Overview
Managed configurations are part of a specification developed by Google and the Android community. They allow for remote configuration of installed applications and devices via any Enterprise Mobility Management (EMM) system, like ZDNA Cloud, that supports this specification.
Identity Guardian offers multiple setting categories, each associated with a specific bundle. Specific parameters for each configuration are outlined in the tables within this guide. These settings include the device usage method (shared or personally assigned device), device enrollment, and user authentication. User authentication specifies both the comparison source (like barcode or facial biometrics) and authentication methods (such as facial biometrics or PIN).
Enterprise Home Screen:
Identity Guardian can be used in conjunction with Zebra's Enterprise Home Screen (EHS). If EHS is in use, ensure that the roles defined are consistent with those specified for Identity Guardian.
ZDNA Cloud
For a detailed guide on how to set up Identity Guardian using Managed Configurations through the Zebra DNA Cloud (My Apps > Zebra Collection), refer to the ZDNA Cloud documentation.
EMM
The features of a given app that are manageable using Managed Configurations are defined in its schema. The Identity Guardian schema is downloaded when visiting Google Play through the EMM console and selecting Identity Guardian for administration. The schema defines the features available for consumption by the EMM, and provides the information necessary to present the app's management UI within the EMM console.† This data-driven UI method allows delivery of new features and their corresponding UI attributes as soon as they become available, and without the need to download a new .exe.
For more information about configuring Zebra devices with managed configurations, see Zebra OEMConfig.
† The Identity Guardian management UI varies slightly depending on the EMM system in use.
Usage Mode
Select how Identity Guardian will be used in this configuration.
| Name | Key | Value(s) | Display Name | Description |
|---|---|---|---|---|
| Application Mode | APPLICATION_MODE | ENROLLMENT (default) AUTHENTICATION PERSONALLY_ASSIGNED |
ENROLLMENT (default) AUTHENTICATION PERSONALLY ASSIGNED |
Enrollment - Creates barcodes to enroll users of shared devices Authentication - Sets the app for daily use on shared devices; may be used with SSO Personally Assigned -Sets the app for a single user on a dedicated device; may be used with SSO |
| Log Level | logLevel | 0 1 (default) 2 |
0 1 (default) 2 |
Specify the level of information to log: • 0 - Debug; logs minimal information for basic troubleshooting • 1 - Informational; logs general system and operational information • 2 -Verbose; logs detailed information, including biometric data which is stored on the device at /data/tmp/public/IdentityGuardian
|
Enrollment Configuration
Configure Identity Guardian for user enrollment.
Note: Colored rows indicate a parent option.
| Name | Key | Value(s) | Display Name | Description |
|---|---|---|---|---|
| Number of facial images to be enrolled | FACE_VECTOR_COUNT | 0 1 2 3 |
None One Face (default) Two Faces Three Faces |
Choose the number of facial images to be provided by the user during enrollment (up to 3) |
| Get Role Data? | enableRoleDataUI | 1 0 |
true (default) false |
Choose whether to prompt the user to select a "Role" during enrollment |
| Allow facial opt-out? | userFaceBiometricOptOut | 1 0 |
true false (default) |
Choose whether to allow the user to skip facial enrollment; other methods remain enforced |
| Set Expiration Date? | enableExpiryDateUI | 1 0 |
true (default) false |
Choose whether to prompt the user for an enrollment expiration date |
| List Roles | listOfRoles | [string] | Manager, Associate | Enter a list of roles for selection by enrollee, each role separated by a comma NOTE:If Enterpise Home Screen is in use, ensure that its roles defined are consistent with those specified here. |
| Enable/Disable Corporate PIN | enableDisablePin | 1 0 |
true (default) false |
Select whether to require the user to enter a corporate PIN for access |
