Managed Configurations

Identity Guardian 1.6

Overview

Managed configurations are part of a specification developed by Google and the Android community. They allow for remote configuration of installed applications and devices via any Enterprise Mobility Management (EMM) system, like Zebra DNA Cloud, that supports this specification.

Identity Guardian offers multiple setting categories, each associated with a specific bundle. Specific parameters for each configuration are outlined in the tables within this guide. These settings include the device usage method (either shared or personally assigned), device enrollment, and user authentication. User authentication specifies both the comparison source (like barcode for shared devices, or device storage for personal devices) and authentication methods (such as SSO,facial biometrics or passcode).

Use with Enterprise Home Screen:
Identity Guardian can be used in conjunction with Zebra's Enterprise Home Screen (EHS). If EHS is in use, ensure that the roles defined are consistent with those specified for Identity Guardian.

EMM

The features of a given app that are manageable using Managed Configurations are defined in its schema. The Identity Guardian schema becomes accessible once the APK is uploaded to the EMM, either as an Enterprise app or to its app store. The schema defines the features available for consumption by the EMM, and provides the information necessary to present the app's management UI within the EMM console. This data-driven UI method allows delivery of new features and their corresponding UI attributes as soon as they become available, and without the need to download a new .EXE. The Identity Guardian management UI varies slightly depending on the EMM system in use.

For procedures on implementing configuration policies through EMM and video demonstrations, refer to the EMM Setup guide.

ZDNA Cloud

For procedures on implementing configuration policies through Zebra DNA Cloud, refer to the ZDNA Cloud setup guide. For additionl information on use of ZDNA Cloud, refer to the ZDNA Cloud documentation.

image

Usage Mode

Choose the operation mode for Identity Guardian and, if desired, select the logging level.

For shared devices, separate profiles for Enrollment and Authentication are required, as specified in the "Application Mode".
For personally assigned devices, the "PERSONALLY_ASSIGNED" option in "Application Mode" combines both Enrollment and Authentication configurations into a single profile.

The subsequent sections of this guide provide options for Enrollment Configuration and Authentication Configuration respectively.

Name Key Value(s) Display Name Description
Application Mode APPLICATION_MODE ENROLLMENT (default)
AUTHENTICATION
PERSONALLY_ASSIGNED
PROXY
ENROLLMENT (default)
AUTHENTICATION
PERSONALLY ASSIGNED
PROXY
Enrollment - Defines enrollment settings for shared devices; see Enrollment Configuration. After user enrollment, a unique personalized barcode is created.
Authentication - Defines authentication settings for shared devices; see Authentication Configuration
Personally Assigned - Defines both Enrollment and Authentication settings for a user on personally assigned devices
Proxy - Allows apps to monitor user sign-in/sign-out events; see Proxy Mode.
Log Level logLevel 0
1 (default)
2
0
1 (default)
2
Specify the level of information to log:

• 0 - Debug; logs minimal information for basic troubleshooting
• 1 - Informational; logs general system and operational information
• 2 -Verbose; logs detailed information, including biometric data which is stored on the device at /data/tmp/public/IdentityGuardian

Enrollment Configuration

Configure Identity Guardian for user enrollment.

Note: Colored rows indicate a parent option.

Name Key Value(s) Display Name Description
Number of facial images to be enrolled FACE_VECTOR_COUNT 0
1
2
3
None
One Face (default)
Two Faces
Three Faces
Choose the number of facial images to be provided by the user during enrollment (up to 3)
Get Role Data? enableRoleDataUI 1
0
true (default)
false
Choose whether to prompt the user to select a "Role" during enrollment
Allow facial opt-out? userFaceBiometricOptOut 1
0
true
false (default)
Choose whether to allow the user to skip facial enrollment; other methods remain enforced
Set Expiration Date? enableExpiryDateUI 1
0
true (default)
false
Choose whether to prompt the user for an enrollment expiration date
List Roles listOfRoles [string] Manager, Associate Enter a list of roles for selection by enrollee, each role separated by a comma

NOTE:If Enterpise Home Screen is in use, ensure that its roles defined are consistent with those specified here.
Enable/Disable Corporate PIN enableDisablePin 1
0
true (default)
false
Select whether to require the user to enter a corporate PIN for access
Corporate PIN adminCorporatePin [string] [enter PIN] Enter a six-digit numeric PIN for enrollment
Enrollment Key enrollmentKey [string] [enter enrollment key] Enter the encrypted public key for enrollment. This key encrypts biometric data and is applicable only to shared devices. See Generate Enrollment Key for instructions. Zebra recommends using of customer-specific keys for enhanced security.
Custom T&C Configuration customTCConfiguration Configure Custom T&C for application
Display Custom T&C showCustomTC 1
0
true
false (default)
Select whether to display a custom Terms & Conditions tab
T&C Tab Title customTCTitle [string] [enter T&C title] Enter a title for the Terms & Conditions tab
Custom T&C Content customTCContent [string] [enter T&C content] Enter content to be displayed on the custom Terms & Conditions tab
Custom T&C URL customTCUrl [string] [enter T&C url] Enter a URL that contains custom and/or additional Terms & Conditions information
Passcode Rules passcodeConfiguration Specify Rules for Passcode
Select Passcode Type passwordType Numeric
AlphaNumeric
Numeric
AlphaNumeric
Choose the passcode type, either numeric only or a combination of alphanumeric characters
Minimum Length passCodeRuleMinLength [integer] 6 (default) Enter the minimum number of characters to accept for the pass code
Minimum Uppercase Letters passCodeRuleMinUppercase 0
1
0 (default)
1
Select the minimum number of uppercase letters to accept for the passcode
Minimum Lower Letters passCodeRuleMinLowercase 0
1
0 (default)
1
Select the minimum number of lowercase letters to accept for the passcode
Minimum Numbers passCodeRuleMinNumbers 0
1
0 (default)
1
Select the minimum amount of numbers to accept for the passcode
Minimum Symbols passCodeRuleMinSymbols 0
1
0 (default)
1
Select the minimum number symbols or special characters to accept for the passcode. Acceptable symbols are: !,@,#,$,%,^,&,,-,_,?,

