
If you want to force the end user to change their PIN when they first use their managed credential then enable Manage Force PIN change server-side. It will be necessary to have the Automatically initiate cards after issuance checkbox enabled in the Issue Card section of the credential template for this feature to function. Also you need to configure the Initiate Card in the template and enable System set user PIN and configure the PIN to be exported and set the checkbox Force change at first use.
When you now create a credential template from Templates - Card Templates in the Issue Card section you should enable the Apply PIN Policy checkbox and select the PIN policy template created from the drop-down box.
If you are planning to test this in your environment then it is important that the issued credential that you are testing has been initiated, i.e. that the PIN has been set on the credential. Additionally, a background thread runs once a day to determine if a managed credential PIN needs to be changed. Therefore, if you are testing you can trigger this background thread to run by restarting the vSEC:CMS services and then log on once to the vSEC:CMS console. You should see in Repository - Smart Cards that the managed credential Status has a flag stating: PIN change needed.
Configuration Client Side
On any client host where the managed credential is used it will be necessary to have the vSEC:CMS User Self-Service (USS) client installed. See the article vSEC:CMS User Self-Service that describes how to use the USS.
The USS should be running in system tray mode in order for the detection to be made that a managed credential PIN needs to be changed. Again refer to the article vSEC:CMS User Self-Service that describes how this can be configured and used.