| Corporate PIN | adminCorporatePin | [string] | [enter PIN] | Enter a six-digit numeric PIN for enrollment |
| Enrollment Key | enrollmentKey | [string] | [enter enrollment key] | Enter the encrypted public key for enrollment. Use Data Encryption Tool to encrypt this key, which is used for encrypting biometric data and is only applicable for shared devices. |
| Passcode Rules | passcodeConfiguration | Specify Rules for Passcode | ||
| Minimum Length | passCodeRuleMinLength | [integer] | 6 (default) | Enter the minimum number of characters to accept for the pass code |
| Minimum Uppercase Letters | passCodeRuleMinUppercase | 0 1 |
0 (default) 1 |
Select the minimum number of uppercase letters to accept for the passcode |
| Minimum Lower Letters | passCodeRuleMinLowercase | 0 1 |
0 (default) 1 |
Select the minimum number of lowercase letters to accept for the passcode |
| Minimum Numbers | passCodeRuleMinNumbers | 0 1 |
0 (default) 1 |
Select the minimum amount of numbers to accept for the passcode |
| Minimum Symbols | passCodeRuleMinSymbols | 0 1 |
0 (default) 1 |
Select the minimum number symbols or special characters to accept for the passcode. Acceptable symbols are: !,@,#,$,%,^,&,,-,_,?, |
| Custom T&C Configuration | customTCConfiguration | Configure Custom T&C for application | ||
| Display Custom T&C | showCustomTC | 1 0 |
true false (default) |
Select whether to display a custom Terms & Conditions tab |
| T&C Tab Title | customTCTitle | [string] | [enter T&C title] | Enter a title for the Terms & Conditions tab |
| Custom T&C Content | customTCContent | [string] | [enter T&C content] | Enter content to be displayed on the custom Terms & Conditions tab |
| Custom T&C URL | customTCUrl | [string] | [enter T&C url] | Enter a URL that contains custom and/or additional Terms & Conditions information |
Authentication Configuration
Configure Identity Guardian for user verification and authentication. Create up to four unique authentication schemes, and define the specific options for each one. Then, for any given event option, choose the appropriate authentication scheme to apply. Each authentication scheme includes the following:
- Primary Authentication Factor - The initial method used to confirm identity.
- Secondary Authentication Factor - An optional second verification step that becomes mandatory when activated, establishing a two-factor authentication process.
- Fallback Authentication Method - The alternate method employed for authentication if the primary method fails.
Note: Colored rows indicate a parent option.
| Name | Option Name | Key | Value(s) | Display Name | Description |
|---|---|---|---|---|---|
| User Verification Methods | authenticationSchemes | Select the user verification setup method | |||
| Verification Setup1 | authenticationScheme1 | Verification Setup1 | |||
| Comparison Source | authenticationScheme1ComparisonSource | NONE BARCODE DEVICE STORAGE |
NONE BARCODE (default) DEVICE STORAGE |
For shared devices, select BARCODE. The user is prompted to scan their unique barcode for authentication before proceeding with the primary authentication method. For personal devices, select DEVICE STORAGE. The user is prompted to proceed with the primary authentication method. For neither, select NONE. |
|
| Primary Authentication Method | authenticationScheme1PrimaryAuthMethod | Select the user authentication method | |||
| Primary Authentication Factor | authenticationScheme1PrimaryAuthMethodFactor1 | FACE PASSCODE SSO NO_COMPARISON |
FACE (default) PASSCODE SSO NO_COMPARISON |
Set the primary method for user authentication | |
| Secondary Authentication Factor | authenticationScheme1PrimaryAuthMethodFactor2 | FACE PASSCODE SSO NONE |
FACE PASSCODE (default) SSO NONE |
Set the secondary method for user authentication | |
| Fallback Authentication Method | authenticationScheme1FallbackAuthMethod | NONE PASSCODE FACE SSO ADMIN BYPASS PASSCODE |
NONE PASSCODE (default) FACE SSO ADMIN_BYPASS_PASSCODE |