Generate Enrollment Key

To generate the encrypted key value for the public key, use the Data Encryption Tool with the following command:

    JAVA -jar DataSecurity-1.0.jar -d <data> -p com.zebra.mdna.els -s <IDG_SIGNATURE>

Instructions for running the command:

  1. Download DataSecurity-1.0.zip and extract the file DataSecurity-1.0.jar.

  2. Replace <IDG_SIGNATURE> with the following:

    MIIFnDCCA4QCCSMxNhM5AtLv+TANBgkqhkiG9w0BAQsFADCBpDELMAkGA1UEBhMCVVMxETAPBgNVBAgMCE5ldyBZb3JrMRMwEQYDVQQHDApIb2x0c3ZpbGxlMSEwHwYDVQQKDBhaZWJyYSBUZWNobm9sb2dpZXMsIEluYy4xJDAiBgNVBAsMG0VudGVycHJpc2UgTW9iaWxlIENvbXB1dGluZzEkMCIGA1UEAwwbQW5kcm9pZCBQcml2aWxlZ2VkIEtleSBSb290MB4XDTIzMDExMjE0MjMzMloXDTQ4MDIxNTE0MjMzMlowezELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5ZMRMwEQYDVQQHDApIb2x0c3ZpbGxlMR8wHQYDVQQKDBZaZWJyYSBUZWNobm9sb2dpZXMgSW5jMQwwCgYDVQQLDANFTUMxGzAZBgNVBAMMEmNvbS56ZWJyYS5tZG5hLmVsczCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAO76NKGh9xzN/bOQnWonV8qs7BFXWnzqGJ4OS2A2hKyacE6e8hnA9vXXhZ/wa1lc93mM4wVI1dMCD3z7yF3643EB3zJ3qxtD/CmyIQjImuo2Pyd0awnmS1W9tJjQISRS45sN9B9ThYk6oX4TIh7/5Pr9q+rTayP9zpoHjK7PestODwaY3FccSmLQ3nmO+xqi5KxqDZZHAYfKj5krUx3GEKq2Pj3A4iDii0RjopXtSVvP7+R+UO+Vw0KnVhhwtC9W1yQkuwl6pcK8gE9hxsFWDzWGqZbw4NCpjtg8hW9Th5p3Xy7lRWLpJhWGh4IWMmCgPNzYyZ4Alms27owG/viCsSKyDnyIpFPSO0Pmq790ccGY6APL/jzUV9J9lqFM/Fa03uuxWY0PI2OoSYnvJP4NO88BNU/iekhuYjIHkKegJLnPdTF2FwnHJWJa96dgKo9ATO4lIhMZ/iMV3ifAekfZM20Yf38bKa7ylI8TNmBOA+Y3MEp7u8txrJDD7gZ6r4cdDTMz843V21Ckby4uAzX1+tjEuVLgd7ZssJzFuKeKp8ZEreEoTJYH1/1xK49M3XKBzyYJVDV23CwsuVkdsoxCk5Mzq4TBo1SHLTV3Ar2NaDVNYzoj/xuVnHSbmx/ErTDvX6d1BvvcvORL6bHEKlsUXs+KNeB49kzXFPkCdcU1NGx1AgMBAAEwDQYJKoZIhvcNAQELBQADggIBAJYVo2ka0tSqsCegqYllTicTehz3X2aOw5vZ6FAA1RlEsCU0S7A+H+n1jUfzoWNjlRKvBmvZnSitLXOSIDKrQnGyqlGTbwDHXhkfzsv/dSCumAFzPKfhCfZ85hSbgHt25S0+QKzCTVtDB1EVE/CGae7kBHCJQaEM+SVA3yor47Wglf0Wi3L1uQiSfdOrySic/2/FrSiI8Uu/LBvAIXuESmWJWcnOHt1zQiuADqB3Uv5falpgSTzOpcBglxVLS1WN8nZTWfkSk1yRDKMXCmsmFSJPEauzmcVtLQjmWoA7mlifY65/qMF5Bm0zIXU9N3B2braxB3oUZ7JkHmWBMPzenUjLuAQSvoGOZfbjHnMIy0T5hqc2RlDW90521oaHFwhpY1giYBFdDilC1YKF2OrGAIo8A+BIcvI4vN+3uBtofJFr/jRV0CSxNZxIr+a5lpUv6ronoBPd8LNuL8TYezbcbFity7RQHZDK9U4N/eEaift94MZY9M7PyAml7HEW2DUOEfBzwfd0EkyaPVhTvHsV3IxMASw285cDhR8JtFvDDnGE1ztXoQS80Ed6OB/HXGd92Ss3rk6t1ZVcVW+gZo4ovzqpAL9rEsH/vQO3DKoYaIHv2ZSxriSOVhyE1tOlQkYwoRymSx5A30l5l+t2GZLlOS4eySwQ7vS54+mUom9ZTHs2
    
