Overview
Identity Guardian offers two models for secure and personalized device access:
- Shared Device - A device designated for use by multiple individuals. User data is encrypted and encapsulated within a personal barcode generated at enrollment (optionally including facial biometrics); the barcode can be discarded at any time to erase the personal data.
- Personally Assigned Device - A device that is issued and allocated specifically to an individual for their dedicated use. User data is securely embedded within the Android framework, making it inaccessible even to the organization.
After the administrator configures Identity Guardian, set up the user profiles according to the access model in use. For users who opt in to facial biometrics, Identity Guardian presents Terms and Conditions that must be accepted before the biometric portion of the solution can be used. The administrator can customize the Terms & Conditions through ZDNA.
Shared Device
In environments where a single device is used by multiple users, Identity Guardian provides secure and personalized access tailored to each user's organizational role. Users must perform a one-time enrollment with Identity Guardian before they can authenticate on a shared device. These devices can support an unlimited number of registered users.
User data is encrypted and stored within a unique, encrypted barcode in the /enterprise/usr/Profiles folder. The barcode must be printed or shared within 24 hours; after that it is automatically deleted from the device, so personal information is retained neither on the device nor in the cloud. Facial biometrics can optionally be used to strengthen authentication. For temporary user profiles, barcodes can be set to expire automatically at a predetermined date and time. Alternatively, SSO can serve as the primary authentication method instead of issuing individual barcodes.
During enrollment, the user’s personal information, such as biometric facial image capture and passcode, is encrypted with an enrollment key. This key is an encrypted public key derived from the organization’s certificate and configured via Identity Guardian Managed Configuration. For details on generating an enrollment key, see Enrollment Configuration. Ensure the device used for enrollment is provisioned with the Enrollment configuration.
To authenticate users on a device, administrators must supply the authentication key, an encrypted private key derived from the organization’s certificate and configured through Identity Guardian Managed Configuration. For details on generating the authentication key, see Authentication Configuration. Ensure the device is provisioned with the Authentication configuration.
When the enrollment barcode is scanned, its data is decrypted using the authentication key and used for further authentication checks. This barcode cannot be decrypted or reverse-engineered on any device without the authentication key. Organizations must maintain the security and confidentiality of their authentication key.
IMPORTANT:
Administrators MUST provision their own enrollment key on devices designated for user enrollment and MUST provision their own authentication key on devices designated for user authentication. If they do not, Identity Guardian falls back to the default keys that ship with the product, and any device holding those default keys can decrypt the barcode.
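The key split described above (enrollment key = public key that seals the barcode, authentication key = private key that opens it) is easiest to reason about with a runnable model. The following Go program is an added illustration written for this page; it is not Identity Guardian's own code, and the barcode payload layout, the hybrid RSA-OAEP plus AES-GCM construction, the OAEP label and the sample user are all assumptions made for the example. It shows the three properties the section relies on: the organization's private key recovers the record, an unrelated key pair (standing in for a vendor default) cannot, and a temporary user's barcode is refused once its expiry date has passed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// oaepLabel binds the wrapped key to this use. Hypothetical value for the example.
var oaepLabel = []byte("identity-guardian-example")

// EnrollmentRecord is the plaintext an enrolling device would place in the barcode.
// Hypothetical field set; the real payload format is not documented on this page.
type EnrollmentRecord struct {
	UserID    string    `json:"user_id"`
	Role      string    `json:"role,omitempty"`
	Passcode  string    `json:"passcode"`   // lives only inside the encrypted barcode
	ExpiresAt time.Time `json:"expires_at"` // zero value means no expiry
}

// Barcode is what gets printed or shared: a per-barcode AES key wrapped with the
// enrollment (public) key, plus the AES-GCM ciphertext of the record.
type Barcode struct {
	WrappedKey, Nonce, Ciphertext []byte
}

func newGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Enroll seals rec so that only the holder of the matching authentication key can read it.
func Enroll(enrollmentKey *rsa.PublicKey, rec EnrollmentRecord) (*Barcode, error) {
	plaintext, err := json.Marshal(rec)
	if err != nil {
		return nil, err
	}
	dek := make([]byte, 32) // fresh AES-256 key for this barcode only
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, enrollmentKey, dek, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Barcode{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Authenticate opens the barcode with the authentication (private) key and enforces
// the expiry. A wrong key fails at the OAEP unwrap, so the record is never exposed.
func Authenticate(authKey *rsa.PrivateKey, bc *Barcode, now time.Time) (*EnrollmentRecord, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), nil, authKey, bc.WrappedKey, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap barcode key (wrong authentication key?): %w", err)
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, bc.Nonce, bc.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("barcode tampered or corrupt: %w", err)
	}
	var rec EnrollmentRecord
	if err := json.Unmarshal(plaintext, &rec); err != nil {
		return nil, err
	}
	if !rec.ExpiresAt.IsZero() && now.After(rec.ExpiresAt) {
		return nil, errors.New("barcode expired")
	}
	return &rec, nil
}

// ScenarioResult summarises the checks RunScenario performs.
type ScenarioResult struct {
	UserID           string // recovered with the organization's key
	WrongKeyRejected bool   // an unrelated ("default") key pair cannot decrypt
	ExpiredRejected  bool   // the temporary user's barcode is refused after expiry
}

// RunScenario enrols a constructed sample user and exercises all three cases.
func RunScenario() (ScenarioResult, error) {
	orgKey, err := rsa.GenerateKey(rand.Reader, 2048) // organization's certificate key pair
	if err != nil {
		return ScenarioResult{}, err
	}
	defaultKey, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for a vendor default key
	if err != nil {
		return ScenarioResult{}, err
	}
	enrolledAt := time.Date(2024, 5, 1, 9, 0, 0, 0, time.UTC)
	rec := EnrollmentRecord{UserID: "jdoe@example.com", Role: "associate", Passcode: "A1B2C3",
		ExpiresAt: enrolledAt.Add(7 * 24 * time.Hour)} // constructed temporary user
	bc, err := Enroll(&orgKey.PublicKey, rec)
	if err != nil {
		return ScenarioResult{}, err
	}
	got, err := Authenticate(orgKey, bc, enrolledAt.Add(time.Hour))
	if err != nil {
		return ScenarioResult{}, err
	}
	_, wrongErr := Authenticate(defaultKey, bc, enrolledAt.Add(time.Hour))
	_, lateErr := Authenticate(orgKey, bc, enrolledAt.Add(8*24*time.Hour))
	return ScenarioResult{UserID: got.UserID, WrongKeyRejected: wrongErr != nil, ExpiredRejected: lateErr != nil}, nil
}

func main() {
	res, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", res)
}
```

The design choice worth noting: the organization's private key never touches the enrollment device, which only needs the public half, so a compromised enrollment station cannot read barcodes it did not create. The reverse is what the IMPORTANT note warns about: if the authentication device keeps a default private key, every barcode sealed with the matching default public key is readable wherever that default is installed.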
User Enrollment
Follow the instructions below for user enrollment. Organizations may choose to walk through this initial setup with the shared device user:
- Open Identity Guardian.
- Tap Start.
- Enter the corporate PIN. This is a 6-digit PIN set by the administrator. Tap Continue.
- Setup ID and passcode:
- Enter ID or email
- (Optional) Select the appropriate user role (options vary based on your administrator's setup)
- (Optional) Enter the expiration date for the barcode. This applies for temporary users.
- Create a passcode, which can contain up to 6 alphanumeric characters.
- Re-enter the passcode
- (Optional) Capture facial biometrics. If opting out, tap Skip and continue from the barcode generation step below. Otherwise, tap Add and continue with the subsequent steps.
- Read the Terms & Conditions. Tap Confirm to accept.
- Position your face within the device screen for the photo capture. Capture one to three facial photos covering variations in appearance, for example with and without eyeglasses or a hat. Confirm each capture. Tap Add to capture additional photos. Tap Next when done.
- The barcode is generated. Tap Next.
- Tap Save to save the profile.
- Tap Continue. The profile creation is complete.
Personally Assigned Device
In environments where individual devices are assigned to specific users, setup is straightforward, with data protection handled within the Android framework. Users keep control over their encrypted personal data and can erase it at will. The organization cannot access this data because Identity Guardian stores it in sandboxed, access-controlled application storage on Android.
Identity Guardian works in conjunction with identity providers (IdPs) to streamline the authentication process. Users are required to authenticate only once, and single sign-on (SSO) is employed to enhance the process efficiency and security. This permits users to access multiple applications through a single log-in session.
Administrators can monitor the security measures a user has setup on their assigned device, assist with PIN resets, and bypass screen locks for troubleshooting purposes without the need to access personal data.
User Enrollment
Follow the instructions below for user enrollment:
- Open Identity Guardian.
- Tap Start.
- Enter the corporate PIN. This is a 6-digit PIN set by the administrator. Tap Continue.
- Setup ID and passcode, then tap Next.
- Enter ID or email
- (Optional) Select the appropriate user role (options vary based on your administrator's setup)
- Create a passcode, which can contain up to 6 alphanumeric characters.
- Re-enter the passcode.
- (Optional) Capture facial biometrics. If opting out, tap Skip and continue from the Save step below. Otherwise, tap Add and continue with the subsequent steps.
- Read the Terms & Conditions. Tap Confirm to accept.
- To add a facial photo, tap Add. Position your face within the device screen for the photo capture. Capture one to three facial photos covering variations in appearance, for example with and without eyeglasses or a hat. Confirm each capture. Tap Add to capture additional photos. Tap Next when done.
- Tap Save to save the profile.
- Tap Continue. The profile creation is complete.
Edit Profile
To edit a profile on a personally assigned device:
- Open the Identity Guardian app (Zebra Biometric).
- Enter your passcode.
- Select the item to edit:
- ID & Passcode
- Face Recognition
- If ID & Passcode is selected, make the appropriate edits and tap Save:
- Role - select the desired role
- Passcode - enter the current passcode and the new passcode
- If Face Recognition is selected, delete the existing facial photo and replace it by capturing a new photo.
Delete Profile
To delete a profile on a personally assigned device:
- Open the Identity Guardian app (Zebra Biometric).
- Enter your passcode.
- Tap on the menu icon at the top right and select Delete Profile.
After the profile is deleted, the enrollment screen appears to re-enroll the device and authenticate the user.
Device Sign In
After a device is set up with the user profile, the lock screen appears on the lock-screen event chosen by the administrator, for example when a user signs out, locks the device, or restarts it.
To sign in to a device, tap Unlock. The device prompts the user to authenticate via the primary authentication method selected by the administrator, such as facial biometrics or passcode entry. If the primary method fails, the secondary authentication method is presented. Unlicensed devices prompt for a passcode rather than facial biometrics.
If the Microsoft Authenticator app is in use, the following happens after the user unlocks the screen:
The Microsoft Authenticator app launches and prompts for user authentication. Enter the login credentials.
After authentication is successful, the user gains access to the device.
When a user launches any app that uses the Microsoft Authenticator app as its broker, the app signs in automatically without prompting for a user name or password.
Device Sign Out
Sign Out only applies to shared devices. To sign out of a device, perform one of the following:
- Open Identity Guardian app (Zebra Biometric) and tap Sign out.
- Lock the device.
- Restart the device (if configured by the administrator).
After a device is signed out, the lock screen appears.
ZDNA Cloud
Leveraging the Zebra DNA Cloud platform, Identity Guardian gives administrators visibility into user activity: who has signed in and out of which devices, what type of security is set up, when it was used, and more. Administrators can also expire users and reset PINs.
For more information, see the ZDNA Cloud documentation.