Overview
Managed configurations are part of a specification developed by Google and the Android community. They allow for remote configuration of installed applications and devices via any Enterprise Mobility Management (EMM) system, like Zebra DNA Cloud, that supports this specification.
Identity Guardian offers multiple setting categories, each associated with a specific bundle. The parameters for each configuration are outlined in the tables within this guide. These settings cover the device usage method (either shared or personally assigned), device enrollment, and user authentication. User authentication specifies both the comparison source (for example, a barcode for shared devices or device storage for personal devices) and the authentication methods (such as SSO, facial biometrics or passcode).
Use with Enterprise Home Screen:
Identity Guardian can be used in conjunction with Zebra's Enterprise Home Screen (EHS). If EHS is in use, ensure that the roles defined are consistent with those specified for Identity Guardian.
EMM
The features of a given app that are manageable using Managed Configurations are defined in its schema. The Identity Guardian schema becomes accessible once the APK is uploaded to the EMM, either as an Enterprise app or to its app store. The schema defines the features available for consumption by the EMM and provides the information necessary to present the app's management UI within the EMM console. This data-driven UI method allows delivery of new features and their corresponding UI attributes as soon as they become available, without the need to download a new .EXE. The Identity Guardian management UI varies slightly depending on the EMM system in use.
For procedures on implementing configuration policies through EMM and video demonstrations, refer to the EMM Setup guide.
ZDNA Cloud
For procedures on implementing configuration policies through Zebra DNA Cloud, refer to the ZDNA Cloud setup guide. For additional information on the use of ZDNA Cloud, refer to the ZDNA Cloud documentation.
Usage Mode
Choose the operation mode for Identity Guardian and, if desired, select the logging level.
For shared devices, separate profiles for Enrollment and Authentication are required, as specified in the "Application Mode".
For personally assigned devices, the "PERSONALLY_ASSIGNED" option in "Application Mode" combines both Enrollment and Authentication configurations into a single profile.
The subsequent sections of this guide provide options for Enrollment Configuration and Authentication Configuration respectively.
Name | Key | Value(s) | Display Name | Description |
---|---|---|---|---|
Application Mode | APPLICATION_MODE | ENROLLMENT (default), AUTHENTICATION, PERSONALLY_ASSIGNED, PROXY | ENROLLMENT (default), AUTHENTICATION, PERSONALLY ASSIGNED, PROXY | Enrollment - Defines enrollment settings for shared devices; see Enrollment Configuration. After user enrollment, a unique personalized barcode is created. Authentication - Defines authentication settings for shared devices; see Authentication Configuration. Personally Assigned - Defines both Enrollment and Authentication settings for a user on personally assigned devices. Proxy - Allows apps to monitor user sign-in/sign-out events; see Proxy Mode. |
Log Level | logLevel | 0, 1 (default), 2 | 0, 1 (default), 2 | Specify the level of information to log: • 0 - Debug; logs minimal information for basic troubleshooting • 1 - Informational; logs general system and operational information • 2 - Verbose; logs detailed information, including biometric data, which is stored on the device at /data/tmp/public/IdentityGuardian |
Enrollment Configuration
Configure Identity Guardian for user enrollment.
Note: Colored rows indicate a parent option.
Name | Key | Value(s) | Display Name | Description |
---|---|---|---|---|
Number of facial images to be enrolled | FACE_VECTOR_COUNT | 0, 1, 2, 3 | None, One Face (default), Two Faces, Three Faces | Choose the number of facial images to be provided by the user during enrollment (up to 3) |
Get Role Data? | enableRoleDataUI | 1, 0 | true (default), false | Choose whether to prompt the user to select a "Role" during enrollment |
Allow facial opt-out? | userFaceBiometricOptOut | 1, 0 | true, false (default) | Choose whether to allow the user to skip facial enrollment; other methods remain enforced |
Set Expiration Date? | enableExpiryDateUI | 1, 0 | true (default), false | Choose whether to prompt the user for an enrollment expiration date |
List Roles | listOfRoles | [string] | Manager, Associate | Enter a list of roles for selection by the enrollee, each role separated by a comma. NOTE: If Enterprise Home Screen is in use, ensure that the roles defined there are consistent with those specified here. |
Enable/Disable Corporate PIN | enableDisablePin | 1, 0 | true (default), false | Select whether to require the user to enter a corporate PIN for access |
Corporate PIN | adminCorporatePin | [string] | [enter PIN] | Enter a six-digit numeric PIN for enrollment |
Enrollment Key | enrollmentKey | [string] | [enter enrollment key] | Enter the encrypted public key for enrollment. This key encrypts biometric data and is applicable only to shared devices. See Generate Enrollment Key for instructions. Zebra recommends using customer-specific keys for enhanced security. |
Custom T&C Configuration | customTCConfiguration | | | Configure custom Terms & Conditions (T&C) for the application |
Display Custom T&C | showCustomTC | 1, 0 | true, false (default) | Select whether to display a custom Terms & Conditions tab |
T&C Tab Title | customTCTitle | [string] | [enter T&C title] | Enter a title for the Terms & Conditions tab |
Custom T&C Content | customTCContent | [string] | [enter T&C content] | Enter the content to be displayed on the custom Terms & Conditions tab |
Custom T&C URL | customTCUrl | [string] | [enter T&C url] | Enter a URL that contains custom and/or additional Terms & Conditions information |
Passcode Rules | passcodeConfiguration | | | Specify the rules for the passcode |
Select Passcode Type | passwordType | Numeric, AlphaNumeric | Numeric, AlphaNumeric | Choose the passcode type, either numeric only or a combination of alphanumeric characters |
Minimum Length | passCodeRuleMinLength | [integer] | 6 (default) | Enter the minimum number of characters to accept for the passcode |
Minimum Uppercase Letters | passCodeRuleMinUppercase | 0, 1 | 0 (default), 1 | Select the minimum number of uppercase letters to accept for the passcode |
Minimum Lower Letters | passCodeRuleMinLowercase | 0, 1 | 0 (default), 1 | Select the minimum number of lowercase letters to accept for the passcode |
Minimum Numbers | passCodeRuleMinNumbers | 0, 1 | 0 (default), 1 | Select the minimum number of digits to accept for the passcode |
Minimum Symbols | passCodeRuleMinSymbols | 0, 1 | 0 (default), 1 | Select the minimum number of symbols or special characters to accept for the passcode. Acceptable symbols are: !,@,#,$,%,^,&,,-,_,?, |
Generate Enrollment Key
To generate the encrypted key value for the public key, use the Data Encryption Tool with the following command:

```shell
java -jar DataSecurity-1.0.jar -d <data> -p com.zebra.mdna.els -s <IDG_SIGNATURE>
```

Instructions for running the command:
1. Download DataSecurity-1.0.zip and extract the file DataSecurity-1.0.jar.
2. Replace <IDG_SIGNATURE> with the following:
3. Replace <data> with your public certificate key.
4. Run the following command with the values replaced in the previous steps:

```shell
java -jar DataSecurity-1.0.jar -d <data> -p com.zebra.mdna.els -s <IDG_SIGNATURE>
```

5. Copy the resulting encrypted public key value and paste it into Enrollment Key in the managed configuration.
Authentication Configuration
Configure Identity Guardian for user verification and authentication. Create up to four unique authentication schemes and define the specific options for each one. Then, for any given event option, choose the authentication scheme to apply. Each authentication scheme includes the following:
- Primary Authentication Factor - The first method used to verify a user's identity.
  - If primary authentication fails and secondary authentication is not activated, the fallback authentication method is triggered.
  - If secondary authentication is enabled and activated, it is triggered next.
- Secondary Authentication Factor - An optional second method of verification; once activated it is mandatory, which establishes a two-factor authentication process.
  - If secondary authentication fails, the fallback authentication method is triggered.
- Fallback Authentication Method - An alternate method used for verification when the primary or secondary authentication method fails.
Note: Colored rows indicate a parent option.
Name | Key | Value(s) | Display Name | Description |
---|---|---|---|---|
User Verification Methods | authenticationSchemes | | | Select the user verification setup method |
Verification Setup1 | authenticationScheme1 | | | Verification Setup1 |
Comparison Source | authenticationScheme1ComparisonSource | NONE, BARCODE, DEVICE STORAGE, LEGACY BARCODE | NONE, BARCODE (default), DEVICE STORAGE, LEGACY BARCODE | Select LEGACY BARCODE for either shared or personal devices to accept simple, unencrypted 1D user barcodes; Legacy Barcode Prefix is then required under Verification Setup. For shared devices, select BARCODE; users are then prompted to scan their unique, encrypted barcode before proceeding with the primary authentication method. If shared devices use SSO as the primary authentication method without a barcode, select NONE. For personal devices, select DEVICE STORAGE; the user is prompted to proceed with the primary authentication method. |
Primary Authentication Method | authenticationScheme1PrimaryAuthMethod | | | Select the user authentication method |
Primary Authentication Factor | authenticationScheme1PrimaryAuthMethodFactor1 | FACE, PASSCODE, SSO, NO_COMPARISON | FACE (default), PASSCODE, SSO, NO_COMPARISON | Set the primary method for user authentication |
Secondary Authentication Factor | authenticationScheme1PrimaryAuthMethodFactor2 | FACE, PASSCODE, SSO, NONE | FACE, PASSCODE (default), SSO, NONE | Set the secondary method for user authentication |
Fallback Authentication Method | authenticationScheme1FallbackAuthMethod | NONE, PASSCODE, FACE, SSO, ADMIN_BYPASS_PASSCODE | NONE, PASSCODE (default), FACE, SSO, ADMIN_BYPASS_PASSCODE | Choose a backup authentication method if the primary one fails: • None - No further authentication • Passcode - User enters a passcode • Face - User provides facial biometrics • SSO - User signs in through SSO • Admin Bypass Passcode - User enters an admin-set bypass code; applicable only if Passcode is the primary or secondary authentication factor |
Primary Authentication Timeout | authenticationScheme1PrimaryAuthTimeout | [integer] | 20000 (default) | Set the timeout (in milliseconds) for primary authentication. Zebra recommends a longer timeout period, such as 300000 (5 minutes), to allow sufficient time for user login. |
Fallback Authentication Timeout | authenticationScheme1FallbackAuthTimeout | [integer] | 20000 (default) | Set the timeout (in milliseconds) for fallback authentication |
Legacy Barcode Options | authenticationScheme1legacyBarcodeOptions | bundle | | Settings for the Legacy Barcode option |
Legacy Barcode Prefix | authenticationScheme1legacyBarcodePrefix | [string] | [enter string] | Enter the prefix required for validating the scanned user barcode. Without the prefix, the user cannot be authenticated. |
Verification Setup2 | authenticationScheme2 | | | Verification Setup2 |
Comparison Source | authenticationScheme1ComparisonSource | NONE, BARCODE, DEVICE STORAGE, LEGACY BARCODE | NONE, BARCODE (default), DEVICE STORAGE, LEGACY BARCODE | Select LEGACY BARCODE for either shared or personal devices to accept simple, unencrypted 1D user barcodes; Legacy Barcode Prefix is then required under Verification Setup. For shared devices, select BARCODE; users are then prompted to scan their unique, encrypted barcode before proceeding with the primary authentication method. If shared devices use SSO as the primary authentication method without a barcode, select NONE. For personal devices, select DEVICE STORAGE; the user is prompted to proceed with the primary authentication method. |
Primary Authentication Method | authenticationScheme2PrimaryAuthMethod | | | Select the user authentication method |
Primary Authentication Factor | authenticationScheme2PrimaryAuthMethodFactor1 | FACE, PASSCODE, SSO, NO_COMPARISON | FACE (default), PASSCODE, SSO, NO_COMPARISON | Set the primary method for user authentication |
Secondary Authentication Factor | authenticationScheme2PrimaryAuthMethodFactor2 | FACE, PASSCODE, SSO, NONE | FACE, PASSCODE (default), SSO, NONE | Set the secondary method for user authentication |
Fallback Authentication Method | authenticationScheme2FallbackAuthMethod | NONE, PASSCODE, FACE, SSO, ADMIN_BYPASS_PASSCODE | NONE, PASSCODE (default), FACE, SSO, ADMIN_BYPASS_PASSCODE | Choose a backup authentication method if the primary one fails: • None - No further authentication • Passcode - User enters a passcode • Face - User provides facial biometrics • SSO - User signs in through SSO • Admin Bypass Passcode - User enters an admin-set bypass code; applicable only if Passcode is the primary or secondary authentication factor |
Primary Authentication Timeout | authenticationScheme2PrimaryAuthTimeout | [integer] | 20000 (default) | Set the timeout (in milliseconds) for primary authentication. Zebra recommends a longer timeout period, such as 300000 (5 minutes), to allow sufficient time for user login. |
Fallback Authentication Timeout | authenticationScheme2FallbackAuthTimeout | [integer] | 20000 (default) | Set the timeout (in milliseconds) for fallback authentication |
Legacy Barcode Options | authenticationScheme1legacyBarcodeOptions | bundle | | Settings for the Legacy Barcode option |
Legacy Barcode Prefix | authenticationScheme1legacyBarcodePrefix | [string] | [enter string] | Enter the prefix required for validating the scanned user barcode. Without the prefix, the user cannot be authenticated. |
Verification Setup3 | authenticationScheme3 | | | Verification Setup3 |
Comparison Source | authenticationScheme1ComparisonSource | NONE, BARCODE, DEVICE STORAGE, LEGACY BARCODE | NONE, BARCODE (default), DEVICE STORAGE, LEGACY BARCODE | Select LEGACY BARCODE for either shared or personal devices to accept simple, unencrypted 1D user barcodes; Legacy Barcode Prefix is then required under Verification Setup. For shared devices, select BARCODE; users are then prompted to scan their unique, encrypted barcode before proceeding with the primary authentication method. If shared devices use SSO as the primary authentication method without a barcode, select NONE. For personal devices, select DEVICE STORAGE; the user is prompted to proceed with the primary authentication method. |
Primary Authentication Method | authenticationScheme3PrimaryAuthMethod | | | Select the user authentication method |
Primary Authentication Factor | authenticationScheme3PrimaryAuthMethodFactor1 | FACE, PASSCODE, SSO, NO_COMPARISON | FACE (default), PASSCODE, SSO, NO_COMPARISON | Set the primary method for user authentication |
Secondary Authentication Factor | authenticationScheme3PrimaryAuthMethodFactor2 | FACE, PASSCODE, SSO, NONE | FACE, PASSCODE (default), SSO, NONE | Set the secondary method for user authentication |
Fallback Authentication Method | authenticationScheme3FallbackAuthMethod | NONE, PASSCODE, FACE, SSO, ADMIN_BYPASS_PASSCODE | NONE, PASSCODE (default), FACE, SSO, ADMIN_BYPASS_PASSCODE | Choose a backup authentication method if the primary one fails: • None - No further authentication • Passcode - User enters a passcode • Face - User provides facial biometrics • SSO - User signs in through SSO • Admin Bypass Passcode - User enters an admin-set bypass code; applicable only if Passcode is the primary or secondary authentication factor |
Primary Authentication Timeout | authenticationScheme3PrimaryAuthTimeout | [integer] | 20000 (default) | Set the timeout (in milliseconds) for primary authentication. Zebra recommends a longer timeout period, such as 300000 (5 minutes), to allow sufficient time for user login. |
Fallback Authentication Timeout | authenticationScheme3FallbackAuthTimeout | [integer] | 20000 (default) | Set the timeout (in milliseconds) for fallback authentication |
Legacy Barcode Options | authenticationScheme1legacyBarcodeOptions | bundle | | Settings for the Legacy Barcode option |
Legacy Barcode Prefix | authenticationScheme1legacyBarcodePrefix | [string] | [enter string] | Enter the prefix required for validating the scanned user barcode. Without the prefix, the user cannot be authenticated. |
Verification Setup4 | authenticationScheme4 | | | Verification Setup4 |
Comparison Source | authenticationScheme1ComparisonSource | NONE, BARCODE, DEVICE STORAGE, LEGACY BARCODE | NONE, BARCODE (default), DEVICE STORAGE, LEGACY BARCODE | Select LEGACY BARCODE for either shared or personal devices to accept simple, unencrypted 1D user barcodes; Legacy Barcode Prefix is then required under Verification Setup. For shared devices, select BARCODE; users are then prompted to scan their unique, encrypted barcode before proceeding with the primary authentication method. If shared devices use SSO as the primary authentication method without a barcode, select NONE. For personal devices, select DEVICE STORAGE; the user is prompted to proceed with the primary authentication method. |
Primary Authentication Method | authenticationScheme4PrimaryAuthMethod | | | Select the user authentication method |
Primary Authentication Factor | authenticationScheme4PrimaryAuthMethodFactor1 | FACE, PASSCODE, SSO, NO_COMPARISON | FACE (default), PASSCODE, SSO, NO_COMPARISON | Set the primary method for user authentication |
Secondary Authentication Factor | authenticationScheme4PrimaryAuthMethodFactor2 | FACE, PASSCODE, SSO, NONE | FACE, PASSCODE (default), SSO, NONE | Set the secondary method for user authentication |
Fallback Authentication Method | authenticationScheme4FallbackAuthMethod | NONE, PASSCODE, FACE, SSO, ADMIN_BYPASS_PASSCODE | NONE, PASSCODE (default), FACE, SSO, ADMIN_BYPASS_PASSCODE | Choose a backup authentication method if the primary one fails: • None - No further authentication • Passcode - User enters a passcode • Face - User provides facial biometrics • SSO - User signs in through SSO • Admin Bypass Passcode - User enters an admin-set bypass code; applicable only if Passcode is the primary or secondary authentication factor |
Primary Authentication Timeout | authenticationScheme4PrimaryAuthTimeout | [integer] | 20000 (default) | Set the timeout (in milliseconds) for primary authentication. Zebra recommends a longer timeout period, such as 300000 (5 minutes), to allow sufficient time for user login. |
Fallback Authentication Timeout | authenticationScheme4FallbackAuthTimeout | [integer] | 20000 (default) | Set the timeout (in milliseconds) for fallback authentication |
Legacy Barcode Options | authenticationScheme1legacyBarcodeOptions | bundle | | Settings for the Legacy Barcode option |
Legacy Barcode Prefix | authenticationScheme1legacyBarcodePrefix | [string] | [enter string] | Enter the prefix required for validating the scanned user barcode. Without the prefix, the user cannot be authenticated. |
Authentication Data Storage | temporaryDataConfiguration | | | Configure settings to allow temporary storage of user authentication data on the device, so that a single barcode scan suffices for initial use on shared devices. This removes the need for repeated barcode scans during events such as device unlock, reboot, and connecting to or disconnecting from power. If configured, subsequent device access prompts for primary or secondary authentication. A barcode scan remains mandatory whenever a user manually logs out from Identity Guardian, or a new user signs in following the previous user's sign-out. NOTE: If Force Logout is enabled, a barcode scan is prompted for every triggered event. |
Store Authentication Data | enableTempStorageTimeout | 1, 0 | true, false (default) | Choose whether to enable temporary storage of user authentication data on the device for the specified Storage Period. This removes the need to rescan a barcode after the initial one-time scan on shared devices. |
Storage Period | tempStorageTimeout | [integer] 1 to 12 | Integer 1 to 12 (default) | Select the length of time (in hours) to temporarily store user authentication data on the device, so that a single barcode scan suffices for initial use on shared devices. After the time elapses, the lock screen appears on the device and the authentication data is deleted. |
Snooze Time | tempStorageSnoozeTimeout | [integer] 30 to 300 | 120 (default) | Enter the time (in seconds) by which to postpone the display of the lock screen and the removal of user authentication data from temporary storage. |
Timeout Delay Title | tempStorageSnoozeTitle | [string] | [enter string] | Enter the title for the device lock warning notification shown before user authentication data is removed from temporary storage. |
Timeout Delay Description | tempStorageSnoozeDescription | [string] | [enter string] | Enter the alert message for the device lock notification, warning the user that the device will be locked soon, which triggers the removal of user authentication data from temporary storage. |
Lock-screen Event Options | LockScreenShowOption | | | Choose the verification method that is triggered by the event that causes the device screen to lock |
On Unlock | Bundle_LockScreenShowOptionUnlock | | | Select the option(s) required following a device event that unlocks the screen |
Verification Setup | on_unlock | authenticationScheme1, authenticationScheme2, authenticationScheme3, authenticationScheme4, NONE | Verification Setup1 (default), Verification Setup2, Verification Setup3, Verification Setup4, None | Select the verification required following a device event that unlocks the screen |
Alternative Verification Setup | on_unlock | authenticationScheme1, authenticationScheme2, authenticationScheme3, authenticationScheme4, NONE | Verification Setup1, Verification Setup2, Verification Setup3, Verification Setup4, None (default) | Select the verification required for Alternative Login after the device unlocks |
On Reboot | Bundle_LockScreenShowOptionReboot | | | Select the option(s) required after a device reboot |
Verification Setup | on_reboot | authenticationScheme1, authenticationScheme2, authenticationScheme3, authenticationScheme4, NONE | Verification Setup1, Verification Setup2 (default), Verification Setup3, Verification Setup4, None | Select the verification required after a device reboot |
Alternative Verification Setup | on_reboot | authenticationScheme1, authenticationScheme2, authenticationScheme3, authenticationScheme4, NONE | Verification Setup1, Verification Setup2, Verification Setup3, Verification Setup4, None (default) | Select the verification required for Alternative Login after the device unlocks |
On AC power connected | Bundle_LockScreenShowOptionACPowerCon | | | Select the option(s) required upon connection to AC power |
Verification Setup | on_ac_power_connected | authenticationScheme1, authenticationScheme2, authenticationScheme3, authenticationScheme4, NONE | Verification Setup1, Verification Setup2, Verification Setup3 (default), Verification Setup4, None | Select the verification required upon connection to AC power |
Alternative Verification Setup | on_ac_power_connected | authenticationScheme1, authenticationScheme2, authenticationScheme3, authenticationScheme4, NONE | Verification Setup1, Verification Setup2, Verification Setup3, Verification Setup4, None (default) | Select the verification required for Alternative Login after the device unlocks |
On AC Power Disconnection | Bundle_LockScreenShowOptionACPowerDisCon | | | Select the option(s) required upon disconnection from AC power |
Verification Setup | on_ac_power_disconnected | authenticationScheme1, authenticationScheme2, authenticationScheme3, authenticationScheme4, NONE | Verification Setup1, Verification Setup2, Verification Setup3 (default), Verification Setup4, None | Select the verification required upon disconnection from AC power |
Alternative Verification Setup | on_ac_power_disconnected | authenticationScheme1, authenticationScheme2, authenticationScheme3, authenticationScheme4, NONE | Verification Setup1, Verification Setup2, Verification Setup3, Verification Setup4, None (default) | Select the verification required for Alternative Login after the device unlocks |
On device manual checkin | Bundle_LockScreenShowOptionManualCheckin | | | Select the option(s) required when the user manually signs in to the device |
Verification Setup | on_device_manual_checkin | authenticationScheme1, authenticationScheme2, authenticationScheme3, authenticationScheme4, NONE | Verification Setup1, Verification Setup2, Verification Setup3 (default), Verification Setup4, None (default) | Select the verification required when a user manually signs in to the device |
Alternative Verification Setup | on_device_manual_checkin | authenticationScheme1, authenticationScheme2, authenticationScheme3, authenticationScheme4, NONE | Verification Setup1, Verification Setup2, Verification Setup3, Verification Setup4, None (default) | Select the verification required for Alternative Login after the device unlocks |
On user change | Bundle_LockScreenShowOptionUserChange | | | Select the option(s) required when a new user signs in to the device after the previous user was automatically signed out, for example by a Force Logout action or because the device went idle. |
Verification Setup | on_device_manual_checkin | authenticationScheme1, authenticationScheme2, authenticationScheme3, authenticationScheme4, NONE | Verification Setup1, Verification Setup2, Verification Setup3 (default), Verification Setup4, None | Select the verification required when a new user signs in to the device |
Alternative Verification Setup | on_device_manual_checkin | authenticationScheme1, authenticationScheme2, authenticationScheme3, authenticationScheme4, NONE | Verification Setup1, Verification Setup2, Verification Setup3, Verification Setup4, None (default) | Select the verification required for Alternative Login after the device unlocks |
Force Logout Options | ForceLogoutShowOption | | | Choose whether to automatically log out the user on certain device events. |
On Lock | forceLogout_on_lock | 1, 0 | true, false (default) | Choose whether to automatically log out the user when the device screen locks |
On Reboot | forceLogout_on_reboot | 1, 0 | true, false (default) | Choose whether to automatically log out the user when the device reboots |
On AC power connected | forceLogout_on_ac_power_connected | 1, 0 | true, false (default) | Choose whether to automatically log out the user when the device is connected to AC power |
On AC power disconnected | forceLogout_on_ac_power_disconnected | 1, 0 | true, false (default) | Choose whether to automatically log out the user when the device is disconnected from AC power |
Expire Barcodes | expireBarcodes | | | Choose whether to set an expiration date for the barcode |
Automatic Barcode Expiration | expireBasedOnExpiryDate | 1, 0 | true, false (default) | The barcode is valid up to the expiration date. After it expires, the barcode cannot be scanned. |
Authentication Key | authenticationKey | | | Enter the encrypted private key. This key decrypts the biometric data and is applicable only to shared devices. See Generate Authentication Key for instructions. Zebra recommends using customer-specific keys for enhanced security. |
Enable ForceLock After Timeout | enableForceLockAfterTimeout | 1, 0 | true, false (default) | Choose whether the device should automatically lock after the timeout period |
Force Lock Timeout | forceLockTimeout | [integer] | 240 (default) | Enter the time (in minutes) after which the warning notification appears before the device locks |
Snooze Time | snoozeTimeout | [integer] | 120 (default) | Enter the delay (in seconds) before the device locks once the warning notification is displayed |
Snooze Title | snoozeTitle | [string] | You will be locked out soon (default) | Enter the title for the device lock warning notification |
Snooze Desc | snoozeDescription | [string] | [enter text] | Enter the message for the device lock warning notification |
Admin Bypass Passcode | adminSpecifiedPIN | | | Choose whether to allow an admin-specified passcode to bypass the user-specified passcode. When in use, user accountability is not enforced. |
Passcodes | pins | | | Choose whether to permit the use of this passcode. Multiple passcodes can be added, each toggled on/off individually. |
Group Name | key | [string] | [enter string] | Enter the group name that identifies the user's affiliation when they input the passcode. Length: 4-256 characters. |
PIN/Passcode | value | [string] | [enter string] | Enter the alternate PIN/passcode for this group, available to users as an alternative to the original one. Length: 6-12 characters. |
Generate Authentication Key
To generate the encrypted key value for the private key, use the Data Encryption Tool with the following command:

```shell
java -jar DataSecurity-1.0.jar -d <data> -p com.zebra.mdna.els -s <IDG_SIGNATURE>
```

Instructions for running the command:
1. Download DataSecurity-1.0.zip and extract the file DataSecurity-1.0.jar.
2. Replace <IDG_SIGNATURE> with the following:
3. Replace <data> with your private certificate key.
4. Run the following command with the values replaced in the previous steps:

```shell
java -jar DataSecurity-1.0.jar -d <data> -p com.zebra.mdna.els -s <IDG_SIGNATURE>
```

5. Copy the resulting encrypted private key value and paste it into Authentication Key in the managed configuration.
Facial Authentication Configuration
Configure Identity Guardian for Facial Authentication
Configuration Name | Key | Value(s) | Display Name | Description |
---|---|---|---|---|
Liveness Threshold | livenessThreshold | 96, 94, 91, 88, 86, Custom | High, Medium/High (default), Medium, Medium/Low, Low, Custom | Higher values offer greater security; lower values provide faster authentication. • High - The facial algorithm is most strict and ensures that liveness and other thresholds are met before granting access. May result in some false positives. • Medium/High (default) - Moderately strict • Medium - Middle ground in strictness • Medium/Low - Slightly strict • Low - Least strict; best for environments with poor lighting and difficulty identifying users. Best used for low-risk environments (e.g. a warehouse), since this may allow some spoofing. |
Face Liveness Threshold | faceLivenessThreshold | [integer value] | [enter integer between 80 and 100] | Enter a custom Liveness Threshold (from 80 to 100) for facial authentication. NOTE: Only use this under the guidance of a Zebra technician. |
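The tables above state a number of constraints and cross-field rules (six-digit corporate PIN, LEGACY BARCODE needing a prefix, Admin Bypass Passcode only with a PASSCODE factor, the 1-12 hour and 30-300 second storage limits, the 80-100 custom liveness range) and flag settings that weaken a deployment (Verbose logging of biometric data, empty keys, admin bypass). The following audit script is an added example, not Zebra's code; the nested-dict payload layout and the short scheme sub-keys ("Factor1", "legacyBarcodePrefix") are assumptions, since an EMM may present the same keys differently.

```python
"""Audit an Identity Guardian managed-configuration payload against the
constraints stated in this guide. Added example, not Zebra's code; the
payload layout and scheme sub-keys are assumptions for the example."""
import re

ADMIN_BYPASS = {"ADMIN_BYPASS_PASSCODE", "ADMIN BYPASS PASSCODE"}


def check_usage_mode(cfg):
    findings = []
    if cfg.get("logLevel") == 2:
        # the guide states that Verbose logging stores biometric data on the device
        findings.append("warn: logLevel 2 (Verbose) stores biometric data under "
                        "/data/tmp/public/IdentityGuardian; use only while troubleshooting")
    return findings


def check_enrollment(cfg):
    findings = []
    if cfg.get("enableDisablePin") == 1:
        if not re.fullmatch(r"\d{6}", str(cfg.get("adminCorporatePin", ""))):
            findings.append("error: adminCorporatePin must be a six-digit numeric PIN")
    rules = cfg.get("passcodeConfiguration", {})
    if rules.get("passwordType") == "Numeric":
        # inferred: a numeric-only passcode can never contain letters or symbols
        for k in ("passCodeRuleMinUppercase", "passCodeRuleMinLowercase",
                  "passCodeRuleMinSymbols"):
            if rules.get(k, 0):
                findings.append(f"error: {k} cannot be satisfied by a Numeric passcode")
    if not cfg.get("enrollmentKey"):
        findings.append("warn: enrollmentKey is empty; Zebra recommends a customer-specific key")
    return findings


def check_scheme(name, s):
    findings = []
    f1, f2 = s.get("Factor1", "FACE"), s.get("Factor2", "PASSCODE")
    fb = s.get("FallbackAuthMethod", "PASSCODE")
    if s.get("ComparisonSource") == "LEGACY BARCODE" and not s.get("legacyBarcodePrefix"):
        findings.append(f"error: {name}: LEGACY BARCODE requires a Legacy Barcode Prefix")
    if fb in ADMIN_BYPASS:
        if "PASSCODE" not in (f1, f2):
            findings.append(f"error: {name}: Admin Bypass Passcode fallback is only applicable "
                            "when PASSCODE is the primary or secondary factor")
        else:
            findings.append(f"warn: {name}: Admin Bypass Passcode in use; "
                            "user accountability is not enforced")
    if s.get("PrimaryAuthTimeout", 20000) < 300000:
        findings.append(f"info: {name}: primary timeout is below the 300000 ms Zebra recommends")
    return findings


def check_authentication(cfg):
    findings = []
    for name, s in cfg.get("authenticationSchemes", {}).items():
        findings += check_scheme(name, s)
    ts = cfg.get("temporaryDataConfiguration", {})
    if ts.get("enableTempStorageTimeout") == 1:
        if not 1 <= ts.get("tempStorageTimeout", 1) <= 12:
            findings.append("error: tempStorageTimeout must be 1 to 12 hours")
        if not 30 <= ts.get("tempStorageSnoozeTimeout", 120) <= 300:
            findings.append("error: tempStorageSnoozeTimeout must be 30 to 300 seconds")
    for entry in cfg.get("adminSpecifiedPIN", {}).get("pins", []):
        if not 4 <= len(entry.get("key", "")) <= 256:
            findings.append("error: admin bypass group name must be 4-256 characters")
        if not 6 <= len(entry.get("value", "")) <= 12:
            findings.append("error: admin bypass passcode must be 6-12 characters")
    if not cfg.get("authenticationKey"):
        findings.append("warn: authenticationKey is empty; Zebra recommends a customer-specific key")
    return findings


def check_facial(cfg):
    findings = []
    if cfg.get("livenessThreshold") == "Custom":
        v = cfg.get("faceLivenessThreshold")
        if v is None or not 80 <= v <= 100:
            findings.append("error: faceLivenessThreshold must be 80 to 100 when Custom is selected")
    return findings


def audit(cfg):
    """Return every finding for the payload, in section order."""
    return (check_usage_mode(cfg) + check_enrollment(cfg)
            + check_authentication(cfg) + check_facial(cfg))


# Constructed sample payload that deliberately contains weak and invalid settings.
SAMPLE = {
    "APPLICATION_MODE": "AUTHENTICATION", "logLevel": 2,
    "enableDisablePin": 1, "adminCorporatePin": "12345",
    "passcodeConfiguration": {"passwordType": "Numeric", "passCodeRuleMinLength": 6,
                              "passCodeRuleMinUppercase": 1},
    "enrollmentKey": "<ENCRYPTED-PUBLIC-KEY-PLACEHOLDER>",
    "authenticationSchemes": {"authenticationScheme1": {
        "ComparisonSource": "LEGACY BARCODE", "Factor1": "FACE", "Factor2": "NONE",
        "FallbackAuthMethod": "ADMIN_BYPASS_PASSCODE", "PrimaryAuthTimeout": 300000}},
    "temporaryDataConfiguration": {"enableTempStorageTimeout": 1, "tempStorageTimeout": 24,
                                   "tempStorageSnoozeTimeout": 120},
    "adminSpecifiedPIN": {"pins": [{"key": "Ops", "value": "987654"}]},
    "authenticationKey": "<ENCRYPTED-PRIVATE-KEY-PLACEHOLDER>",
    "livenessThreshold": "Custom", "faceLivenessThreshold": 75,
}
```

Running `audit(SAMPLE)` reports eight findings, one per deliberate defect, so the payload can be corrected before it is pushed from the EMM.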
SSO Authentication Configuration
Configure Identity Guardian for single sign-on (SSO) authentication.
Configuration Name | Key | Value(s) | Display Name | Description |
---|---|---|---|---|
Single Sign On Provider | ssoProvider | Microsoft, PingId | Microsoft (default), PingId, Okta | Select the SSO provider in use |
Authentication Protocol | ssoProtocol | OAuth2.0 | OAuth2.0 | Select the authentication protocol to use for communication with your SSO server |
Scope | ssoScope | [string] | [enter string] | Enter the SSO scope, which defines limits on the quantity and type of data granted to an access token |
Configuration Settings | ssoConfigSettings | [string] | [enter string] | Enter the JSON-formatted configuration for SSO settings needed to communicate securely with the SSO server. This is taken from the Android app configuration from your SSO provider. Click here to download sample content. |
Userid identifier | ssoUseridIdentifier | [string] | [enter string] | Specify the user key for identifying the signed-in user, which is displayed in the zDNA Cloud and retrievable from the API. The user key, which could be a user name, preferred user name, or employee ID, can be found in the ID token or user information from the SSO response. |
SSO Mapping
Enable mapping of Identity Guardian user roles based on responses from single sign-on (SSO) service during employee login.
Note: Colored rows indicate a parent option.
Configuration Name | Key | Value(s) | Display Name | Description |
---|---|---|---|---|
SSO Mapping | roleSettings | 1, 0 | true, false | Enables recognition of the Single Sign-On (SSO) response and its mapping to application-specific roles. It provides the settings needed to align SSO data with the corresponding roles within the application, supporting role-based access control. Add one or more Role Identifiers. |
Role Identifier | roleNames | 1, 0 | true, false | Links a role in the SSO response to its corresponding role within the Identity Guardian app. Multiple Role Identifiers can be added, each toggled on/off individually. |
Identity Guardian Role Name | roleName | [string] | [enter string] | Enter the Identity Guardian user role to assign based on the SSO response during user sign-in (e.g. administrator, manager, user). |
Key-value pair for role assignment | ssoResponseKeys | [string] | [enter values and toggle on/off] | Add one or more SSO key-value pairs that identify and map users to a predefined Identity Guardian user role. |
SSO Key-Value Pair | ssoResponseKey | 1, 0 | true, false | Choose whether this SSO response key and value should be mapped to the corresponding user role in Identity Guardian. |
SSO key | roleKey | [string] | [enter string] | Enter the SSO key to map to an Identity Guardian role. |
SSO value | roleValue | [string] | [enter string] | Enter the SSO value(s) to map to the Identity Guardian role. Use commas to separate multiple entries. |
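As an added example (not code from Zebra's documentation or the Identity Guardian app), the following Python script shows how the SSO Authentication and SSO Mapping keys above fit together: it reads the claims of an ID token, picks the user key named by ssoUseridIdentifier, and resolves a role from a roleSettings structure of Role Identifiers and their key-value pairs. The Python layout of the settings, the matching rule (every enabled pair in a Role Identifier must match, any comma-separated roleValue entry may match, the first matching identifier wins), the unsigned sample token and all sample names are assumptions made for this example; the EMM and the app define the real structure, and the app's SSO library is what validates the token.

```python
"""Resolve an Identity Guardian-style user role from an SSO response.

Added illustration only; this is not Zebra's code. The structure mirrors the
keys in the SSO Mapping table (roleSettings, roleNames, roleName,
ssoResponseKeys, roleKey, roleValue) and the ssoUseridIdentifier key, but the
Python layout, the matching rule and every sample value are assumptions.
"""
import base64
import json
from typing import Any, Dict, Optional, Set


def decode_id_token_payload(id_token: str) -> Dict[str, Any]:
    """Read the claims of a JWT payload without checking its signature.

    The SSO library that talks to the identity provider validates the token;
    this helper only reads claims from a token that was already validated.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def make_unsigned_sample_token(claims: Dict[str, Any]) -> str:
    """Build a constructed, unsigned ID token for offline testing only."""
    def b64(obj: Dict[str, Any]) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    header = b64({"alg": "none", "typ": "JWT"})
    return header + "." + b64(claims) + "."


def _claim_values(claims: Dict[str, Any], key: str) -> Set[str]:
    """Normalise one claim to a set of strings (handles list claims like groups)."""
    value = claims.get(key)
    if value is None:
        return set()
    if isinstance(value, (list, tuple)):
        return {str(v) for v in value}
    return {str(value)}


def _split_values(role_value: str) -> Set[str]:
    """roleValue may hold several comma-separated entries, per the table."""
    return {v.strip() for v in role_value.split(",") if v.strip()}


def resolve_role(claims: Dict[str, Any], role_settings: Dict[str, Any]) -> Optional[str]:
    """Return the roleName of the first enabled Role Identifier that matches."""
    if not role_settings.get("enabled", False):       # roleSettings toggle
        return None
    for identifier in role_settings.get("roleNames", []):
        if not identifier.get("enabled", False):      # roleNames toggle
            continue
        pairs = [p for p in identifier.get("ssoResponseKeys", [])
                 if p.get("enabled", False)]          # ssoResponseKey toggle
        if pairs and all(
            _claim_values(claims, p["roleKey"]) & _split_values(p["roleValue"])
            for p in pairs
        ):
            return identifier["roleName"]
    return None


def user_id_from_claims(claims: Dict[str, Any], userid_identifier: str) -> Optional[str]:
    """Pick the user key named by ssoUseridIdentifier (e.g. preferred_username)."""
    value = claims.get(userid_identifier)
    return None if value is None else str(value)


# Constructed sample data: no real tenant, user, token or group names.
SAMPLE_CLAIMS: Dict[str, Any] = {
    "sub": "sample-subject-0001",
    "preferred_username": "jdoe@example.com",
    "employee_id": "E12345",
    "groups": ["warehouse-staff", "shift-lead"],
}

SAMPLE_ROLE_SETTINGS: Dict[str, Any] = {
    "enabled": True,
    "roleNames": [
        {"enabled": True, "roleName": "administrator", "ssoResponseKeys": [
            {"enabled": True, "roleKey": "groups", "roleValue": "ig-admins"}]},
        {"enabled": True, "roleName": "manager", "ssoResponseKeys": [
            {"enabled": True, "roleKey": "groups", "roleValue": "shift-lead, site-manager"},
            {"enabled": False, "roleKey": "employee_id", "roleValue": "E99999"}]},  # disabled pair is ignored
        {"enabled": True, "roleName": "user", "ssoResponseKeys": [
            {"enabled": True, "roleKey": "groups", "roleValue": "warehouse-staff"}]},
    ],
}

if __name__ == "__main__":
    token = make_unsigned_sample_token(SAMPLE_CLAIMS)
    claims = decode_id_token_payload(token)
    print("user key:", user_id_from_claims(claims, "preferred_username"))
    print("role:", resolve_role(claims, SAMPLE_ROLE_SETTINGS))
```

With the constructed claims the sample user lands in the manager role: the administrator identifier is checked first but its group is absent, and the manager identifier's enabled pair matches on shift-lead. Ordering the identifiers from most to least privileged, and toggling off pairs rather than deleting them while testing, are the two habits the example is meant to show.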
Lock Screen Configuration
Configure the behavior of Identity Guardian when the device is in locked mode.
Note: Colored rows indicate a parent option.
Configuration Name | Key | Value(s) | Display Name | Description |
---|---|---|---|---|
Apps Allowed On Lock Screen | allowPackagesToRunOnTopOfIG | 1, 0 | true, false | Enables selection of specific applications to display on the device's lock screen so they continue operating while the device is locked. Restrict this to the few apps that need it, such as the phone app so that calls can be received. Tap Add Application Details to add multiple apps. |
Application Details | allowListPackageBundle | 1, 0 | true, false | Choose whether to display this app in the foreground of the device lock screen. |
Package Name | allowListPackageName | [string] | [enter string] | Enter the application's package name to display in the foreground of the lock screen, for example, "com.android.your-app" |
Activity Name | allowListActivityName | [string] | [enter string] | Enter the app activity name to display in the foreground of the lock screen, for example, "com.android.your-app.appActivity" |
Custom Lock Screen Message | lockScreenMessageConfigurations | bundle | bundle | Allow users to add a custom message to the device lock screen. The message remains visible to all users when they sign in to or sign out of the device. |
Allow Custom Lock Screen Message | enableLockScreenMessage | bool | true, false (default) | Choose whether to enable the option for users to add a custom message to the device lock screen. If enabled, this option appears in the message settings within Identity Guardian. |
Custom Lock Screen Message Source | lockScreenType | choice | App Specific | Choose the source of the custom lock screen message. Currently only a single source is available. |
Lock Screen Menu | lockScreenMenuOptions | bundle | bundle | Enable to make options accessible from the top right menu on the lock screen. |
Allow Self Enrollment | enrollUserConfigurations | | | Enable this option to allow users to self-enroll in Identity Guardian directly from the device lock screen. This applies only to shared devices. |
Secure Self Enrollment | enableEnrollUser | bool | true, false (default) | Enable this option to allow users to self-enroll in Identity Guardian directly from the device lock screen. |
User Verification | enrollUserAuthType | choice | SSO | Select the authentication method used to validate a user. Currently, only SSO is available. |
Enable Admin Bypass Passcode on Lock screen | enableAdminByPassPassCode | bool | true, false (default) | Choose whether to enable the admin bypass passcode option on the lock screen. |
Customize Alternative Login Button | alternateLoginBtnText | [string] | Alternative Login (default) | Enter a custom title to replace the default title of the alternate login button on the lock screen. The title must be between 4 and 20 characters. If fewer than 4 characters are entered, the default title "Alternative Login" is used. If more than 20 characters are entered, characters beyond the 20-character limit are truncated. |
Auto Unlock | autoUnlockConfigurations | bundle | bundle | Enable this option to let users automatically initiate face, passcode, or SSO authentication when unlocking the device, without tapping the sign-in button. |
On Unlock | enableAutoUnlockOnDeviceUnlock | bool | true, false (default) | Select whether to automatically initiate face/passcode/SSO detection and unlock the device when the signed-in user presses the power button. |
Guardian Safe Configuration
Configure Guardian Safe for storing user application credentials.
Configuration Name | Key | Value(s) | Display Name | Description |
---|---|---|---|---|
Guardian Safe | enableGuardianSafe | ENABLE, DISABLE (default) | ENABLE, DISABLE (default) | Select whether users can store app credentials in Guardian Safe. |
Automatically Grant Accessibility Permission | autoEnableAccessibilityPermission | ENABLE, DISABLE (default) | ENABLE, DISABLE (default) | Select whether to automatically grant the Accessibility Service permissions required by Guardian Safe. If enabled, the admin accepts the permissions on behalf of the user, so the user does not need to accept them manually. If disabled, users must grant the permissions when prompted. |
Auto Fill for SSO | autoFillSSO | ENABLE, DISABLE (default) | ENABLE, DISABLE (default) | Select whether to automatically fill in the password for SSO logins after it is saved from the initial login attempt, when SSO is set as the secondary authentication method. |
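The tables above state several value rules that are easy to get wrong in an EMM console (faceLivenessThreshold between 80 and 100, a 4 to 20 character alternateLoginBtnText with the "Alternative Login" fallback, JSON in ssoConfigSettings, SSO as the only enrollUserAuthType, ENABLE/DISABLE for the Guardian Safe keys) and a few settings worth a second look before rollout, such as which apps may run over the lock screen and whether Accessibility Service permission is auto-granted. The following Python linter is an added example, not Zebra or EMM code: it checks a payload against those rules before it is pushed. The flat dict layout, the list form of the Application Details bundles and every sample value are assumptions made for this example; the real bundle is rendered by the EMM from the app's schema.

```python
"""Lint an Identity Guardian managed-configuration payload before the EMM pushes it.

Added illustration only; not Zebra or EMM code. The checks follow the value
rules stated in the configuration tables; the dict layout and the sample
payload are assumptions made for this example.
"""
import json
from typing import Any, Dict, List

DEFAULT_ALT_LOGIN_TEXT = "Alternative Login"  # default named in the Lock Screen table
ALT_LOGIN_MIN, ALT_LOGIN_MAX = 4, 20


def effective_alternate_login_text(text: Any) -> str:
    """Apply the stated rule: fewer than 4 characters -> default; over 20 -> truncated."""
    if not isinstance(text, str) or len(text) < ALT_LOGIN_MIN:
        return DEFAULT_ALT_LOGIN_TEXT
    return text[:ALT_LOGIN_MAX]


def lint_managed_config(cfg: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    findings: List[str] = []

    thr = cfg.get("faceLivenessThreshold")
    if thr is not None and not (isinstance(thr, int) and 80 <= thr <= 100):
        findings.append(f"faceLivenessThreshold={thr!r} is outside the allowed 80-100 range")

    sso = cfg.get("ssoConfigSettings")
    if sso is not None:
        try:
            json.loads(sso)
        except (TypeError, ValueError):
            findings.append("ssoConfigSettings is not valid JSON")

    alt = cfg.get("alternateLoginBtnText")
    if alt is not None:
        shown = effective_alternate_login_text(alt)
        if shown != alt:
            findings.append(f"alternateLoginBtnText {alt!r} will be displayed as {shown!r}")

    enroll = cfg.get("enrollUserConfigurations") or {}
    if enroll.get("enableEnrollUser") and enroll.get("enrollUserAuthType") != "SSO":
        findings.append("enrollUserAuthType must be 'SSO'; no other verification method is available")

    # Apps allowed over the lock screen keep running while the device is locked,
    # so list every enabled entry for review and reject entries without a package.
    if cfg.get("allowPackagesToRunOnTopOfIG"):
        enabled_pkgs = []
        for entry in cfg.get("allowListPackageBundle", []):
            if not entry.get("enabled"):
                continue
            pkg = entry.get("allowListPackageName", "")
            if not pkg:
                findings.append("lock-screen allowlist entry is enabled but has no allowListPackageName")
            else:
                enabled_pkgs.append(pkg)
        if enabled_pkgs:
            findings.append("review: apps allowed to run over the lock screen: "
                            + ", ".join(sorted(enabled_pkgs)))

    for key in ("enableGuardianSafe", "autoEnableAccessibilityPermission", "autoFillSSO"):
        val = cfg.get(key)
        if val is not None and val not in ("ENABLE", "DISABLE"):
            findings.append(f"{key}={val!r}; expected ENABLE or DISABLE")
    if (cfg.get("autoEnableAccessibilityPermission") == "ENABLE"
            and cfg.get("enableGuardianSafe") != "ENABLE"):
        findings.append("autoEnableAccessibilityPermission=ENABLE grants Accessibility "
                        "Service permission although Guardian Safe is not enabled")

    return findings


# Constructed sample payload with deliberate mistakes; package names are placeholders.
SAMPLE_CONFIG: Dict[str, Any] = {
    "faceLivenessThreshold": 75,
    "ssoConfigSettings": '{"client_id": "example-client", "redirect_uri": "example://callback"}',
    "alternateLoginBtnText": "Badge or password login here",
    "allowPackagesToRunOnTopOfIG": True,
    "allowListPackageBundle": [
        {"enabled": True, "allowListPackageName": "com.example.phone",
         "allowListActivityName": "com.example.phone.DialerActivity"},
        {"enabled": True, "allowListPackageName": ""},
        {"enabled": False, "allowListPackageName": "com.example.browser"},
    ],
    "enrollUserConfigurations": {"enableEnrollUser": True, "enrollUserAuthType": "SSO"},
    "enableGuardianSafe": "DISABLE",
    "autoEnableAccessibilityPermission": "ENABLE",
    "autoFillSSO": "DISABLE",
}

if __name__ == "__main__":
    for line in lint_managed_config(SAMPLE_CONFIG):
        print("-", line)
```

Run against the constructed payload the linter reports the out-of-range liveness threshold, the button title that would be cut to "Badge or password lo", the allowlist entry with no package name, the one app that will actually run over the lock screen, and the Accessibility permission being auto-granted for a feature that is switched off. A clean payload yields an empty list, which makes the function usable as a gate in whatever pipeline feeds the EMM.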