  3. Replace <data> with your public certificate key.

  4. Run the following command with the replaced values from the previous steps:

    JAVA -jar DataSecurity-1.0.jar -d <data> -p com.zebra.mdna.els -s <IDG_SIGNATURE>
    
  5. Copy the resulting encrypted public key value and paste it into Enrollment Key in the Manage Configuration.


Authentication Configuration

Configure Identity Guardian for user verification and authentication. Create up to four unique authentication schemes, and define the specific options for each one. Then, for any given event option, choose the appropriate authentication scheme to apply. Each authentication scheme includes the following:

  • Primary Authentication Factor - The first method used to verify a user's identity.
    • If primary authentication fails and secondary authentication is not activated, the fallback authentication method is triggered.
    • If secondary authentication is enabled and activated, then it is triggered.
  • Secondary Authentication Factor - This is an optional, but mandatory when activated, second method of verification, thereby establishing a two-factor authentication process.
    • If secondary authentication fails, then fallback authentication is activated.
  • Fallback Authentication Method - This is an alternate method used for verification when the primary or secondary authentication methods fail.

Note: Colored rows indicate a parent option.

Name Option Name Key Value(s) Display Name Description
User Verification Methods authenticationSchemes Select the user verification setup method
Verification Setup1 authenticationScheme1 Verification Setup1
Comparison Source authenticationScheme1ComparisonSource NONE
BARCODE
DEVICE STORAGE
LEGACY BARCODE
NONE
BARCODE (default)
DEVICE STORAGE
LEGACY BARCODE
For either shared devices or personal devices to accept simple 1D user barcodes that are not encrypted, select LEGACY BARCODE. Legacy Barcode Prefix is required under Verification Setup.

For shared devices, select BARCODE. Users are then prompted to scan their unique, encrypted barcode before proceeding with the primary authentication method. However, if shared devices are using SSO as the primary authentication method without a barcode, select NONE.

For personal devices, select DEVICE STORAGE. The user is prompted to proceed with the primary authentication method.
Primary Authentication Method authenticationScheme1PrimaryAuthMethod Select the user authentication method
Primary Authentication Factor authenticationScheme1PrimaryAuthMethodFactor1 FACE
PASSCODE
SSO
NO_COMPARISON
FACE (default)
PASSCODE
SSO
NO_COMPARISON
Set the primary method for user authentication
Secondary Authentication Factor authenticationScheme1PrimaryAuthMethodFactor2 FACE
PASSCODE
SSO
NONE
FACE
PASSCODE (default)
SSO
NONE
Set the secondary method for user authentication
Fallback Authentication Method authenticationScheme1FallbackAuthMethod NONE
PASSCODE
FACE
SSO
ADMIN BYPASS PASSCODE
NONE
PASSCODE (default)
FACE
SSO
ADMIN_BYPASS_PASSCODE
Choose a backup authentication method if the primary one fails:
• None - No further authentication
• Passcode - User enters a passcode
• Face - User provides facial biometrics
• SSO - User inputs SSO login
• Admin Bypass Passcode - User enters an admin-set bypass code; applicable if Passcode is the primary or secondary authentication
Primary Authentication Timeout authenticationScheme1PrimaryAuthTimeout [Integer] Integer (default=20000) Set the timeout (in milliseconds) for primary authentication

Zebra recommends a longer timeout period, such as 300000 (5 minutes), for sufficient user login time.
Fallback Authentication Timeout authenticationScheme1FallbackAuthTimeout [Integer] Integer (default=20000) Set the timeout (in milliseconds) for fallback authentication
Legacy Barcode Options authenticationScheme1legacyBarcodeOptions bundle Settings for Legacy Barcode Option
Legacy Barcode Prefix authenticationScheme1legacyBarcodePrefix string [enter string] Enter the prefix required for validating the scanned user barcode. Without the prefix, the user cannot be authenticated.
Verification Setup2 authenticationScheme2 Verification Setup2
Comparison Source authenticationScheme1ComparisonSource NONE
BARCODE
DEVICE STORAGE
LEGACY BARCODE
NONE
BARCODE (default)
DEVICE STORAGE
LEGACY BARCODE
For either shared devices or personal devices to accept simple 1D user barcodes that are not encrypted, select LEGACY BARCODE. Legacy Barcode Prefix is required under Verification Setup.

For shared devices, select BARCODE. Users are then prompted to scan their unique, encrypted barcode before proceeding with the primary authentication method. However, if shared devices are using SSO as the primary authentication method without a barcode, select NONE.

