Local App Authentication
The Local App Authentication policy protects an app by requiring the user to authenticate to an app using PIN, passphrase, or biometric recognition when the app first launches. You can also configure the policy to require re-authentication after a period of user inactivity or when the user switches between different apps and returns to the original app.
This is an alternative to using enterprise credentials (such as an Active Directory username and password) to authenticate a Blue Cedar-protected app. The benefit is that users do not have to remember complex credentials that can change periodically, and they do not need a network connection to authenticate the app to the gateway.
This feature includes the ability to configure these options:
- Length of the PIN that the user enters
- Character requirements for passphrases (required combinations of letters, numbers, lowercase, uppercase, and special characters)
- Re-authentication behavior when the user is idle or switching between apps
- Lockout behavior if a user enters an invalid PIN too many consecutive times
- Maximum number of invalid PIN attempts before a user is locked out of an app
Local App Authentication is supported on all Blue Cedar-supported platforms. Authentication using biometric recognition is supported on these devices:
iOS 9 and later:
- iPhone 5S
- iPhone 6
- iPhone 6 Plus
- iPhone 7
- iPhone 7 Plus
- iPhone 8
- iPhone X (Face ID)
- iPad Air 2
- iPad Mini 3
- iPad Pro
Android Marshmallow (6.0, API version 23) and later:
- Nexus 5X
- Nexus 6P
- Samsung A5 2017
- Google Pixel
Using Local App Authentication with grouped apps
The Data Sharing policy allows you to designate groups of apps. All apps that are secured with this setting must also be configured with the same Local App Authentication and Secure Microtunnel profiles. This combination allows all grouped apps to share a common PIN, one-time enrollment, and Data-at-Rest key.
When the grouped apps option is enabled, the Local App Authentication policy behaves differently than it does for non-grouped apps.
For example, if the Local App Authentication policy requires re-authentication after 5 minutes of inactivity, a user who re-launches a non-grouped app after 5 minutes of inactivity must re-authenticate. If the app is instead secured as a grouped app with the same re-authentication setting, the idle timeout is calculated for the entire group: if a user authenticates with a Local App Authentication PIN to one app and then switches to another app in the group, neither app times out. In other words, even though the first app is idle, the group as a whole is not.
Note that a single non-grouped app secured with Local App Authentication may behave differently from a single app that is secured with Local App Authentication and is also configured as a grouped app (that is, the grouped apps option is enabled in the Data Sharing policy, even though the user has no other grouped apps).
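The two behaviours described above, the per-app versus per-group idle timeout and the lockout after too many consecutive invalid PIN attempts, as an added model in Python. This is not Blue Cedar's code or API; the policy fields, the 5-minute timeline, the salt and the PIN values are all constructed for illustration, and each event is treated as an instantaneous interaction with the named app.

```python
"""Model of Local App Authentication idle-timeout and PIN-lockout behaviour.
Constructed example: names, timings and PINs are assumptions, not Blue Cedar's API."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class LocalAuthPolicy:
    idle_timeout: int   # seconds of inactivity after which the user must re-authenticate
    grouped: bool       # Data Sharing "grouped apps" option enabled for these apps
    max_attempts: int   # consecutive invalid PIN entries allowed before lockout


def auth_prompts(policy, events):
    """events: (app_name, seconds) foreground interactions in time order.
    Returns the events at which the user must enter the PIN. For grouped apps the
    idle timer is shared by the whole group; otherwise each app keeps its own."""
    last_active = {}
    prompts = []
    for app, t in events:
        key = "<group>" if policy.grouped else app
        prev = last_active.get(key)
        if prev is None or t - prev > policy.idle_timeout:   # first launch or idle too long
            prompts.append((app, t))
        last_active[key] = t
    return prompts


class PinGate:
    """Verifies a PIN against a salted PBKDF2 hash; locks after max_attempts failures in a row."""
    def __init__(self, policy, pin, salt=b"constructed-salt"):
        self.policy, self.salt, self.failures = policy, salt, 0
        self.digest = self._hash(pin)

    def _hash(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 50_000)

    def verify(self, pin):
        if self.failures >= self.policy.max_attempts:
            return "locked"
        if hmac.compare_digest(self._hash(pin), self.digest):   # constant-time comparison
            self.failures = 0                                   # success resets the counter
            return "ok"
        self.failures += 1
        return "locked" if self.failures >= self.policy.max_attempts else "retry"


if __name__ == "__main__":
    # Constructed timeline: app A at t=0, app B at t=200, back to A at t=400, A again at t=800.
    events = [("A", 0), ("B", 200), ("A", 400), ("A", 800)]
    print(auth_prompts(LocalAuthPolicy(300, grouped=False, max_attempts=5), events))
    print(auth_prompts(LocalAuthPolicy(300, grouped=True, max_attempts=5), events))
```

With a 5-minute timeout the non-grouped run prompts at every event, while the grouped run prompts only at t=0 and t=800, because switching to app B at t=200 keeps the whole group active.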
Updating apps
Prior to Release 3.19, when updating an app secured with Local App Authentication to a version not secured with Local App Authentication, or vice versa, Blue Cedar recommended asking your users to delete the old version and install the new version rather than updating in place.
Release 3.19+ supports configuration migration, so that users can update in place (without deleting and reinstalling) even if your Local App Authentication configuration changes.
Local App Authentication profiles are managed via the web interface (UI) or the REST API.