Choose a backup authentication method if the primary one fails: • None - No further authentication • Passcode - User enters a passcode • Face - User provides facial biometrics • SSO - User inputs SSO login • Admin Bypass Passcode - User enters an admin-set bypass code; applicable if Passcode is the primary or secondary authentication |
|
| Primary Authentication Timeout | authenticationScheme1PrimaryAuthTimeout | [Integer] | Integer (default=20000) | Set the timeout (in milliseconds) for primary authentication Zebra recommends a longer timeout period, such as 300000 (5 minutes), for sufficient user login time. |
|
| Fallback Authentication Timeout | authenticationScheme1FallbackAuthTimeout | [Integer] | Integer (default=20000) | Set the timeout (in milliseconds) for fallback authentication | |
| Verification Setup2 | authenticationScheme2 | Verification Setup2 | |||
| Comparison Source | authenticationScheme2ComparisonSource | NONE BARCODE DEVICE STORAGE |
NONE BARCODE (default) DEVICE STORAGE |
For shared devices, select BARCODE. The user is prompted to scan their unique barcode for authentication before proceeding with the primary authentication method. For personal devices, select DEVICE STORAGE. The user is prompted to proceed with the primary authentication method. For neither, select NONE. |
|
| Primary Authentication Method | authenticationScheme2PrimaryAuthMethod | Select the user authentication method | |||
| Primary Authentication Factor | authenticationScheme2PrimaryAuthMethodFactor1 | FACE PASSCODE SSO NO_COMPARISON |
FACE (default) PASSCODE SSO NO_COMPARISON |
Set the primary method for user authentication | |
| Secondary Authentication Factor | authenticationScheme2PrimaryAuthMethodFactor2 | FACE PASSCODE SSO NONE |
FACE PASSCODE (default) SSO NONE |
Set the secondary method for user authentication | |
| Fallback Authentication Method | authenticationScheme2FallbackAuthMethod | NONE PASSCODE FACE SSO ADMIN BYPASS PASSCODE |
NONE PASSCODE (default) FACE SSO ADMIN_BYPASS_PASSCODE |
Choose a backup authentication method if the primary one fails: • None - No further authentication • Passcode - User enters a passcode • Face - User provides facial biometrics • SSO - User inputs SSO login • Admin Bypass Passcode - User enters an admin-set bypass code; applicable if Passcode is the primary or secondary authentication |
|
| Primary Authentication Timeout | authenticationScheme2PrimaryAuthTimeout | [Integer] | Integer (default=20000) | Set the timeout (in milliseconds) for primary authentication Zebra recommends a longer timeout period, such as 300000 (5 minutes), for sufficient user login time. |
|
| Fallback Authentication Timeout | authenticationScheme2FallbackAuthTimeout | [Integer] | Integer (default=20000) | Set the timeout (in milliseconds) for fallback authentication | |
| Verification Setup3 | authenticationScheme3 | Verification Setup3 | |||
| Comparison Source | authenticationScheme3ComparisonSource | NONE BARCODE DEVICE STORAGE |
NONE BARCODE (default) DEVICE STORAGE |
For shared devices, select BARCODE. The user is prompted to scan their unique barcode for authentication before proceeding with the primary authentication method. For personal devices, select DEVICE STORAGE. The user is prompted to proceed with the primary authentication method. For neither, select NONE. |
|
| Primary Authentication Method | authenticationScheme3PrimaryAuthMethod | Select the user authentication method | |||
| Primary Authentication Factor | authenticationScheme3PrimaryAuthMethodFactor1 | FACE PASSCODE SSO NO_COMPARISON |
FACE (default) PASSCODE SSO NO_COMPARISON |
Set the primary method for user authentication | |
| Secondary Authentication Factor | authenticationScheme3PrimaryAuthMethodFactor2 | FACE PASSCODE SSO NONE |
FACE PASSCODE (default) SSO NONE |
Set the secondary method for user authentication | |
| Fallback Authentication Method | authenticationScheme3FallbackAuthMethod | NONE PASSCODE FACE SSO ADMIN BYPASS PASSCODE |
NONE PASSCODE (default) FACE SSO ADMIN_BYPASS_PASSCODE |
Choose a backup authentication method if the primary one fails: • None - No further authentication • Passcode - User enters a passcode • Face - User provides facial biometrics • SSO - User inputs SSO login • Admin Bypass Passcode - User enters an admin-set bypass code; applicable if Passcode is the primary or secondary authentication |
