Authentication Policy

Use this dialog box to configure Windows Active Directory user authentication.

User Directory Options

Use this tab to specify options for Windows Active Directory-based authentication.

When you choose Windows Active Directory-based authentication, the SOTI MobiControl agent will directly authenticate the user's credentials with the Active Directory server associated with the configured domain. The Active Directory server requires SSL security to be enabled, and ports 636 and 443 to be open between the SOTI MobiControl deployment server and the Active Directory server. If your organization uses a non-standard port to communicate over SSL with your Active Directory server, append a colon ":" and the port number to the domain to indicate the port in use (for example, mydomain.com:1234). If no other connection is available, the agent will attempt to initiate a data connection, provided one has already been configured. For information about how to configure an Active Directory connection, see LDAP Connections Manager.
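The port and SSL requirements above are easy to get wrong (a firewall between the deployment server and the domain controller, or a certificate the deployment server does not trust). The following script is an added example, not part of the SOTI MobiControl product or its documentation: it parses a domain entry in the "mydomain.com:1234" form described above (defaulting to port 636 when no port is given) and performs a TLS handshake with full certificate and hostname verification against that LDAPS endpoint. It sends no LDAP traffic, so it only confirms that the port is reachable and the TLS setup is sound. The target name "mydomain.com:1234" is the page's own placeholder; the optional CA file path is an assumption for environments with a private PKI.

```python
import json
import socket
import ssl
import sys
from typing import Optional, Tuple

DEFAULT_LDAPS_PORT = 636  # the LDAPS port the page says must be open


def parse_ad_target(value: str) -> Tuple[str, int]:
    """Split 'mydomain.com' or 'mydomain.com:1234' into (host, port).

    Uses the page's colon convention; bracketed IPv6 literals are not handled.
    """
    value = value.strip()
    if not value:
        raise ValueError("empty Active Directory domain entry")
    host, sep, port_text = value.rpartition(":")
    if not sep:
        return value, DEFAULT_LDAPS_PORT
    if not host:
        raise ValueError(f"missing host in {value!r}")
    if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        raise ValueError(f"invalid port in {value!r}")
    return host, int(port_text)


def check_ldaps_reachable(target: str, timeout: float = 5.0,
                          cafile: Optional[str] = None) -> dict:
    """Open a TCP connection and complete a verified TLS handshake.

    Returns a small report dict. 'tcp' tells you whether the port is open,
    'tls' whether the certificate chain and hostname verified; 'error' holds
    the failure reason otherwise. No LDAP bind is attempted.
    """
    host, port = parse_ad_target(target)
    # create_default_context() enables chain validation and hostname checking.
    ctx = ssl.create_default_context(cafile=cafile)
    report = {"host": host, "port": port, "tcp": False, "tls": False, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            report["tcp"] = True
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                report["tls"] = True
                report["protocol"] = tls.version()
                cert = tls.getpeercert()
                report["subject"] = dict(x[0] for x in cert.get("subject", ()))
                report["not_after"] = cert.get("notAfter")
    except (OSError, ssl.SSLError) as exc:
        report["error"] = f"{type(exc).__name__}: {exc}"
    return report


if __name__ == "__main__":
    # Placeholder target from the page; pass your own as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "mydomain.com:1234"
    print(json.dumps(check_ldaps_reachable(target), indent=2))
```

Run it from the deployment server itself, since that is the host whose path to the domain controller matters; a report with tcp true but tls false usually points at a certificate the deployment server's trust store does not accept, which is exactly the case the SSL requirement above would hide behind a generic authentication failure.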

Select a Windows Active Directory connection from the list. If you need to modify a connection, or create a new one, click the Manage button next to the list to open the LDAP Connections Manager.

Restrict users to this domain Select this option to force the user to be authenticated against a particular domain controller.

When the domain is known ahead of time this option is recommended as it requires the device user to enter less information.

Warn users when their passwords will expire within number day(s) Select this option to set the number of days before password expiry at which users start to receive warnings that they must change their password.
Force users to change their passwords number day(s) before expiry Select this option to force users to change their password before it expires in the Active Directory.

This option is especially helpful in case your deployment server is located within a DMZ, since in that configuration the deployment server is unable to facilitate the password change if the password has already expired.
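Both options above hinge on how many days remain before the Active Directory password expires. The following is an added example, not SOTI MobiControl code, that derives that figure from the two attributes the directory actually stores: the user's pwdLastSet (a Windows FILETIME, 100-nanosecond ticks since 1601-01-01) and the domain's maxPwdAge (the same unit, stored as a negative interval). It then maps the remaining days onto the warn and force thresholds configured in this dialog. The threshold values, the sample timestamps and the state names are constructed for the example; the special cases (pwdLastSet of 0 meaning "must change at next logon", and a maxPwdAge of 0 or the "never expires" sentinel) follow standard Active Directory semantics.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME origin
TICKS_PER_SECOND = 10_000_000            # FILETIME counts 100-ns intervals
DAY_TICKS = 86_400 * TICKS_PER_SECOND    # one day expressed in FILETIME ticks
NEVER_EXPIRES = -0x8000000000000000      # maxPwdAge sentinel for "no expiry"


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a FILETIME tick count to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Convert an aware datetime to FILETIME ticks (inverse of the above)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def classify_password_state(pwd_last_set: int, max_pwd_age: int,
                            warn_days: int, force_days: int,
                            now: Optional[datetime] = None) -> dict:
    """Decide which of the dialog's two password actions applies.

    States (constructed names): 'never', 'must_change_now', 'expired',
    'force_change' (within force_days), 'warn' (within warn_days), 'ok'.
    """
    now = now or datetime.now(timezone.utc)
    if max_pwd_age in (0, NEVER_EXPIRES):
        return {"state": "never", "expires_at": None, "days_left": None}
    if pwd_last_set == 0:
        return {"state": "must_change_now", "expires_at": None, "days_left": 0.0}
    # maxPwdAge is negative, so subtracting it adds the allowed lifetime.
    expires_at = filetime_to_datetime(pwd_last_set - max_pwd_age)
    days_left = (expires_at - now).total_seconds() / 86_400
    if days_left <= 0:
        state = "expired"          # a DMZ deployment server cannot fix this
    elif days_left <= force_days:
        state = "force_change"
    elif days_left <= warn_days:
        state = "warn"
    else:
        state = "ok"
    return {"state": state, "expires_at": expires_at, "days_left": days_left}


if __name__ == "__main__":
    # Constructed sample: 42-day domain policy, password set 38 days ago.
    now = datetime.now(timezone.utc)
    last_set = datetime_to_filetime(now - timedelta(days=38))
    print(classify_password_state(last_set, -42 * DAY_TICKS, 7, 2, now))
```

The ordering matters: the check for an already expired password comes first because, as the note above explains, a deployment server in a DMZ can no longer help once expiry has passed, so that case should surface as its own state rather than being folded into "force change".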

Actions

Use this tab to configure automatic device-side actions based on defined authentication events.

Add Opens the Event Configuration dialog box in which you can select an authentication event and specify the action you want to execute when the event occurs.
Edit Opens the Event Configuration dialog box in which you can edit the selected authentication event and its associated action.
Delete Deletes the selected action.

User

Allow only a single device user Select this option to lock the device to the first user who successfully logs into the device. Any other user will be unable to log in and use the device.

This option must be selected if you are using Microsoft Exchange ActiveSync, since a Windows Mobile device is only capable of synchronizing with the account of a single user.

If you wish to reset which device user is bound to a given device: while the device is online, right-click it in the device tree, click Configure Devices, then click Security, click Authentication Policy, and click Configure to open a dialog box in which you can click the Reset User Binding button.

Note: When you click the Reset User Binding button it will reset the binding instantly, so there is no need to click the OK button.
Allow all domain users to log on the device Select this option to allow all domain users to log in and use the device.

This option is suitable only for environments where devices are shared among a group of people and there are no personal settings stored on the device.

Allow users to create a simple authentication password This option will allow the user to create a simplified password and use this password when trying to log into the device instead of using their Active Directory password. This option is handy when the Active Directory password for the user is very complex and it is too tedious to enter on the device.

To set password length and complexity requirements, click the Policies button.

Banner

Use this tab to replace the default banners that appear on the device with custom images.

Note: The default dimensions are 214 × 36 pixels, and the image file must be in BMP format.
Login Screen This is the image that appears on the device login screen. Select an image file from the list or click Browse to select an image on your file system.
Device Lock Screen This is the image that appears on the device lock screen. Select an image file from the list or click Browse to select an image on your file system.
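Because a banner that is not a BMP, or not 214 × 36 pixels, will simply fail to display correctly, it is worth checking the file before it is pushed to devices. The following is an added example, not part of SOTI MobiControl: it reads the BMP file header and the DIB header to recover the image dimensions (handling the legacy 12-byte core header and negative "top-down" heights), compares them with the default size stated in the note above, and includes a small builder that constructs a blank 24-bit BMP purely as test input. The function names and the builder are this example's own.

```python
import struct
from typing import Tuple

EXPECTED_BANNER_SIZE = (214, 36)  # default banner dimensions from the page


def read_bmp_dimensions(data: bytes) -> Tuple[int, int]:
    """Return (width, height) from a BMP file's headers.

    Layout: 14-byte BITMAPFILEHEADER starting with 'BM', then a DIB header
    whose first 4 bytes give its own size. The 12-byte BITMAPCOREHEADER
    stores 16-bit unsigned dimensions; every later variant stores signed
    32-bit values, where a negative height means a top-down bitmap.
    """
    if len(data) < 26 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    dib_size = struct.unpack_from("<I", data, 14)[0]
    if dib_size == 12:
        width, height = struct.unpack_from("<HH", data, 18)
    else:
        width, height = struct.unpack_from("<ii", data, 18)
    if width <= 0 or height == 0:
        raise ValueError("invalid BMP dimensions")
    return width, abs(height)


def banner_ok(data: bytes, expected: Tuple[int, int] = EXPECTED_BANNER_SIZE) -> bool:
    """True only for a parseable BMP whose dimensions match the expected size."""
    try:
        return read_bmp_dimensions(data) == expected
    except ValueError:
        return False


def make_blank_bmp(width: int, height: int) -> bytes:
    """Build a minimal black 24-bit BMP (constructed test input, not a banner)."""
    row_bytes = (width * 3 + 3) & ~3            # rows are padded to 4 bytes
    pixel_bytes = row_bytes * height
    file_header = b"BM" + struct.pack("<IHHI", 54 + pixel_bytes, 0, 0, 54)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                             pixel_bytes, 2835, 2835, 0, 0)
    return file_header + dib_header + bytes(pixel_bytes)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None  # path to your banner
    if path:
        with open(path, "rb") as fh:
            content = fh.read()
        print(path, read_bmp_dimensions(content), "ok" if banner_ok(content) else "MISMATCH")
    else:
        print(banner_ok(make_blank_bmp(*EXPECTED_BANNER_SIZE)))
```

Run it with the path to a candidate banner; a PNG or JPEG renamed with a .bmp extension is rejected at the magic-number check rather than after the policy has been deployed.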

OS Integration

Use this tab to select operating system integration options.

Note: These options are applicable only to Windows Mobile 5 and later devices.
Display notification screen when device is locked Configures the device to present a clear indication of the device's locked status to users.
Integrate with Windows Mobile device authentication subsystem When this option is selected, the agent is registered with the operating system authentication subsystem and replaces the standard password prompt with its custom password prompt. This provides maximum security for the device because the password prompt engages immediately on device startup, ensuring the device cannot be accessed without the user first providing the user or administrator password. With this option, the password prompt is automatically re-engaged when the operating system determines that the idle timeout has expired.
Note: This option is applicable only when both an administrator password and a user password have been configured and the device is running the Windows Mobile 5 or later operating system. For devices running other operating systems, the password prompt is handled at the application layer and is not driven directly by the operating system. In some cases you may wish to disable this option to prevent the authentication plug-in from conflicting with other third-party security solutions that may be running on the device.