Overview
Managed configurations are part of a specification developed by Google and the Android community. They allow for remote configuration of installed applications and devices via any Enterprise Mobility Management (EMM) system, like Zebra DNA Cloud, that supports this specification.
Identity Guardian offers multiple setting categories, each associated with a specific bundle. Specific parameters for each configuration are outlined in the tables within this guide. These settings include the device usage method (either shared or personally assigned), device enrollment, and user authentication. User authentication specifies both the comparison source (like barcode for shared devices, or device storage for personal devices) and authentication methods (such as SSO,facial biometrics or passcode).
Use with Enterprise Home Screen:
Identity Guardian can be used in conjunction with Zebra's Enterprise Home Screen (EHS). If EHS is in use, ensure that the roles defined are consistent with those specified for Identity Guardian.
EMM
The features of a given app that are manageable using Managed Configurations are defined in its schema. The Identity Guardian schema becomes accessible once the APK is uploaaded to the EMM, either as an Enterprise app or to its app store. The schema defines the features available for consumption by the EMM, and provides the information necessary to present the app's management UI within the EMM console. This data-driven UI method allows delivery of new features and their corresponding UI attributes as soon as they become available, and without the need to download a new .EXE. The Identity Guardian management UI varies slightly depending on the EMM system in use.
For procedures on implementing configuration policies through EMM and video demonstrations, refer to the EMM Setup guide.
ZDNA Cloud
For procedures on implementing configuration policies through Zebra DNA Cloud, refer to the ZDNA Cloud setup guide. For additionl information on use of ZDNA Cloud, refer to the ZDNA Cloud documentation.
Usage Mode
Choose the operation mode for Identity Guardian and, if desired, select the logging level.
For shared devices, separate profiles for Enrollment and Authentication are required, as specified in the "Application Mode".
For personally assigned devices, the "PERSONALLY_ASSIGNED" option in "Application Mode" combines both Enrollment and Authentication configurations into a single profile.
The subsequent sections of this guide provide options for Enrollment Configuration and Authentication Configuration respectively.
| Name | Key | Value(s) | Display Name | Description |
|---|---|---|---|---|
| Application Mode | APPLICATION_MODE | ENROLLMENT (default) AUTHENTICATION PERSONALLY_ASSIGNED |
ENROLLMENT (default) AUTHENTICATION PERSONALLY ASSIGNED |
Enrollment - Defines enrollment settings for shared devices; see Enrollment Configuration. After user enrollment, a unique personalized barcode is created. Authentication - Defines authentication settings for shared devices; see Authentication Configuration Personally Assigned - Defines both Enrollment and Authentication settings for a user on personally assigned devices |
| Log Level | logLevel | 0 1 (default) 2 |
0 1 (default) 2 |
Specify the level of information to log: • 0 - Debug; logs minimal information for basic troubleshooting • 1 - Informational; logs general system and operational information • 2 -Verbose; logs detailed information, including biometric data which is stored on the device at /data/tmp/public/IdentityGuardian
|
Enrollment Configuration
Configure Identity Guardian for user enrollment.
Note: Colored rows indicate a parent option.
