Overview
To install and configure Identity Guardian, use Zebra DNA Cloud (navigate to My Apps > Zebra Collection) or an Enterprise Mobility Management (EMM) system. Administrators establish usage policies and controls for Identity Guardian through Managed Configurations, enabling personalization of device restrictions and access.
There are 2 modes of user device access:
- Shared Device - A device designated for use by multiple individuals. User data is securely encrypted and stored within a personalized barcode, which is generated through facial recognition or a user-defined passcode. This barcode can be easily discarded to erase personal data.
- Personally Assigned Device - A device allocated specifically to an individual for their dedicated use. User data is securely integrated within the Android framework, rendering it inaccessible even to the organization.
Application authentication is simplified through integration with your organization's identity provider (IdP), enabling single sign-on (SSO). Users log in only once, and the system handles subsequent application log-ins, streamlining the process.
Zebra DNA Cloud's dashboard provides administrators with insights into user activities, such as sign-in/sign-out events and usage durations, thereby promoting user accountability.
Notes:
- Identity Guardian must be sideloaded and is non-operational in safe mode. Zebra advises against starting devices in safe mode. To disable safe mode, apply the corresponding XML through your EMM or scan the relevant barcode using the StageNow client on the device. The XML and StageNow barcode are available depending on your Android version:
- When using the 42Gears EMM system, apps installed via Zebra DNA Cloud in app update mode must be set as high priority.
Requirements
Identity Guardian Requirements:
- Zebra devices running Android 11 or higher are supported. See Zebra Support Portal for the supported devices.
- For biometric authentication, a front-facing camera is required on the device.
- Licenses:
- An Identity Guardian license is required for advanced features including facial biometric authentication, Single Sign-On (SSO) support and device API support. See Licensing.
- Zebra Professional-series devices require a Mobility DNA Enterprise license for basic functionality.
- An Enterprise Mobility Management (EMM) system, such as Zebra DNA Cloud or a third party system, that supports Managed Configurations (also known as Managed App Configurations) is required to configure Identity Guardian on the device.
- After installation on the device, Identity Guardian must be launched for the configurations to be applied.
- Single sign-on (SSO) support: Compatibility with Microsoft Entra ID (formerly Azure Active Directory), PingID and OKTA platforms using OAUTH and OAUTH+OIDC authentication protocols.
Download
Download and install Identity Guardian from the following sources:
- Google Play - By default, Google Play apps, including Identity Guardian, are set to update automatically. To manage updates:
- Disable Automatic Updates - Submit the Disable_AutoUpgrade_IG.xml through your EMM platform.
- Enable Automatic Updates - Submit the Enable_AutoUpgrade_IG.xml through your EMM platform.
- Zebra support portal
Device Access
There are 2 types of user device access:
- Shared Device
- Personally Assigned Device
For both types, users must first enroll in Identity Guardian before signing in to authenticate to the device.
Shared Device
In environments where a single device is used by multiple users, Identity Guardian provides secure and personalized access tailored to each user's organizational role. Users must perform a one-time enrollment with Identity Guardian before they can authenticate on a shared device. These devices can support an unlimited number of registered users.
There are 2 methods for enrolling users on shared devices:
- Standard Enrollment - Users enroll on a dedicated device using the Enrollment profile set up by their administrator. Once enrolled, they can authenticate on their shared device, which has the Authentication profile deployed by the administrator.
- Self-Enrollment - Both enrollment and authentication are conducted directly on the shared device through a unified Authentication profile that incorporates enrollment configurations set up by the administrator. SSO is used for user authentication.
User data is encrypted and stored within a unique, encrypted barcode in the /enterprise/usr/Profiles
folder. This barcode must be printed or shared within 24 hours before it is automatically deleted, ensuring that personal information is not retained on the device or in the cloud. Facial biometrics can optionally be used to enhance security. For temporary user profiles, barcodes can be set to expire automatically at a predetermined date and time. Alternatively, SSO can serve as the primary authentication method instead of issuing individual barcodes.
During enrollment, the user’s personal information, such as biometric facial image capture and passcode, is encrypted with an enrollment key. This key is an encrypted public key derived from the organization’s certificate and configured via Identity Guardian Managed Configuration. For details on generating an enrollment key, see Enrollment Configuration. Ensure the device used for enrollment is provisioned with the Enrollment configuration.
To authenticate users on a device, administrators must supply the authentication key, an encrypted private key derived from the organization’s certificate and configured through Identity Guardian Managed Configuration. For details on generating the authentication key, see Authentication Configuration. Ensure the device is provisioned with the Authentication configuration.
When the enrollment barcode is scanned, its data is decrypted using the authentication key and used for further authentication checks. This barcode cannot be decrypted or reverse-engineered on any device without the authentication key. Organizations must maintain the security and confidentiality of their authentication key.
IMPORTANT:
Administrators MUST provision their own enrollment key on devices designated for user enrollment and MUST provision their authentication key on devices designated for user authentication. Failure to do so results in Identity Guardian using default keys, allowing any device with those keys to decrypt the barcode.
Standard Enrollment
For shared devices using standard enrollment, users initially enroll on a designated device. After which they can authenticate on their shared device.