|
| Primary Authentication Timeout | authenticationScheme3PrimaryAuthTimeout | [Integer] | Integer (default=20000) | Set the timeout (in milliseconds) for primary authentication Zebra recommends a longer timeout period, such as 300000 (5 minutes), for sufficient user login time. |
|
| Fallback Authentication Timeout | authenticationScheme3FallbackAuthTimeout | [Integer] | Integer (default=20000) | Set the timeout (in milliseconds) for fallback authentication | |
| Verification Setup4 | authenticationScheme4 | Verification Setup4 | |||
| Comparison Source | authenticationScheme4ComparisonSource | NONE BARCODE DEVICE STORAGE |
NONE BARCODE (default) DEVICE STORAGE |
For shared devices, select BARCODE. The user is prompted to scan their unique barcode for authentication before proceeding with the primary authentication method. For personal devices, select DEVICE STORAGE. The user is prompted to proceed with the primary authentication method. For neither, select NONE. |
|
| Primary Authentication Method | authenticationScheme4PrimaryAuthMethod | Select the user authentication method | |||
| Primary Authentication Factor | authenticationScheme4PrimaryAuthMethodFactor1 | FACE PASSCODE SSO NO_COMPARISON |
FACE (default) PASSCODE SSO NO_COMPARISON |
Set the primary method for user authentication | |
| Secondary Authentication Factor | authenticationScheme4PrimaryAuthMethodFactor2 | FACE PASSCODE SSO NONE |
FACE PASSCODE (default) SSO NONE |
Set the secondary method for user authentication | |
| Fallback Authentication Method | authenticationScheme4FallbackAuthMethod | NONE PASSCODE FACE SSO ADMIN BYPASS PASSCODE |
NONE PASSCODE (default) FACE SSO ADMIN_BYPASS_PASSCODE |
Choose a backup authentication method if the primary one fails: • None - No further authentication • Passcode - User enters a passcode • Face - User provides facial biometrics • SSO - User inputs SSO login • Admin Bypass Passcode - User enters an admin-set bypass code; applicable if Passcode is the primary or secondary authentication |
|
| Primary Authentication Timeout | authenticationScheme4PrimaryAuthTimeout | [Integer] | Integer (default=20000) | Set the timeout (in milliseconds) for primary authentication Zebra recommends a longer timeout period, such as 300000 (5 minutes), for sufficient user login time. |
|
| Fallback Authentication Timeout | authenticationScheme4FallbackAuthTimeout | [Integer] | Integer (default=20000) | Set the timeout (in milliseconds) for fallback authentication | |
| Lock-screen Event Options | LockScreenShowOption | Choose the verification method that is triggered by the event that causes the device screen to lock | |||
| On Unlock | Bundle_LockScreenShowOptionUnlock | Select the option(s) required following a device event that unlocks the screen | |||
| Verification Setup | on_unlock | authenticationScheme1 authenticationScheme2 authenticationScheme3 authenticationScheme4 NONE |
Verification Setup1 (default) Verification Setup2 Verification Setup3 Verification Setup4 None |
Select the verification required following a device event that unlocks the screen | |
| On Reboot | Bundle_LockScreenShowOptionReboot | Select the option(s) required after a device reboot | |||
| Verification Setup | on_reboot | authenticationScheme1 authenticationScheme2 authenticationScheme3 authenticationScheme4 NONE |
Verification Setup1 Verification Setup2 (default) Verification Setup3 Verification Setup4 None |
Select the verification required after a device reboot | |
| On AC power connected | Bundle_LockScreenShowOptionACPowerCon | Select the option(s) required upon connection to AC power | |||
| Verification Setup | on_ac_power_connected | authenticationScheme1 authenticationScheme2 authenticationScheme3 authenticationScheme4 NONE |
Verification Setup1 Verification Setup2 Verification Setup3 (default) Verification Setup4 None |
Select the verification required upon connection to AC power | |
