Authentication


The Authentication Policy option in the MobiControl Security Center dialog box allows administrators to set up device-side, password-based user authentication. The same option also allows administrators to create authentication actions: device-side scripts that execute when user authentication either succeeds or fails. For example, an administrator might create a script that locks the device for 30 minutes if authentication fails three times in a row.

To enable Authentication Security for a device or group of devices, select Authentication Policy from the MobiControl Security Center. (Please see the Device Security and Control page.)

Device Authentication Configuration dialog box

For assistance with Override Settings, see the Override Settings topic.

Administrators can configure an administrator password and a user password. When the administrator password is entered, the device is unlocked so that the administrator has complete access to the device. When a user password is entered, the user will have access to only those programs that the administrator has configured. An administrator can allow users to run all programs or only specific programs. Please see the Device Lockdown page and Application Run Control page for more details.

Administrator Device Password prompt

Administrator Password

To specify an administrator password, first ensure that the Enable Password Authentication box is checked, and then click the Configure button in the administrator password section. This brings up the dialog box below. Enter the desired password in the two text boxes provided and click OK. Configuring the administrator password is a prerequisite for all the other security configurations. On the device, to reach the administrator password prompt, click the Options button on the password screen, select Administrator, and click OK.

General tab of the Configure Password Settings dialog box

Administrator Authentication Events and Actions

Advanced tab of the Configure Password Settings dialog box

You can specify actions for administrator authentication events. For example, you may wish to wipe all data on the device after 10 consecutive failed log-in attempts. To create, edit, or remove an action, open the Advanced tab of the Configure Password Settings dialog box. To add an action, click Add; MobiControl prompts you for the event that triggers the new action, which can be either a successful login or a given number of consecutive failed attempts. After making your selection, click OK to open the Action Configuration dialog box (see the Configuring Event Scripts page for details). To edit an existing action, select it in the list and click Edit; a small menu lets you choose whether to edit the triggering event or the action itself. To delete an action, select it in the list and click Delete.

User Password and Policy

To specify a user password, first ensure that the Enable Password Authentication box is checked, and then click the Configure button in the user password section. You must specify an administrator password before you can specify a user password. MobiControl provides a dialog box similar to that used for administrator passwords. The User Password dialog box also allows you to specify a password policy.

When you have configured a password or chosen Active Directory-based authentication, MobiControl will queue up the delivery of packages and settings targeted to the device, and only install the packages and settings once the user has been authenticated.

There are four options with regard to user authentication:

No Authentication
    No user authentication is set. Any user can access the mobile device without any authentication.

Standard User Authentication
    The administrator must specify a password that the user enters to access the mobile device. This password is unique to MobiControl and can be managed only through MobiControl.

Windows Active Directory Authentication
    MobiControl enforces Active Directory authentication for users on their mobile devices. The end user must enter their Active Directory credentials when logging on to the device. If the administrator changes the user's Active Directory profile, MobiControl propagates the changes down to the mobile device.

Prompt for password if device is unused for
    This option can be used with both Standard and Windows Active Directory Authentication. When it is enabled and the mobile device is unused for the specified period of time, the user is prompted to enter the password again and re-authenticate.

    The time value only works on Windows Mobile 5 (or later) devices. On all other platforms, enabling this setting causes the device to prompt for a password when it wakes from sleep mode.

    Note: The device must be soft reset (i.e. powered off and back on) for the change to take effect.

A user password policy specifies whether or not users can change their passwords and what minimum complexity requirements those passwords must meet (if any). Complexity requirements can include minimum length and uppercase, lowercase, numeric, and special character requirements.

User Device Password prompt

User Password Settings

When Standard Authentication is selected, a password is specified for the user and the configured complexity requirements are enforced on it. If the user password does not meet the complexity requirements, MobiControl prompts you to change the user password within MobiControl Manager.

Note:

When you click the Reset Password button, the password is reset instantly, so there is no need to click the OK button. See the Device Lockdown page if you would like to add a custom bitmap background image to your password prompt banner.

User Password Settings dialog box

Offline User Password Reset

If a user has forgotten his or her password and cannot connect to the Deployment Server, an offline user password reset may be used to change the user password. This feature is only available for standard user authentication.

To do an offline password reset, the user must click the Options button on the password entry screen and select Forgot Password? The device then displays a request code, which is needed to obtain the unlock code.

In order to generate an unlock code within the MobiControl Manager, use the following steps:

  1. Right-click on the device that requires the unlock code.
  2. Click Configure Device and then click Security.
  3. Select Authentication Policy.
  4. Select Configure from the User Authentication section.
  5. Click on the Password Management button.
  6. Select Generate Unlock Code.

Once the request code has been entered, an unlock code is generated automatically. Provide this code to the user of the device.




Once the user enters the unlock code, they will be prompted to enter a new user password. The new password cannot match the old password.
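The request-code/unlock-code exchange above is a challenge/response. The following is an added example, not MobiControl's actual scheme or code, showing one way such an offline reset can be built so that the unlock code is bound to a specific device and request, is single-use, expires, and cannot be brute-forced on the device, and so that the new password must differ from the old one. The per-device secret, the code lengths, the TTL, the attempt limit and all names are assumptions chosen for illustration.

```python
"""Added example, not MobiControl's actual scheme: a challenge/response
design of the kind an offline password reset relies on.  The device shows
a random request code; the console derives an unlock code from it with a
per-device secret provisioned at enrollment; the device recomputes the
same value to verify it.  All names, the code lengths, the TTL and the
attempt limit are assumptions chosen for illustration."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

REQUEST_TTL_SECONDS = 15 * 60   # a request code is only valid for 15 minutes
MAX_UNLOCK_ATTEMPTS = 5         # wrong unlock codes allowed before the request is voided


def derive_unlock_code(device_secret: bytes, device_id: str, request_code: str) -> str:
    """Unlock code = 8 decimal digits taken from HMAC-SHA256(secret, device_id:request_code).
    Binding the device_id prevents a code issued for one device from unlocking another."""
    mac = hmac.new(device_secret, f"{device_id}:{request_code}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class ManagerConsole:
    """Server side: the administrator enters the request code the user read out."""

    def __init__(self, device_secrets: Dict[str, bytes]):
        self._secrets = device_secrets

    def generate_unlock_code(self, device_id: str, request_code: str) -> str:
        return derive_unlock_code(self._secrets[device_id], device_id, request_code)


class Device:
    """Device side: holds the provisioned secret and the current user password."""

    def __init__(self, device_id: str, device_secret: bytes, password: str):
        self.device_id, self._secret, self.password = device_id, device_secret, password
        self._pending: Optional[dict] = None   # {"code", "issued_at", "attempts"}

    def forgot_password(self, now: float) -> str:
        """User tapped Options > Forgot Password?: issue a fresh random request code."""
        code = f"{secrets.randbelow(10**8):08d}"
        self._pending = {"code": code, "issued_at": now, "attempts": 0}
        return code

    def redeem(self, unlock_code: str, new_password: str, now: float) -> str:
        if self._pending is None:
            return "no pending request"
        if now - self._pending["issued_at"] > REQUEST_TTL_SECONDS:
            self._pending = None
            return "request expired"
        expected = derive_unlock_code(self._secret, self.device_id, self._pending["code"])
        if not hmac.compare_digest(expected, unlock_code):   # constant-time compare
            self._pending["attempts"] += 1
            if self._pending["attempts"] >= MAX_UNLOCK_ATTEMPTS:
                self._pending = None                          # force a new request code
                return "too many attempts"
            return "invalid unlock code"
        if new_password == self.password:
            return "new password must differ from the old one"
        self.password = new_password
        self._pending = None                                  # unlock codes are single-use
        return "ok"
```

Because the unlock code is derived from the request code rather than being a fixed per-device value, an unlock code that leaks (for example, read over the phone) is useless once redeemed or expired, and the attempt limit keeps an 8-digit code from being guessed on the device.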

Entering a new password, notification that setting the new password was successful, and the Active Directory login prompt

Windows Active Directory Authentication

When you choose Windows Active Directory-based authentication, the MobiControl Agent authenticates the user's credentials against the Active Directory server for the configured domain. The Active Directory server must have SSL enabled, and ports 636 (LDAP over SSL) and 443 must be open between the Deployment Server and the Active Directory server. If your organization uses a non-standard port for SSL communication with the Active Directory server, append a colon ":" and the port number in the Specify domain controller field (for example, Mydomain.com:1234). If no other connection is available, the MobiControl agent will attempt to initiate a data connection, provided one has already been configured.
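The following added example (not MobiControl code) shows the two pieces of input handling the paragraph above implies, splitting the Specify domain controller value into host and port with 636 as the default, and assembling a user principal name from the UPN domain whether it is written as domain.corp.mycompany.com or @mycompany.com, plus a pre-check a practitioner would run before rolling this out: open a TLS connection to the domain controller and confirm that the certificate actually validates, since an LDAPS listener that is reachable but presents an untrusted or mismatched certificate will fail authentication. Host names, user names and the sample values are assumptions.

```python
"""Added example, not MobiControl code: helpers for the Active Directory
settings above.  parse_domain_controller() splits the "Specify domain
controller" value into host and port (defaulting to 636, LDAP over SSL),
build_upn() assembles the user principal name from the UPN domain, and
check_ldaps_endpoint() opens a TLS connection to confirm the SSL
requirement is actually met with a certificate that validates.  Host names
and user names are assumptions."""
import socket
import ssl
from typing import Tuple

LDAPS_PORT = 636


def parse_domain_controller(value: str) -> Tuple[str, int]:
    """'Mydomain.com:1234' -> ('Mydomain.com', 1234); 'dc01.corp.example.com' -> (..., 636).
    A bracketed IPv6 literal such as '[2001:db8::1]:636' is also accepted."""
    value = value.strip()
    if value.startswith("["):
        host, _, rest = value[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    else:
        host, sep, port = value.rpartition(":")
        if not sep:
            host, port = value, ""
    if not host:
        raise ValueError(f"no host in domain controller value {value!r}")
    if port == "":
        return host, LDAPS_PORT
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad port in domain controller value {value!r}")
    return host, int(port)


def build_upn(username: str, upn_domain: str) -> str:
    """Accepts the UPN domain written either as 'domain.corp.mycompany.com' or '@mycompany.com'."""
    if "@" in username:
        return username          # user already typed a full UPN
    return f"{username}@{upn_domain.strip().lstrip('@')}"


def check_ldaps_endpoint(host: str, port: int = LDAPS_PORT, timeout: float = 5.0) -> dict:
    """Connect with TLS, verify the chain against the system trust store and the
    host name, and return the peer certificate subject and expiry.
    Raises ssl.SSLCertVerificationError (or OSError) when the requirement is not met."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED + hostname checking
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "subject": dict(rdn[0] for rdn in cert["subject"]),
                "not_after": cert["notAfter"],
            }


if __name__ == "__main__":
    # Constructed inputs; the network check needs a real domain controller.
    host, port = parse_domain_controller("Mydomain.com:1234")
    print(host, port, build_upn("jsmith", "@mycompany.com"))
```

Run check_ldaps_endpoint() from the Deployment Server host (or wherever the LDAPS connection originates), since that is where the trust store and the firewall rules for port 636 matter; if the certificate was issued by an internal CA, that CA must be trusted there.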

Configure Active Directory Settings dialog box

Restrict users to this domain
    Select this option to force the user to be authenticated against a particular domain controller. When the domain is known ahead of time this option is recommended, as it requires the device user to enter less information.

Specify UPN domain
    Select this option to specify the domain portion of the UPN (User Principal Name) that identifies users in Active Directory. This name typically takes the form domain.corp.mycompany.com or simply @mycompany.com.

Specify Domain Controller
    Specify a domain controller to use when your Deployment Server resides in a DMZ (Demilitarized Zone). This is also useful if you have more than one domain controller and want to direct authentication to a single one.

Warn Users when their password will expire
    Advises the user that his or her password is about to expire and requests that he or she change it.

Force Users to change their password
    Forces users to change their password before it expires in Active Directory. This option is especially helpful when your Deployment Server is located in a DMZ, since in that configuration the Deployment Server is unable to facilitate the password change once the password has already expired.

Allow only a single device user
    This option locks the device to the first user who successfully logs on. Any other user will be unable to log in and use the device.

    This option must be selected if you are using Microsoft Exchange ActiveSync, since a Windows Mobile device is only capable of synchronizing with the account of a single user.

    To reset which device user is bound to a given device: while the device is online, right-click it in the device tree, click Configure Devices, then Security, then Authentication Policy, and click Configure to reach the dialog box displayed above. Then click the Reset User Binding button.

    Note: When you click the Reset User Binding button, the binding is reset instantly, so there is no need to click the OK button.

Allow all domain users to log on to the device
    Allows all domain users to log on to and use the device.

    This option is suitable only for environments where devices are shared among a group of people and no personal settings are stored on the device.

Allow users to create a simple authentication password
    Allows the user to create a simplified password and use it to log on to the device instead of their Active Directory password. This option is handy when the user's Active Directory password is very complex and too tedious to enter on the device.

    Although called "simple," you can still require a password of a given complexity by clicking the Policies button.
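The password policy described under User Password and Policy (minimum length; uppercase, lowercase, numeric and special character requirements) and the Policies button for "simple" passwords above both come down to the same check. The following is an added example, not MobiControl code, of a policy checker that reports every violated rule at once so the prompt can tell the user everything that is wrong, and that also enforces the offline-reset rule that the new password must differ from the old one. The policy field names, the two sample policies and the sample passwords are assumptions.

```python
"""Added example (not MobiControl code): a password-policy checker that
implements the complexity rules the page lists for user and "simple"
passwords (minimum length; uppercase, lowercase, numeric and special
character requirements) plus the "new password must differ" rule used
by the offline reset.  Field names and sample passwords are assumptions."""
import string
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True


# Hypothetical policies: a strict one for normal user passwords and a
# PIN-style one for the "simple authentication password" option.
STRICT = PasswordPolicy()
SIMPLE_PIN = PasswordPolicy(min_length=6, require_upper=False, require_lower=False,
                            require_digit=True, require_special=False)

SPECIAL_CHARS = set(string.punctuation)


def check_password(policy: PasswordPolicy, candidate: str,
                   previous: Optional[str] = None) -> List[str]:
    """Return the list of violated rules; an empty list means the password is acceptable.

    Every rule is evaluated (rather than stopping at the first failure) so the
    prompt can tell the user everything that is wrong at once."""
    failures = []
    if len(candidate) < policy.min_length:
        failures.append(f"shorter than {policy.min_length} characters")
    if policy.require_upper and not any(c.isupper() for c in candidate):
        failures.append("no uppercase letter")
    if policy.require_lower and not any(c.islower() for c in candidate):
        failures.append("no lowercase letter")
    if policy.require_digit and not any(c.isdigit() for c in candidate):
        failures.append("no digit")
    if policy.require_special and not any(c in SPECIAL_CHARS for c in candidate):
        failures.append("no special character")
    if previous is not None and candidate == previous:
        failures.append("matches the previous password")
    return failures


if __name__ == "__main__":
    # Constructed inputs for a quick manual run.
    print(check_password(STRICT, "password"))   # lists the three missing character classes
    print(check_password(SIMPLE_PIN, "4829"))   # too short for the PIN policy
```

A "simple" password is still the credential that unlocks the device, so the PIN-style policy above should be paired with the failed-attempt actions described below; a short numeric password without a lockout is guessable by hand.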

User Authentication Events and Actions

You can specify actions for user authentication events. For example, you may wish to wipe all the data on the device if there are 10 consecutive failed log-in attempts. To create, edit, or remove an action, click the Advanced tab of the Configure Password Settings dialog box. This will bring up the following screen:

Password Settings (Advanced)

To add an action, click Add; MobiControl prompts you for the event that triggers the new action, which can be either a successful login or a given number of consecutive failed attempts. After making your selection, click OK to open the Action Configuration dialog box (see the Configuring Event Scripts page for further details). To edit an existing action, select it in the list and click Edit; a small menu lets you choose whether to edit the triggering event or the action itself. To delete an action, select it in the list and click Delete.
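The administrator and user authentication events described above (a successful login, or a given number of consecutive failed attempts, each bound to an action) amount to a small device-side state machine. The following added example, not MobiControl code, models it with the page's own examples as rules: lock the device for 30 minutes after 3 consecutive failures and wipe it after 10. It makes two behaviours explicit that the prose leaves implicit: only a successful login resets the failure counter (a lockout expiring does not), and attempts made while the device is locked are rejected without being counted. The rule format, the action names and the sample password are assumptions.

```python
"""Added example, not MobiControl code: a device-side model of the
authentication events and actions described above.  Rules fire on a
successful login or on an exact count of consecutive failures; the
"lock" and "wipe" actions are simulated in-process.  Rule format,
action names and the sample password are assumptions."""
import hmac
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    event: str      # "success" or "failures"
    action: str     # "lock:<seconds>", "wipe", or a script name that is just logged here
    count: int = 0  # consecutive failures that trigger the rule (ignored for "success")


# Hypothetical policy taken from the page's own examples: lock for 30 minutes
# after 3 consecutive failures, wipe after 10, and run a script on every success.
RULES = [
    Rule("failures", "lock:1800", count=3),
    Rule("failures", "wipe", count=10),
    Rule("success", "log_login.vbs"),
]


class DeviceAuth:
    def __init__(self, password: str, rules: List[Rule]):
        self._password = password
        self._rules = rules
        self.consecutive_failures = 0
        self.locked_until = 0.0
        self.wiped = False
        self.log: List[str] = []   # actions that fired, in order

    def _run(self, action: str, now: float) -> None:
        if action.startswith("lock:"):
            self.locked_until = now + float(action.split(":", 1)[1])
        elif action == "wipe":
            self.wiped = True
        self.log.append(action)

    def attempt(self, candidate: str, now: float) -> str:
        """Returns "ok", "denied", "locked" or "wiped"."""
        if self.wiped:
            return "wiped"
        if now < self.locked_until:
            return "locked"   # attempts during a lockout are not counted
        if hmac.compare_digest(candidate.encode(), self._password.encode()):
            self.consecutive_failures = 0   # only a success resets the counter
            for rule in self._rules:
                if rule.event == "success":
                    self._run(rule.action, now)
            return "ok"
        self.consecutive_failures += 1  # a lockout expiring does NOT reset the counter
        for rule in self._rules:
            if rule.event == "failures" and rule.count == self.consecutive_failures:
                self._run(rule.action, now)
        return "wiped" if self.wiped else "denied"


if __name__ == "__main__":
    # Constructed run: three wrong passwords trigger the 30-minute lock.
    device = DeviceAuth("s3cret", RULES)
    for t in range(3):
        device.attempt("wrong", now=t)
    print(device.attempt("s3cret", now=10), device.log)
```

In a real agent the failure counter and the lock expiry must be persisted, otherwise a soft reset of the device clears the count and defeats the wipe threshold.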

Custom Banner

You can replace the default banners that appear on your device with custom images. The default dimensions are 214x36 pixels and the image file must be in .BMP format. Next to the Login Screen drop-down menu, click Import to browse to the .BMP file that should replace the default banner. The Device Lock Screen drop-down menu works the same way: click Import, browse to your .BMP file and, once selected, it becomes available as an option in the Device Lock Screen drop-down menu.

Operating System Integration

The Display notification screen when device is locked (Pocket PC only) check box configures the device to present a clear indication of its locked status to users.

Windows Mobile Authentication Plug-in

When the Integrate with Windows Mobile device authentication subsystem option is selected, the MobiControl agent is registered with the operating system authentication subsystem, and replaces the standard password prompt with its custom password prompt. This provides maximum security for the device because the password prompt engages immediately on device startup, ensuring the device cannot be accessed without the user first providing the user or administrator password. With this option, the password prompt is automatically re-engaged when the operating system dictates the idle timeout has expired.

This option is only applicable when both an administrator and a user password have been configured and the device is running Windows Mobile 5 or later. On devices running other operating systems, the password prompt is handled at the application layer and is not driven directly by the operating system. In some cases you may wish to disable this option to prevent the authentication plug-in from conflicting with other third-party security solutions running on the mobile device.