For personal devices, select DEVICE STORAGE. The user is prompted to proceed with the primary authentication method.
Primary Authentication Method authenticationScheme2PrimaryAuthMethod Select the user authentication method
Primary Authentication Factor authenticationScheme2PrimaryAuthMethodFactor1 FACE
PASSCODE
SSO
NO_COMPARISON
FACE (default)
PASSCODE
SSO
NO_COMPARISON
Set the primary method for user authentication
Secondary Authentication Factor authenticationScheme2PrimaryAuthMethodFactor2 FACE
PASSCODE
SSO
NONE
FACE
PASSCODE (default)
SSO
NONE
Set the secondary method for user authentication
Fallback Authentication Method authenticationScheme2FallbackAuthMethod NONE
PASSCODE
FACE
SSO
ADMIN BYPASS PASSCODE
NONE
PASSCODE (default)
FACE
SSO
ADMIN_BYPASS_PASSCODE
Choose a backup authentication method if the primary one fails:
• None - No further authentication
• Passcode - User enters a passcode
• Face - User provides facial biometrics
• SSO - User inputs SSO login
• Admin Bypass Passcode - User enters an admin-set bypass code; applicable if Passcode is the primary or secondary authentication
Primary Authentication Timeout authenticationScheme2PrimaryAuthTimeout [Integer] Integer (default=20000) Set the timeout (in milliseconds) for primary authentication

Zebra recommends a longer timeout period, such as 300000 (5 minutes), for sufficient user login time.
Fallback Authentication Timeout authenticationScheme2FallbackAuthTimeout [Integer] Integer (default=20000) Set the timeout (in milliseconds) for fallback authentication
Legacy Barcode Options authenticationScheme1legacyBarcodeOptions bundle Settings for Legacy Barcode Option
Legacy Barcode Prefix authenticationScheme1legacyBarcodePrefix string
Verification Setup3 authenticationScheme3 Verification Setup3
Comparison Source authenticationScheme1ComparisonSource NONE
BARCODE
DEVICE STORAGE
LEGACY BARCODE
NONE
BARCODE (default)
DEVICE STORAGE
LEGACY BARCODE
For either shared devices or personal devices to accept simple 1D user barcodes that are not encrypted, select LEGACY BARCODE. Legacy Barcode Prefix is required under Verification Setup.

For shared devices, select BARCODE. Users are then prompted to scan their unique, encrypted barcode before proceeding with the primary authentication method. However, if shared devices are using SSO as the primary authentication method without a barcode, select NONE.

For personal devices, select DEVICE STORAGE. The user is prompted to proceed with the primary authentication method.
Primary Authentication Method authenticationScheme3PrimaryAuthMethod Select the user authentication method
Primary Authentication Factor authenticationScheme3PrimaryAuthMethodFactor1 FACE
PASSCODE
SSO
NO_COMPARISON
FACE (default)
PASSCODE
SSO
NO_COMPARISON
Set the primary method for user authentication
Secondary Authentication Factor authenticationScheme3PrimaryAuthMethodFactor2 FACE
PASSCODE
SSO
NONE
FACE
PASSCODE (default)
SSO
NONE
Set the secondary method for user authentication
Fallback Authentication Method authenticationScheme3FallbackAuthMethod NONE
PASSCODE
FACE
SSO
ADMIN BYPASS PASSCODE
NONE
PASSCODE (default)
FACE
SSO
ADMIN_BYPASS_PASSCODE
Choose a backup authentication method if the primary one fails:
• None - No further authentication
• Passcode - User enters a passcode
• Face - User provides facial biometrics
• SSO - User inputs SSO login
• Admin Bypass Passcode - User enters an admin-set bypass code; applicable if Passcode is the primary or secondary authentication
Primary Authentication Timeout authenticationScheme3PrimaryAuthTimeout [Integer] Integer (default=20000) Set the timeout (in milliseconds) for primary authentication

Zebra recommends a longer timeout period, such as 300000 (5 minutes), for sufficient user login time.
Fallback Authentication Timeout authenticationScheme3FallbackAuthTimeout [Integer] Integer (default=20000) Set the timeout (in milliseconds) for fallback authentication
Legacy Barcode Options authenticationScheme1legacyBarcodeOptions bundle Settings for Legacy Barcode Option
Legacy Barcode Prefix authenticationScheme1legacyBarcodePrefix string
Verification Setup4 authenticationScheme4 Verification Setup4
Comparison Source authenticationScheme1ComparisonSource NONE
BARCODE
DEVICE STORAGE
LEGACY BARCODE
NONE
BARCODE (default)
DEVICE STORAGE
LEGACY BARCODE
For either shared devices or personal devices to accept simple 1D user barcodes that are not encrypted, select LEGACY BARCODE. Legacy Barcode Prefix is required under Verification Setup.

For shared devices, select BARCODE. Users are then prompted to scan their unique, encrypted barcode before proceeding with the primary authentication method. However, if shared devices are using SSO as the primary authentication method without a barcode, select NONE.

For personal devices, select DEVICE STORAGE. The user is prompted to proceed with the primary authentication method.
Primary Authentication Method authenticationScheme4PrimaryAuthMethod Select the user authentication method
Primary Authentication Factor authenticationScheme4PrimaryAuthMethodFactor1 FACE
PASSCODE
SSO
NO_COMPARISON
FACE (default)
PASSCODE
SSO
NO_COMPARISON
Set the primary method for user authentication
Secondary Authentication Factor authenticationScheme4PrimaryAuthMethodFactor2 FACE
PASSCODE
SSO
NONE
FACE
PASSCODE (default)
SSO
NONE
Set the secondary method for user authentication
Fallback Authentication Method authenticationScheme4FallbackAuthMethod NONE
PASSCODE
FACE
SSO
ADMIN BYPASS PASSCODE
NONE
PASSCODE (default)
FACE
SSO
ADMIN_BYPASS_PASSCODE
Choose a backup authentication method if the primary one fails:
• None - No further authentication
• Passcode - User enters a passcode
• Face - User provides facial biometrics
• SSO - User inputs SSO login
• Admin Bypass Passcode - User enters an admin-set bypass code; applicable if Passcode is the primary or secondary authentication
Primary Authentication Timeout authenticationScheme4PrimaryAuthTimeout [Integer] Integer (default=20000) Set the timeout (in milliseconds) for primary authentication

