Authentication

An Authentication configuration enables you to set minimum requirements for password-based user authentication on a device. You do this when:

Administrator

Device Administrator Password

Use this section to configure an administrator password on the device. You must configure an administrator password before using various security features of SOTI MobiControl. The administrator password disables security feature such as lockdown and application run control, providing unrestricted access to the device.

Advanced

Use this section to configure automatic device-side actions based on defined authentication events. Click Add to open Authentication: Add Event Configurations.

Device

User Authentication

Use this section to configure user authentication settings.

User Authentication Type Select a user authentication type:
  • None: Select this option to specify no user authentication. Any user will be able to access the device without being authenticated.
  • Standard Authentication: Select this option for standard user authentication.
  • Windows User Directory Authentication: Select this option enforce Windows Active Directory-based authentication for users on enrolled devices. The user must enter their Active Directory credentials when trying to log into the device. If you change their Active Directory profile, the change is propagated down to the device with SOTI MobiControl.
Device Password Specify a password for the user to enter to access the device. This password is unique to SOTI MobiControl and can be controlled only with SOTI MobiControl.
Lock Screen on Inactivity Select this option to lock the device screen after the period of inactive time specifed in Inactivity Duration.

Domain User

Note: This section appears only if you select Windows User Directory Authentication as the user authentication type.
Manage Directories If you need to modify a Windows Active Directory connection, or create a new one, click the Manage Directories button to open the Directory Service Configuration dialog box.
User Directory Select the user directory to authenticate the device user.
Restrict Users to a Domain Select this option to force the user to be authenticated against a particular domain controller.

When the domain is known ahead of time this option is recommended as it requires the device user to enter less information.

Notify User of Password Expiry Select this option to set the number of days before password expiry when users start to receive warnings that they must change it.
Force Password Change Before Expiry Select this option to force users to change their password before it expires in the Active Directory.

This option is especially helpful in case your deployment server is located within a DMZ, since in that configuration the deployment server is unable to facilitate the password change if the password has already expired.

Device User Type Select the device user type:
  • Single User: Select this option to lock the device to the first user who successfully logs into the device. Any other user will be unable to log in and use the device.
  • All Domain Users: Select this option to allow all domain users to log in and use the device. This option is suitable only for environments where devices are shared among a group of people and there are no personal settings stored on the device.

Policy

Allow User to Create Simple Password This option will allow the user to create a simplified password and use this password when trying to log into the device instead of using their Active Directory password. This option is handy when the Active Directory password for the user is very complex and it is too tedious to enter on the device.
Allow User to Change Account Passwords Select this option to enable users to enter their own password.
Allow User to Reset Forgotten Passwords Using Questions Select this option to enable users who want to reset their password to be prompted with security questions.
Password Complexity Requirements Select this option to require user passwords to meet complexity requirements.
Minimum Password Length The minimum number of characters or numbers password must have.
Must Contain at Least One Digit The password must contain at least one digit.
Must Contain at Least One Upper Case Letter The password must contain at least one uppercase letter.
Must Contain at Least One Lower Case Letter The password must contain at least one lowercase letter.
Must Contain at Least One Special Character The password must contain at least one special character, such as a punctuation symbol.

Actions

Use this section to configure automatic device-side actions based on defined authentication events. Click Add to open Authentication: Add Event Configurations.

Custom Banner

Use this section to replace the default banners that appear on the device with custom images.

Note: The default dimensions are 214 × 36 pixels, and the image file must be in BMP format.
Login Screen Image This is the image that appears on the device login screen. Select an image file from the list or click Browse to select an image on your file system.
Lock Screen Image This is the image that appears on the device lock screen. Select an image file from the list or click Browse to select an image on your file system.

OS Integration

Use this section to select operating system integration options.

Note: These options are applicable only to Windows Mobile 5 and later devices.
Display Notifications on Locked Device Configures the device to present a clear indication of the device's locked status to users.
Integrate with Windows Mobile Authentication Subsystem When this option is selected, the agent is registered with the operating system authentication subsystem and replaces the standard password prompt with its custom password prompt. This provides maximum security for the device because the password prompt engages immediately on device startup, ensuring the device cannot be accessed without the user first providing the user or administrator password. With this option, the password prompt is automatically re-engaged when the operating system determines that the idle timeout has expired.
Note: This option is applicable only when both an administrator password and a user password have been configured and the device is running the Windows Mobile 5 or later operating system. For devices running other operating systems, the password prompt is handled at the application layer and is not driven directly by the operating system. In some cases you may wish to disable this option to avoid the authentication plug-in from conflicting with other third-party security solutions that may be running on the device.