Authentication (Android Enterprise Corporate Personal)

The Authentication configuration enables you to set minimum requirements for password-based user authentication on a device. You can apply this configuration when:

Device Administrator Password

Use this section to configure an administrator password on the device. You require this to use various security features in SOTI MobiControl. The administrator password disables security feature such as Lockdown and Application Run Control, providing unrestricted access to the device.

Configure features supported for AMAPI devices only If enabled, allows configuration of features supported for AMAPI-enrolled devices only. Once you assign the profile configuration to a device, the user cannot change this option while editing the profile.
Password Enter an administrator password for the device that turns off security features such as Lockdown or Application Run Control.
Dynamic Password Enable this feature to set a unique one time administrator password for the device(s), allowing seamless switching between user and administrator modes. When you use the password, SOTI MobiControl automatically generates a new password and syncs it with the device. You can view this on the Device Details card.
Note: If the device goes offline and the new password is not synced, the old password continues to work until the new password is successfully synced.

Dynamic admin password
Revert to User Mode Enable this option to automatically switch from Administrator mode to User mode after a specified timeout. Use the slider to set the interval between 5 and 120 minutes, with a default setting of 30 minutes.

Revert to User Mode setting
Restrict Administrator Password Attempts Restrict the number of password attempts a user can make for an administrator account before enforcing a lockout. Specify the number of wrong password attempts allowed before the account is temporarily locked. Set the duration of the account lockout once the user reaches the maximum number of password attempts.

Restrict Administrator Password Attempts
Note: The Device and Work Profile tabs of the Android Enterprise Authentication profile configuration offer similar settings. However, they affect devices differently.

  • Use Device to apply authentication settings to an entire device.

  • Use Work Profile to apply authentication settings to only the Work Profile part of the device.

If you are applying a user password policy to a work profile on an Android Enterprise device, in the Work Profile tab, enable the Enforce Work Profile Password Policy toggle.

Device Password Policy

Choose an option from the dropdown menu to assess how the authentication policy applies.

  • Allow User to Configure: The device user chooses how to secure the device.
  • Disable Lockscreen: Disable all lock screen security settings. This is the same as choosing None as the security type on the device. Setting a password, PIN, or pattern, re-enables the lock screen.
  • Enable Password Enforcement: The device user must follow the requirements as set by this profile configuration.
    Note: You must choose Enable Password Enforcement to apply an authentication policy.

Minimum Complexity

Password Quality Select the minimum password quality. Password quality options listed are in order of security strength, from least to most secure. Device users can use any password type option that is more secure than the selected minimum.
  • Biometric (for example: fingerprint, face recognition, iris recognition)
  • Pattern
  • PIN
  • Alphabetical
  • Alphanumeric
Password/PIN Length Set the minimum password or PIN length.
Complex Characters Set the minimum number of complex (non-alphanumeric) characters required.

History

Maximum Password Age Toggle on Maximum Password Age to enter the number of days before prompting a user to enter a new password.
Unique Passwords Before Reuse Toggle on Unique Passwords Before Reuse to select the number of unique passwords a user must set before reusing an earlier password.

Policy

Screen Timeout Toggle on Screen Timeout to set a maximum inactive time before the screen locks.
Device Authentication Wipe Policy Toggle on Device Authentication Wipe Policy to set a maximum limit on entering wrong passwords before a device is automatically wiped.
Strong Authentication Requirement Enable this option to force device users to enter a strong authentication type (such as a PIN, pattern, or password) to unlock their device. Set an interval (in hours) that specifies how often a device user must use a strong authentication type (such as a PIN, pattern, or password) to unlock their device.