To enable the Smart Identity feature on one or more ThinOX/Agile devices you must create a Device Policy in order to define:
- devices enabled for the Smart Identity authentication (endpoint login through an identification device)
- devices enabled for the enrollment of the identification devices.(enrollment means to associate a smart card to a user).
Note that, a device enabled for the enrollment, is also enabled for the Smart Identity authentication.
¶ Creating the Smart Identity Policy
¶ Step 1
Right-click on Devices Policies and select Add Policy.
¶ Step 2
Enter the name of the policy and optionally, the description. Click on Next to proceed.
¶ Step 3
-
The Enable ThinMan Smart Identity enables the associated devices to login through an identification device.
-
The Enable Enrollment of the identification devices will enable the associated devices to enroll new Identification Devices (smart cards). For more information, read How to enroll an Identification Device (smart card). Select:
- The Device Mode parameter to define the behaviour of the smart card reader.
- If you are using a reader where the card has to be inserted then select the Contact option.
- If instead, you are using RFID reader you can choose between Contact or Contactless. Contact means that the card has to rest on the reader while you are using the endpoint and removing it will trigger the Exit Action(read below). Contactless means that the user has to tap the card on the reader to enter and tap it again to trigger the Exit Action(read below). Be aware, certain readers are not suitable for the Contact mode but only for the Contactless mode. For this reason, we highly recommend to test your reader with the choosen mode.
- The Exit Action to define the behavior of the device when the user removes the card (for Contact device mode) or tap the card for the second time (for Contactless device mode):
- User Logout: in this case, the endpoint closes all the sessions (disconnect) when the user removes the smart card. The endpoint returns to the Smart Identity login screen (as Logging out from the endpoint)
- Lock screen: in this case, the endpoint locks the device but the connections remain active on the endpoint. This option is valid only on ThinOX devices.
- The Device Mode parameter to define the behaviour of the smart card reader.
Select the above explained parameters according to the context. For more information, read Device Policy - Settings.
Click on Next to proceed.
Smart Card Enrollment Modes
- Restricted enrollment: when a restricted number of users is authorized to enroll the cards. In this case, you need to define two distinct device policies:
- One to define the endpoints authorized to perform the enrollment, you need to select the Enable Enrollment of the identification devices parameter and associate the policy to the endpoints used by the users authorized to do the enrollment(administrators). The administrators will then deliver the Identification Device to the user.
- Another Device Policy with the Enable ThinMan Smart Identity parameter selected but the enable enrollment of the identification devices parameter unselected, in order the user to be able to access the endpoint with the card.
- Free enrollment: this mode allows each user to do the enrollment of his card. In this case, you need to define only a single device policy to define the endpoints authorized to perform the enrollment and the authentication:
- Create a Device Policy with both parameters (Enable ThinMan Smart Identity, Enable Enrollment of the identification devices) selected and associate it to all the endpoints used by the users. The first time that the user tries his Identification Device, the endpoint asks to enroll the Identification Device by inserting the username, the password, and if requested, the PIN. You do not need to create another Device Policy.
¶ Step 4
Optionally, indicate a device profile to be apply. For more information, read Devices Policy - Devices Profile.
¶ Step 5
Use the Classifier, Groups and Devices tab to select which are the endpoints that will use and perform the "Smart Identity" feature. For more information, read Devices Policy - Classifier/Groups/Devices