Idenprotect for Mobile Configuration

From idenprotect Knowledge Base

If you have not made any configuration changes yet, please see How to make configuration changes.

Introduction

There are a number of ways that the process of user-enrollment can be configured to meet different operational requirements.

This article shows you how to configure the behaviour of the idenprotect Client. If you are looking to configure the User Enrollment policies, please see User Enrollment Policies.

Note that during the enrollment process, depending on the configuration, emails can be sent to the user. If you have not yet gone through any Email Configuration, see Email SMTP Configuration. This article also has additional links to guide you through configuring the Email Content and Email Templates.


Configuring idenprotect Client behaviour

This configuration can be found in:

  • idenprotect Client Configuration section in the idenprotect Core Platform Admin Console Config Tab
  • Server file system in /etc/idenprotect/userenrolment.properties

Parameters for Client

| Parameter in Config Tab | Parameter in Properties File | Description |
|---|---|---|
| Application Type | policy.application.type | This property determines if the idenprotect for BlackBerry client should be enrolled as BlackBerry/SAML or BOTH |
| CSR Time Slip Limit | csr.timestamp.maxerror | Allowed error in time stamp (seconds) for CSR Request |
| Validate CSR Certificate | enrolment.cert.checking | If set to true, additional checks are done on the signature for the ephemeral certificate request |
| Username | login.user | The username of the website user the mobile client should use to authenticate to the idenprotect Core Platform |
| Is Qr Code Authentication Allowed? | policy.allow.qrcode | If set to true, the user will be able to authenticate with a QR code on the idenprotect For Mobile app |
| Renewal Reminder Days | policy.secenc.reminder.days | The number of days prior to expiry at which the user is reminded that they have to renew a secure enclave certificate |
| Password Reset Allowed | policy.reset.password | If set to true, the user will be able to reset their Active Directory password from within the idenprotect for BlackBerry client. Note that Password Reset is only supported if you are connected to LDAP via Websocket and it must be a secure connection (ldaps://{host}:636) |
| Authentication Required | policy.authentication.required | Set to true if the client needs to use a basic auth header when accessing APIs. The header will be created using credentials downloaded as part of enrollment |
| Is PKI Connector Required? | policy.pki.connector.required | If this is set to true, the idenprotect for BlackBerry client will create a P12 and send it to the idenprotect Core Platform, from which it will then be retrieved by the UEM server via a PKI connector. If this is set to false, idenprotect for BlackBerry will try to use device-based certificates from a User credential profile |
| Is PIN Reset Allowed? | policy.pin.reset.allowed | If set to true, the user will be able to reset their PIN on the idenprotect For Mobile app |
| Sec Enclave Required? | policy.secure.enclave | NOT CURRENTLY SUPPORTED |
| Secure Enclave Auto Renewal | policy.auto.secenc.renewal | The secenc auto renewal policy will renew a secure enclave certificate automatically prior to its expiry, e.g. (Certificate expiry date - renewalReminderDays = renewal day) |
| Authentication Type | policy.authentication.type | Can be set as "touch", "pin" or "either". If set as "touch", the user will not be prompted to create a new PIN. |
| Debug Mode Enabled | policy.mode.debug | If this is set to true, the user will have access to a debug screen. This screen can show additional information such as details of certificates on the device |
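
The following is an added example, not idenprotect code: a Python check that parses the properties file described above and lists client settings worth reviewing before production use. The key=value file syntax, the expected values in the review policy and the sample file contents are assumptions made for this example.

```python
# Assumption: plain key=value lines, with '#' or '!' starting a comment line.
ALLOWED_AUTH_TYPES = {"touch", "pin", "either"}  # values listed in the table
# Expected values are this example's own review policy, not vendor guidance.
EXPECTED_BOOLEANS = {
    "enrolment.cert.checking": "true",         # keep the extra CSR checks
    "policy.authentication.required": "true",  # basic auth header on API calls
    "policy.mode.debug": "false",              # debug screen shows cert details
}

def parse_properties(text):
    """Parse key=value lines into a dict, skipping blanks and comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit(props):
    """Return a sorted list of (key, finding) pairs for settings to review."""
    findings = []
    for key, expected in EXPECTED_BOOLEANS.items():
        actual = props.get(key)
        if actual is None:
            findings.append((key, "not set; effective default unknown"))
        elif actual.lower() != expected:
            findings.append((key, f"is {actual!r}, expected {expected!r}"))
    auth_type = props.get("policy.authentication.type")
    if auth_type is not None and auth_type.strip('"').lower() not in ALLOWED_AUTH_TYPES:
        findings.append(("policy.authentication.type", f"unrecognised value {auth_type!r}"))
    slip = props.get("csr.timestamp.maxerror")
    if slip is not None and not slip.isdigit():
        findings.append(("csr.timestamp.maxerror", f"not whole seconds: {slip!r}"))
    return sorted(findings)

# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
# userenrolment.properties (constructed sample)
csr.timestamp.maxerror=300s
enrolment.cert.checking=false
policy.authentication.type=face
policy.mode.debug=true
"""

if __name__ == "__main__":
    for key, finding in audit(parse_properties(SAMPLE)):
        print(f"{key}: {finding}")
```

To audit a live server, pass the contents of /etc/idenprotect/userenrolment.properties to parse_properties instead of SAMPLE.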