Enable the Local App Authentication policy in the Blue Cedar Platform to require the user to authenticate to an app using a PIN, passphrase, or fingerprint when the app first launches. You can also configure the policy to require re-authentication after a period of user inactivity or when the user switches between different apps and returns to the original app.
If the user forgets the Local App Authentication passcode, they can be locked out of the app. To allow lockout recovery, you need to enable it on the gateway.
Note: By default, the gateway does not lock out apps if a user exceeds the number of invalid logins that the company policy permits. If you want to lock out users from their apps because of the number of invalid logins, then you must configure your authentication system (such as Active Directory) to do so.
CLI commands for setting lockout recovery
To enable lockout recovery for the Local App Authentication policy, perform these two steps:
Enable lockout recovery on the gateway:
% set aaa auth-group groupname lockout-recovery-enable true
Configure the passphrase for keystore access:
% set aaa lockout-recovery-passphrase <string>
Note: Do not change the value for the lockout-recovery-passphrase after you set it and enable the lockout recovery feature. Changing the passphrase after clients have used it can result in the clients not being able to recover if the passphrases become unsynchronized.
You must also ensure that the same passphrase is set on all gateways clustered for load-balancing purposes.
Clear certificate after lockout recovery
Use this command to clear client certificates from devices after the user performs lockout recovery. With this feature enabled, users must complete the certificate enrollment process again, using their gateway credentials (not their local app authentication credentials).
% set aaa auth-group default wipe-certificate-on-recovery true
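The two requirements above that are easy to get wrong in a load-balanced deployment are that lockout recovery is enabled for the auth-group on every gateway and that every gateway carries the identical lockout-recovery-passphrase. The following Python audit script is an added example, not Blue Cedar code or a Blue Cedar tool. It assumes that each gateway's configuration can be exported as plain `set aaa ...` command lines of the same form shown in this topic (that export format is an assumption); the gateway names, passphrases and the auth-group name `default` in the sample data are constructed for the example. Passphrases are compared by a SHA-256 fingerprint so the report never prints the secret itself.

```python
"""Audit lockout-recovery settings across clustered gateways.

Assumption (not from the documentation): each gateway's configuration is
available as `set aaa ...` command lines, in the syntax the topic shows.
"""
import hashlib
import shlex

# Constructed sample exports for a three-node load-balancing cluster.
# gw-3 deliberately has recovery disabled and a mistyped passphrase.
SAMPLE_EXPORTS = {
    "gw-1": """
set aaa auth-group default lockout-recovery-enable true
set aaa lockout-recovery-passphrase correct-horse-battery
set aaa auth-group default wipe-certificate-on-recovery true
""",
    "gw-2": """
set aaa auth-group default lockout-recovery-enable true
set aaa lockout-recovery-passphrase correct-horse-battery
set aaa auth-group default wipe-certificate-on-recovery true
""",
    "gw-3": """
set aaa auth-group default lockout-recovery-enable false
set aaa lockout-recovery-passphrase correct-horse-batery
""",
}


def parse_aaa_settings(export_text):
    """Extract the lockout-recovery passphrase and per-auth-group settings.

    Returns {"passphrase": str | None, "groups": {group: {key: value}}}.
    Lines that are not `set aaa ...` commands are ignored.
    """
    settings = {"passphrase": None, "groups": {}}
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line.startswith("set aaa "):
            continue
        tokens = shlex.split(line)  # handles a quoted passphrase containing spaces
        if len(tokens) < 3:
            continue
        if tokens[2] == "lockout-recovery-passphrase" and len(tokens) == 4:
            settings["passphrase"] = tokens[3]
        elif tokens[2] == "auth-group" and len(tokens) == 6:
            # set aaa auth-group <group> <key> <value>
            group = settings["groups"].setdefault(tokens[3], {})
            group[tokens[4]] = tokens[5]
    return settings


def passphrase_fingerprint(passphrase):
    """Short SHA-256 prefix so gateways can be compared without revealing the secret."""
    return hashlib.sha256(passphrase.encode("utf-8")).hexdigest()[:12]


def audit_cluster(exports, group="default"):
    """Return a list of findings; an empty list means the cluster is consistent."""
    findings = []
    fingerprints = {}
    for name, text in exports.items():
        parsed = parse_aaa_settings(text)
        group_settings = parsed["groups"].get(group, {})
        if group_settings.get("lockout-recovery-enable") != "true":
            findings.append(
                f"{name}: lockout-recovery-enable is not true for auth-group {group}"
            )
        if parsed["passphrase"] is None:
            findings.append(f"{name}: lockout-recovery-passphrase is not set")
        else:
            fingerprints[name] = passphrase_fingerprint(parsed["passphrase"])
    # Every gateway in the cluster must share one passphrase; otherwise a client
    # that recovers against one node cannot recover against another.
    if len(set(fingerprints.values())) > 1:
        detail = ", ".join(f"{n}={fp}" for n, fp in sorted(fingerprints.items()))
        findings.append(f"lockout-recovery-passphrase differs across gateways ({detail})")
    return findings


if __name__ == "__main__":
    for finding in audit_cluster(SAMPLE_EXPORTS) or ["cluster is consistent"]:
        print(finding)
```

Run against the constructed sample, the audit reports that gw-3 has recovery disabled and that the passphrase fingerprints diverge; fixing gw-3 to match gw-1 and gw-2 makes the finding list empty. The fingerprint output is what you would paste into a change ticket, since it proves the passphrases match without recording the passphrase anywhere.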