Administrators must:
- Create individual Enrollment and Authentication profiles to enable user enrollment and authentication.
- If barcode printing or sharing is required, install and configure the Identity Guardian QR Print app.
- Deploy both Enrollment and Authentication profiles.
- Enroll users.
To accomplish this, follow these steps (see EMM Setup):
- If barcode printing or sharing is required, install and configure IGQRPrint following the instructions.
- Create an Enrollment profile:
- Set up Enrollment Configurations within Managed Configurations according to your enrollment requirements.
- Enter the Enrollment Key to encrypt the user's personal information.
- If barcode printing or sharing is required, enable the option Allow opening barcode while enrollment.
- Under Usage Mode, set Application Mode = ENROLLMENT.
- Deploy the Enrollment profile and launch Identity Guardian on the device designated for enrolling users.
- Users would follow the prompts in Identity Guardian to complete the enrollment process. The available options depend on the profile settings configured by the administrator.
- Set up Enrollment Configurations within Managed Configurations according to your enrollment requirements.
- Create an Authentication profile:
- Set up Authentication Configuration according to your requirements to enable user authentication and sign-in after enrollment is complete.
- Under Usage Mode, set Application Mode = AUTHENTICATION.
- If barcode printing or sharing is required, in Lock Screen Configuration, add the package and activity names for the necessary Apps Allowed On Lock Screen.
- Configure other Managed Configuration settings as needed, such as Facial Authentication and SSO Authentication.
- Deploy the Authentication profile and launch Identity Guardian.
- Authenticate the user. After users have enrolled, they can now authenticate and sign in to the device.
Self-Enrollment
For shared devices using self-enrollment, user enrollment and authentication take place directly on the shared device, facilitated by a unified Authentication profile (which includes enrollment configurations) deployed by the administrator, utilizing SSO for user authentication.
Administrators must:
- Create and deploy an Authentication profile to the devices, to enable user enrollment and authentication.
- Install and configure the Identity Guardian QR Print app to allow barcode printing or sharing after enrollment.
- Enroll users.
To accomplish this, follow these steps (see EMM Setup):
- Create an Authentication profile using Managed Configurations:
- In Usage Mode, set:
- Application Mode: AUTHENTICATION
- Configure the desired settings in Authentication Configuration from Managed Configurations. It is required to configure SSO as one of the verification methods.
- Enter the Authentication Key to decrypt the user's personal information.
- In Lock Screen Configuration: Expand Lock Screen Menu > Allow Self Enrollment and set the following options:
- Secure Self Enrollment: true
- User Verification: SSO
- In Lock Screen Configuration, add the package and activity names for the necessary Apps Allowed On Lock Screen.
- Configure other Managed Configuration settings as needed, such as Facial Authentication and SSO Authentication.
- In Usage Mode, set:
- Install and configure IGQRPrint following the instructions.
- Deploy the Authentication profile. Launch Identity Guardian as part of the deployment.
- Guide users through enrollment. After launching Identity Guardian, users follow prompts to complete enrollment. Available options depend on the Authentication profile settings configured by the administrator.
After enrollment is complete, users can authenticate and sign in to the device.
Print & Share Barcode
Early Access Preview: Identity Guardian QR Print (IGQRPrint) app is available as an Early Access Preview, meaning this feature is subject to change in future releases.
The Identity Guardian QR Print (IGQRPrint) app is a companion to Identity Guardian that streamlines the printing and sharing of user barcodes generated during enrollment, either standard or self-enrollment for shared devices. It enables barcode preview, resizing, and direct printing from the device to either a Zebra or non-Zebra printer. This allows barcodes to be quickly printed in a readable format for authentication and device user management. Barcodes can also be shared via Gmail, Google Drive, Bluetooth and other methods.
Setup Procedure:
Install IGQRPrint app.
Connect the printer to the device (for WiFi printers, ensure both the printer and device are on the same network):
- Zebra Card Printers - No additional steps needed.
- Other Zebra Printers - Install Zebra Print from Google Play and connect.
- Non-Zebra Printers - Install the third-party printer service and connect.
Configure IGQRPrint app if the preview is not suitable for printing or sharing. This is performed on each device. Select Settings from the top right menu. Adjust the settings and preview the barcode until satisfactory (retain default values unless instructed otherwise):
Cards Printing: For Zebra card printers only.- Allow Card Printing - Toggle to enable card printing.
- PrinterIP - Enter the IP address of the Zebra card printer.
- Printer Port - Specify if not using the default.
Share To Parameters: Adjust barcode size for printing and sharing.
- Allow ShareTo - Toggle to enable non-card printing or sharing.
- Margin (Mils) - Adjust the margins if the barcode is too large or close to the edges. The default is 10. Increasing this value decreases the barcode size.
- Orientation - Choose Portrait or Landscape.
Configure Apps Allowed On Lock Screen from Managed Configuration settings and deploy this to the devices.
