Idenprotect for Mobile Configuration

From idenprotect Knowledge Base

If you have not made any configuration changes yet, please see How to make configuration changes.


There are a number of ways that the process of user-enrollment can be configured to meet different operational requirements.

This article shows you how to configure the behaviour of the idenprotect Client. If you are looking to configure the User Enrollment policies, please see User Enrollment Policies.

Note that during the enrollment process, depending on the configuration, emails can be sent to the user. If you have not yet gone through any Email Configuration, see Email SMTP Configuration. This article also has additional links to guide you through configuring the Email Content and Email Templates.

Configuring idenprotect Client behaviour

Application Type

The type of application a user can install is based on their group membership defined under config->Ldap User Sync.


If no groups are defined for different mobile client types, then a user can download and enrol any client type.

If at least one group is defined, then a user must be a member of the group associated with that client type in order to enrol that type of client.

If a user attempts to enrol the wrong client type, they will be shown an error and directed to the correct client type if appropriate.

This configuration can be found in:

  • idenprotect Client Configuration section in the idenprotect Core Platform Admin Console Config Tab
  • Server file system in /etc/idenprotect/
Parameters for Client

Parameter in Config Tab | Parameter in Properties File | Description
Application Type | policy.application.type | This property determines if the idenprotect for BlackBerry client should be enrolled as BlackBerry, SAML or BOTH. This is only used for client versions before 3.16.
Enable SAML | policy.application.type.saml.enabled | If the Application Type is BlackBerry, this policy determines if the client can also act as a SAML Authenticator.
CSR Time Slip Limit | csr.timestamp.maxerror | Allowed error in the time stamp (seconds) for a CSR request.
Validate CSR Certificate | enrolment.cert.checking | If set to true, additional checks are done on the signature of the ephemeral certificate request.
Username | login.user | The username of the website user the mobile client should use to authenticate to the idenprotect Core Platform.
Enable QR Code Authentication | policy.allow.qrcode | If set to true, the user will be able to authenticate with a QR code on the idenprotect for Mobile app.
Renewal Reminder Days | policy.secenc.reminder.days | The renewal reminder days will remind the user that they have to renew a secure enclave certificate prior to its expiry.
Password Reset Allowed | policy.reset.password | If set to true, the user will be able to reset their Active Directory password from within the idenprotect for BlackBerry client. Note that Password Reset is only supported if you are connected to LDAP via Websocket and it must be a secure connection (ldaps://{host}:636).
Authentication Required | policy.authentication.required | Set to true if the client needs to use a basic auth header when accessing APIs. The header will be created using credentials downloaded as part of enrollment.
Enable PKI Connector | policy.pki.connector.required | If this is set to true, the idenprotect for BlackBerry client will create a P12 and send it to the idenprotect Core Platform, from which it will be retrieved by the UEM server via a PKI connector. If this is set to false, idenprotect for BlackBerry will try to use device-based certificates from a User credential profile.
Enable PIN Reset | | If set to true, the user will be able to reset their PIN on the idenprotect for Mobile app.
Secure Enclave Auto Renewal | | The secenc auto renewal policy will renew a secure enclave certificate automatically prior to its expiry, e.g. (certificate expiry date - renewalReminderDays = renewal day).
Authentication Type | policy.authentication.type | Can be set as "touch", "pin" or "either". If set as "touch", the user will not be prompted to create a new PIN.
Enable Debug Mode | policy.mode.debug | If this is set to true, the user will have access to a debug screen. This screen can show additional information such as details of certificates on the device.
Enable Integrated Browser | policy.allow.browsing | If this is set to true, the user will have access to the idenprotect mobile client's integrated browser.
Integrated Browser Homepage | policy.browser.homepage | The default webpage / URL that the user will be directed to when the user opens the mobile client's integrated browser. It is possible to include the user's username in this URL by inserting {username} in this setting.
Enable Mobile One Time Code | policy.allow.otp | Policy to set if One Time Code authentication is permitted on mobile devices.
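As an added example (not idenprotect's own tooling), the following Python script parses a properties file in the style kept under /etc/idenprotect/ and flags the settings from the table above that a hardening review would question. The key names are those listed in the table; the sample file, the 300-second skew threshold and the finding messages are constructed for illustration.

```python
# Added example (not idenprotect's own tooling): lint the client policy
# properties for settings a reviewer would question. Key names come from the
# table above; the sample file and the skew threshold are constructed.
MAX_CSR_SLIP_SECONDS = 300  # assumed acceptable clock error for CSR timestamps

# Constructed sample in the /etc/idenprotect/ properties style.
SAMPLE = """\
# idenprotect client policy (constructed sample)
csr.timestamp.maxerror=900
enrolment.cert.checking=false
policy.mode.debug=true
policy.reset.password=true
policy.authentication.required=true
"""


def parse_properties(text):
    """Parse Java-style key=value lines; '#' or '!' begins a comment."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def _is_true(props, key):
    return props.get(key, "false").lower() == "true"


def lint_client_policy(props):
    """Return (key, reason) findings for a hardening review of the policy."""
    findings = []
    if _is_true(props, "policy.mode.debug"):
        findings.append(("policy.mode.debug", "debug screen shows certificate details on the device"))
    if not _is_true(props, "enrolment.cert.checking"):
        findings.append(("enrolment.cert.checking", "extra signature checks on the ephemeral CSR are off"))
    slip = int(props.get("csr.timestamp.maxerror", "0"))
    if slip > MAX_CSR_SLIP_SECONDS:
        findings.append(("csr.timestamp.maxerror", f"{slip}s tolerance weakens the CSR freshness check"))
    if _is_true(props, "policy.reset.password"):
        findings.append(("policy.reset.password", "needs LDAP over a secure websocket (ldaps://{host}:636)"))
    if not _is_true(props, "policy.authentication.required"):
        findings.append(("policy.authentication.required", "API calls omit the basic-auth header from enrollment"))
    return findings
```

Running `lint_client_policy(parse_properties(SAMPLE))` on the constructed sample reports the debug mode, CSR checking, CSR time slip and password reset findings; point `parse_properties` at the real file contents to review a deployment.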