Managed Configurations

Identity Guardian 1.1

Overview

Managed configurations are part of a specification developed by Google and the Android community. They allow for remote configuration of installed applications and devices via any Enterprise Mobility Management (EMM) system, like ZDNA Cloud, that supports this specification.

Identity Guardian offers multiple setting categories, each associated with a specific bundle. Specific parameters for each configuration are outlined in the tables within this guide. These settings include the device usage method (shared or personally assigned device), device enrollment, and user authentication. User authentication specifies both the comparison source (like barcode or facial biometrics) and authentication methods (such as facial biometrics or PIN).

Enterprise Home Screen:
Identity Guardian can be used in conjunction with Zebra's Enterprise Home Screen (EHS). If EHS is in use, ensure that the roles defined are consistent with those specified for Identity Guardian.

ZDNA Cloud

For a detailed guide on how to set up Identity Guardian using Managed Configurations through the Zebra DNA Cloud (My Apps > Zebra Collection), refer to the ZDNA Cloud documentation.

image

EMM

The features of a given app that are manageable using Managed Configurations are defined in its schema. The Identity Guardian schema is downloaded when visiting Google Play through the EMM console and selecting Identity Guardian for administration. The schema defines the features available for consumption by the EMM, and provides the information necessary to present the app's management UI within the EMM console.† This data-driven UI method allows delivery of new features and their corresponding UI attributes as soon as they become available, and without the need to download a new .exe.

For more information about configuring Zebra devices with managed configurations, see Zebra OEMConfig.

† The Identity Guardian management UI varies slightly depending on the EMM system in use.


Usage Mode

Select how Identity Guardian will be used in this configuration.

Name Key Value(s) Display Name Description
Application Mode APPLICATION_MODE ENROLLMENT (default)
AUTHENTICATION
PERSONALLY_ASSIGNED
ENROLLMENT (default)
AUTHENTICATION
PERSONALLY ASSIGNED
Enrollment - Creates barcodes to enroll users of shared devices
Authentication - Sets the app for daily use on shared devices; may be used with SSO
Personally Assigned -Sets the app for a single user on a dedicated device; may be used with SSO
Log Level logLevel 0
1 (default)
2
0
1 (default)
2
Specify the level of information to log:

• 0 - Debug; logs minimal information for basic troubleshooting
• 1 - Informational; logs general system and operational information
• 2 -Verbose; logs detailed information, including biometric data which is stored on the device at /data/tmp/public/IdentityGuardian

Enrollment Configuration

Configure Identity Guardian for user enrollment.

Note: Colored rows indicate a parent option.

Name Key Value(s) Display Name Description
Number of facial images to be enrolled FACE_VECTOR_COUNT 0
1
2
3
None
One Face (default)
Two Faces
Three Faces
Choose the number of facial images to be provided by the user during enrollment (up to 3)
Get Role Data? enableRoleDataUI 1
0
true (default)
false
Choose whether to prompt the user to select a "Role" during enrollment
Allow facial opt-out? userFaceBiometricOptOut 1
0
true
false (default)
Choose whether to allow the user to skip facial enrollment; other methods remain enforced
Set Expiration Date? enableExpiryDateUI 1
0
true (default)
false
Choose whether to prompt the user for an enrollment expiration date
List Roles listOfRoles [string] Manager, Associate Enter a list of roles for selection by enrollee, each role separated by a comma

NOTE:If Enterpise Home Screen is in use, ensure that its roles defined are consistent with those specified here.
Enable/Disable Corporate PIN enableDisablePin 1
0
true (default)
false
Select whether to require the user to enter a corporate PIN for access
Corporate PIN adminCorporatePin [string] [enter PIN] Enter a six-digit numeric PIN for enrollment
Enrollment Key enrollmentKey [string] [enter enrollment key] Enter the encrypted public key derived from the organization's certificate. This key encrypts the user's personal information, such as biometric facial image captures and passcodes, and is applicable only to shared devices. Use Data Encryption Tool to encrypt this key. Zebra recommends using this Enrollment Key for enhanced security.
Passcode Rules passcodeConfiguration Specify Rules for Passcode
Minimum Length passCodeRuleMinLength [integer] 6 (default) Enter the minimum number of characters to accept for the pass code
Minimum Uppercase Letters passCodeRuleMinUppercase 0
1
0 (default)
1
Select the minimum number of uppercase letters to accept for the passcode
Minimum Lower Letters passCodeRuleMinLowercase 0
1
0 (default)
1
Select the minimum number of lowercase letters to accept for the passcode
Minimum Numbers passCodeRuleMinNumbers 0
1
0 (default)
1
Select the minimum amount of numbers to accept for the passcode
Minimum Symbols passCodeRuleMinSymbols 0
1
0 (default)
1
Select the minimum number symbols or special characters to accept for the passcode. Acceptable symbols are: !,@,#,$,%,^,&,,-,_,?,
Custom T&C Configuration customTCConfiguration Configure Custom T&C for application
Display Custom T&C showCustomTC 1
0
true
false (default)
Select whether to display a custom Terms & Conditions tab
T&C Tab Title customTCTitle [string] [enter T&C title] Enter a title for the Terms & Conditions tab
Custom T&C Content customTCContent [string] [enter T&C content] Enter content to be displayed on the custom Terms & Conditions tab
Custom T&C URL customTCUrl [string] [enter T&C url] Enter a URL that contains custom and/or additional Terms & Conditions information