Apps Allowed On Lock Screen:
For added security, application package names for the print applications must be specified in Lock Screen Configuration from Managed Configurations in order to allow the barcode to be printed or shared. Open Apps Allowed On Lock Screen and add the following Application Details as needed:
Purpose | Package Name | Activity Name |
---|---|---|
Display the barcode print preview | com.zebra.igqrprint | com.zebra.igqrprint.PreviewActivity |
com.zebra.igqrprint | com.zebra.igqrprint.SettingsActivity | |
android | com.android.internal.app.ChooserActivity | |
Print the barcode | com.android.bips | ImagePrintActivity |
com.android.printspooler | com.android.printspooler.ui.PrintActivity |
To share barcodes through apps, add the respective third-party package name and activity names.
Configure IGQRPrint app:
If the barcode displayed in the preview screen
Open IGQRPrint app.
From the top right menu, select Settings.
Configure settings (keep default values unless specified):
Cards Printing: For Zebra card printers.- Allow Card Printing - Toggle to enable card printing.
- PrinterIP - Enter the IP address of the Zebra card printer.
- Printer Port - Specify if not using the default.
Share To Parameters: Adjust barcode size for card and paper printing.
- Allow ShareTo - Toggle to enable non-card printing or sharing.
- Margin (Mils) - Adjust margins if the barcode is too large or near the edges. The default is 10. Increasing this value decreases the barcode size.
- Orientation - Choose Portrait or Landscape.
Tap Save Settings at the bottom of the screen.
Personally Assigned Device
In environments where devices are assigned to specific users, these individuals retain control over their encrypted personal data and can delete it as needed. User data is safeguarded within the Android framework, stored in Identity Guardian's isolated storage, which is part of Android's access-controlled application platform. This ensures that even the organization itself cannot access the data.
Identity Guardian integrates with identity providers (IdPs) to streamline the authentication process. It uses a single sign-on (SSO) system, requiring users to authenticate only once. This system manages security and simplifies access, allowing users to log into multiple applications in a single session. For enhanced security, administrators can customize multifactor authentication settings, including a passcode, facial biometrics, and/or SSO. Unlike shared devices, personally assigned devices do not utilize barcodes.
Profile Setup
For personally assigned devices, administrators should create a profile which encompasses both enrollment and authentication configurations by following these steps (see EMM Setup):
- Create a profile:
- Use Managed Configurations to configure a profile.
- Under Usage Mode, set Application Mode = PERSONALLY ASSIGNED.
- Configure all necessary Managed Configuration settings, such as Enrollment, Authentication, and SSO Authentication.
- Deploy the profile. Launch Identity Guardian as part of the deployment.
- Guide users through enrollment. Users would follow the prompts in Identity Guardian to complete the enrollment process. The available options depend on the profile settings configured by the administrator.
- Authenticate the user. After enrollment is complete, users can authenticate and sign in to the device.
SSO
Identity Guardian integrates with identity providers (IdPs) simplifying authentication by only requiring users to log in once, and then leveraging single sign-on (SSO) to streamline the process. This single login grants users to gain access to multiple applications, eliminating the need to keep track of multiple logins for each app.
Supported identity providers:
For authenticating users with SSO, the Microsoft Authenticator and Custom Chrome Tabs are supported to communicate with SSO as the broker.
See SSO Requirements.
Microsoft Entra ID
This section provides guidance to integrate Identity Guardian with Microsoft Entra ID (formerly Azure Active Directory):
I. Register & Configure Identity Guardian
II. Add a 3rd-party Device Compliance Partner
III. Configure Microsoft Authenticator App
IV. Configure Zebra Identity Guardian App
I. Register & Configure Identity Guardian
To establish a trust relationship between Identity Guardian and the Microsoft identity platform, register Zebra Identity Guardian as an Android application in Microsoft Entra ID (IdP). For more information, refer to Microsoft's documentation for guidance on registering an application with the Microsoft identity platform.
Follow these steps:
- In the Microsoft Entra admin center, navigate to Applications > App registrations. In the Register an application screen, enter/select the following:
- Name: [Enter a name, e.g., Zebra Identity Guardian]
- Supported account type: Accounts in this organizational directory only (Single tenant)
- Redirect URI: Public client/native (mobile & desktop) msauth://com.zebra.mdna.els/
- Click Register.
- Navigate to Applications > App registrations > Authentication. Click Add a platform then click Android.
- Enter the following, then click Configure.
- Package name: com.zebra.mdna.els
- Signature hash: KqmK9tYXpw+eW2lke7US3iG9EAQ=
- The Android configuration screen displays. Copy and save the MSAL Configuration and authority_url; they will be needed in a later step. Click Done.
II. Add a 3rd-party Device Compliance Partner
When using Microsoft Authenticator for single sign-on (SSO) in shared device mode, a third-party device compliance partner solution can be integrated with Microsoft Intune. This allows for the collection of device compliance data alongside Intune's own compliance results. The combined data can then be used to develop access policies, offering enhanced protection for the organization and its data. Examples of third-party device compliance partners include solutions such as SOTI MobiControl, VMware Workspace ONE UEM (formerly AirWatch). For guidance on adding a third-party device compliance partner in Intune, consult your EMM or Microsoft's documentation .
III. Configure Microsoft Authenticator App
For optimal use of shared device mode with SSO through Microsoft Authenticator, ensure the Microsoft Authenticator app is installed on the devices. This facilitates automatic SSO single sign-in and single sign-out across apps on the device.
