Local App Authentication profiles (UI)
Configuring the Local App Authentication policy
Use a Local App Authentication profile to set these options with the Local App Authentication policy. (See Policy profiles for general information about managing policy profiles.)
Click Apps, then Android or iOS, then the app you want to secure. The App details screen appears.
Click the settings gear on the Local App Authentication panel. The Policy details page appears, where you can create a new profile or edit an existing profile.
On the Policy details page, click + Local App Authentication Profile to create a new profile, or click the View/Edit profile icon next to an existing profile to edit it.
On the Local App Authentication profile page, enter the Profile name and description, then select the desired policy options.
Policy option | Description |
---|---|
Security Method | Required. Passphrase or PIN. |
Minimum passphrase/PIN length | Required. The minimum number of characters required for a user passphrase or PIN (as selected in "Security Method"). Longer passphrases and PINs are more secure, but require more effort from the user. |
Re-authentication | Optional. If selected, the user must enter their local passphrase or PIN whenever switching between apps, or when the secured app is idle for the configured number of minutes. On Android, there is a 3-second grace period when switching apps before re-authentication is required. |
Passphrase character types | (Passphrase only.) Passphrase must contain at least one of each selected character type:
|
Passphrase/PIN complexity | Optional. If selected, the user must select a complex passphrase or PIN. Complex passphrases may not contain four or more of each of the following:
|
Passphrase/PIN history | Optional. If selected, the user cannot repeat a previously used passphrase when setting a new one. |
Maximum age rule | Optional. If selected, the user must change the passphrase at a regular interval. You can set a reminder for the user as well. |
Invalid passphrase/PIN handling | Enable/disable lockout and select the number of attempts before locking the user out. If this feature is enabled, and the user is locked out after the specified number of invalid attempts, then the app allows the user to re-authenticate with their gateway enrollment credentials and set a new local app passcode. |
Biometric authentication* | If selected, the user can authenticate with fingerprint or Face ID (as available on the device). |
Unattended login* | If selected, an app launched in the background is allowed to access information secured by local app authentication. User interactions with the app still require local app authentication. For example, an app may not require the main UI to be available for certain tasks, such as an email client fetching emails and sending notifications for new email. This option allows the app's background processing to run without asking the user to enter local app authentication credentials. Once the user is ready to interact with the app, the app prompts for local app authentication as usual.
|
* Biometric authentication and unattended login are convenience features. Enabling them can weaken the app's security.
Applying the Local App Authentication policy
Click Apps, then Android or iOS, then the app you want to secure. The App details screen appears.
Under Policies to apply, click the triangle to expand the Local App Authentication panel.
Select "Enable Local App Authentication policy."
Choose the Local App Authentication profile from the menu.
Click Apply policies.