Authentication Configuration

Configure Identity Guardian for user verification and authentication. Create up to four unique authentication schemes, and define the specific options for each one. Then, for any given event option, choose the appropriate authentication scheme to apply. Each authentication scheme includes the following:

  • Primary Authentication Factor - The initial method used to confirm identity.
  • Secondary Authentication Factor - An optional second verification step that becomes mandatory when activated, establishing a two-factor authentication process.
  • Fallback Authentication Method - The alternate method employed for authentication if the primary method fails.

Note: Colored rows indicate a parent option.

Name Option Name Key Value(s) Display Name Description
User Verification Methods authenticationSchemes Select the user verification setup method
Verification Setup1 authenticationScheme1 Verification Setup1
Comparison Source authenticationScheme1ComparisonSource NONE
BARCODE
DEVICE STORAGE
NONE
BARCODE (default)
DEVICE STORAGE
For shared devices, select BARCODE. The user is prompted to scan their unique barcode for authentication before proceeding with the primary authentication method.
For personal devices, select DEVICE STORAGE. The user is prompted to proceed with the primary authentication method.
For neither, select NONE.
Primary Authentication Method authenticationScheme1PrimaryAuthMethod Select the user authentication method
Primary Authentication Factor authenticationScheme1PrimaryAuthMethodFactor1 FACE
PASSCODE
SSO
NO_COMPARISON
FACE (default)
PASSCODE
SSO
NO_COMPARISON
Set the primary method for user authentication
Secondary Authentication Factor authenticationScheme1PrimaryAuthMethodFactor2 FACE
PASSCODE
SSO
NONE
FACE
PASSCODE (default)
SSO
NONE
Set the secondary method for user authentication
Fallback Authentication Method authenticationScheme1FallbackAuthMethod NONE
PASSCODE
FACE
SSO
ADMIN BYPASS PASSCODE
NONE
PASSCODE (default)
FACE
SSO
ADMIN_BYPASS_PASSCODE
Choose a backup authentication method if the primary one fails:
• None - No further authentication
• Passcode - User enters a passcode
• Face - User provides facial biometrics
• SSO - User inputs SSO login
• Admin Bypass Passcode - User enters an admin-set bypass code; applicable if Passcode is the primary or secondary authentication
Primary Authentication Timeout authenticationScheme1PrimaryAuthTimeout [Integer] Integer (default=20000) Set the timeout (in milliseconds) for primary authentication

Zebra recommends a longer timeout period, such as 300000 (5 minutes), for sufficient user login time.
Fallback Authentication Timeout authenticationScheme1FallbackAuthTimeout [Integer] Integer (default=20000) Set the timeout (in milliseconds) for fallback authentication
Verification Setup2 authenticationScheme2 Verification Setup2
Comparison Source authenticationScheme2ComparisonSource NONE
BARCODE
DEVICE STORAGE
NONE
BARCODE (default)
DEVICE STORAGE
For shared devices, select BARCODE. The user is prompted to scan their unique barcode for authentication before proceeding with the primary authentication method.
For personal devices, select DEVICE STORAGE. The user is prompted to proceed with the primary authentication method.
For neither, select NONE.
Primary Authentication Method authenticationScheme2PrimaryAuthMethod Select the user authentication method
Primary Authentication Factor authenticationScheme2PrimaryAuthMethodFactor1 FACE
PASSCODE
SSO
NO_COMPARISON
FACE (default)
PASSCODE
SSO
NO_COMPARISON
Set the primary method for user authentication
Secondary Authentication Factor authenticationScheme2PrimaryAuthMethodFactor2 FACE
PASSCODE
SSO
NONE
FACE
PASSCODE (default)
SSO
NONE
Set the secondary method for user authentication
Fallback Authentication Method authenticationScheme2FallbackAuthMethod NONE
PASSCODE
FACE
SSO
ADMIN BYPASS PASSCODE
NONE
PASSCODE (default)
FACE
SSO
ADMIN_BYPASS_PASSCODE
Choose a backup authentication method if the primary one fails:
• None - No further authentication
• Passcode - User enters a passcode
• Face - User provides facial biometrics
• SSO - User inputs SSO login
• Admin Bypass Passcode - User enters an admin-set bypass code; applicable if Passcode is the primary or secondary authentication
Primary Authentication Timeout authenticationScheme2PrimaryAuthTimeout [Integer] Integer (default=20000) Set the timeout (in milliseconds) for primary authentication