Zebra recommends a longer timeout period, such as 300000 (5 minutes), for sufficient user login time.
Fallback Authentication Timeout authenticationScheme4FallbackAuthTimeout [Integer] Integer (default=20000) Set the timeout (in milliseconds) for fallback authentication
Legacy Barcode Options authenticationScheme1legacyBarcodeOptions bundle Settings for Legacy Barcode Option
Legacy Barcode Prefix authenticationScheme1legacyBarcodePrefix string
Authentication Data Storage temporaryDataConfiguration Configure settings to allow temporary storage of user authentication data on the device, facilitating a one-time barcode scan for initial use on shared devices. This eliminates the need for repeated barcode scans during events such as device unlock, reboot, and connect/disconnect from power. If configured, subsequent device access will prompt for primary or secondary authentication. Barcode scans remain mandatory whenever a user manually logs out from Identity Guardian, or a new user signs in following the previous user's sign out.
NOTE: If Force Logout is enabled, a barcode scan is prompted for every triggered event.
Store Authentication Data enableTempStorageTimeout 1
0
true
false (default)
Choose whether to enable temporary storge of user authentication data on the device for the specified Storage Period. This eliminates the need for rescanning a barcode after the initial one-time scan on shared devices.
Storage Period tempStorageTimeout Integer 1 to 12 Integer 1 to 12 (default) Select the length of time (in hours) to temporarily store user authentication data on the device to facilitate a one-time barcode scan for initial use on shared devices. After the time elapses, the lock screen appears on the device and authentication data is deleted upon expiration.
Snooze Time tempStorageSnoozeTimeout Integer 30 to 300 Integer 30 to 300 (Default: 120) Enter the time duration (in seconds) to postpone the display of the lock screen and removal of user authentication data from temporary storage.
Timeout Delay Title tempStorageSnoozeTitle [String] [enter string] Enter the title for the device lock warning notification before user authentication data is removed from temporary storage.
Timeout Delay Description tempStorageSnoozeDescription [String] [enter string] Enter the alert message for the device lock notification, warning the user that the device will be locked soon, triggering the removal of user authentication data from temporary storage.
Lock-screen Event Options LockScreenShowOption Choose the verification method that is triggered by the event that causes the device screen to lock
On Unlock Bundle_LockScreenShowOptionUnlock Select the option(s) required following a device event that unlocks the screen
Verification Setup on_unlock authenticationScheme1
authenticationScheme2
authenticationScheme3
authenticationScheme4
NONE
Verification Setup1 (default)
Verification Setup2
Verification Setup3
Verification Setup4
None
Select the verification required following a device event that unlocks the screen
Alternative Verification Setup on_unlock authenticationScheme1
authenticationScheme2
authenticationScheme3
authenticationScheme4
NONE
Verification Setup1
Verification Setup2
Verification Setup3
Verification Setup4
None (default)
Select the verification required for Alternative Login after the device unlocks
On Reboot Bundle_LockScreenShowOptionReboot Select the option(s) required after a device reboot
Verification Setup on_reboot authenticationScheme1
authenticationScheme2
authenticationScheme3
authenticationScheme4
NONE
Verification Setup1
Verification Setup2 (default)
Verification Setup3
Verification Setup4
None
Select the verification required after a device reboot
Alternative Verification Setup on_reboot authenticationScheme1
authenticationScheme2
authenticationScheme3
authenticationScheme4
NONE
Verification Setup1
Verification Setup2
Verification Setup3
Verification Setup4
None (default)
Select the verification required for Alternative Login after the device unlocks
On AC power connected Bundle_LockScreenShowOptionACPowerCon Select the option(s) required upon connection to AC power
Verification Setup on_ac_power_connected authenticationScheme1
authenticationScheme2
authenticationScheme3
authenticationScheme4
NONE
Verification Setup1
Verification Setup2
Verification Setup3 (default)
Verification Setup4
None
Select the verification required upon connection to AC power
Alternative Verification Setup on_ac_power_connected authenticationScheme1
authenticationScheme2
authenticationScheme3
authenticationScheme4
NONE
Verification Setup1
Verification Setup2
Verification Setup3
Verification Setup4
None (default)
Select the verification required for Alternative Login after the device unlocks
On AC Power Disconnection Bundle_LockScreenShowOptionACPowerDisCon Select the option(s) required upon disconnection from AC power
