Idenprotect Android

From idenprotect Knowledge Base


idenprotect for BlackBerry Android

This article explains how to download, configure and use idenprotect for BlackBerry on your Android device (mobile/tablet).

This article is aimed at Helpdesk/Admin users, so it covers both the settings required on the server and the enrollment user experience.

Requirements

  • idenprotect Core Platform 3.7 or higher
  • idenprotect User Portal 1.05

The idenprotect Core Platform and idenprotect User Portal must be reachable from the Android device.

Enrollment Policies

For the enrollment policies, see User Enrollment Policies configuration on the idenprotect Core Platform.

If you are using email-based enrollment, please configure the Email Content Configuration on the idenprotect Core Platform.

For BlackBerry UEM policies, see UEM Configuration on the idenprotect Core Platform.

Installation

The idenprotect for BlackBerry application is available from the Google Play Store.

Getting Started

When you first open idenprotect for BlackBerry you will be taken to a "Permissions" screen which explains why the Location and Camera permissions are needed.

Push notifications are used to open the application when the user is required to authenticate. This is not an essential requirement but it does improve the user experience and is automatically set to enabled on Android devices.

Location is used to inform the server of the user's current country. This may be used to support conditional access, e.g. access only from certain countries. If this permission is not granted, the user may not be able to access applications that have this form of conditional access.

The camera is required to allow for the scanning of QR Codes. Click enable permissions and then grant the on-screen permissions like below:

Grant permissions to use the app.

After granting the permissions you will be taken to the "idenprotect QR" screen which will give you more details on how to enroll your device.

Scan QR Activity

Enrolling idenprotect Device

Before you can use idenprotect for BlackBerry you need to go through the enrollment process. Please remember that you can only enroll once with the same QR Code.

There are three ways that idenprotect for BlackBerry can enroll:

  • BlackBerry enrollment with Access Key being manually entered by the user
  • BlackBerry enrollment with Access Key with programmatic authentication
  • Non-BlackBerry SAML enrollment

All three of these journeys are configured via policies; see User Enrollment Policies configuration on the idenprotect Core Platform.

If you click on the Scan QR Code button, the camera will be launched and you can scan a QR code provided via email or the onboarding page. After scanning a QR code you will be asked to provide your fingerprint to begin the enrollment process. If your fingerprint fails more than 5 times, you will need to enter the device security password/PIN/pattern to continue.

Enter fingerprint to continue with enrollment.

idenprotect Both (BlackBerry and SAML) Enrollment

After granting the permissions, if the idenprotect Core Platform is set up to use an Access Key entered by the user, you will be taken to the BlackBerry Authentication screen, where you have to enter your BlackBerry access key, which will have been provided to you by e-mail (the email field will be prefilled for you). After entering the BlackBerry Access Key you will proceed to the BlackBerry enrollment. If the idenprotect Core Platform is set up to use programmatic BlackBerry authentication, you will be taken to this screen straight away without entering the access key manually.

When BlackBerry enrollment is finished, you will be presented with the idenprotect enrollment screen, which tells you which stages of enrollment are complete.

Enrollment Screen

When idenprotect enrollment is complete you will be presented with the idenprotect SAML page, which contains a "hamburger" menu and the Scan QR Code button. In the centre, you will see "idenprotect Unlocked", which means that you have securely authenticated to BlackBerry. Towards the bottom of the screen, you will see the device serial number (app-specific), version information and the BlackBerry logo. This screen is also presented when you close the idenprotect for BlackBerry application and re-open it. After you click the "Click to Authenticate" button, idenprotect will generate a new certificate in the background if the current one has expired or if Flight Mode is activated. After authenticating with a Fingerprint you will be redirected back to the idenprotect Unlocked screen with a new Ephemeral certificate.


Main activity after enrollment.

idenprotect BlackBerry enrollment

The enrollment process for BlackBerry only (without SAML capabilities) is identical except for the final completion screen. Here, the Scan QR Code button towards the top of the screen will not be visible.

Using idenprotect

Using idenprotect for BlackBerry

The idenprotect client is an Authentication Delegate for BlackBerry. This means that when you wish to access BlackBerry on your device you will be asked to authenticate to the idenprotect client. You will see the idenprotect client come to the foreground with a "Click to Authenticate" button.

Press this button and you can then authenticate via Fingerprint or PIN, depending on your device's configuration.

Once authenticated you will be able to access BlackBerry applications. In addition, the idenprotect client injects a personalized signing key pair into the BlackBerry runtime that can be used for Certificate-Based Authentication (Mutual TLS) access to websites and services. This key pair is known as the Ephemeral Key Pair (Certificate) as it generally has a short validity period. idenprotect for Android requires a PKI connector, so please ensure this is set to true on the idenprotect Core Platform. Currently, Android does not support the non-PKI method.

Flight Mode

Timer showing remaining Ephemeral certificate validity.

On this screen, you will be able to see a timer (in this case 23.59.40) in Hours, Minutes and Seconds format (23 hours, 59 minutes and 40 seconds). This is also referred to as Flight Mode. The timer indicates how long the Ephemeral certificate remains valid. If the certificate has expired, the timer changes to 0.00 and the progress bar turns red. This means that some services might not be available; for example, BlackBerry Access/BlackBerry Work may need this certificate to authenticate you to your email or to internal corporate websites.

If you know that you will be offline (without an internet connection), for example on a plane, and you have to use your device offline, make sure that your certificate will not expire while you are using the device offline. To renew it in advance, press the padlock and you will be presented with a popup message.
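As an added illustration (not code from the idenprotect app or its documentation), the following Python models the Flight Mode countdown and renewal decision described above: remaining validity of the Ephemeral certificate rendered as H.MM.SS, 0.00 with a red bar once expired, and a check of whether the certificate outlives a planned offline period. Function names and the sample 24-hour validity window are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample validity window (assumption): a 24-hour Ephemeral certificate
# issued at 14:00 UTC, observed 20 seconds after issue, matching the page's 23.59.40 example.
SAMPLE_NOT_BEFORE = datetime(2019, 5, 21, 14, 0, 0, tzinfo=timezone.utc)
SAMPLE_NOT_AFTER = SAMPLE_NOT_BEFORE + timedelta(hours=24)
SAMPLE_NOW = SAMPLE_NOT_BEFORE + timedelta(seconds=20)


def remaining_validity(not_before, not_after, now):
    """Whole seconds of validity left, clamped to 0 when the certificate has
    expired or is not yet valid (now before not_before)."""
    if now < not_before or now >= not_after:
        return 0
    return int((not_after - now).total_seconds())


def format_timer(seconds):
    """Render the countdown as the Flight Mode screen does: H.MM.SS while valid,
    0.00 once expired."""
    if seconds <= 0:
        return "0.00"
    hours, rest = divmod(seconds, 3600)
    minutes, secs = divmod(rest, 60)
    return f"{hours}.{minutes:02d}.{secs:02d}"


def progress_bar_state(not_before, not_after, now):
    """Fraction of the validity window still left and the bar colour
    (red once the certificate has expired, green otherwise)."""
    total = (not_after - not_before).total_seconds()
    left = remaining_validity(not_before, not_after, now)
    fraction = left / total if total > 0 else 0.0
    return fraction, ("red" if left == 0 else "green")


def safe_to_go_offline(not_after, now, offline_seconds):
    """True when the certificate outlives the planned offline period, i.e. no
    renewal via the padlock is needed before going offline."""
    return now + timedelta(seconds=offline_seconds) < not_after


def flight_mode_summary(not_before, not_after, now):
    """Everything the Flight Mode screen shows for one certificate."""
    left = remaining_validity(not_before, not_after, now)
    fraction, colour = progress_bar_state(not_before, not_after, now)
    return {"timer": format_timer(left), "fraction": fraction, "bar": colour}


if __name__ == "__main__":
    print(flight_mode_summary(SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER, SAMPLE_NOW))
    print(flight_mode_summary(SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER, SAMPLE_NOT_AFTER))
```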

Renewal Pop Up Message

Once you click Yes, a progress spinner will show; if the renewal succeeds, a toast message will show like below:

Success toast message

Using idenprotect To Authenticate (SSO)

On the main page, you have an option to open a "hamburger" menu or an option to scan a QR code. If you click on "Scan a QR code" you will be presented with your device's camera. With the camera, you can scan a QR code to authenticate to an idenprotect authentication portal, which will allow you to access cloud/web services integrated with the idenprotect Core Platform.

After scanning a QR code you will be asked to provide a Fingerprint/PIN which will then authenticate you to the service provider, with a success message at the end.

Authentication Success

Push Notifications

To authenticate with a Service Provider / idenprotect Authentication Portal you can also use Push Notifications. When you navigate to your company's Service Provider or idenprotect Authentication Portal and enter your e-mail address, a Push Notification is sent to you automatically (if the idenprotect Core Platform is set up to send push notifications automatically) or when you press the "Push Notification" button.

Push Notification

If the application is open on your device, you will receive a popup asking whether you would like to proceed with authentication to the service provider, in this instance "IDP".

Pop up asking if you wish to proceed.

After clicking the OK button you will be asked to provide a Fingerprint, and a success popup will notify you that authentication succeeded.

If the idenprotect for BlackBerry application was closed or in the background, you will receive a Push Notification like any other standard notification in your notification tray. Tap the notification and it will take you to the application to proceed with authentication.

Side Menu

In the top left corner of the screen, you will see a "hamburger" menu button. You can click on this button to view the menu. Alternatively, you can swipe from left to right to open the menu. To close the menu you can click the "hamburger" menu button again, swipe, or click anywhere on the right side of the screen. There are a few things that you can do from the side menu. One of them is the "View Devices" button, which lets you view and manage all of the devices that belong to the user. If you click on the "View Devices" button you will be presented with the Devices table, which shows all of the devices belonging to this user.

Side Menu

You can view all devices enrolled under your user on the server. You can tap on a device in the list to reveal extra information about the device.

In the Information popup you will see details in the order below (with example values):

  • Device Name (iPhone-iPhone10,6-11)
  • Device Serial Number (AMP002-CkG766Am-241036)
  • Device State (Enrolled)
  • Device Creation Time (2019-05-21 13:55:59)
  • idenprotect for BlackBerry version (BlackBerry 3.7.3)

List of Devices

If you would like to remove a device from the idenprotect Core Platform, select the device you would like to remove and click Delete. A delete popup window will open like below:

Delete pop up window.

The popup will ask you whether you would like to remove the device (showing the device name). If you click "OK" you will be asked to provide a Fingerprint/PIN to proceed. After successful deletion, you will be returned to the current devices table with the removed device taken out. The device is also removed from the idenprotect Core Platform, which means that it can be re-enrolled.

The device management screen also allows you to unenroll your own device. Select your device from the list (it will be highlighted in blue) and press Delete; this will remove your device from the idenprotect Core Platform. After deleting your device you will be redirected to the "Error" screen, which will let you know that you have to reinstall the idenprotect for BlackBerry application and enroll again.

Debug mode

On the idenprotect Core Platform, you can turn on the debugMode policy. This policy allows the user to view extra information on the mobile client for debugging purposes, such as certificates and policies.

Certificates

After you have authenticated to the idenprotect for BlackBerry application you can view the certificates that belong to the device the user is using. On the idenprotect Unlocked screen, reveal the side menu (by swiping or by clicking on the hamburger icon) and you will see a "View Certificates" button. Click on it and you will be asked to provide Fingerprint biometrics. This retrieves the data from the secure storage on your device (secure enclave). You will then be shown a "Certificates" table which includes all of the user's certificates/signatures on the device.

Certificates Screen

Every row has a title such as Ephemeral Certificate, Signature, Secure Enclave Certificate, etc. If you scroll down you will be able to see more data, with a Policies button at the bottom. Clicking on the certificate text will show enhanced details about the certificate.

On this screen you will be able to see:

  • DN - which shows the full domain name
  • Start Date - start date for a certificate
  • Expiry Date - the expiry date of a certificate
  • Public algorithm - public key algorithm
  • Sign algorithm - signing algorithm

Clicking on the Policies button will show the policies currently active on the device; more explanation can be found under the idenprotect Core Platform user enrollment properties. This lets the user know which policies are currently active. These policies are updated and refreshed every time the user authenticates with idenprotect for BlackBerry.

Policies Screen

PIN Policy

The PIN policy is set in the idenprotect Core Platform user enrollment configuration. If this policy is set to true, then in addition to Fingerprint authentication the user will also have to provide a PIN that they create at the enrollment stage. When a user enrolls their device with the PIN policy, the last step of enrollment is to create a PIN.

Create PIN for additional security.

The user will be asked to create a new idenprotect PIN like on the screenshot above. The user has to enter a 4-digit PIN and click the "Continue" button, which will then ask them to confirm the PIN they have created. Enter the PIN again and the device should be fully enrolled. From then on, every time you are asked to authenticate with a Fingerprint you will then be taken to the PIN screen shown above, where you will also have to provide the PIN to proceed.

Troubleshooting

You might face a few issues while using the idenprotect for BlackBerry application. These issues are usually explained to the user with an error message / error alert.

XB country code

When you authenticate with idenprotect for BlackBerry you may notice an XB country code like below:

If you see an XB code, it means that idenprotect for BlackBerry is unable to determine your country code. In this case, you should check:

  • Location Services are enabled for idenprotect for BlackBerry (navigate to your Android device's Settings -> Apps -> idenprotect for BlackBerry -> Location -> should be set to Always)
  • Check that you don't have airplane mode on
  • Check your network connection
  • Check your WiFi connection
  • If you don't have a network or WiFi connection, please check that you have a clear view of the sky so that the GPS module alone can determine the location.

If the issue still persists please contact your administrator.

Unable To Verify Your Identity

This error may appear if you cancel your Fingerprint authentication or have entered your Fingerprint incorrectly too many times. Alternatively, it could mean that there is an issue with the idenprotect Framework, which cannot be initialized if there was a data cleanup and the application's temp folder was removed. If this error happens at any time after authentication, please contact your administrator.

Online services are unavailable

This type of error means that you have successfully authenticated with idenprotect for BlackBerry, but online services will be unavailable due to network issues.

  • Please check that mobile data is enabled (if roaming, check that data roaming is on)
  • Please check that you are on the WiFi network if not using mobile data.
  • Please verify that you can open any website via your mobile browser. If the website opens, please restart idenprotect for BlackBerry.

If the issues still persist please contact your administrator.

Unable to update policies

If you see an error like the one above when you try to authenticate to idenprotect for BlackBerry, it means one of the following:

  • Unable to reach the idenprotect Core Platform
  • Device or the user might be removed from the idenprotect Core Platform

In both instances please contact your administrator.

Some SSO services are unavailable

If, after authenticating with idenprotect for BlackBerry, you see a screen similar to the one above, it means that there were issues with the certificate creation. This could be due to the CA timing out, or due to a connection issue with the idenprotect Core Platform.

If this issue persists, please contact your administrator. The administrator should be able to check in the server logs whether ephemeral certificate requests were made from the device. The error above may also be shown together with an error alert like the one below:

Unable to import P12 Certificate

This means that the ephemeral certificate was successfully created but idenprotect for BlackBerry was unable to import the P12 into the BlackBerry runtime. If the error message contains "a user profile with id: (null)", please let your administrator know, as there may be configuration issues on the idenprotect Core Platform with the UEM User credential profile name.

Unable to retrieve list of devices

This error can happen if there is a connection issue between your phone and the server, or if this feature is not supported by the current server version. Please try again; if the problem persists, contact your administrator.

Reset Password Failed

idenprotect for BlackBerry supports resetting your Active Directory password. This feature must also be enabled in Active Directory for the user to successfully reset their AD password. An error will otherwise be thrown that the password could not be reset.