Zebra recommends a longer timeout period, such as 300000 (5 minutes), for sufficient user login time.
Fallback Authentication Timeout authenticationScheme2FallbackAuthTimeout [Integer] Integer (default=20000) Set the timeout (in milliseconds) for fallback authentication
Verification Setup3 authenticationScheme3 Verification Setup3
Comparison Source authenticationScheme3ComparisonSource NONE
BARCODE
DEVICE STORAGE
NONE
BARCODE (default)
DEVICE STORAGE
For shared devices, select BARCODE. The user is prompted to scan their unique barcode for authentication before proceeding with the primary authentication method.
For personal devices, select DEVICE STORAGE. The user is prompted to proceed with the primary authentication method.
For neither, select NONE.
Primary Authentication Method authenticationScheme3PrimaryAuthMethod Select the user authentication method
Primary Authentication Factor authenticationScheme3PrimaryAuthMethodFactor1 FACE
PASSCODE
SSO
NO_COMPARISON
FACE (default)
PASSCODE
SSO
NO_COMPARISON
Set the primary method for user authentication
Secondary Authentication Factor authenticationScheme3PrimaryAuthMethodFactor2 FACE
PASSCODE
SSO
NONE
FACE
PASSCODE (default)
SSO
NONE
Set the secondary method for user authentication
Fallback Authentication Method authenticationScheme3FallbackAuthMethod NONE
PASSCODE
FACE
SSO
ADMIN BYPASS PASSCODE
NONE
PASSCODE (default)
FACE
SSO
ADMIN_BYPASS_PASSCODE
Choose a backup authentication method if the primary one fails:
• None - No further authentication
• Passcode - User enters a passcode
• Face - User provides facial biometrics
• SSO - User inputs SSO login
• Admin Bypass Passcode - User enters an admin-set bypass code; applicable if Passcode is the primary or secondary authentication
Primary Authentication Timeout authenticationScheme3PrimaryAuthTimeout [Integer] Integer (default=20000) Set the timeout (in milliseconds) for primary authentication

Zebra recommends a longer timeout period, such as 300000 (5 minutes), for sufficient user login time.
Fallback Authentication Timeout authenticationScheme3FallbackAuthTimeout [Integer] Integer (default=20000) Set the timeout (in milliseconds) for fallback authentication
Verification Setup4 authenticationScheme4 Verification Setup4
Comparison Source authenticationScheme4ComparisonSource NONE
BARCODE
DEVICE STORAGE
NONE
BARCODE (default)
DEVICE STORAGE
For shared devices, select BARCODE. The user is prompted to scan their unique barcode for authentication before proceeding with the primary authentication method.
For personal devices, select DEVICE STORAGE. The user is prompted to proceed with the primary authentication method.
For neither, select NONE.
Primary Authentication Method authenticationScheme4PrimaryAuthMethod Select the user authentication method
Primary Authentication Factor authenticationScheme4PrimaryAuthMethodFactor1 FACE
PASSCODE
SSO
NO_COMPARISON
FACE (default)
PASSCODE
SSO
NO_COMPARISON
Set the primary method for user authentication
Secondary Authentication Factor authenticationScheme4PrimaryAuthMethodFactor2 FACE
PASSCODE
SSO
NONE
FACE
PASSCODE (default)
SSO
NONE
Set the secondary method for user authentication
Fallback Authentication Method authenticationScheme4FallbackAuthMethod NONE
PASSCODE
FACE
SSO
ADMIN BYPASS PASSCODE
NONE
PASSCODE (default)
FACE
SSO
ADMIN_BYPASS_PASSCODE
Choose a backup authentication method if the primary one fails:
• None - No further authentication
• Passcode - User enters a passcode
• Face - User provides facial biometrics
• SSO - User inputs SSO login
• Admin Bypass Passcode - User enters an admin-set bypass code; applicable if Passcode is the primary or secondary authentication
Primary Authentication Timeout authenticationScheme4PrimaryAuthTimeout [Integer] Integer (default=20000) Set the timeout (in milliseconds) for primary authentication

