Authentication
An Authentication configuration enables you to set minimum requirements for password-based user authentication on a device. Do this when you perform the following actions:
Administrator
Device Administrator Password
Use this section to configure an administrator password on the device. You must configure an administrator password before using various security features of SOTI MobiControl. The administrator password disables security features such as lockdown and application run control, providing unrestricted access to the device.
Advanced
Use this section to configure automatic device-side actions based on defined authentication events. Click Add to open Authentication: Add Event Configurations.
Device
User Authentication
Use this section to configure user authentication settings.
User Authentication Type | Select a user authentication type:
|
Device Password | Specify a password for the user to enter to access the device. This password is unique to SOTI MobiControl and can be controlled only with SOTI MobiControl. |
Lock Screen on Inactivity | Select this option to lock the device screen after the period of inactivity specified in Inactivity Duration. |
Domain User
Manage Directories | If you need to modify a Windows Active Directory connection, or create a new one, click the Manage Directories button to open the Directory Service Configuration dialog box. |
User Directory | Select the user directory to authenticate the device user. |
Restrict Users to a Domain | Select this option to force the user to be authenticated against a particular domain controller.
When the domain is known ahead of time, this option is recommended because it requires the device user to enter less information. |
Notify User of Password Expiry | Select this option to set the number of days before password expiry when users start to receive warnings that they must change it. |
Force Password Change Before Expiry | Select this option to force users to change their password before it expires in the Active Directory.
This option is especially helpful in case your deployment server is located within a DMZ, since in that configuration the deployment server is unable to facilitate the password change if the password has already expired. |
Device User Type | Select the device user type:
|
Policy
Allow User to Create Simple Password | This option will allow the user to create a simplified password and use this password when trying to log into the device instead of using their Active Directory password. This option is handy when the Active Directory password for the user is very complex and it is too tedious to enter on the device. |
Allow User to Change Account Passwords | Select this option to enable users to enter their own password. |
Allow User to Reset Forgotten Passwords Using Questions | Select this option to enable users who want to reset their password to be prompted with security questions. |
Password Complexity Requirements | Select this option to require user passwords to meet complexity requirements. |
Minimum Password Length | The minimum number of characters or numbers the password must have. |
Must Contain at Least One Digit | The password must contain at least one digit. |
Must Contain at Least One Upper Case Letter | The password must contain at least one uppercase letter. |
Must Contain at Least One Lower Case Letter | The password must contain at least one lowercase letter. |
Must Contain at Least One Special Character | The password must contain at least one special character, such as a punctuation symbol. |
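The complexity options above can be modelled as a small checker, shown here as an added example (not SOTI MobiControl code) that reports which options a candidate password fails and builds the simplest password a given policy still accepts. The field names, the sample minimum length of 8, and the reading of "special character" as ASCII punctuation are assumptions.

```python
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Hypothetical model of the Policy options above (names are not MobiControl's)."""
    min_length: int = 8            # constructed sample value
    require_digit: bool = True
    require_upper: bool = True
    require_lower: bool = True
    require_special: bool = True


def _rules(policy):
    # (option enabled?, option label from the table, per-character test, filler)
    return [
        (policy.require_digit, "Must Contain at Least One Digit", str.isdigit, "1"),
        (policy.require_upper, "Must Contain at Least One Upper Case Letter", str.isupper, "A"),
        (policy.require_lower, "Must Contain at Least One Lower Case Letter", str.islower, "a"),
        # Assumption: "special character" means ASCII punctuation.
        (policy.require_special, "Must Contain at Least One Special Character",
         lambda c: c in string.punctuation, "!"),
    ]


def violations(password, policy):
    """Return the labels of every enabled option the password fails."""
    failed = []
    if len(password) < policy.min_length:
        failed.append("Minimum Password Length")
    for enabled, label, is_class, _ in _rules(policy):
        if enabled and not any(is_class(c) for c in password):
            failed.append(label)
    return failed


def weakest_accepted(policy):
    """Build a minimal, predictable password that still satisfies the policy."""
    core = "".join(fill for enabled, _, _, fill in _rules(policy) if enabled)
    return core.ljust(policy.min_length, "a")


if __name__ == "__main__":
    policy = PasswordPolicy()
    # Constructed sample candidates.
    for candidate in ("warehouse7", "Scanner#42x", weakest_accepted(policy)):
        print(repr(candidate), violations(candidate, policy) or "compliant")
```

The last candidate passes every option yet is trivially guessable, so meeting these options is a floor for password quality rather than a measure of strength.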
Actions
Use this section to configure automatic device-side actions based on defined authentication events. Click Add to open Authentication: Add Event Configurations.
Custom Banner
Use this section to replace the default banners that appear on the device with custom images.
Login Screen Image | This is the image that appears on the device login screen. Select an image file from the list or click Browse to select an image on your file system. |
Lock Screen Image | This is the image that appears on the device lock screen. Select an image file from the list or click Browse to select an image on your file system. |
OS Integration
Use this section to select operating system integration options.
Display Notifications on Locked Device | Configures the device to present a clear indication of the device's locked status to users. |
Integrate with Windows Mobile Authentication Subsystem | When this option is selected, the agent is registered with the operating system authentication subsystem and replaces the standard password prompt with its custom password prompt. This provides maximum security for the device because the password prompt engages immediately on device startup, ensuring the device cannot be accessed without the user first providing the user or administrator password. With this option, the password prompt is automatically re-engaged when the operating system determines that the idle timeout has expired.
Note: This option is applicable only when both an administrator password and a user password have been configured and the device is running the Windows Mobile 5 or later operating system. For devices running other operating systems, the password prompt is handled at the application layer and is not driven directly by the operating system. In some cases you may wish to disable this option to prevent the authentication plug-in from conflicting with other third-party security solutions that may be running on the device.
|