| Name | Key | Value(s) | Display Name | Description |
|---|---|---|---|---|
| Number of facial images to be enrolled | FACE_VECTOR_COUNT | 0 1 2 3 |
None One Face (default) Two Faces Three Faces |
Choose the number of facial images to be provided by the user during enrollment (up to 3) |
| Get Role Data? | enableRoleDataUI | 1 0 |
true (default) false |
Choose whether to prompt the user to select a "Role" during enrollment |
| Allow facial opt-out? | userFaceBiometricOptOut | 1 0 |
true false (default) |
Choose whether to allow the user to skip facial enrollment; other methods remain enforced |
| Set Expiration Date? | enableExpiryDateUI | 1 0 |
true (default) false |
Choose whether to prompt the user for an enrollment expiration date |
| List Roles | listOfRoles | [string] | Manager, Associate | Enter a list of roles for selection by enrollee, each role separated by a comma NOTE:If Enterpise Home Screen is in use, ensure that its roles defined are consistent with those specified here. |
| Enable/Disable Corporate PIN | enableDisablePin | 1 0 |
true (default) false |
Select whether to require the user to enter a corporate PIN for access |
| Corporate PIN | adminCorporatePin | [string] | [enter PIN] | Enter a six-digit numeric PIN for enrollment |
| Enrollment Key | enrollmentKey | [string] | [enter enrollment key] | Enter the encrypted public key for enrollment. Use Data Encryption Tool to encrypt this key, which is used for encrypting biometric data and is only applicable for shared devices. |
| Passcode Rules | passcodeConfiguration | Specify Rules for Passcode | ||
| Minimum Length | passCodeRuleMinLength | [integer] | 6 (default) | Enter the minimum number of characters to accept for the pass code |
| Minimum Uppercase Letters | passCodeRuleMinUppercase | 0 1 |
0 (default) 1 |
Select the minimum number of uppercase letters to accept for the passcode |
| Minimum Lower Letters | passCodeRuleMinLowercase | 0 1 |
0 (default) 1 |
Select the minimum number of lowercase letters to accept for the passcode |
| Minimum Numbers | passCodeRuleMinNumbers | 0 1 |
0 (default) 1 |
Select the minimum amount of numbers to accept for the passcode |
| Minimum Symbols | passCodeRuleMinSymbols | 0 1 |
0 (default) 1 |
Select the minimum number symbols or special characters to accept for the passcode. Acceptable symbols are: !,@,#,$,%,^,&,,-,_,?, |
| Custom T&C Configuration | customTCConfiguration | Configure Custom T&C for application | ||
| Display Custom T&C | showCustomTC | 1 0 |
true false (default) |
Select whether to display a custom Terms & Conditions tab |
| T&C Tab Title | customTCTitle | [string] | [enter T&C title] | Enter a title for the Terms & Conditions tab |
| Custom T&C Content | customTCContent | [string] | [enter T&C content] | Enter content to be displayed on the custom Terms & Conditions tab |
| Custom T&C URL | customTCUrl | [string] | [enter T&C url] | Enter a URL that contains custom and/or additional Terms & Conditions information |
Authentication Configuration
Configure Identity Guardian for user verification and authentication. Create up to four unique authentication schemes, and define the specific options for each one. Then, for any given event option, choose the appropriate authentication scheme to apply. Each authentication scheme includes the following:
- Primary Authentication Factor - The first method used to verify a user's identity.
- If primary authentication fails and secondary authentication is not activated, the fallback authentication method is triggered.
- If secondary authentication is enabled and activated, then it is triggered.
- Secondary Authentication Factor - This is an optional, but mandatory when activated, second method of verification, thereby establishing a two-factor authentication process.
- If secondary authentication fails, then fallback authentication is activated.
- Fallback Authentication Method - This is an alternate method used for verification when the primary or secondary authentication methods fail.
Note: Colored rows indicate a parent option.
| Name | Option Name | Key | Value(s) | Display Name | Description |
|---|---|---|---|---|---|
| User Verification Methods | authenticationSchemes | Select the user verification setup method | |||
| Verification Setup1 | authenticationScheme1 | Verification Setup1 | |||
| Comparison Source | authenticationScheme1ComparisonSource | NONE BARCODE DEVICE STORAGE |
NONE BARCODE (default) DEVICE STORAGE |
For shared devices, select BARCODE. Users are then prompted to scan their unique barcode before proceeding with the primary authentication method. However, if shared devices are using SSO as the primary authentication method without a barcode, select NONE. For personal devices, select DEVICE STORAGE. The user is prompted to proceed with the primary authentication method. |