To install and configure Microsoft Authenticator app:
Download and install the Microsoft Authenticator app from Google Play via an EMM, such as SOTI MobiControl or VMware Workspace ONE UEM.
In the EMM, enable Shared Device Mode. Enter the Shared Device Mode Tenant Identifier, retrieved from the Microsoft Entra ID admin center. Navigate to Applications > App registrations > Overview. Retrieve the tenant ID Sample of EMM Managed App Config
Click Save.
IV. Configure Zebra Identity Guardian App
To enable user access to the device through SSO, install and set up Identity Guardian on the devices:
Deploy and install the Zebra Identity Guardian app on the devices.
Launch the app using an EMM. This step must be performed at least once.
Enter the Managed Configuration settings for the app via your EMM:
Select Application Mode: Authentication zDNA Cloud Managed Config
Configure the Verification Setup to validate the user access:
- Primary Authentication Factor: SSO
- Secondary Authentication Factor: [Select FACE, PASSCODE, SSO or NONE]
- Fallback Authentication Factor: [Select FACE, PASSCODE, NONE, SSO or ADMIN BYPASS PASSCODE]
- Primary Authentication Timeout: [Enter value in ms, e.g. "300000"]
- Fallback Authentication Timeout: [Enter value in ms, e.g. "300000"] zDNA Cloud Managed Config
Configure the Lock-screen Event options:
- On Unlock:
- Verification Setup: [Enter the desired authentication scheme, e.g. "Verification Setup1"]
- On Reboot:
- Verification Setup: [Enter the desired authentication scheme, e.g. "Verification Setup1"]
- On AC power connected:
- Verification Setup: [Enter the desired authentication scheme, e.g. "Verification Setup1"]
- On AC power disconnected:
- Verification Setup: [Enter the desired authentication scheme, e.g. "Verification Setup1"]
- On device manual check in:
- Verification Setup: [Enter the desired authentication scheme, e.g. "Verification Setup1"]
- On user change:
- Verification Setup: [Enter the desired authentication scheme, e.g. "Verification Setup1"] zDNA Cloud Managed Config
Configuration Settings: [Copy the MSAL Configuration from step I.5 and insert it into this field. Then:
• Add the key-value pairs forbroker_redirect_uri_registered
andshared_device_mode_supported
as shown in the sample below. This enables the Microsoft Authenticator app to register the device in shared device mode.
• Remove theaudience
element along with all its child elements and their values.
• Enter theauthority_url
retrieved from Applications > App registrations > Overview. Click on Endpoints to view it.] Retrieveauthority_url
endpoint
{ "client_id" : "[Your client ID populated]", "authorization_user_agent" : "DEFAULT", "redirect_uri" : "msauth://com.zebra.mdna.els/ AbcB123Xab%c123a3xyz123ABCXYZ%12", "account_mode" : "SINGLE", "broker_redirect_uri_registered": true, "shared_device_mode_supported": true, "authorities" : [ { "type": "AAD", "authority_url": "[ENTER YOUR AUTHORITY URL]" } ] }
- Userid identifier: [Enter the claim specifying the value to be displayed as the user name in Identity Guardian, e.g. preferred_username. Retrieve this from the Microsoft Entra ID admin center by navigating to Applications > App Registrations > Token configuration. Click Add optional claim and select ID for the token type.] Claim used to display the user name zDNA Cloud Managed Config
If mapping the SSO response to application-specific roles, enter the following (see Managed Configurations for more information):
- Configuration Role Identification - Enables the recognition and mapping of the Single Sign-On (SSO) response to application-specific roles. Click Add Role Identifier as needed.
- Role Identifier - Establishes links between roles in SSO responses and their corresponding roles within the Identity Guardian app.
- Identity Guardian Role Name - Enter the Identity Guardian user role to be assigned based on SSO response during user sign-in
- Key-value Pair for Role Assignment - Add one or more SSO key-value pairs to identify and map users to a predefined Identity Guardian user role. Click Add SSO Key-Value Pair as needed.
- SSO Key-Value Pair - Choose whether the SSO response, which contains the user key and values, should be mapped to a corresponding user role in Identity Guardian
- SSO Key - Enter the SSO key to map it to an Identity Guardian role.
- SSO Value - Enter the SSO value(s) to map to the Identity Guardian role. Use commas to separate multiple entries. zDNA Cloud Managed Config
- Configuration Role Identification - Enables the recognition and mapping of the Single Sign-On (SSO) response to application-specific roles. Click Add Role Identifier as needed.
See Managed Configurations to configure any other non-SSO settings.
Deploy the Managed Configurations to the devices through your EMM.
When a device receives the new configurations, Zebra Identity Guardian activates the lock screen. The user must then authenticate via Single Sign-On (SSO) to access the device. For more details, see User Guide.
PingID
This section provides guidance to integrate Identity Guardian with PingID.
To enable user access to the device through SSO, install and set up Identity Guardian on the devices:
- Deploy and install Zebra Identity Guardian app on the devices.
- Launch the app using an EMM. This step must be performed at least once.
