Touch ID or Face ID for accessing secure apps

The option to enable Touch ID or Face ID is available in the AppConnect Device configuration or the Default iOS AppConnect configuration.

See Quick start configuration AppConnect for iOS for information on editing an AppConnect device configuration and enabling the Touch ID option. Enabling the option also automatically enables Face ID. The secure apps passcode must be enabled before the Touch ID option can be enabled.

Enabling the Touch ID option gives the device user the convenience of using Touch ID or Face ID rather than an AppConnect passcode to access secure apps. If Touch ID or Face ID authentication fails, the user falls back to entering the device passcode to access secure apps.

Device user experience with Touch ID or Face ID

The following is the device user experience for a newly registered user:

  1. After device users register with Go, they are prompted to create an AppConnect passcode.
  2. After creating the AppConnect passcode, Go gives users the option to use Touch ID or Face ID to access secure apps.
  3. If users choose the Touch ID or Face ID option, they can use Touch ID or Face ID when accessing secure apps after the auto-lock time has expired.
  4. Device users can later change their choice about using Touch ID or Face ID in Go in Settings > Secure Apps > Authentication.

See also Touch ID or Face ID – device user perspective.

Security versus convenience of passcode and Touch ID or Face ID options

AppConnect security involves:

  • access to AppConnect apps.
  • encrypting AppConnect-related data such as app configurations and certificates.
  • encrypting data that the app saves on the device.

The following table lists possible passcode and Touch ID/Face ID choices from most secure to least secure, and discusses the level of device user convenience.

In all cases, stronger passcodes are more secure than weaker passcodes (such as a 4-digit number).

Table 19.   Security vs device user convenience of passcode and Touch ID/Face ID options

| Passcode and Touch ID/Face ID configuration on Ivanti Neurons for MDM | Security of AppConnect apps | Convenience for device user |
|---|---|---|
| Require both a device passcode and an AppConnect passcode | Highest | Least convenient for accessing both the device and AppConnect apps. |
| Require only a device passcode | Very high. Once the device is unlocked, unauthorized users can access AppConnect apps. | Convenient for accessing AppConnect apps, but inconvenient for accessing the device. However, the device user can make accessing the device more convenient by setting up Touch ID or Face ID for unlocking the device. |
| Require only an AppConnect passcode | High. Data that the app saves to the device is not encrypted unless the app uses the secure file I/O provided in the AppConnect for iOS SDK. | Convenient for accessing the device but inconvenient for accessing AppConnect apps. |
| Require both a device passcode and Touch ID or Face ID for AppConnect apps | High. Other device users who have added fingerprints or Face IDs, such as family members, can also access AppConnect apps. | Very convenient for accessing both the device and AppConnect apps. |
| No passcodes required | Lowest. Note the following: (1) Unauthorized users can access the device and AppConnect apps. (2) AppConnect-related data, such as app configurations and certificates, is encrypted but the encryption key is not protected by a passcode. (3) Data that the app saves on the device is encrypted but the encryption key is not protected by a passcode. | Most convenient for accessing both the device and AppConnect apps. |