|
| Primary Authentication Method | authenticationScheme1PrimaryAuthMethod | Select the user authentication method | |||
| Primary Authentication Factor | authenticationScheme1PrimaryAuthMethodFactor1 | FACE PASSCODE SSO NO_COMPARISON |
FACE (default) PASSCODE SSO NO_COMPARISON |
Set the primary method for user authentication | |
| Secondary Authentication Factor | authenticationScheme1PrimaryAuthMethodFactor2 | FACE PASSCODE SSO NONE |
FACE PASSCODE (default) SSO NONE |
Set the secondary method for user authentication | |
| Fallback Authentication Method | authenticationScheme1FallbackAuthMethod | NONE PASSCODE FACE SSO ADMIN BYPASS PASSCODE |
NONE PASSCODE (default) FACE SSO ADMIN_BYPASS_PASSCODE |
Choose a backup authentication method if the primary one fails: • None - No further authentication • Passcode - User enters a passcode • Face - User provides facial biometrics • SSO - User inputs SSO login • Admin Bypass Passcode - User enters an admin-set bypass code; applicable if Passcode is the primary or secondary authentication |
|
| Primary Authentication Timeout | authenticationScheme1PrimaryAuthTimeout | [Integer] | Integer (default=20000) | Set the timeout (in milliseconds) for primary authentication Zebra recommends a longer timeout period, such as 300000 (5 minutes), for sufficient user login time. |
|
| Fallback Authentication Timeout | authenticationScheme1FallbackAuthTimeout | [Integer] | Integer (default=20000) | Set the timeout (in milliseconds) for fallback authentication | |
| Verification Setup2 | authenticationScheme2 | Verification Setup2 | |||
| Comparison Source | authenticationScheme2ComparisonSource | NONE BARCODE DEVICE STORAGE |
NONE BARCODE (default) DEVICE STORAGE |
For shared devices, select BARCODE. Users are then prompted to scan their unique barcode before proceeding with the primary authentication method. However, if shared devices are using SSO as the primary authentication method without a barcode, select NONE. For personal devices, select DEVICE STORAGE. The user is prompted to proceed with the primary authentication method. |
|
| Primary Authentication Method | authenticationScheme2PrimaryAuthMethod | Select the user authentication method | |||
| Primary Authentication Factor | authenticationScheme2PrimaryAuthMethodFactor1 | FACE PASSCODE SSO NO_COMPARISON |
FACE (default) PASSCODE SSO NO_COMPARISON |
Set the primary method for user authentication | |
| Secondary Authentication Factor | authenticationScheme2PrimaryAuthMethodFactor2 | FACE PASSCODE SSO NONE |
FACE PASSCODE (default) SSO NONE |
Set the secondary method for user authentication | |
| Fallback Authentication Method | authenticationScheme2FallbackAuthMethod | NONE PASSCODE FACE SSO ADMIN BYPASS PASSCODE |
NONE PASSCODE (default) FACE SSO ADMIN_BYPASS_PASSCODE |
Choose a backup authentication method if the primary one fails: • None - No further authentication • Passcode - User enters a passcode • Face - User provides facial biometrics • SSO - User inputs SSO login • Admin Bypass Passcode - User enters an admin-set bypass code; applicable if Passcode is the primary or secondary authentication |
|
| Primary Authentication Timeout | authenticationScheme2PrimaryAuthTimeout | [Integer] | Integer (default=20000) | Set the timeout (in milliseconds) for primary authentication Zebra recommends a longer timeout period, such as 300000 (5 minutes), for sufficient user login time. |
|
| Fallback Authentication Timeout | authenticationScheme2FallbackAuthTimeout | [Integer] | Integer (default=20000) | Set the timeout (in milliseconds) for fallback authentication | |
| Verification Setup3 | authenticationScheme3 | Verification Setup3 | |||
| Comparison Source | authenticationScheme3ComparisonSource | NONE BARCODE DEVICE STORAGE |
NONE BARCODE (default) DEVICE STORAGE |
For shared devices, select BARCODE. Users are then prompted to scan their unique barcode before proceeding with the primary authentication method. However, if shared devices are using SSO as the primary authentication method without a barcode, select NONE. For personal devices, select DEVICE STORAGE. The user is prompted to proceed with the primary authentication method. |
|
| Primary Authentication Method | authenticationScheme3PrimaryAuthMethod | Select the user authentication method | |||
| Primary Authentication Factor | authenticationScheme3PrimaryAuthMethodFactor1 | FACE PASSCODE SSO NO_COMPARISON |
FACE (default) PASSCODE SSO NO_COMPARISON |
Set the primary method for user authentication | |
| Secondary Authentication Factor | authenticationScheme3PrimaryAuthMethodFactor2 | FACE PASSCODE SSO NONE |
FACE PASSCODE (default) SSO NONE |