Verification Setup on_ac_power_disconnected authenticationScheme1
authenticationScheme2
authenticationScheme3
authenticationScheme4
NONE
Verification Setup1
Verification Setup2
Verification Setup3 (default)
Verification Setup4
None
Select the verification required upon disconnection from AC power
Alternative Verification Setup on_ac_power_disconnected authenticationScheme1
authenticationScheme2
authenticationScheme3
authenticationScheme4
NONE
Verification Setup1
Verification Setup2
Verification Setup3
Verification Setup4
None (default)
Select the verification required for Alternative Login after the device unlocks
On device manual checkin Bundle_LockScreenShowOptionManualCheckin Select the option(s) required when the user manually signs in to the device
Verification Setup on_device_manual_checkin authenticationScheme1
authenticationScheme2
authenticationScheme3
authenticationScheme4
NONE
Verification Setup1
Verification Setup2
Verification Setup3 (default)
Verification Setup4
None (default)
Select the verification required when a user manually signs in to the device
Alternative Verification Setup on_device_manual_checkin authenticationScheme1
authenticationScheme2
authenticationScheme3
authenticationScheme4
NONE
Verification Setup1
Verification Setup2
Verification Setup3
Verification Setup4
None (default)
Select the verification required for Alternative Login after the device unlocks
On user change Bundle_LockScreenShowOptionUserChange Select the necessary option(s) when a new user signs in to the device after the previous user has been automatically signed out, such as due to a Force Logout action or when the device goes idle.
Verification Setup on_device_manual_checkin authenticationScheme1
authenticationScheme2
authenticationScheme3
authenticationScheme4
NONE
Verification Setup1
Verification Setup2
Verification Setup3 (default)
Verification Setup4
None
Select the verification required when a new user signs in to the device
Alternative Verification Setup on_device_manual_checkin authenticationScheme1
authenticationScheme2
authenticationScheme3
authenticationScheme4
NONE
Verification Setup1
Verification Setup2
Verification Setup3
Verification Setup4
None (default)
Select the verification required for Alternative Login after the device unlocks
Force Logout Options ForceLogoutShowOption Choose whether to automatically logout the user based on certain device events.
On Lock forceLogout_on_lock 1
0
true
false (default)
Choose whether to automatically logout the user when the device screen locks.
On Reboot forceLogout_on_reboot 1
0
true
false (default)
Choose whether to automatically logout the user when the device reboots
On AC power connected forceLogout_on_ac_power_connected 1
0
true
false (default)
Choose whether to automatically logout the user when the device is connected to AC power
On AC power disconnected forceLogout_on_ac_power_disconnected 1
0
true
false (default)
Choose whether to automatically logout the user when the device is disconnected from AC power
Expire Barcodes expireBarcodes Choose whether to set an expiration date for the barcode
Automatic Barcode Expiration expireBasedOnExpiryDate 1
0
true
false (default)
The barcode is valid up to the expiration date. After it expires, the barcode cannot be scanned.
Authentication Key authenticationKey Enter the encrypted private key. This key decrypts the biometric data and is applicable only to shared devices.See Generate Authentication Key for instructions. Zebra recommends using of customer-specific keys for enhanced security.
Enable ForceLock After Timeout enableForceLockAfterTimeout 1
0
true
false (default)
Choose whether the device should automatically lock after the timeout period
Force Lock Timeout forceLockTimeout [integer] 240 (default) Enter the time (in minutes) for the warning notification to appear before the device locks
Snooze Time snoozeTimeout [integer] 120 (default) Enter the delay time (in seconds) for the device to lock once after the warning notification is displayed
Snooze Title snoozeTitle [string] You will be locked out soon (default) Enter the title for the device lock warning notification.
Snooze Desc snoozeDescription [string] [enter text] Enter the message for the device lock warning notification
Admin Bypass Passcode adminSpecifiedPIN Choose whether to allow an admin specified passcode to be used to bypass the user-specified passcode. When in use, user accountability is not enforced.
passcodes pins Choose whether to permit the use of this passcode. Multiple passcodes can be added, each toggled on/off individually.
Group Name key [string] [enter string] Enter the group name to identify the user’s affiliation when they input the passcode. Length: 4-256 characters.
PIN/Passcode value [string] [enter string] Enter the alternate PIN/passcode for this group, available for users as an alternative to the original one. Length: 6-12 characters.

