Fingerprint login for AppConnect apps for Android

Fingerprint login for AppConnect apps gives the device user the convenience of using a fingerprint instead of an AppConnect passcode to access AppConnect apps. When using fingerprint login, the user still creates an AppConnect passcode. If fingerprint authentication fails, the user enters the AppConnect passcode to access AppConnect apps.

The Secure Apps Manager gives the device user the choice to use fingerprint or an AppConnect passcode. This choice is useful when a device is shared among multiple users, such as co-workers or even a family, each of whom uses a fingerprint to access the device. Although all the users can access the device with fingerprint, sometimes only one of those users should be allowed to access AppConnect apps. That user can choose to use the AppConnect passcode instead of fingerprint for accessing AppConnect apps. Because the user can make this choice, access to AppConnect apps can be limited to the appropriate device user even when several people can unlock the device.

Required product versions for fingerprint login for AppConnect for Android

The following table shows the required product versions for fingerprint login for Android secure apps.

Table 17.   Required product versions for fingerprint login for secure apps

Product                    Version
Mobile@Work for Android    9.5.0.0 and supported newer versions
Secure Apps Manager        8.0 and supported newer versions
Android                    6.0 and supported newer versions

Requirements for fingerprint login for AppConnect for Android

Device users can use a fingerprint to access AppConnect apps for Android if the following are true:

  • The product versions meet the requirements in Required product versions for fingerprint login for AppConnect for Android.
  • The device has a fingerprint reader.
  • The fingerprint option is set as follows in the Ivanti UEM:

    On the MobileIron Core Admin Portal,

    • The fingerprint option is enabled in the AppConnect global policy.
    • The block fingerprint option is not enabled in the Security policy.

      If fingerprint in the security policy is blocked, selecting the fingerprint option in the AppConnect global policy has no impact.

If all of the above are true, Secure Apps Manager gives device users the choice whether to use fingerprint or use an AppConnect passcode to access AppConnect apps.

In addition to choosing fingerprint, device users also create an AppConnect passcode. The AppConnect passcode is required whenever fingerprint login fails or is unavailable, for example after the device restarts.
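The requirements above can be turned into a pre-flight check before a rollout. The following Python helper is an added example written for this page, not Ivanti or MobileIron code. It assumes the policy settings have already been read out of the Admin Portal into the fields shown (the field names, the minimum-version table and the sample values are constructed for the example, not taken from any Ivanti UEM API), and it applies the precedence rule stated above: a Block Fingerprint setting in the Security policy overrides the AppConnect global policy option.

```python
# Added example (hypothetical helper, not Ivanti/MobileIron code): predicts whether
# Secure Apps Manager will offer a device user the fingerprint-or-passcode choice,
# by checking the requirements listed in this section. Field names, the
# minimum-version table and the sample configuration are assumptions constructed
# for this example; nothing here reads a real Ivanti UEM API.
from dataclasses import dataclass

# Minimum versions from Table 17 (Mobile@Work, Secure Apps Manager, Android).
MIN_VERSIONS = {
    "mobile_at_work": "9.5.0.0",
    "secure_apps_manager": "8.0",
    "android": "6.0",
}


def parse_version(version: str, width: int = 4) -> tuple:
    """Turn '9.5.0.0' or '8.0' into a fixed-width integer tuple.

    Comparing the dotted strings directly is wrong ('9.10' < '9.5' as text),
    so each component is compared numerically; missing components count as 0.
    """
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def meets_minimum(actual: str, minimum: str) -> bool:
    """True when the installed version is the minimum or a newer one."""
    return parse_version(actual) >= parse_version(minimum)


@dataclass
class FingerprintConfig:
    """Device state plus the policy settings the requirements refer to (assumed field names)."""
    mobile_at_work_version: str
    secure_apps_manager_version: str
    android_version: str
    has_fingerprint_reader: bool
    passcode_required: bool   # AppConnect global policy: "Passcode is required for Android devices"
    use_fingerprint: bool     # AppConnect global policy: "Use fingerprint authentication when supported"
    block_fingerprint: bool   # Security policy: "Block Fingerprint (from Android 5.0 or Samsung MDM 5.3)"


def fingerprint_choice_offered(cfg: FingerprintConfig) -> tuple:
    """Return (offered, reasons); reasons lists every unmet requirement."""
    reasons = []
    checks = [
        ("mobile_at_work", cfg.mobile_at_work_version, "Mobile@Work"),
        ("secure_apps_manager", cfg.secure_apps_manager_version, "Secure Apps Manager"),
        ("android", cfg.android_version, "Android"),
    ]
    for key, actual, label in checks:
        if not meets_minimum(actual, MIN_VERSIONS[key]):
            reasons.append(f"{label} {actual} is older than the required {MIN_VERSIONS[key]}")
    if not cfg.has_fingerprint_reader:
        reasons.append("device has no fingerprint reader")
    if not cfg.passcode_required:
        reasons.append("AppConnect passcode is not required, so fingerprint login is not offered")
    # The Security policy wins: with Block Fingerprint set, the global policy
    # option has no effect, so report the block rather than the global setting.
    if cfg.block_fingerprint:
        reasons.append("Block Fingerprint is set in the Security policy; the global policy option has no effect")
    elif not cfg.use_fingerprint:
        reasons.append("Use fingerprint authentication when supported is not enabled in the AppConnect global policy")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample: the minimum supported stack with fingerprint allowed.
    baseline = FingerprintConfig("9.5.0.0", "8.0", "6.0", True, True, True, False)
    print(fingerprint_choice_offered(baseline))   # (True, [])
```

Versions are compared component by component rather than as strings, so a client at 9.10.0.0 is correctly treated as newer than the 9.5.0.0 minimum; a fleet audit that compares the raw strings would misreport such devices.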

Configuring fingerprint login for AppConnect for Android (Core)

Configure fingerprint login for AppConnect apps on the MobileIron Core Admin Portal.

Procedure 

  1. In the Admin Portal, go to Policies & Configs > Policies.
  2. Select the appropriate AppConnect global policy.
  3. Click Edit.

    The AppConnect global policy displays.

  4. Select Passcode is required for Android devices.
  5. Select Use fingerprint authentication when supported.
  6. Click Save.
  7. Select the appropriate security policy.
  8. Scroll down to the Android section.
  9. Make sure Block Fingerprint (from Android 5.0 or Samsung MDM 5.3) is not selected.
  10. Click Save.

Device User impact of fingerprint login for AppConnect for Android

If the requirements to use fingerprint login for AppConnect apps are fulfilled, the Secure Apps Manager gives device users the choice to use fingerprint or to use the AppConnect passcode for logging into AppConnect apps.

For more information about device user requirements, see Requirements for fingerprint login for AppConnect for Android.

The AppConnect passcode is called the secure apps passcode in the Secure Apps Manager.

The following describes the device user experience:

Device user experience at registration

The overall device user experience at registration is:

  1. The Secure Apps Manager prompts the device user to create a secure apps passcode.
  2. After creating the secure apps passcode, the Secure Apps Manager gives the user the option to use fingerprint to log into secure apps.

    If no fingerprint is available, the Secure Apps Manager prompts the user to add a fingerprint in the device’s settings. The device user can then return to the Secure Apps Manager to enable fingerprint login.

  3. If the user chooses the fingerprint option, the user can use any fingerprint enrolled on the device for subsequent logins to secure apps.
  4. If the user does not choose the fingerprint option, the user enters the secure apps passcode for subsequent logins to secure apps.
  5. The device user can at any time use a menu option in the Secure Apps Manager to change the choice about using fingerprint.

Device user experience if already registered

If you enable fingerprint login on the Ivanti UEM after a device user is registered and has already created a secure apps passcode:

  1. The next time the user logs into secure apps, the Secure Apps Manager prompts the device user to change the secure apps passcode.
  2. After changing the secure apps passcode, the Secure Apps Manager gives the user the option to use fingerprint to log into secure apps.
    If no fingerprint is available, the Secure Apps Manager prompts the user to add a fingerprint in the device’s settings. The device user can then return to the Secure Apps Manager to enable fingerprint login.

  3. If the user chooses the fingerprint option, the user can use any fingerprint enrolled on the device for subsequent logins to secure apps.
  4. If the user does not choose the fingerprint option, the user enters the secure apps passcode for subsequent logins to secure apps.
  5. The device user can at any time use a menu option in the Secure Apps Manager to change the choice about using fingerprint.

Device user options for enabling or disabling fingerprint login

When the Secure Apps Manager gives the user the option to use fingerprint to log into secure apps:

  • If a fingerprint is available on the device, the user chooses one of the following:
    • to enable fingerprint login to secure apps immediately
    • to be reminded to enable it later
    • to never be reminded again
  • If no fingerprint exists on the device, the user can choose to go to the device’s settings to add a fingerprint. After adding the fingerprint, the user can return to the Secure Apps Manager to enable fingerprint login.

The device user can:

  • At any time, use the options menu in Secure Apps Manager to disable or enable fingerprint login to secure apps.
  • When fingerprint login is disabled, tap Enable Fingerprint Login on the screen for entering the secure apps passcode.

In both of the above cases, the Secure Apps Manager prompts the device user to enter the secure apps passcode before changing the fingerprint login status.

Less common device user scenarios for fingerprint login for AppConnect for Android

The following table describes the device user experience in less common scenarios relating to fingerprint login to Android secure apps.

Table 18.   Less common device user scenarios relating to fingerprint login

Scenario: Device has more than one fingerprint.
Behavior: Any fingerprint can log into secure apps when fingerprint login is enabled.

Scenario: Fingerprint login to secure apps fails due to too many attempts.
Behavior: The Secure Apps Manager prompts the user for the secure apps passcode. The Android OS controls the number of fingerprint login attempts.

Scenario: The device user taps Cancel on the Fingerprint Login dialog for logging into secure apps.
Behavior: The Secure Apps Manager prompts the user for the secure apps passcode.

Scenario: A device user adds a fingerprint and a device passcode to the device, but does not enable fingerprint login for the device. This scenario is possible only on some device models, such as some Samsung devices.
Behavior: Fingerprint login is available for secure apps although it is not available for device login.

Scenario: A device user adds a fingerprint to the device, but does not add a device passcode. This scenario is possible only on some device models, such as some Samsung devices.
Behavior: If you have configured fingerprint login for secure apps, the Secure Apps Manager prompts the user to go to settings. In the settings, the user must add a device passcode.

Scenario: A device user adds a fingerprint to the device without enabling fingerprint login for the device. This scenario is not possible on some device models.
Behavior: Fingerprint login is available for secure apps although it is not available for device login.

Scenario: The device user changes the secure apps passcode while fingerprint login is enabled for secure apps.
Behavior: Fingerprint login remains enabled for secure apps.

Scenario: The device user changes the secure apps passcode while fingerprint login is available, but disabled, for secure apps.
Behavior: The Secure Apps Manager gives the device user the option to enable fingerprint login.

Scenario: Fingerprint login is available for secure apps, and a device user creates a new secure apps passcode because the user forgot the passcode.
Behavior: The device user must again choose whether to enable fingerprint login. This case applies when the device user initiates the “forgot passcode” scenario or the administrator unlocks the AppConnect container from the Admin Portal.

Scenario: The device user restarts the device.
Behavior: The device user must enter the secure apps passcode on the next secure apps login, even if fingerprint login had been enabled. The device user can use fingerprint login on subsequent logins to secure apps.

Scenario: The device user terminates the Secure Apps Manager.
Behavior: The device user must enter the secure apps passcode on the next secure apps login, even if fingerprint login had been enabled. The device user can use fingerprint login on subsequent logins to secure apps.

Scenario: You enable or disable the Use fingerprint authentication when supported option on the AppConnect global policy.
Behavior: The Secure Apps Manager prompts the device user to change the secure apps passcode after the user next logs in. This behavior is similar to changing any of these secure apps passcode characteristics on the AppConnect global policy:

  • passcode type
  • minimum passcode length
  • minimum number of complex characters
  • passcode strength usage or level changes

The device user can use a fingerprint to log in one last time when you disable the Use fingerprint authentication when supported option. After logging in, the Secure Apps Manager notifies the device user that the administrator disabled fingerprint login.

Scenario: You change the Block Fingerprint option on the security policy.
Behavior: The Secure Apps Manager prompts the device user to change the secure apps passcode after the user next logs in. If your change is to block fingerprint, when the device user next logs into secure apps, the user cannot use a fingerprint to log in. The Secure Apps Manager notifies the device user that the administrator disabled fingerprint login.

Security versus convenience of passcode and fingerprint for AppConnect for Android

AppConnect for Android security involves:

  • access to AppConnect apps.
  • encrypting AppConnect-related data such as app configurations, certificates, and data that the app saves on the device.

The following table lists possible passcode and fingerprint choices from most secure to least secure, and discusses the level of device user convenience. It compares the choices you can make on the Ivanti UEM involving:

  • Whether you require a device passcode.
  • Whether you require an AppConnect passcode.
  • When requiring an AppConnect passcode, whether you allow fingerprint login to AppConnect apps.

The security level is impacted by the following:

  • With an AppConnect passcode, AppConnect app data stays encrypted and protected even if the device is compromised (rooted), because unlocking the data requires the passcode. Without an AppConnect passcode, AppConnect app data is still encrypted, but an attacker with root access to the device can reach it.
  • A device passcode adds a layer of security.
  • Fingerprint login lets every user who has enrolled a fingerprint on the device unlock both the device and AppConnect apps, not only the intended user. This shared access is the security risk of allowing fingerprint login.

In all cases, stronger passcodes are more secure than weaker passcodes (such as a 4-digit number).

Table 19.   Security versus device user convenience of passcode and fingerprint options

Configuration on Ivanti UEM: Device passcode required; AppConnect passcode required; fingerprint not allowed.
Security of AppConnect apps: Highest
Convenience for device user: Least convenient for accessing both the device and AppConnect apps.

Configuration on Ivanti UEM: Device passcode not required; AppConnect passcode required; fingerprint not allowed.
Security of AppConnect apps: Very high
Convenience for device user: Convenient for accessing the device but inconvenient for accessing AppConnect apps.

Configuration on Ivanti UEM: Device passcode required; AppConnect passcode required; fingerprint allowed.
Security of AppConnect apps: High
Convenience for device user: Convenient for accessing both the device and AppConnect apps.

Configuration on Ivanti UEM: Device passcode not required; AppConnect passcode required; fingerprint allowed.
Security of AppConnect apps: Lower
Convenience for device user: Very convenient for accessing the device, and convenient for accessing AppConnect apps.

Configuration on Ivanti UEM: Device passcode required; AppConnect passcode not required; fingerprint not allowed.
Security of AppConnect apps: Low
Convenience for device user: Convenient for accessing AppConnect apps, but inconvenient for accessing the device.

Configuration on Ivanti UEM: No passcodes required.
Security of AppConnect apps: Lowest
Convenience for device user: Most convenient for accessing both the device and AppConnect apps. However, unauthorized users also have access.