Zebra recommends a longer timeout period, such as 300000 (5 minutes), for sufficient user login time.
Fallback Authentication Timeout authenticationScheme4FallbackAuthTimeout [Integer] Integer (default=20000) Set the timeout (in milliseconds) for fallback authentication
Lock-screen Event Options LockScreenShowOption Choose the verification method that is triggered by the event that causes the device screen to lock
On Unlock Bundle_LockScreenShowOptionUnlock Select the option(s) required following a device event that unlocks the screen
Verification Setup on_unlock authenticationScheme1
authenticationScheme2
authenticationScheme3
authenticationScheme4
NONE
Verification Setup1 (default)
Verification Setup2
Verification Setup3
Verification Setup4
None
Select the verification required following a device event that unlocks the screen
On Reboot Bundle_LockScreenShowOptionReboot Select the option(s) required after a device reboot
Verification Setup on_reboot authenticationScheme1
authenticationScheme2
authenticationScheme3
authenticationScheme4
NONE
Verification Setup1
Verification Setup2 (default)
Verification Setup3
Verification Setup4
None
Select the verification required after a device reboot
On AC power connected Bundle_LockScreenShowOptionACPowerCon Select the option(s) required upon connection to AC power
Verification Setup on_ac_power_connected authenticationScheme1
authenticationScheme2
authenticationScheme3
authenticationScheme4
NONE
Verification Setup1
Verification Setup2
Verification Setup3 (default)
Verification Setup4
None
Select the verification required upon connection to AC power
On AC Power Disconnection Bundle_LockScreenShowOptionACPowerDisCon Select the option(s) required upon disconnection from AC power
Verification Setup on_ac_power_disconnected authenticationScheme1
authenticationScheme2
authenticationScheme3
authenticationScheme4
NONE
Verification Setup1
Verification Setup2
Verification Setup3 (default)
Verification Setup4
None
Select the verification required upon disconnection from AC power
On device manual checkin Bundle_LockScreenShowOptionManualCheckin Select the option(s) required when the user manually signs in to the device
Verification Setup on_device_manual_checkin authenticationScheme1
authenticationScheme2
authenticationScheme3
authenticationScheme4
NONE
Verification Setup1
Verification Setup2
Verification Setup3 (default)
Verification Setup4
None (default)
Select the verification required when a user manually signs in to the device
On user change Bundle_LockScreenShowOptionUserChange Select the necessary option(s) when a new user signs in to the device after the previous user has been automatically signed out, such as due to a Force Logout action or when the device goes idle.
Verification Setup on_device_manual_checkin authenticationScheme1
authenticationScheme2
authenticationScheme3
authenticationScheme4
NONE
Verification Setup1
Verification Setup2
Verification Setup3 (default)
Verification Setup4
None
Select the verification required when a new user signs in to the device
Force Logout Options ForceLogoutShowOption Choose whether to automatically logout the user based on certain device events.
On Lock forceLogout_on_lock 0
1
true
false (default)
Choose whether to automatically logout the user when the device screen locks.
On Reboot forceLogout_on_reboot 0
1
true
false (default)
Choose whether to automatically logout the user when the device reboots
On AC power connected forceLogout_on_ac_power_connected 0
1
true
false (default)
Choose whether to automatically logout the user when the device is connected to AC power
On AC power disconnected forceLogout_on_ac_power_disconnected 0
1
true
false (default)
Choose whether to automatically logout the user when the device is disconnected from AC power
Expire Barcodes expireBarcodes Choose whether to set an expiration date for the barcode
Automatic Barcode Expiration expireBasedOnExpiryDate 1
0
true
false (default)
The barcode is valid up to the expiration date. After it expires, the barcode cannot be scanned.
Authentication Key authenticationKey Enter the encrypted private key derived from the organization's certificate. This key decrypts the user's personal information, such as biometric facial image captures and passcodes, and is applicable only to shared devices. Use Data Encryption Tool to encrypt your private key. Zebra recommends using this Authentication Key for enhanced security.
Enable ForceLock After Timeout enableForceLockAfterTimeout 1
0
true
false (default)
Choose whether the device should automatically lock after the timeout period
Force Lock Timeout forceLockTimeout [integer] 240 (default) Enter the time (in minutes) for the warning notification to appear before the device locks
Snooze Time snoozeTimeout [integer] 120 (default) Enter the delay time (in seconds) after which the device will lock once the warning notification appaers
Snooze Title snoozeTitle [string] You will be locked out soon (default) Enter the title for the device lock warning notification.
Snooze Desc snoozeDescription [string] [enter text] Enter the message for the device lock warning notification
Admin Bypass Passcode adminSpecifiedPIN Choose whether to allow the passcode to be bypassed using a special PIN or passcode
passcodes pins Choose whether to permit the use of this passcode. Multiple passcodes can be added, each toggled on/off individually.
Group Name key [string] [enter string] Enter the group name to help identify the user's group affiliation when they enter the passcode
PIN/Passcode value [string] [enter string] Enter the alternate PIN/passcode for users of this group to use instead of the original one