Generate Authentication Key

To generate the encrypted key value for the private key, use the Data Encryption Tool with the following command:

    JAVA -jar DataSecurity-1.0.jar -d <data> -p com.zebra.mdna.els -s <IDG_SIGNATURE>

Instructions for running the command:

  1. Download DataSecurity-1.0.zip and extract the file DataSecurity-1.0.jar.

  2. Replace <IDG_SIGNATURE> with the following:

    MIIFnDCCA4QCCSMxNhM5AtLv+TANBgkqhkiG9w0BAQsFADCBpDELMAkGA1UEBhMCVVMxETAPBgNVBAgMCE5ldyBZb3JrMRMwEQYDVQQHDApIb2x0c3ZpbGxlMSEwHwYDVQQKDBhaZWJyYSBUZWNobm9sb2dpZXMsIEluYy4xJDAiBgNVBAsMG0VudGVycHJpc2UgTW9iaWxlIENvbXB1dGluZzEkMCIGA1UEAwwbQW5kcm9pZCBQcml2aWxlZ2VkIEtleSBSb290MB4XDTIzMDExMjE0MjMzMloXDTQ4MDIxNTE0MjMzMlowezELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5ZMRMwEQYDVQQHDApIb2x0c3ZpbGxlMR8wHQYDVQQKDBZaZWJyYSBUZWNobm9sb2dpZXMgSW5jMQwwCgYDVQQLDANFTUMxGzAZBgNVBAMMEmNvbS56ZWJyYS5tZG5hLmVsczCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAO76NKGh9xzN/bOQnWonV8qs7BFXWnzqGJ4OS2A2hKyacE6e8hnA9vXXhZ/wa1lc93mM4wVI1dMCD3z7yF3643EB3zJ3qxtD/CmyIQjImuo2Pyd0awnmS1W9tJjQISRS45sN9B9ThYk6oX4TIh7/5Pr9q+rTayP9zpoHjK7PestODwaY3FccSmLQ3nmO+xqi5KxqDZZHAYfKj5krUx3GEKq2Pj3A4iDii0RjopXtSVvP7+R+UO+Vw0KnVhhwtC9W1yQkuwl6pcK8gE9hxsFWDzWGqZbw4NCpjtg8hW9Th5p3Xy7lRWLpJhWGh4IWMmCgPNzYyZ4Alms27owG/viCsSKyDnyIpFPSO0Pmq790ccGY6APL/jzUV9J9lqFM/Fa03uuxWY0PI2OoSYnvJP4NO88BNU/iekhuYjIHkKegJLnPdTF2FwnHJWJa96dgKo9ATO4lIhMZ/iMV3ifAekfZM20Yf38bKa7ylI8TNmBOA+Y3MEp7u8txrJDD7gZ6r4cdDTMz843V21Ckby4uAzX1+tjEuVLgd7ZssJzFuKeKp8ZEreEoTJYH1/1xK49M3XKBzyYJVDV23CwsuVkdsoxCk5Mzq4TBo1SHLTV3Ar2NaDVNYzoj/xuVnHSbmx/ErTDvX6d1BvvcvORL6bHEKlsUXs+KNeB49kzXFPkCdcU1NGx1AgMBAAEwDQYJKoZIhvcNAQELBQADggIBAJYVo2ka0tSqsCegqYllTicTehz3X2aOw5vZ6FAA1RlEsCU0S7A+H+n1jUfzoWNjlRKvBmvZnSitLXOSIDKrQnGyqlGTbwDHXhkfzsv/dSCumAFzPKfhCfZ85hSbgHt25S0+QKzCTVtDB1EVE/CGae7kBHCJQaEM+SVA3yor47Wglf0Wi3L1uQiSfdOrySic/2/FrSiI8Uu/LBvAIXuESmWJWcnOHt1zQiuADqB3Uv5falpgSTzOpcBglxVLS1WN8nZTWfkSk1yRDKMXCmsmFSJPEauzmcVtLQjmWoA7mlifY65/qMF5Bm0zIXU9N3B2braxB3oUZ7JkHmWBMPzenUjLuAQSvoGOZfbjHnMIy0T5hqc2RlDW90521oaHFwhpY1giYBFdDilC1YKF2OrGAIo8A+BIcvI4vN+3uBtofJFr/jRV0CSxNZxIr+a5lpUv6ronoBPd8LNuL8TYezbcbFity7RQHZDK9U4N/eEaift94MZY9M7PyAml7HEW2DUOEfBzwfd0EkyaPVhTvHsV3IxMASw285cDhR8JtFvDDnGE1ztXoQS80Ed6OB/HXGd92Ss3rk6t1ZVcVW+gZo4ovzqpAL9rEsH/vQO3DKoYaIHv2ZSxriSOVhyE1tOlQkYwoRymSx5A30l5l+t2GZLlOS4eySwQ7vS54+mUom9ZTHs2
    
  3. Replace <data> with your private certificate key.

  4. Run the following command with the replaced values from the previous steps:

    JAVA -jar DataSecurity-1.0.jar -d <data> -p com.zebra.mdna.els -s <IDG_SIGNATURE>
    
  5. Copy the resulting encrypted private key value and paste it into Authentication Key in the Manage Configuration.


Facial Authentication Configuration

Configure Identity Guardian for Facial Authentication

Configuration Name Key Value(s) Display Name Description
Liveness Threshold livenessThreshold 96
94
91
88
86
Custom
High
Medium/High (default)
Medium
Medium/Low
Low
Custom
Higher values offer greater security; lower values provide faster authentication.
• High - Facial algorithm is most strict, ensures liveness and other thresholds are met before granting access. May result in some false positives.
• Medium/High (default) - Moderately strict
• Medium - Middle ground in strictness
• Medium/Low - Slightly strict
• Low - Least strict; best for environments with poor lighting and difficulty identifying users. Best used for low risk environments (e.g. warehouse) since this may result in some spoofing.
Face Liveness Threshold faceLivenessThreshold [integer value] [enter integer between 80 and 100] Enter a custom Liveness Threshold (from 80 to 100) for facial authentication.
NOTE: Only use this under the guidance of a Zebra technician.

SSO Authentication Configuration

Configure Identity Guardian for single sign-on (SSO) authentication.

Configuration Name Key Value(s) Display Name Description
Single Sign On Provider ssoProvider Microsoft
PingId
Microsoft (default)
PingId
Okta
Select the SSO provider in use
Authentication Protocol ssoProtocol OAuth2.0 OAuth2.0 Select the authentication protocol to use for communication with your SSO server
Scope ssoScope [string] [enter string] Enter the SSO scope, which defines limits on the quantity and type of data granted to an access token
Configuration Settings ssoConfigSettings [string] [enter string] Enter the JSON-formatted configuration for SSO settings needed to communicate securely with the SSO server. This is taken from the Android app configuration from your SSO provider. Click here to download sample content.
Userid identifier ssoUseridIdentifier [string] [enter string] Specify the user key for identifying the signed-in user, which is displayed in the zDNA Cloud and retrievable from the API. The user key, which could be a user name, preferred user name, or employee ID, can be found in the ID token or user information from the SSO response.

