Fingerprint login for AppConnect apps for Android
Fingerprint login for AppConnect apps gives the device user the convenience of using a fingerprint instead of an AppConnect passcode to access AppConnect apps. When using fingerprint, a user still creates an AppConnect passcode. If entering the fingerprint fails, the user enters the AppConnect passcode to access AppConnect apps.
The Secure Apps Manager gives the device user the choice to use fingerprint or an AppConnect passcode. This choice is useful when a device is shared among multiple users, such as co-workers or even a family, each of whom uses a fingerprint to access the device. Although all the users can access the device with fingerprint, sometimes only one of those users should be allowed to access AppConnect apps. That user can choose to use the AppConnect passcode instead of fingerprint for accessing AppConnect apps. Having a choice therefore ensures that only an appropriate device user accesses AppConnect apps.
Required product versions for fingerprint login for AppConnect for Android
The following table shows the required product versions for fingerprint login for Android secure apps.
| Product | Version |
|---|---|
| MobileIron Go for Android | 40 through the most recently released version as supported by MobileIron. |
| Secure Apps Manager | |
| Android | 6.0 through the most recently released version as supported by MobileIron |
Requirements for fingerprint login for AppConnect for Android
Device users can use a fingerprint to access AppConnect apps for Android if the following are true:
- The product versions meet the requirements in Required product versions for fingerprint login for AppConnect for Android.
- The device has a fingerprint reader.
- The fingerprint option is set as follows in the MobileIron Cloud:
  - The fingerprint option is enabled in the AppConnect Device configuration for Android.
  - The fingerprint unlock option is enabled in the Passcode Config.
  NOTE: If the fingerprint unlock option is disabled, enabling the fingerprint option in the AppConnect Device configuration has no impact.
If all of the above are true, Secure Apps Manager gives device users the choice whether to use fingerprint or use an AppConnect passcode to access AppConnect apps.
NOTE: In addition to choosing fingerprint, device users also create an AppConnect passcode. The AppConnect passcode is necessary if fingerprint login fails.
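The requirements above, together with the shared-device concern from the introduction, can be checked against a device inventory. The following Python sketch is an added example, not MobileIron code: the `Device` record layout, the `shared` tag, and the sample inventory are constructed assumptions, and the two boolean arguments stand for the AppConnect Device configuration and Passcode Config settings as read from the console.

```python
from dataclasses import dataclass

# Minimums from the required-versions table on this page. The page gives no
# Secure Apps Manager version, so that product is not checked here.
MIN_GO = (40, 0, 0)
MIN_ANDROID = (6, 0, 0)

@dataclass
class Device:               # constructed record layout, not a MobileIron export
    name: str
    go_version: str
    android_version: str
    has_fingerprint_reader: bool
    shared: bool            # hypothetical inventory tag set by the admin

def parse_version(text, width=3):
    """Turn '6.0' into (6, 0, 0) so '6' and '6.0' compare as equal."""
    parts = [int(p) for p in text.split(".")[:width]]
    return tuple(parts + [0] * (width - len(parts)))

def blockers(dev, appconnect_fp_on, passcode_fp_unlock_on):
    """Return the unmet requirements; an empty list means the choice is offered."""
    reasons = []
    if parse_version(dev.go_version) < MIN_GO:
        reasons.append("MobileIron Go older than 40")
    if parse_version(dev.android_version) < MIN_ANDROID:
        reasons.append("Android older than 6.0")
    if not dev.has_fingerprint_reader:
        reasons.append("no fingerprint reader")
    if not appconnect_fp_on:
        reasons.append("fingerprint option off in AppConnect Device configuration")
    elif not passcode_fp_unlock_on:
        # Per the NOTE: the AppConnect setting alone has no impact.
        reasons.append("Fingerprint Unlock off in Passcode Config (AppConnect setting has no impact)")
    return reasons

def audit(devices, appconnect_fp_on, passcode_fp_unlock_on):
    """Map device name -> (offered, reasons, needs_review)."""
    report = {}
    for dev in devices:
        reasons = blockers(dev, appconnect_fp_on, passcode_fp_unlock_on)
        offered = not reasons
        # Shared devices: every enrolled fingerprint could open AppConnect apps.
        report[dev.name] = (offered, reasons, offered and dev.shared)
    return report

SAMPLE = [  # constructed inventory
    Device("tablet-01", "40.1", "8.0", True, True),
    Device("phone-02", "39.2", "5.1", True, False),
    Device("phone-03", "45.0", "9", False, False),
]
```

Calling `audit(SAMPLE, True, False)` shows the silent misconfiguration case: every device is reported as not offered, with the Passcode Config setting as the reason.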
Configuring fingerprint login for AppConnect for Android (Cloud)
Configure fingerprint login for AppConnect apps on the MobileIron Cloud.
Procedure
- On MobileIron Cloud, go to Configurations.
- Select the appropriate AppConnect Device configuration for Android.
- Click Edit.
- For Enable Fingerprint Authentication, drag the slider to the right to ON.
- Click Next and Done.
- Go to Configurations > Passcode Config.
- Click Edit.
- Scroll down to the Android only section.
- Verify that Fingerprint Unlock is ON.
Device User impact of fingerprint login for AppConnect for Android
If the requirements to use fingerprint login for AppConnect apps are fulfilled, the Secure Apps Manager gives device users the choice to use fingerprint or to use the AppConnect passcode for logging into AppConnect apps.
For more information about device user requirements, see Requirements for fingerprint login for AppConnect for Android.
NOTE: The AppConnect passcode is called the secure apps passcode in the Secure Apps Manager.
The following describe the device user experience:
- Device user experience at registration
- Device user experience if already registered
- Device user options for enabling or disabling fingerprint login
Device user experience at registration
The overall device user experience at registration is:
- The Secure Apps Manager prompts the device user to create a secure apps passcode.
- After creating the secure apps passcode, the Secure Apps Manager gives the user the option to use fingerprint to log into secure apps.
  If no fingerprint is available, the Secure Apps Manager prompts the user to add a fingerprint in the device’s settings. The device user can then return to the Secure Apps Manager to enable fingerprint login.
- If the user chooses the fingerprint option, he can use any fingerprint on the device for subsequent logins to secure apps.
- If the user does not choose the fingerprint option, he will use the secure apps passcode for subsequent logins to secure apps.
- The device user can at any time use a menu option in the Secure Apps Manager to change the choice about using fingerprint.
Device user experience if already registered
If you enable fingerprint login on the MobileIron Cloud after a device user is registered and has already created a secure apps passcode:
- The next time the user logs into secure apps, the Secure Apps Manager prompts the device user to change the secure apps passcode.
- After changing the secure apps passcode, the Secure Apps Manager gives the user the option to use fingerprint to log into secure apps.
  If no fingerprint is available, the Secure Apps Manager prompts the user to add a fingerprint in the device’s settings. The device user can then return to the Secure Apps Manager to enable fingerprint login.
- If the user chooses the fingerprint option, he can use any fingerprint on the device for subsequent logins to secure apps.
- If the user does not choose the fingerprint option, he will use the secure apps passcode for subsequent logins to secure apps.
- The device user can at any time use a menu option in the Secure Apps Manager to change the choice about using fingerprint.
Device user options for enabling or disabling fingerprint login
When the Secure Apps Manager gives the user the option to use fingerprint to log into secure apps:
- If a fingerprint is available on the device, the user chooses one of the following:
  - to enable fingerprint login to secure apps immediately
  - to be reminded to enable it later
  - to never be reminded again
- If no fingerprint exists on the device, the user can choose to go to the device’s settings to add a fingerprint. After adding the fingerprint, the user can return to the Secure Apps Manager to enable fingerprint login.
The device user can:
- At any time, use the options menu in Secure Apps Manager to disable or enable fingerprint login to secure apps.
- When fingerprint login is disabled, tap on Enable Fingerprint Login on the screen for entering the secure apps password.
In both of the above cases, the Secure Apps Manager prompts the device user to enter the secure apps passcode before changing the fingerprint login status.
Less common device user scenarios for fingerprint login for AppConnect for Android
These scenarios describe the device user experience in less common scenarios relating to fingerprint login to Android secure apps.
| Scenario | Behavior on the device |
|---|---|
| Device has more than one fingerprint. | Any fingerprint can log into secure apps when fingerprint login is enabled. |
| Fingerprint login to secure apps fails due to too many attempts. | The Secure Apps Manager prompts the user for the secure apps passcode. |
| The device user taps Cancel on the Fingerprint Login dialog for logging into secure apps. | The Secure Apps Manager prompts the user for the secure apps passcode. |
| A device user adds a fingerprint and a device passcode to the device, but does not enable fingerprint login for the device. | Fingerprint login is available for secure apps although it is not available for device login. |
| A device user adds a fingerprint to the device, but does not add a device passcode. | If you have configured fingerprint login for secure apps, the Secure Apps Manager prompts the user to go to settings. In the settings, the user must add a device passcode. |
| A device user adds a fingerprint to the device without enabling fingerprint login for the device. | Fingerprint login is available for secure apps although it is not available for device login. |
| The device user changes the secure apps passcode while fingerprint login is enabled for secure apps. | Fingerprint login remains enabled for secure apps. |
| The device user changes the secure apps passcode while fingerprint login is available, but disabled, for secure apps. | The Secure Apps Manager gives the device user the option to enable fingerprint login. |
| | The device user must again choose whether to enable fingerprint login. |
| The device user restarts the device. | The device user must enter the secure apps passcode on the next secure apps login, even if fingerprint login had been enabled. The device user can use fingerprint login on subsequent logins to secure apps. |
| The device user terminates the Secure Apps Manager. | The device user must enter the secure apps passcode on the next secure apps login, even if fingerprint login had been enabled. The device user can use fingerprint login on subsequent logins to secure apps. |
| You enable or disable the Use fingerprint authentication when supported option on the AppConnect global policy. | The Secure Apps Manager prompts the device user to change the secure apps passcode after the user next logs in. This behavior is similar to changing any of these secure apps passcode characteristics on the AppConnect global policy: |
| You change the Block Fingerprint option on the security policy. | The Secure Apps Manager prompts the device user to change the secure apps passcode after the user next logs in. |
Security versus convenience of passcode and fingerprint for AppConnect for Android
AppConnect for Android security involves:
- access to AppConnect apps.
- encrypting AppConnect-related data such as app configurations, certificates, and data that the app saves on the device.
The following table lists possible passcode and fingerprint choices from most secure to least secure, and discusses the level of device user convenience. It compares the choices you can make on MobileIron Cloud involving:
- Whether you require a device passcode.
- Whether you require an AppConnect passcode.
- When requiring an AppConnect passcode, whether you allow fingerprint login to AppConnect apps.
The security level is impacted by the following:
- An AppConnect passcode ensures that AppConnect app data is encrypted and secure if the device is compromised (rooted). Without an AppConnect passcode, AppConnect app data is encrypted, but not secure if the device is compromised.
- A device passcode adds a layer of security.
- Fingerprint login allows all users of the same device who have added fingerprints to access the device and AppConnect apps. This access is a possible security risk.
NOTE: In all cases, stronger passcodes are more secure than weaker passcodes (such as a 4-digit number).

| Passcode and fingerprint configuration on MobileIron Cloud | Security of AppConnect apps | Convenience for device user |
|---|---|---|
| Device passcode: Required AppConnect passcode: Fingerprint: | Highest | Least convenient for accessing both the device and AppConnect apps. |
| Device passcode: AppConnect passcode: Fingerprint: | Very High | Convenient for accessing the device but inconvenient for accessing AppConnect apps. |
| Device passcode: AppConnect passcode: Fingerprint: | High | Convenient for accessing both the device and AppConnect apps. |
| Device passcode: AppConnect passcode: Fingerprint: | Lower | Very convenient for accessing the device, and convenient for accessing AppConnect apps. |
| Device passcode: AppConnect passcode: Fingerprint: | Low | Convenient for accessing AppConnect apps, but inconvenient for accessing the device. |
| No passcodes required | Lowest | Most convenient for accessing both the device and AppConnect apps. However, unauthorized users also have access. |