- Enter the Managed Configuration settings for the app via your EMM:
- Select the application mode:
- Application Mode: Authentication zDNA Cloud Managed App Config
- Configure the Verification Setup to validate the user access:
- Primary Authentication Factor: SSO
- Secondary Authentication Factor: [Select FACE, PASSCODE, or NO_COMPARISON]
- Fallback Authentication Factor: [Select FACE, PASSCODE, NONE, SSO or ADMIN BYPASS PASSCODE]
- Primary Authentication Timeout: [Enter value in ms, e.g. "300000"]
- Fallback Authentication Timeout: [Enter value in ms, e.g. "300000"] zDNA Cloud Managed Config
- Configure the Lock-screen Event options:
- On Unlock:
- Verification Setup: [Enter the desired authentication scheme, e.g. "Verification Setup1"]
- On Reboot:
- Verification Setup: [Enter the desired authentication scheme, e.g. "Verification Setup1"]
- On AC power connected:
- Verification Setup: [Enter the desired authentication scheme, e.g. "Verification Setup1"]
- On AC power disconnected:
- Verification Setup: [Enter the desired authentication scheme, e.g. "Verification Setup1"]
- On device manual check in:
- Verification Setup: [Enter the desired authentication scheme, e.g. "Verification Setup1"]
- On user change:
- Verification Setup: [Enter the desired authentication scheme, e.g. "Verification Setup1"] zDNA Cloud Managed Config
- On Unlock:
- Configure the SSO Authentication Configuration:
- Single Sign On Provider: PingId
- Authentication Protocol: OAuth 2.0 (OIDC)
- Scope: openid email profile
- Userid Identifier: [Specify the user key for identifying the signed-in user]
- Configuration Settings: [Enter the specified string, but replace the following values with those from your own SSO response: logoutURL, revokeURL, tokenURL, authorizationURL, clientId, userInfoUrl]
zDNA Cloud Managed App Config{ "redirectURI" : "com.zebra.mdna.els:/loginComplete", "logoutURL" : "[enter your logout URL]", "revokeURL" : "[enter your revoke URL]", "tokenURL" : "[enter your token URL]", "authorizationURL" : "[enter your authorization URL]", "clientAuthType" : 0, "clientId" : "[enter your clientID]", "certificatePhrase" : "", "userInfoUrl" : "[enter your userInfo URL]", "certificate" : "" }
- Select the application mode:
- If mapping the SSO response to application-specific roles, enter the following (see Managed Configurations for more information):
- Configuration Role Identification - Enables the recognition and mapping of the Single Sign-On (SSO) response to application-specific roles. Click Add Role Identifier as needed.
- Role Identifier - Establishes links between roles in SSO responses and their corresponding roles within the Identity Guardian app.
- Identity Guardian Role Name - Enter the Identity Guardian user role to be assigned based on SSO response during user sign-in
- Key-value Pair for Role Assignment - Add one or more SSO key-value pairs to identify and map users to a predefined Identity Guardian user role. Click Add SSO Key-Value Pair as needed.
- SSO Key-Value Pair - Choose whether the SSO response, which contains the user key and values, should be mapped to a corresponding user role in Identity Guardian
- SSO Key - Enter the SSO key to map it to an Identity Guardian role.
- SSO Value - Enter the SSO value(s) to map to the Identity Guardian role. Use commas to separate multiple entries. zDNA Cloud Managed Config
- Configuration Role Identification - Enables the recognition and mapping of the Single Sign-On (SSO) response to application-specific roles. Click Add Role Identifier as needed.
- See Managed Configurations to configure any other non-SSO settings.
- Deploy the Managed Configurations to the devices through your EMM.
When a device gets updated with the new configurations, Zebra Identity Guardian activates the lock screen. The user is then required to authenticate themselves using Single Sign-On (SSO) to gain access to the device. See User Guide for more information.
Okta
This section provides guidance to integrate Identity Guardian with Okta using OAuth 2.0 (OIDC) protocol.
I. Register Zebra Identity Guardian
II. Configure Zebra Identity Guardian App
I. Register Zebra Identity Guardian
- In the Okta web portal, create a new application. From the left menu, select Applications > Applications. Click on Create App Integration.
- Select OIDC, then select Native Application. Click Next.
- Perform the following:
- Enter the App integration name.
- Select Authorization Code as the Grant type.
- If needed, select Refresh Token. This option renews the access token every hour. Without it, the access token expires after an hour, resulting in a forced logout.
- For Sign-in redirect URIs and Sign-out redirect URIs, enter the following:
com.zebra.mdna.els:/loginComplete
- Perform the following:
- For Controlled access, select Allow everyone in your organization to access. Then select Enable immediate access with Federation Broker Mode.
- Click Save.
- If needed, add an authorization server from Security > API.
- If needed, add scopes in the authorization server.
- Add claims to the authorization server.
- In the Settings tab of the authorization server, click to open the Metadata URI.
- Metadata is displayed, similar to the following:
- Record the following values needed in the next section:
_ authorizationScope
_ end_session_endpoint (logoutURL)
_ token_endpoint (tokenURL)
_ authorization_endpoint (authorizationURL)
_ userInfoUrl
_ revokeURL (revocation_endpoint)
II. Configure Zebra Identity Guardian App
To enable user access to the device through SSO, install and set up Identity Guardian on the devices:
- Deploy and install Zebra Identity Guardian app on the devices.
