Using "idenprotect for Blackberry" on iOS

From idenprotect Knowledge Base

The idenprotect client is an Authentication Delegate for BlackBerry. This means that when you wish to access BlackBerry on your device you will be asked to authenticate to the idenprotect client: the idenprotect client comes to the foreground with a "Click to Authenticate" button.

Press on this button and you can then authenticate via FaceID, Fingerprint, or PIN, depending on your device's configuration.

Once authenticated you will be able to access BlackBerry applications. In addition, the idenprotect client injects a personalized signing key pair into the BlackBerry runtime that can be used for Certificate-Based Authentication (Mutual TLS) access to websites and services. This key pair is known as the Ephemeral Key Pair (Certificate), as it generally has a short validity period. In non-BlackBerry versions of the app, users can use Mutual TLS to access websites and services through the inbuilt browser (in the left-hand menu) if this feature has been set up on your idenprotect server.

Flight Mode

IOS unlocked screen.png

On this screen you will see a timer (in this case 2.59) in Hours.Minutes format (2 hours and 59 minutes). This is also called Flight Mode. The timer indicates how long the Ephemeral certificate remains valid. If the certificate has expired, the timer changes to 0.00 and the progress bar turns red. This means that some services might not be available: for example, BlackBerry Access/BlackBerry Work may need this certificate to authenticate you to your email or to internal corporate websites.

If you know that you will be offline (without an internet connection), for example on a plane, and need to use your device while offline, make sure that your certificate will not expire while you are using the device offline. For this purpose you can press the timer, and you will be presented with a popup message.

IOS flightmode activated.png

If you click the Yes button you will be logged out of the BlackBerry runtime and will have to log in again.

IOS BlackBerry auth.png

This screen is also presented to you if you close the idenprotect For Mobile application and re-open it. After you click the "Click to Authenticate" button, idenprotect generates a new certificate in the background if the current one has expired or if Flight Mode is activated. After authenticating with FaceID/TouchID you will be redirected back to the idenprotect Unlocked screen with a new Ephemeral certificate.

Using idenprotect To Authenticate

On the main page, you have an option to open a "hamburger" menu or an option to scan a QR code. If you click on "Scan a QR code" you will be presented with your device's camera. With the camera, you can scan a QR code to authenticate to an idenprotect Authentication Portal that will allow you to access cloud/web services integrated with idenprotect Core Platform.

After scanning a QR code you will be asked to provide a FaceID/TouchID which will then authenticate you to the service provider, with a success popup.

IOS Auth success.png

Push Notifications

To authenticate with a Service Provider / idenprotect Authentication Portal you can also use Push Notifications. When you go to your company's Service Provider or idenprotect Authentication Portal and enter your e-mail address, a Push Notification is sent to you automatically (if the idenprotect Core Platform is set up to send push notifications automatically) or when you press the "Push Notification" button.

If the application is open on your device, you will receive a popup asking whether you would like to proceed with authentication to the service provider (in this instance "IDP").

IOS push opened.png

After clicking the OK button you will be asked to provide FaceID/TouchID, and a success popup will appear to notify you that authentication succeeded.

IOS Auth success.png

If the idenprotect For Mobile application was closed or in the background, you will receive a Push Notification like any other standard notification in your notification tray. You can click on the notification and it will take you to the application to proceed with authentication.

IOS notification tray.png

Using idenprotect Both

On the main page you will have an option to authenticate with a QR code. The page looks very similar to the BlackBerry use case, but the central circular button is clickable and shows an "Authenticate" label.

IOS Both.png

By clicking on the "Authenticate" button you will be presented with your device's camera. With the camera, you can scan a QR code to authenticate to an idenprotect Authentication Portal that will allow you to access cloud/web services integrated with idenprotect Core Platform.

After scanning a QR code you will be asked to provide a FaceID/TouchID which will then authenticate you to the service provider, with a success popup.

IOS Auth success.png

Side Menu

On the top left corner of the screen, you will see a "hamburger" menu button. You can click on this button to view the menu. Alternatively, you can swipe from the left to right to open the menu. To close the menu you can click back on the "hamburger" menu button, swipe or click anywhere on the right side of the screen.

IOS side menu.png

There are a few things that you can do from the side menu. In general, a user will see their device serial number (useful for support purposes), the email address of the user this device belongs to, and the idenprotect For Mobile application version number. There is also a Devices button which lets you view and manage all of the devices that belong to the user. If you click on the "Devices" button you will be presented with the Devices table, which shows all of the devices belonging to this user.

IOS Devices Screen.png

You can select any device you wish to manage and swipe it to the left or right. This will reveal two options "More" and "Delete". If you click on the "More" button you will be presented with the information popup.

IOS Device Info.png

In the Information popup you will see details in the order below (with provided examples):

  • Device Name (iPhone-iPhone10,6-11)
  • Device Serial Number (AMP002-CkG766Am-241036)
  • Device State (Enrolled)
  • Device Creation Time (2019-05-21 13:55:59)
  • idenprotect for BlackBerry version (BlackBerry 3.7.3)

You can click "OK" to close the information popup. If you would like to remove a device from the idenprotect Core Platform, select the device you want to remove, swipe the cell to the left or right, and select the "Delete" button from the revealed options. You will be presented with the Device Deletion popup like below:

IOS Delete Device.png

The popup asks whether you would like to remove the device (naming the device). If you click "OK" you will be asked to provide FaceID/TouchID to proceed. After successful deletion you will be returned to the current devices table with the removed device taken out. The device is also removed from the idenprotect Core Platform, which means that the device can be enrolled again.

The device management screen also allows you to unenroll your own device. Select your device from the list (it will be highlighted in blue) and press Delete; this removes your device from the idenprotect Core Platform. After deleting your device you will be redirected to the "Error" screen, which lets you know that you have to reinstall the idenprotect For Mobile application and enroll again.

Debug mode

On the idenprotect Core Platform you can enable the debugMode policy. This policy allows the user to view extra information on the mobile client for debugging purposes, such as the last location update time, certificates, and latitude and longitude updates in real time.

Location Updates

When debug mode is on and you open idenprotect For Mobile application you will see a login screen like below:

IOS Debug login.png

At the top of the page you will see the country code that idenprotect was able to retrieve (location is retrieved via Apple standard APIs) as well as a timestamp of when it was retrieved (on page load); in the example above it was retrieved at 8:42. When the user clicks the Click to Authenticate button, the location is re-checked and the latest location is used.

After authentication the user sees the "idenprotect Unlocked" screen, but because debug mode is on you will also see location updates in real time (every 15 seconds).

IOS unlocked location.png

At the bottom of the screen you will see a simple label stating Latitude and Longitude (in the example above Lat:53.798737, Long:-1.425547). This label changes its background to a random color every 15 seconds to indicate that the latest location has been retrieved. The latitude and longitude will usually change each time even when the device has not moved, due to inaccuracy in location retrieval (bad signal, using wifi, or A-GPS). The label also gives the user the option to view this latitude and longitude in Apple Maps: click on the latitude and longitude label and you will be forwarded to Apple Maps.

IOS Apple Maps.png

In Apple Maps, the latitude and longitude will be set as the destination. This will help the user to view if the location retrieved by idenprotect For Mobile application is correct.

Certificates

After you have authenticated to the idenprotect For Mobile application you can view certificates that belong to the device the user is using. On the idenprotect Unlocked screen reveal the side menu (by swiping or by clicking on the hamburger icon) and you will see a "Certificates" button.

IOS side menu debug.png

From the side menu, click on the "Certificates" button and you will be asked to provide FaceID/TouchID biometrics. This retrieves the data from the secure storage on your device (secure enclave). You will be shown a "Certificates" table which includes all of the user's certificates/signatures on the device.

IOS Certificates Screen.png

Every row has a title such as Ephemeral Certificates, Signature, Secure Enclave Certificate, etc. If you scroll down you will see the data as below:

IOS policies debug.png

This part of the table shows the current policies that are active on the device; more explanation can be found in the idenprotect Core Platform user enrollment properties. This lets the user know which policies are currently active. These policies are updated and refreshed every time the user authenticates on the idenprotect For Mobile application.

If you scroll back up and click on the Ephemeral or Secure Enclave certificate you will see a Certificate Details screen, which is useful in debugging: you can check that certificates are correct (issued to the right user), have the correct country code, and are valid as expected.

IOS cert details.png

On this screen you will be able to see:

  • DN - which shows the full domain name
  • Start Date - start date for a certificate
  • Expiry Date - the expiry date of a certificate
  • Public algorithm - public key algorithm
  • Sign algorithm - signing algorithm

Location Services

To use the idenprotect For Mobile application you need to grant permission for Location Services. idenprotect will not use your exact location such as latitude and longitude; it only uses the country code, which is used for certificate creation, i.e. the Country Code on the signed certificate reflects your current location. This may be used to support conditional access whereby data is only accessible from certain "white-listed" countries or access is prohibited from certain "black-listed" countries.

idenprotect For Mobile checks the location's country code in these three instances:

  • When the user opens the application and sees an Authentication Screen the country code will be visible on the screen.
  • When the user clicks on the "Click to Authenticate" button.
  • When the application is unlocked and in foreground or background.
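The Flight Mode timer and the Certificate Details screen above give a user everything needed to decide whether the Ephemeral certificate will last through an offline period and whether its country code matches where they will be. The following added example (not idenprotect's own code) works this out from the details-screen fields; it assumes the country code is carried as the C attribute of the DN and that dates use the YYYY-MM-DD HH:MM:SS format shown on the page.

```python
from datetime import datetime, timedelta

DATE_FMT = "%Y-%m-%d %H:%M:%S"  # format of Start/Expiry Date on the details screen

# Constructed sample of the fields shown on the Certificate Details screen.
# The values are made up for this example, not taken from a real device.
SAMPLE_CERT = {
    "DN": "CN=alice@example.com, O=Example Corp, C=GB",
    "Start Date": "2019-05-21 13:55:59",
    "Expiry Date": "2019-05-21 16:55:59",
    "Public algorithm": "EC",
    "Sign algorithm": "SHA256withECDSA",
}


def parse_dn(dn):
    """Split a comma-separated DN string into a dict of attribute -> value."""
    attrs = {}
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        attrs[key.strip()] = value.strip()
    return attrs


def flight_mode_timer(cert, now_str):
    """Return the timer in the H.MM format used on the Unlocked screen
    ("0.00" once the certificate has expired)."""
    now = datetime.strptime(now_str, DATE_FMT)
    expiry = datetime.strptime(cert["Expiry Date"], DATE_FMT)
    left = expiry - now
    if left <= timedelta(0):
        return "0.00"
    minutes = int(left.total_seconds() // 60)
    return f"{minutes // 60}.{minutes % 60:02d}"


def check_before_going_offline(cert, now_str, offline_hours, expected_country):
    """Check whether the ephemeral certificate outlasts a planned offline period
    and whether its DN country code (assumed to be the C attribute) matches
    the country the user will be in."""
    now = datetime.strptime(now_str, DATE_FMT)
    start = datetime.strptime(cert["Start Date"], DATE_FMT)
    expiry = datetime.strptime(cert["Expiry Date"], DATE_FMT)
    offline_until = now + timedelta(hours=offline_hours)
    return {
        "timer": flight_mode_timer(cert, now_str),
        "valid_now": start <= now < expiry,
        "covers_offline_period": offline_until < expiry,
        "country_ok": parse_dn(cert["DN"]).get("C") == expected_country,
    }
```

If covers_offline_period is False, re-authenticating before going offline (as described under Flight Mode) obtains a fresh certificate with a full validity period.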

Unlocked Application

While the application is unlocked, idenprotect For Mobile checks the user's location every 15 seconds. This means that if the location has changed (cross-border travel), idenprotect For Mobile creates a new ephemeral certificate in the background and injects a new P12 into the BlackBerry runtime. This may mean that your BlackBerry Access/Work applications start using a new certificate.

IOS location change notification.png

Users will be notified about the location update (and a new certificate creation) by an internal local notification like above. This notification will appear whenever a location has changed and a certificate is re-created.

PIN Policy

PIN policy is a policy set in the idenprotect Core Platform user enrollment configuration. If this policy is set to true, then in addition to FaceID/TouchID authentication the user also has to provide a PIN that they create at the enrollment stage. When a user enrolls a device with the PIN policy, the last step of enrollment is to create a PIN.

IOS pin create.png

Users will be asked to create a new idenprotect PIN as in the screenshot above. Enter a 4-digit PIN and click the "Continue" button; you will then be asked to confirm the PIN you have created. Enter your PIN again and your device should be fully enrolled.

IOS pin screen.png

Every time you are asked to authenticate with FaceID/TouchID, the PIN screen shown above follows, where you also have to provide your PIN to proceed.