Local App Authentication profiles (API)
Local App Authentication parameters
Use these parameters in the JSON data structure when you apply the Local App Authentication policy (POLICY_CODE_LOCAL_AUTH) to an app with app-market/policy. Numeric values are passed as strings; durations are in minutes.
| Parameter | Description |
| --- | --- |
| pass_alpha | Optional. Whether the passphrase must include alphabetic characters. |
| pass_alpha_lower | Optional. Whether the passphrase must include lowercase alphabetic characters. |
| pass_alpha_upper | Optional. Whether the passphrase must include uppercase alphabetic characters. |
| pass_change_reminder | Default number of minutes in advance at which users are warned that their passphrases are about to expire. (The Policy Console GUI allows administrators to configure this reminder in days. If you apply this policy via the REST API directly, set this reminder in minutes.) |
| pass_complexity | Optional. Whether the passphrase or PIN must be complex. Complex passphrases or PINs may not contain four or more of each of the following: |
| pass_fingerprint | Whether the user can authenticate with a fingerprint on a supported platform. See Local App Authentication for a list of devices supporting fingerprint authentication. |
| pass_history_count | Optional. Number of previous passphrases to store, if pass_history_enabled is set to 1. Valid values: integers > 0, passed as a string. |
| pass_invalid_action | Optional. Action to take when a user enters an invalid passphrase: When a user is locked out, the policies of the backend authentication provider (such as Active Directory) control the lockout recovery behavior. Refer to your authentication provider's documentation for instructions on setting a policy that specifies the actions taken when a user has exceeded the maximum number of consecutive attempts. |
| pass_invalid_retries | Optional. If pass_invalid_action is set to lockout, the number of retries allowed before the user is locked out of the app. Valid values: positive integers. |
| pass_max_age | Optional. The longest time in minutes a user may use a single passphrase. Valid values: integers > 0, passed as a string. These values correspond to the values available via the Policy Console. For example, to make the passphrase expire once a day, set pass_max_age to 1440 (days converted to minutes): |
| pass_min_length | Optional. The minimum number of characters required for the user passphrase. Longer passphrases are more secure but require more effort from the user. Valid values: 6, 7, 8, 9, 10, 11, 12 (passed as a string). |
| pass_numeric | Optional. Whether the user's passphrase must include digits. |
| pass_reauth_appswitch | Optional. Whether to require re-authentication whenever a user switches between apps or returns to the secured app after being idle. On Android, there is a 3-second grace period when switching apps before re-authentication is required. |
| pass_security_method | Required. Passphrase or PIN. |
| pass_special | Optional. Whether the user's passphrase must include at least one character that is neither a letter nor a numeral. |
| pass_timeout | Optional. The length of time in minutes the app can stay inactive before the policy prompts again for the passphrase. A value of "0" indicates that no user inactivity timeout is applied. Valid values: integers > 0, passed as a string. Blue Cedar recommends setting pass_timeout to 15 minutes as the session timeout due to user inactivity. If the Blue Cedar Gateway is used as the VPN server, Blue Cedar additionally recommends setting the gateway configuration parameter max-session-duration to a larger value than pass_timeout; this provides an additional layer of protection for an idle app. However, if pass_timeout is set to 0, then max-session-duration alone controls the session timeout for an inactive app. For details about the max-session-duration parameter, see the Gateway IT Administrator's Guide. |
| pass_unattended_login | Optional. Whether to allow the app to perform "unattended login" to run background tasks, while still requiring local app authentication for user-initiated app launches. |
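The following is an added example (not Blue Cedar code) that builds and checks the `data` structure from the table above before it is sent with `-F data=`: values are strings, durations are minutes, pass_min_length is limited to 6 to 12, lockout needs a retry count, and a pass_timeout of 0 is flagged because the gateway's max-session-duration then governs idle sessions. The rule names and the 15-minute recommendation are taken from the table; the validator itself is an assumption about how one would enforce them client-side.

```python
import json

# Flag parameters documented above: "whether ..." values, passed as "0" or "1".
FLAG_PARAMS = {
    "pass_alpha", "pass_alpha_lower", "pass_alpha_upper", "pass_complexity",
    "pass_fingerprint", "pass_numeric", "pass_reauth_appswitch", "pass_special",
    "pass_unattended_login",
}
# Parameters documented as "integers > 0, passed as a string" (minutes or counts).
POSITIVE_INT_PARAMS = {"pass_max_age", "pass_change_reminder",
                       "pass_history_count", "pass_invalid_retries"}
PASS_MIN_LENGTH_VALUES = {str(n) for n in range(6, 13)}
RECOMMENDED_TIMEOUT = "15"  # minutes, the pass_timeout value the table recommends


def days_to_minutes(days: int) -> str:
    # The Policy Console shows days; the REST API takes minutes as a string.
    return str(days * 24 * 60)


def validate_local_auth(data: dict) -> tuple[list[str], list[str]]:
    """Return (errors, warnings) for a Local App Authentication data structure."""
    errors, warnings = [], []
    if not data.get("pass_security_method"):
        errors.append("pass_security_method is required (passphrase or PIN)")
    for key in sorted(FLAG_PARAMS & data.keys()):
        if data[key] not in ("0", "1"):
            errors.append(f"{key} must be the string '0' or '1'")
    for key in sorted(POSITIVE_INT_PARAMS & data.keys()):
        value = data[key]
        if not (isinstance(value, str) and value.isdigit() and int(value) > 0):
            errors.append(f"{key} must be an integer > 0 passed as a string")
    if "pass_min_length" in data and data["pass_min_length"] not in PASS_MIN_LENGTH_VALUES:
        errors.append("pass_min_length must be one of '6'..'12'")
    if data.get("pass_invalid_action") == "lockout" and "pass_invalid_retries" not in data:
        errors.append("pass_invalid_retries is needed when pass_invalid_action is 'lockout'")
    timeout = data.get("pass_timeout")
    if timeout is not None:
        if not (isinstance(timeout, str) and timeout.isdigit()):
            errors.append("pass_timeout must be an integer >= 0 passed as a string")
        elif timeout == "0":
            warnings.append("pass_timeout '0' disables the inactivity timeout; "
                            "the gateway's max-session-duration then governs it")
        elif int(timeout) > int(RECOMMENDED_TIMEOUT):
            warnings.append(f"pass_timeout {timeout} exceeds the recommended "
                            f"{RECOMMENDED_TIMEOUT} minutes")
    return errors, warnings


def build_data_field(data: dict) -> str:
    """Serialise the structure for the `data` form field, refusing invalid input."""
    errors, _ = validate_local_auth(data)
    if errors:
        raise ValueError("; ".join(errors))
    return json.dumps(data, separators=(",", ":"))
```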
Local App Authentication API resources
To manage Local App Authentication profiles, use these resources:
- profile : Use type="local_auth" to create a Local App Authentication profile. See example below.
- profile/catalog/{policytype} : Use "local_auth" for "{policytype}". GET returns an array of details for all policy profiles of the specified type.
- profile/{GUID} : Use the profile ID to specify a policy profile. GET returns details for the specified profile, PUT updates the details in the specified profile, and DELETE archives the profile.
- settings/local-auth-default-profile (settings/{policytype}-default-profile): POST sets one of the DAR profiles as the default. GET returns the GUID of the current default profile. DELETE archives the current default.
To retrieve details for the policy:
- app-policy/{GUID} : Use the policy ID to specify a policy. GET returns details for the specified policy.
- app-policy/code/{code} : Use POLICY_CODE_LOCAL_AUTH to specify the policy. GET returns details for the specified policy.
To secure apps with the Local App Authentication policy, use this resource:
- app-market/policy : Use the policy GUID to apply the policy to an app.
Creating a Local App Authentication profile
This example creates a Local App Authentication profile with the profile API, specifying all options.
Request

```bash
curl -k -v -L -b c.txt -c c.txt -X POST http://bc.qwe.com/mocana-app-control/rest/profile \
-F name="TestProfile" \
-F type="local_auth" \
-F desc="Default Profile" \
-F data="{\"pass_security_method\":\"passphrase\",\"pass_reauth_appswitch\":\"1\",
\"pass_synchronize\":\"0\",\"pass_min_length\":\"16\",\"pass_alpha\":\"1\",
\"pass_alpha_lower\":\"1\",\"pass_alpha_upper\":\"1\",\"pass_numeric\":\"1\",
\"pass_special\":\"1\",\"pass_complexity\":\"1\",\"pass_change_reminder\":\"14400\",
\"pass_invalid_action\":\"lockout\",\"pass_invalid_retries\":\"10\",\"pass_fingerprint\":\"1\",
\"pass_history_count\":\"10\",\"pass_max_age\":\"525949\",\"pass_timeout\":\"60\",\"pass_unattended_login\":\"1\"}"
```