Set the secondary method for user authentication | |
| Fallback Authentication Method | authenticationScheme3FallbackAuthMethod | NONE PASSCODE FACE SSO ADMIN BYPASS PASSCODE |
NONE PASSCODE (default) FACE SSO ADMIN_BYPASS_PASSCODE |
Choose a backup authentication method if the primary one fails: • None - No further authentication • Passcode - User enters a passcode • Face - User provides facial biometrics • SSO - User inputs SSO login • Admin Bypass Passcode - User enters an admin-set bypass code; applicable if Passcode is the primary or secondary authentication |
|
| Primary Authentication Timeout | authenticationScheme3PrimaryAuthTimeout | [Integer] | Integer (default=20000) | Set the timeout (in milliseconds) for primary authentication Zebra recommends a longer timeout period, such as 300000 (5 minutes), for sufficient user login time. |
|
| Fallback Authentication Timeout | authenticationScheme3FallbackAuthTimeout | [Integer] | Integer (default=20000) | Set the timeout (in milliseconds) for fallback authentication | |
| Verification Setup4 | authenticationScheme4 | Verification Setup4 | |||
| Comparison Source | authenticationScheme4ComparisonSource | NONE BARCODE DEVICE STORAGE |
NONE BARCODE (default) DEVICE STORAGE |
For shared devices, select BARCODE. Users are then prompted to scan their unique barcode before proceeding with the primary authentication method. However, if shared devices are using SSO as the primary authentication method without a barcode, select NONE. For personal devices, select DEVICE STORAGE. The user is prompted to proceed with the primary authentication method. |
|
| Primary Authentication Method | authenticationScheme4PrimaryAuthMethod | Select the user authentication method | |||
| Primary Authentication Factor | authenticationScheme4PrimaryAuthMethodFactor1 | FACE PASSCODE SSO NO_COMPARISON |
FACE (default) PASSCODE SSO NO_COMPARISON |
Set the primary method for user authentication | |
| Secondary Authentication Factor | authenticationScheme4PrimaryAuthMethodFactor2 | FACE PASSCODE SSO NONE |
FACE PASSCODE (default) SSO NONE |
Set the secondary method for user authentication | |
| Fallback Authentication Method | authenticationScheme4FallbackAuthMethod | NONE PASSCODE FACE SSO ADMIN BYPASS PASSCODE |
NONE PASSCODE (default) FACE SSO ADMIN_BYPASS_PASSCODE |
Choose a backup authentication method if the primary one fails: • None - No further authentication • Passcode - User enters a passcode • Face - User provides facial biometrics • SSO - User inputs SSO login • Admin Bypass Passcode - User enters an admin-set bypass code; applicable if Passcode is the primary or secondary authentication |
|
| Primary Authentication Timeout | authenticationScheme4PrimaryAuthTimeout | [Integer] | Integer (default=20000) | Set the timeout (in milliseconds) for primary authentication Zebra recommends a longer timeout period, such as 300000 (5 minutes), for sufficient user login time. |
|
| Fallback Authentication Timeout | authenticationScheme4FallbackAuthTimeout | [Integer] | Integer (default=20000) | Set the timeout (in milliseconds) for fallback authentication | |
| Authentication Data Storage | temporaryDataConfiguration | Configure settings to allow temporary storage of user authentication data on the device, facilitating a one-time barcode scan for initial use on shared devices. This eliminates the need for repeated barcode scans during events such as device unlocking, rebooting, and connecting or disconnecting from power. If configured, subsequent device access will prompt for primary/secondary authentication. Barcode scans remain manadtory whenever a user manually logs out from Identity Guardian, or a new user signs in following the previous user's sign out. NOTE: If Force Logout is enabled, a barcode scan is prompted for every triggered event. | |||
| Store Authentication Data | enableTempStorageTimeout | 1 0 |
true false (default) |
Choose whether to enable temporary storge of user authentication data on the device for the specified Storage Period. This eliminates the need for rescanning a barcode after the initiaal one-time scan on shared devices. | |
| Storage Period | tempStorageTimeout | Integer 1 to 12 | Integer 1 to 12 (default) | Select the length of time (in hours) to temporarily store user authentication data on the device to facilitate a one-time barcode scan for initial use on shared devices. After the time elapses, the lock screen appears on the device and authentication data is deleted upon expiration. | |
| Lock-screen Event Options | LockScreenShowOption | Choose the verification method that is triggered by the event that causes the device screen to lock | |||
| On Unlock | Bundle_LockScreenShowOptionUnlock | Select the option(s) required following a device event that unlocks the screen | |||