| On AC Power Disconnection | Bundle_LockScreenShowOptionACPowerDisCon | Select the option(s) required upon disconnection from AC power | |||
| Verification Setup | on_ac_power_disconnected | authenticationScheme1 authenticationScheme2 authenticationScheme3 authenticationScheme4 NONE |
Verification Setup1 Verification Setup2 Verification Setup3 (default) Verification Setup4 None |
Select the verification required upon disconnection from AC power | |
| On device manual checkin | Bundle_LockScreenShowOptionManualCheckin | Select the option(s) required when the user manually signs in to the device | |||
| Verification Setup | on_device_manual_checkin | authenticationScheme1 authenticationScheme2 authenticationScheme3 authenticationScheme4 NONE |
Verification Setup1 Verification Setup2 Verification Setup3 (default) Verification Setup4 None (default) |
Select the verification required when a user manually signs in to the device | |
| On user change | Bundle_LockScreenShowOptionUserChange | Select the necessary option(s) when a new user signs in to the device after the previous user has been automatically signed out, such as due to a Force Logout action or when the device goes idle. | |||
| Verification Setup | on_device_manual_checkin | authenticationScheme1 authenticationScheme2 authenticationScheme3 authenticationScheme4 NONE |
Verification Setup1 Verification Setup2 Verification Setup3 (default) Verification Setup4 None |
Select the verification required when a new user signs in to the device | |
| Force Logout Options | ForceLogoutShowOption | Choose whether to automatically logout the user based on certain device events. | |||
| On Lock | forceLogout_on_lock | 0 1 |
true false (default) |
Choose whether to automatically logout the user when the device screen locks. | |
| On Reboot | forceLogout_on_reboot | 0 1 |
true false (default) |
Choose whether to automatically logout the user when the device reboots | |
| On AC power connected | forceLogout_on_ac_power_connected | 0 1 |
true false (default) |
Choose whether to automatically logout the user when the device is connected to AC power | |
| On AC power disconnected | forceLogout_on_ac_power_disconnected | 0 1 |
true false (default) |
Choose whether to automatically logout the user when the device is disconnected from AC power | |
| Expire Barcodes | expireBarcodes | Choose whether to set an expiration date for the barcode | |||
| Automatic Barcode Expiration | expireBasedOnExpiryDate | 1 0 |
true false (default) |
The barcode is valid up to the expiration date. After it expires, the barcode cannot be scanned. | |
| Authentication Key | authenticationKey | Enter the encrypted private key for decryption. Use Data Encryption Tool to encrypt your public key. This is used to decrypt the biometric data and only applies to shared devices. | |||
| Enable ForceLock After Timeout | enableForceLockAfterTimeout | 1 0 |
true false (default) |
Choose whether the device should automatically lock after the timeout period | |
| Force Lock Timeout | forceLockTimeout | [integer] | 240 (default) | Enter the time (in minutes) for the warning notification to appear before the device locks | |
| Snooze Time | snoozeTimeout | [integer] | 120 (default) | Enter the delay time (in seconds) after which the device will lock once the warning notification appaers | |
| Snooze Title | snoozeTitle | [string] | You will be locked out soon (default) | Enter the title for the device lock warning notification. | |
| Snooze Desc | snoozeDescription | [string] | [enter text] | Enter the message for the device lock warning notification | |
| Admin Bypass Passcode | adminSpecifiedPIN | Choose whether to allow the passcode to be bypassed using a special PIN or passcode | |||
| passcodes | pins | Choose whether to permit the use of this passcode. Multiple passcodes can be added, each toggled on/off individually. | |||
| Group Name | key | [string] | [enter string] | Enter the group name to help identify the user's group affiliation when they enter the passcode | |
| PIN/Passcode | value | [string] | [enter string] | Enter the alternate PIN/passcode for users of this group to use instead of the original one |