- Launch the app using an EMM. This step must be performed at least once.
- Enter the Managed Configuration settings for the app via your EMM:
- Select the application mode:
- Application Mode: Authentication zDNA Cloud Managed Config
- Configure the Verification Setup to validate the user access:
- Primary Authentication Factor: SSO
- Secondary Authentication Factor: [Select FACE, PASSCODE, SSO or NONE]
- Fallback Authentication Factor: [Select FACE, PASSCODE, NONE, SSO or ADMIN BYPASS PASSCODE]
- Primary Authentication Timeout: [Enter value in ms, e.g. "300000"]
- Fallback Authentication Timeout: [Enter value in ms, e.g. "300000"] zDNA Cloud Managed Config
- Configure the Lock-screen Event options:
- On Unlock:
- Verification Setup: [Enter the desired authentication scheme, e.g. "Verification Setup1"]
- On Reboot:
- Verification Setup: [Enter the desired authentication scheme, e.g. "Verification Setup1"]
- On AC power connected:
- Verification Setup: [Enter the desired authentication scheme, e.g. "Verification Setup1"]
- On AC power disconnected:
- Verification Setup: [Enter the desired authentication scheme, e.g. "Verification Setup1"]
- On device manual check in:
- Verification Setup: [Enter the desired authentication scheme, e.g. "Verification Setup1"]
- On user change:
- Verification Setup: [Enter the desired authentication scheme, e.g. "Verification Setup1"] zDNA Cloud Managed Config
- On Unlock:
- Configure the SSO Authentication Configuration for the app to communicate with Microsoft SSO to authenticate the user:
- Single Sign On Provider: Okta
- Authentication Protocol: OAuth 2.0 (OIDC)
- Scope: [Enter the string based on the SSO server settings, e.g. "openid email profile offline_access"]
- Configuration Settings: [Enter the following string, but replace "authorizationScope", "logoutURL", "tokenURL", "client_id", "authorizationURL", "userInfoUrl", and "revokeURL" with your values seen from Metadata URI from step I.]
zDNA Cloud Managed Config{ "authorizationScope": "[enter the string based on the SSO server settings, e.g. "openid email profile offline_access"]", "redirectURI" : "com.zebra.mdna.els:/loginComplete", "logoutURL" : "[enter your logout URL]", "tokenURL" : "[enter your token URL]", "authorizationURL" : "[enter your authorization URL]", "clientAuthType" : 0, "clientId" : "[enter your client ID]", "certificatePhrase" : "", "userInfoUrl" : "[enter your userInfo URL]", "revokeURL" : "[enter your revoke URL]", "certificate" : "", "clientSecret":"", "enablePKCE": true }
- Select the application mode:
- If mapping the SSO response to application-specific roles, enter the following (see Managed Configurations for more information):
- Configuration Role Identification - Enables the recognition and mapping of the Single Sign-On (SSO) response to application-specific roles. Click Add Role Identifier as needed.
- Role Identifier - Establishes links between roles in SSO responses and their corresponding roles within the Identity Guardian app.
- Identity Guardian Role Name - Enter the Identity Guardian user role to be assigned based on SSO response during user sign-in
- Key-value Pair for Role Assignment - Add one or more SSO key-value pairs to identify and map users to a predefined Identity Guardian user role. Click Add SSO Key-Value Pair as needed.
- SSO Key-Value Pair - Choose whether the SSO response, which contains the user key and values, should be mapped to a corresponding user role in Identity Guardian
- SSO Key - Enter the SSO key to map it to an Identity Guardian role.
- SSO Value - Enter the SSO value(s) to map to the Identity Guardian role. Use commas to separate multiple entries. zDNA Cloud Managed Config
- Configuration Role Identification - Enables the recognition and mapping of the Single Sign-On (SSO) response to application-specific roles. Click Add Role Identifier as needed.
- See Managed Configurations to configure any other non-SSO settings.
- Deploy the Managed Configurations to the devices through your EMM.
When a device gets updated with the new configurations, Zebra Identity Guardian activates the lock screen. The user is then required to authenticate themselves using Single Sign-On (SSO) to gain access to the device. See User Guide for more information.
Secure Setup for Faster Logins
Identity Guardian can simplify Single Sign-On (SSO) logins by prompting users for SSO authentication only once, post device enrollment. For frequent situations like device lock, it offers efficient options like biometric or pin-based access, eliminating the need for repeated SSO logins. It maintains the original SSO session's integrity, ensuring exclusive user access and simultaneous logout from all apps, creating a secure and streamlined login process.
To implement this authentication strategy, follow the procedure below based on whether the device model is shared or personally assigned.
Shared Devices
Administrator setup - refer to Managed Configurations:
- Set SSO authentication in the following managed configurations:
- Usage Mode
- Application Mode: Authentication
- Authentication Configuration
- User Verification Methods
- Verification Setup1: [Select or enter all desired options and include SSO as one of the authentication factors.]