| Verification Setup | on_unlock | authenticationScheme1 authenticationScheme2 authenticationScheme3 authenticationScheme4 NONE |
Verification Setup1 (default) Verification Setup2 Verification Setup3 Verification Setup4 None |
Select the verification required following a device event that unlocks the screen | |
| On Reboot | Bundle_LockScreenShowOptionReboot | Select the option(s) required after a device reboot | |||
| Verification Setup | on_reboot | authenticationScheme1 authenticationScheme2 authenticationScheme3 authenticationScheme4 NONE |
Verification Setup1 Verification Setup2 (default) Verification Setup3 Verification Setup4 None |
Select the verification required after a device reboot | |
| On AC power connected | Bundle_LockScreenShowOptionACPowerCon | Select the option(s) required upon connection to AC power | |||
| Verification Setup | on_ac_power_connected | authenticationScheme1 authenticationScheme2 authenticationScheme3 authenticationScheme4 NONE |
Verification Setup1 Verification Setup2 Verification Setup3 (default) Verification Setup4 None |
Select the verification required upon connection to AC power | |
| On AC Power Disconnection | Bundle_LockScreenShowOptionACPowerDisCon | Select the option(s) required upon disconnection from AC power | |||
| Verification Setup | on_ac_power_disconnected | authenticationScheme1 authenticationScheme2 authenticationScheme3 authenticationScheme4 NONE |
Verification Setup1 Verification Setup2 Verification Setup3 (default) Verification Setup4 None |
Select the verification required upon disconnection from AC power | |
| On device manual checkin | Bundle_LockScreenShowOptionManualCheckin | Select the option(s) required when the user manually signs in to the device | |||
| Verification Setup | on_device_manual_checkin | authenticationScheme1 authenticationScheme2 authenticationScheme3 authenticationScheme4 NONE |
Verification Setup1 Verification Setup2 Verification Setup3 (default) Verification Setup4 None (default) |
Select the verification required when a user manually signs in to the device | |
| On user change | Bundle_LockScreenShowOptionUserChange | Select the necessary option(s) when a new user signs in to the device after the previous user has been automatically signed out, such as due to a Force Logout action or when the device goes idle. | |||
| Verification Setup | on_device_manual_checkin | authenticationScheme1 authenticationScheme2 authenticationScheme3 authenticationScheme4 NONE |
Verification Setup1 Verification Setup2 Verification Setup3 (default) Verification Setup4 None |
Select the verification required when a new user signs in to the device | |
| Force Logout Options | ForceLogoutShowOption | Choose whether to automatically logout the user based on certain device events. | |||
| On Lock | forceLogout_on_lock | 1 0 |
true false (default) |
Choose whether to automatically logout the user when the device screen locks. | |
| On Reboot | forceLogout_on_reboot | 1 0 |
true false (default) |
Choose whether to automatically logout the user when the device reboots | |
| On AC power connected | forceLogout_on_ac_power_connected | 1 0 |
true false (default) |
Choose whether to automatically logout the user when the device is connected to AC power | |
| On AC power disconnected | forceLogout_on_ac_power_disconnected | 1 0 |
true false (default) |
Choose whether to automatically logout the user when the device is disconnected from AC power | |
| Expire Barcodes | expireBarcodes | Choose whether to set an expiration date for the barcode | |||
| Automatic Barcode Expiration | expireBasedOnExpiryDate | 1 0 |
true false (default) |
The barcode is valid up to the expiration date. After it expires, the barcode cannot be scanned. | |
| Authentication Key | authenticationKey | Enter the encrypted private key for decryption. Use Data Encryption Tool to encrypt your public key. This is used to decrypt the biometric data and only applies to shared devices. | |||
| Enable ForceLock After Timeout | enableForceLockAfterTimeout | 1 0 |
true false (default) |
Choose whether the device should automatically lock after the timeout period | |
| Force Lock Timeout | forceLockTimeout | [integer] | 240 (default) | Enter the time (in minutes) for the warning notification to appear before the device locks | |
| Snooze Time | snoozeTimeout | [integer] | 120 (default) | Enter the delay time (in seconds) after which the device will lock once the warning notification appaers | |
| Snooze Title | snoozeTitle | [string] | You will be locked out soon (default) | Enter the title for the device lock warning notification. | |
| Snooze Desc | snoozeDescription | [string] | [enter text] | Enter the message for the device lock warning notification | |
