The following sections describe the user experience:
Note: By default this feature is enabled: in the Secure Microtunnel profile, under Client certificate provisioning mode, the "Enable automatic client certificate provisioning" checkbox is selected. To disable it, clear the checkbox. (In the Secure Microtunnel REST API profile, set vpnCertProvType.) For more details, see Secure Microtunnel.
Setting the local app passcode
This sample procedure assumes that Compass is secured with the Local App Authentication policy, configured to require a 6-character PIN. (Other apps secured with Local App Authentication behave the same way.) In addition, the first time users open an app secured with the Secure Microtunnel policy, they must enroll to establish their credentials with the gateway.
(Screenshots may differ per device.)
When the user starts the app for the first time, the Create a passcode screen appears. This screen lists the passcode requirements set when the app was secured (character types, passcode length, and so on). Here the user sets an app-level passcode, which is required whether or not the device has network connectivity.
The user enters a passcode and verifies it on the next screen.
Upon success, the enrollment screen appears.
Certificate enrollment for app login
Note: The certificate enrollment procedure is a one-time procedure that occurs when launching a secured app (or the first app in a group of apps) for the first time.
After the user sets up a local app passcode, the Authentication Required screen appears for certificate enrollment.
The user enters their Blue Cedar gateway credentials, as provided by the IT department, and taps Login.
The first screen of the app appears.
At this point, the user can use the app as normal. All connections are secured from the app itself through to the extended enterprise backend.
Using the app after enrollment
If users close the app or it times out, they enter their local app passcode or biometric ID to re-authenticate to the app. If the Local App Authentication policy is configured to require re-authentication when switching apps, users must enter their local app passcode or biometric ID each time they return to the app.
On platforms that support Blue Cedar biometric authentication, users see a biometric prompt when starting an enrolled app secured with Local App Authentication.
This prompt accepts a fingerprint or Face ID that matches the one already enrolled on the device; no additional Blue Cedar configuration is needed. If the user taps Cancel, the Enter your passcode screen appears. Once the user supplies a valid fingerprint or passcode, they are connected to the app.
If the user's biometric ID fails three times in a row, the Enter your passcode screen appears.
If the user enters the wrong passcode three times in a row, the app is locked. (The administrator can configure the number of invalid attempts allowed.)
When the user chooses "Forgot Password" or reaches the limit of consecutive invalid attempts, this message appears:
Authentication Lockout. Press Continue to re-authenticate and begin recovery.
The user must then re-authenticate to the gateway using the enrollment procedure, as if it were the first time using the app, and then set a new local app passcode. The previous passcode is discarded during recovery, so a forgotten passcode cannot be recovered locally; the gateway credentials are the only way back in.
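The three sections above describe one authentication flow: passcode setup, one-time gateway enrollment, re-authentication by biometric or passcode, and lockout recovery. The following is an added example that models that flow as a small state machine; it is not Blue Cedar code, and the names AppAuth, PasscodePolicy and GATEWAY_USERS, the constructed gateway credential table, and the salted PBKDF2 passcode storage are assumptions. The limits (a 6-digit PIN, three biometric failures before the passcode screen, three bad passcodes before lockout) follow the text, with the passcode limit left configurable as the page says it is.

```python
"""Model of the Local App Authentication flow described on this page.
Added illustration, not Blue Cedar code; AppAuth, PasscodePolicy and
GATEWAY_USERS are hypothetical. Limits follow the text: 6-digit PIN, three
biometric failures before the passcode screen, configurable passcode attempt
limit (default three) before "Authentication Lockout"."""
import hashlib, hmac, os
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Optional


class State(Enum):
    SET_PASSCODE = auto()  # "Create a passcode" screen
    ENROLL = auto()        # "Authentication Required": gateway login
    REAUTH = auto()        # app closed, timed out or switched away
    ACTIVE = auto()        # user is in the app
    LOCKOUT = auto()       # "Authentication Lockout" message


@dataclass
class PasscodePolicy:
    min_length: int = 6
    digits_only: bool = True        # the sample procedure requires a PIN
    max_failures: int = 3           # administrator-configurable
    max_biometric_failures: int = 3

    def check(self, passcode: str) -> Optional[str]:
        if len(passcode) < self.min_length:
            return "passcode must be at least %d characters" % self.min_length
        if self.digits_only and not passcode.isdigit():
            return "passcode must contain only digits"
        return None  # acceptable


GATEWAY_USERS = {"alice": "correct horse battery"}  # constructed stand-in for the gateway


@dataclass
class AppAuth:
    policy: PasscodePolicy = field(default_factory=PasscodePolicy)
    state: State = State.SET_PASSCODE
    enrolled: bool = False
    biometric_offered: bool = True
    _salt: bytes = field(default_factory=lambda: os.urandom(16), repr=False)
    _digest: Optional[bytes] = field(default=None, repr=False)
    _failures: int = 0      # consecutive bad passcodes; NOT reset by closing the app
    _bio_failures: int = 0  # consecutive biometric failures at this prompt

    def _hash(self, passcode: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._salt, 100_000)

    def set_passcode(self, passcode: str, confirm: str) -> Optional[str]:
        """'Create a passcode' screen: returns an error string, or None on success."""
        assert self.state is State.SET_PASSCODE
        reason = self.policy.check(passcode)
        if reason is None and passcode != confirm:
            reason = "passcodes do not match"
        if reason is not None:
            return reason
        self._salt, self._failures = os.urandom(16), 0
        self._digest = self._hash(passcode)
        self.state = State.ACTIVE if self.enrolled else State.ENROLL
        return None

    def enroll(self, user: str, password: str) -> bool:
        """'Authentication Required' screen: one-time gateway login."""
        assert self.state is State.ENROLL
        if not hmac.compare_digest(GATEWAY_USERS.get(user, "").encode(), password.encode()):
            return False
        self.enrolled = True  # after lockout recovery a new passcode is set next
        self.state = State.ACTIVE if self._digest is not None else State.SET_PASSCODE
        return True

    def lock_for_reauth(self) -> None:  # app closed, timed out or switched away
        self.state, self.biometric_offered, self._bio_failures = State.REAUTH, True, 0

    def biometric(self, matched: bool) -> State:
        assert self.state is State.REAUTH and self.biometric_offered
        if matched:
            self.state, self._failures = State.ACTIVE, 0
        else:
            self._bio_failures += 1
            if self._bio_failures >= self.policy.max_biometric_failures:
                self.biometric_offered = False  # fall back to "Enter your passcode"
        return self.state

    def passcode(self, passcode: str) -> State:
        assert self.state is State.REAUTH
        if self._digest is not None and hmac.compare_digest(self._digest, self._hash(passcode)):
            self.state, self._failures = State.ACTIVE, 0
        else:
            self._failures += 1
            if self._failures >= self.policy.max_failures:
                self.state = State.LOCKOUT  # also reached via "Forgot Password"
        return self.state

    def begin_recovery(self) -> None:
        """'Press Continue to re-authenticate and begin recovery.'"""
        assert self.state is State.LOCKOUT
        self.enrolled, self._digest, self._failures = False, None, 0
        self.state = State.ENROLL
```

Two design points worth noticing when checking a real implementation against this flow: the wrong-passcode counter is deliberately not reset by lock_for_reauth, so closing and reopening the app cannot be used to avoid the lockout; and begin_recovery discards the stored passcode digest before re-enrollment, so after recovery the old passcode no longer works and the user must set a new one, matching the order the page describes (gateway login first, then a new passcode). Tapping Cancel on the biometric prompt corresponds to setting biometric_offered to False.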