- Lock-screen Event Options
- On user change: [Select the verification that includes SSO authentication, e.g. Verification Setup1]
- Usage Mode
- For the rest of the following Lock-screen Event Options, select the verification that does not include SSO authentication, e.g. Verification Setup2 (includes face or passcode):
- On Unlock
- On Reboot
- On AC Power Connected
- On AC Power Disconnection
- In Authentication Configuration, set the following to false under Force Logout Options:
- On Lock
- On Reboot
- On AC Power Connected
- On AC Power Disconnected
End user authentication:
- Enroll the user. Make sure to enter the SSO user ID in the Employee ID field.
- Once the enrollment process is complete, the user is required to authenticate themselves on the device by scanning their user barcode once.
- If the scanned barcode matches with the enrolled user, the SSO session remains active. For subsequent logins, the user is prompted to authenticate via facial biometrics or user passcode, depending on the setup by the administrator.
- If the scanned barcode does not match with the enrolled user, it prompts for SSO credentials since an “On user change” event occurred. These SSO credentials remain active on the device.
- After the user authenticates, the user is no longer required to re-enter their SSO credentials unless one of the following occurs:
- The user logs out manually from the device
- The user is automatically logged out of the device if any of the Force Logout Options are met from Authentication Configuration in the managed configurations.
- The SSO session times out.
Personally Assigned Devices
Administrator setup - refer to Managed Configurations:
- Set SSO authentication in the following managed configurations:
- Usage Mode
- Application Mode: Personally Assigned
- Authentication Configuration
- User Verification Methods
- Verification Setup1: [Select or enter all desired options and include SSO as one of the authentication factors.]
- Lock-screen Event Options
- On user change: [Select the verification that includes SSO authentication, e.g. Verification Setup1]
- Usage Mode
- For the rest of the following Lock-screen Event Options, select the verification that does not include SSO authentication, e.g. Verification Setup2 (includes face or passcode):
- On Unlock
- On Reboot
- On AC Power Connected
- On AC Power Disconnection
- In Authentication Configuration, set the following to false under Force Logout Options:
- On Lock
- On Reboot
- On AC Power Connected
- On AC Power Disconnected
End user authentication:
- Enroll the user. Make sure to enter the SSO user ID in the Employee ID field.
- Once the enrollment process is complete, the user is required to authenticate themselves on the device by facial biometrics or passcode entry once. If successful, the SSO session remains active.
- After the user authenticates, the user is no longer required to re-enter their SSO credentials unless one of the following occurs:
- The user logs out manually from the device
- The user is automatically logged out of the device if any of the Force Logout Options are met from Authentication Configuration in the managed configurations.
- The SSO session times out.
EMM
Deploy and configure Identity Guardian on devices using an Enterprise Mobility Management (EMM) system, such as Zebra DNA Cloud or a third party system, which supports Managed Configurations.
After installation, Identity Guardian must be launched for the configurations to take effect.
The EMM system may offer the option to auto-launch the app. If this option is not available, the following commands may be used to launch Identity Guardian:
For Android, such as from another app, use this command:
adb shell am start -n com.zebra.mdna.els/com.zebra.mdna.els.userEnrollment.activity.EnrollmentActivity
For an EMM, such as VMware Workspace ONE UEM (AirWatch), use this command to launch via intent:
mode=explicit,broadcast=false,action=android.intent.action.MAIN,package=com.zebra.mdna.els,class=com.zebra.mdna.els.userEnrollment.activity.EnrollmentActivity
Generic Procedure to setup Identity Guardian using an EMM:
- Enroll the devices to the EMM.
- Upload the Identity Guardian APK to the EMM, for example via Android Enterprise or the EMM's App Store. Ensure the app is set to auto-launch after installation.
- Create a new application policy using Managed Configurations to configure the appropriate Identity Guardian settings. Consider the following:
- For shared devices:
- Enrollment Profile - Generates unique user barcodes for authentication and is required when implementing facial biometrics. Navigate to Usage Mode > Application Mode and select Enrollment.
- Authentication Profile - Configures the authentication methods for users to sign into the device. Navigate to Usage Mode > Application Mode and select Authentication.
- For personally assigned devices: A single profile encompasses both enrollment and authentication configurations. Navigate to Usage Mode > Application Mode and select Personally Assigned.
- For shared devices:
- Assign and apply the application policy to the devices - For shared devices, apply the Enrollment profile first.
- User Enrollment - Users proceed through the enrollment process on the device by following the displayed instructions. These steps are based on the Enrollment Configuration settings from step 3.
- For shared devices, refer to shared device user enrollment.
- For personally assigned devices, refer to personl device user enrollment.
- Create and apply the Authentication policy (for shared devices). For personally assigned devices, skip to step 7.
- User authentication - After user enrollment, the Identity Guardian authentication screen is displayed. The user can sign into the device based on the Authentication Configuration settings from step 3. Refer to Device Sign In.
The following subsections provide video demonstrations tailored for specific EMMs. Within the videos, profiles are created based on user access:
- Shared devices - Create two separate profiles based on the Application Mode selected under the Usage Mode section:
- Enrollment - This creates unique user barcodes for authentication and is required when implementing facial biometrics.
- Authentication - This configures the authentication methods employed for users to sign into the device.
- Personally assigned devices - Create a profile by selecting Personally Assigned from Application Mode under the Usage Mode section. This creates a profile encompassing both enrollment and authentication configurations for personally assigned devices.