Facial Authentication Configuration
Configure Identity Guardian for Facial Authentication
| Configuration Name | Key | Value(s) | Display Name | Description |
|---|---|---|---|---|
| Liveness Threshold | livenessThreshold | 96 94 91 88 86 Custom |
High Medium/High (default) Medium Medium/Low Low Custom |
Higher values offer greater security; lower values provide faster authentication. • High - Facial algorithm is most strict, ensures liveness and other thresholds are met before granting access. May result in some false positives. • Medium/High (default) - Moderately strict • Medium - Middle ground in strictness • Medium/Low - Slightly strict • Low - Least strict; best for environments with poor lighting and difficulty identifying users. Best used for low risk environments (e.g. warehouse) since this may result in some spoofing. |
| Face Liveness Threshold | faceLivenessThreshold | [integer value] | [enter integer between 80 and 100] | Enter a custom Liveness Threshold (from 80 to 100) for facial authentication. NOTE: Only use this under the guidance of a Zebra technician. |
SSO Authentication Configuration
Configure Identity Guardian for single sign-on (SSO) authentication.
| Configuration Name | Key | Value(s) | Display Name | Description |
|---|---|---|---|---|
| Single Sign On Provider | ssoProvider | Microsoft PingId |
Microsoft (default) PingId |
Select the SSO provider in use |
| Authentication Protocol | ssoProtocol | OAuth2.0 | OAuth2.0 | Select the authentication protocol to use for communication with your SSO server |
| Scope | ssoScope | [string] | [enter string] | Enter the SSO scope, which defines limits on the quantity and type of data granted to an access token |
| Configuration Settings | ssoConfigSettings | [string] | [enter string] | Enter the JSON-formatted configuration for SSO settings needed to communicate securely with the SSO server. This is taken from the Android app configuration from your SSO provider. Click here to download sample content. |
| Userid identifier | ssoUseridIdentifier | [string] | [enter string] | Specify the user key for identifying the signed-in user, which is displayed in the zDNA Cloud and retrievable from the API. The user key, which could be a username, preferred username, or employee ID, can be found in the ID token or user information from the SSO response. |
SSO Mapping
Enable mapping of Identity Guardian user roles based on responses from single sign-on (SSO) service during employee login.
Note: Colored rows indicate a parent option.
| Configuration Name | Key | Value(s) | Display Name | Description |
|---|---|---|---|---|
| SSO Mapping | roleSettings | 1 0 |
true false |
Enables the recognition and mapping of the Single Sign-On (SSO) response to application-specific roles. It provides the necessary settings to align SSO data with corresponding roles within the application, facilitating seamless integration and effective role-based access control. Add one or more Role Identifiers. |
| Role Identifier | roleNames | 1 0 |
true false |
Establishes links between roles in SSO responses and their corresponding roles within the Identity Guardian app. Multiple Role Identifiers can be added, each toggled on/off individually |
| Identity Guardian Role Name | roleName | [string] | [enter string] | Enter the Identity Guardian user role to be assigned based on SSO response during user sign-in (e.g. administrator, manager, user). |
| Key-value pair for role assignment | ssoResponseKeys | [string] | [enter values and toggle on/off] | Add one or more SSO key-value pairs to identify and map users to a predefined Identity Guardian user role. |
| SSO Key-Value Pair | ssoResponseKey | 1 0 |
true false |
Choose whether the SSO response, which contains the user key and values, should be mapped to a corresponding user role in Identity Guardian |
| SSO key | roleKey | [string] | [enter string] | Enter the SSO key to map it to an Identity Guardian role. |
| SSO value | roleValue | [string] | [enter string] | Enter the SSO value(s) to map to the Identity Guardian role. Use commas to separate multiple entries. |