SSO Mapping

Enable mapping of Identity Guardian user roles based on responses from single sign-on (SSO) service during employee login.

Note: Colored rows indicate a parent option.

Configuration Name Key Value(s) Display Name Description
SSO Mapping roleSettings 1
0
true
false
Enables the recognition and mapping of the Single Sign-On (SSO) response to application-specific roles. It provides the necessary settings to align SSO data with corresponding roles within the application, facilitating seamless integration and effective role-based access control. Add one or more Role Identifiers.
Role Identifier roleNames 1
0
true
false
Establishes links between roles in SSO responses and their corresponding roles within the Identity Guardian app. Multiple Role Identifiers can be added, each toggled on/off individually
Identity Guardian Role Name roleName [string] [enter string] Enter the Identity Guardian user role to be assigned based on SSO response during user sign-in (e.g. administrator, manager, user).
Key-value pair for role assignment ssoResponseKeys [string] [enter values and toggle on/off] Add one or more SSO key-value pairs to identify and map users to a predefined Identity Guardian user role.
SSO Key-Value Pair ssoResponseKey 1
0
true
false
Choose whether the SSO response, which contains the user key and values, should be mapped to a corresponding user role in Identity Guardian
SSO key roleKey [string] [enter string] Enter the SSO key to map it to an Identity Guardian role.
SSO value roleValue [string] [enter string] Enter the SSO value(s) to map to the Identity Guardian role. Use commas to separate multiple entries.

Lock Screen Configuration

Configure the behavior of Identity Guardian when the device is in locked mode.

Note: Colored rows indicate a parent option.

Configuration Name Key Value(s) Display Name Description
Apps Allowed On Lock Screen allowPackagesToRunOnTopOfIG 1
0
true
false
Enables the selection of specific applications to be displayed on the device's lock screen, allowing these apps to continue operating even when the device is locked. This should be restricted to certain apps, such as the phone app, which allows phone calls to be received. Tap Add Application Details to add multiple apps.
Application Details allowListPackageBundle 1
0
true
false
Choose whether to display this app in the foreground of the device lock screen.
Package Name allowListPackageName [string] [enter string] Enter the application's package name to display in the foreground of the lock screen, for example, "com.android.your-app"
Activity Name allowListActivityName [string] [enter string] Enter the app activity name to display in the foreground of the lock screen, for example, "com.android.your-app.appActivity"
Custom Lock Screen Message lockScreenMessageConfigurations bundle bundle Allow users to include a custom message on the device lock screen. This custom message remains visible to all users when they sign in or sign out of the device.
Allow Custom Lock Screen Message enableLockScreenMessage bool true
false (default)
Choose whether to enable the option for users to add a custom message on the device lock screen. If enabled, this option appears in the message settings within Identity Guardian.
Custom Lock Screen Message Source lockScreenType choice App Specific Choose the source of the custom lock screen message. Currently only a single source is available.
Lock Screen Menu lockScreenMenuOptions bundle bundle Enable to allow options to be accessible from the top right menu on the lock screen.
Lock Screen Menu lockScreenMenuOptions bundle bundle Enable to allow options to be accessible from the top right menu on the lock screen.
Allow Self Enrollment enrollUserConfigurations Enable this option to allow users to self-enroll in Identity Guardian directly from the device lock screen. This applies only to shared devices.
Secure Self Enrollment enableEnrollUser bool true
false (default)
Enable this option to allow users to self-enroll in Identity Guardian directly from the device lock screen.
User Verification enrollUserAuthType choice SSO Select the authentication method used to validate a user. Currently, only SSO is available.
Enable Admin Bypass Passcode on Lock screen enableAdminByPassPassCode bool true
false (default)
Choose to enable the admin bypass passcode option on the lock screen.
Customize Alternative Login Button alternateLoginBtnText [string] Alternative Login (default) Enter a custom title to replace the default title for the alternate login button on the lock screen. The title must be between 4 and 20 characters in length. If less than 4 characters are entered, the default title "Alternative Login" is used. If more than 20 characters are entered, any characters beyond the 20-character limit will be truncated.
Auto Unlock autoUnlockConfigurations bundle bundle Enable this option to allow users to automatically initiate face, passcode, or SSO authentication when unlocking the device, eliminating the need to tap the sign-in button.
On Unlock enableAutoUnlockOnDeviceUnlock bool true
false (default)
Select whether to automatically initiate face/passcode/sso detection and unlock the device if the signed-in user presses the power button.

Guardian Safe Configuration

Configure Guardian Safe for storing user application credentials.

Configuration Name Key Value(s) Display Name Description
Guardian Safe enableGuardianSafe ENABLE
DISABLE (default)
ENABLE
DISABLE (default)
Select whether users can store app credentials in Guardian Safe.
Automatically Grant Accessibility Permission autoEnableAccessibilityPermission ENABLE
DISABLE (default)
ENABLE
DISABLE (default)
Select whether to automatically grant the Accessibility Service permissions required by Guardian Safe. If enabled, the admin accepts the permissions on behalf of the user, thereby eliminating the need for the user to manually accept the permissions. If disabled, users need to manually grant the permissions when prompted.
Auto Fill for SSO autoFillSSO ENABLE
DISABLE (default)
ENABLE
DISABLE (default)
Select whether to automatically fill in the password for SSO logins after it is saved from the initial login attempt when SSO is set as the secondary authentication method.

See Also