Zebra DNA Cloud
This section provides video demonstrations to guide through the process of setting up Identity Guardian using the Zebra DNA Console.
Create and Deploy Enrollment Profile
This first video guides through the process of creating and deploying an enrollment profile, specifically for a shared device. Learn how to define configurations for a user's first-time enrollment, including registering facial features, obtaining user role data, setting up a pin code, and more.
Note: For personally assigned devices, select Personally Assigned from Application Mode under the Usage Mode section. This creates a profile encompassing both enrollment and authentication configurations.
Create and Deploy Authentication Profile
This second video walks through the process of creating and deploying an authentication profile, specifically for a shared device. It guides through the process of establishing configurations for user authentication each time a user signs into the device. These configurations include scanning a barcode, setting up SSO, defining the passcode, among others. The enrollment profile, created from the previous video, can be used as a template to modify and create this authentication profile.
User Authentication
This video demonstrates various scenarios of user device authentication. In this example, one group of authentication settings is applied to a shared device with the following configurations:
- Comparison source: Barcode
- Primary authentication: SSO
- Secondary authentication: Passcode
- Fallback authentication: Admin bypass passcode
SOTI MobiControl
This video provides step-by-step instructions for setting up Identity Guardian on shared devices using SOTI MobiControl. It covers:
- Deploying the Identity Guardian APK file
- Automatically launching the app
- Creating and applying an enrollment profile
- Creating and applying an authentication profile
Note: For personally assigned devices, select Personally Assigned from Application Mode under the Usage Mode section. This creates a profile that includes both enrollment and authentication configurations.
VMware Workspace ONE UEM
This video provides step-by-step instructions for setting up Identity Guardian on shared devices using VMware Workspace One UEM. This guide covers the following:
- Deploying the Identity Guardian APK file
- Creating and applying an enrollment profile
- Automatically launching Identity Guardian
After applying an enrollment profile, this next video continues with:
- Creating and applying an authentication profile
- Automatically launching Identity Guardian to implement the changes
Note: For personally assigned devices, select Personally Assigned from Application Mode under the Usage Mode section. This creates a profile that includes both enrollment and authentication configurations.
Microsoft Intune
This video provides step-by-step instructions for installing and setting up Identity Guardian with Microsoft Intune, demonstrating the following:
- Deploying the Identity Guardian APK file
- Creating and applying an enrollment profile
- For the app configuration policy, first modify the sample Microsoft Intune JSON file according to your desired settings. Refer to Managed Configurations to update the "value" field in the JSON file for each configuration option based on its key. For example, for the key
APPLICATION_MODE
, enter the valueENROLLMENT
to enroll shared devices. Then, copy and paste the entire JSON content into the designated field as instructed in the video.- For SSO Authentication Configuration, in addition to replacing the appropriate value for the key
ssoProvider
, enter the appropriate values for the following keys:ssoScope
,client_id
,redirect_uri
,authority_url
, andssoUseridIdentifier
.
- For SSO Authentication Configuration, in addition to replacing the appropriate value for the key
- For the app configuration policy, first modify the sample Microsoft Intune JSON file according to your desired settings. Refer to Managed Configurations to update the "value" field in the JSON file for each configuration option based on its key. For example, for the key
- Launching Identity Guardian - Copy the XML content to launch Identity Guardian via OEMConfig
Although this applies to shared devices, similar instructions can be followed personally assigned devices by setting Personally Assigned for Application Mode under the Usage Mode section. This creates a profile that includes both enrollment and authentication configurations.
After applying an enrollment profile, this next video continues with:
- Creating and applying an authentication profile for shared devices
- For the app configuration policy, first modify the sample Microsoft Intune JSON file according to your desired settings. Refer to Managed Configurations to update the "value" field in the JSON file for each configuration option based on its key. For example, for the key
APPLICATION_MODE
, enter the valueAUTHENTICATION
to authenticate shared devices. Then, copy and paste the entire JSON content into the designated field as instructed in the video.- For SSO Authentication Configuration, in addition to replacing the appropriate value for the key
ssoProvider
, enter the appropriate values for the following keys:ssoScope
,client_id
,redirect_uri
,authority_url
, andssoUseridIdentifier
.
- For SSO Authentication Configuration, in addition to replacing the appropriate value for the key
- For the app configuration policy, first modify the sample Microsoft Intune JSON file according to your desired settings. Refer to Managed Configurations to update the "value" field in the JSON file for each configuration option based on its key. For example, for the key
- Launching Identity Guardian to implement the changes - Copy the XML content for launching Identity Guardian via OEMConfig
42Gears SureMDM
This videos walks through the process of setting up Identity Guardian using SureMDM by 42Gears, specifically for personally assigned devices. It covers:
- Deploying the Identity Guardian APK file
- Automatically launching the app
- Creating a policy to configure the desired settings for enrollment and authentication
Note: For shared devices, create two separate configuration profiles according to the selected Application Mode under the Usage Mode section:
- Enrollment - Creates unique user barcodes for authentication and is required when implementing facial biometrics.
- Authentication - This configures the authentication methods employed for users to sign into the device.