Facial Authentication Configuration

Configure Identity Guardian for Facial Authentication

Configuration Name Key Value(s) Display Name Description
Liveness Threshold livenessThreshold 96
94
91
88
86
Custom
High
Medium/High (default)
Medium
Medium/Low
Low
Custom
Higher values offer greater security; lower values provide faster authentication.
• High - Facial algorithm is most strict, ensures liveness and other thresholds are met before granting access. May result in some false positives.
• Medium/High (default) - Moderately strict
• Medium - Middle ground in strictness
• Medium/Low - Slightly strict
• Low - Least strict; best for environments with poor lighting and difficulty identifying users. Best used for low risk environments (e.g. warehouse) since this may result in some spoofing.
Face Liveness Threshold faceLivenessThreshold [integer value] [enter integer between 80 and 100] Enter a custom Liveness Threshold (from 80 to 100) for facial authentication.
NOTE: Only use this under the guidance of a Zebra technician.

SSO Authentication Configuration

Configure Identity Guardian for single sign-on (SSO) authentication.

Configuration Name Key Value(s) Display Name Description
Single Sign On Provider ssoProvider Microsoft
PingId
Microsoft (default)
PingId
Select the SSO provider in use
Authentication Protocol ssoProtocol OAuth2.0 OAuth2.0 Select the authentication protocol to use for communication with your SSO server
Scope ssoScope [string] [enter string] Enter the SSO scope, which defines limits on the quantity and type of data granted to an access token
Configuration Settings ssoConfigSettings [string] [enter string] Enter the JSON-formatted configuration for SSO settings needed to communicate securely with the SSO server. This is taken from the Android app configuration from your SSO provider. Click here to download sample content.
Userid identifier ssoUseridIdentifier [string] [enter string] Specify the user key for identifying the signed-in user, which is displayed in the zDNA Cloud and retrievable from the API. The user key, which could be a username, preferred username, or employee ID, can be found in the ID token or user information from the SSO response.

SSO Mapping

Enable mapping of Identity Guardian user roles based on responses from single sign-on (SSO) service during employee login.

Note: Colored rows indicate a parent option.

Configuration Name Key Value(s) Display Name Description
SSO Mapping roleSettings 1
0
true
false
Enables the recognition and mapping of the Single Sign-On (SSO) response to application-specific roles. It provides the necessary settings to align SSO data with corresponding roles within the application, facilitating seamless integration and effective role-based access control. Add one or more Role Identifiers.
Role Identifier roleNames 1
0
true
false
Establishes links between roles in SSO responses and their corresponding roles within the Identity Guardian app. Multiple Role Identifiers can be added, each toggled on/off individually
Identity Guardian Role Name roleName [string] [enter string] Enter the Identity Guardian user role to be assigned based on SSO response during user sign-in (e.g. administrator, manager, user).
Key-value pair for role assignment ssoResponseKeys [string] [enter values and toggle on/off] Add one or more SSO key-value pairs to identify and map users to a predefined Identity Guardian user role.
SSO Key-Value Pair ssoResponseKey 1
0
true
false
Choose whether the SSO response, which contains the user key and values, should be mapped to a corresponding user role in Identity Guardian
SSO key roleKey [string] [enter string] Enter the SSO key to map it to an Identity Guardian role.
SSO value roleValue [string] [enter string] Enter the SSO value(s) to map to the Identity Guardian role. Use commas to separate multiple entries.

See Also