| Admin Bypass Passcode | adminSpecifiedPIN | Choose whether to allow an admin specified passcode to be used to bypass the user-specified passcode. When in use, user accountability is not enforced. | |||
| passcodes | pins | Choose whether to permit the use of this passcode. Multiple passcodes can be added, each toggled on/off individually. | |||
| Group Name | key | [string] | [enter string] | Enter the group name to help identify the user's group affiliation when they enter the passcode | |
| PIN/Passcode | value | [string] | [enter string] | Enter the alternate PIN/passcode for users of this group to use instead of the original one |
Facial Authentication Configuration
Configure Identity Guardian for Facial Authentication
| Configuration Name | Key | Value(s) | Display Name | Description |
|---|---|---|---|---|
| Liveness Threshold | livenessThreshold | 96 94 91 88 86 Custom |
High Medium/High (default) Medium Medium/Low Low Custom |
Higher values offer greater security; lower values provide faster authentication. • High - Facial algorithm is most strict, ensures liveness and other thresholds are met before granting access. May result in some false positives. • Medium/High (default) - Moderately strict • Medium - Middle ground in strictness • Medium/Low - Slightly strict • Low - Least strict; best for environments with poor lighting and difficulty identifying users. Best used for low risk environments (e.g. warehouse) since this may result in some spoofing. |
| Face Liveness Threshold | faceLivenessThreshold | [integer value] | [enter integer between 80 and 100] | Enter a custom Liveness Threshold (from 80 to 100) for facial authentication. NOTE: Only use this under the guidance of a Zebra technician. |
SSO Authentication Configuration
Configure Identity Guardian for single sign-on (SSO) authentication.
| Configuration Name | Key | Value(s) | Display Name | Description |
|---|---|---|---|---|
| Single Sign On Provider | ssoProvider | Microsoft PingId |
Microsoft (default) PingId |
Select the SSO provider in use |
| Authentication Protocol | ssoProtocol | OAuth2.0 | OAuth2.0 | Select the authentication protocol to use for communication with your SSO server |
| Scope | ssoScope | [string] | [enter string] | Enter the SSO scope, which defines limits on the quantity and type of data granted to an access token |
| Configuration Settings | ssoConfigSettings | [string] | [enter string] | Enter the JSON-formatted configuration for SSO settings needed to communicate securely with the SSO server. This is taken from the Android app configuration from your SSO provider. Click here to download sample content. |
| Userid identifier | ssoUseridIdentifier | [string] | [enter string] | Specify the user key for identifying the signed-in user, which is displayed in the zDNA Cloud and retrievable from the API. The user key, which could be a username, preferred username, or employee ID, can be found in the ID token or user information from the SSO response. |
SSO Mapping
Enable mapping of Identity Guardian user roles based on responses from single sign-on (SSO) service during employee login.
Note: Colored rows indicate a parent option.
| Configuration Name | Key | Value(s) | Display Name | Description |
|---|---|---|---|---|
| SSO Mapping | roleSettings | 1 0 |
true false |
Enables the recognition and mapping of the Single Sign-On (SSO) response to application-specific roles. It provides the necessary settings to align SSO data with corresponding roles within the application, facilitating seamless integration and effective role-based access control. Add one or more Role Identifiers. |
| Role Identifier | roleNames | 1 0 |
true false |
Establishes links between roles in SSO responses and their corresponding roles within the Identity Guardian app. Multiple Role Identifiers can be added, each toggled on/off individually |
| Identity Guardian Role Name | roleName | [string] | [enter string] | Enter the Identity Guardian user role to be assigned based on SSO response during user sign-in (e.g. administrator, manager, user). |
| Key-value pair for role assignment | ssoResponseKeys | [string] | [enter values and toggle on/off] | Add one or more SSO key-value pairs to identify and map users to a predefined Identity Guardian user role. |
| SSO Key-Value Pair | ssoResponseKey | 1 0 |
true false |
Choose whether the SSO response, which contains the user key and values, should be mapped to a corresponding user role in Identity Guardian |
| SSO key | roleKey | [string] | [enter string] | Enter the SSO key to map it to an Identity Guardian role. |
| SSO value | roleValue | [string] | [enter string] | Enter the SSO value(s) to map to the Identity Guardian role. Use commas to separate multiple entries. |