By default, Symantec App Center provides a simple, local identity provider (IDP) for user authentication. The local IDP is ideal for smaller environments or trial users because it is easy to use and requires no integration. The local IDP provides authentication for access to the Admin Console, the End-User Portal, the App Center App, and any wrapped apps that require authentication. The local IDP not only provides authentication, it also provides for application single sign-on. App Center can also handle group management through the local IDP.
See“Creating app policies that allow for single sign-on”on page 80.
See“Creating roles and groups”on page 27.
The password policies that you configure in App Center only apply when you use the local IDP. If you have enabled an external IDP for authentication, the external IDP enforces its password policies. The ability to change or reset password is only available for the local IDP.
This workflow assumes you have met the following prerequisite:
■ Roles and groups are set up.
You should set up your roles and groups in App Center before you configure your IDP so that when you configure the IDP, you can map users to the App Center groups that you created. Thereafter, you can create, delete, or modify roles and groups as needed.
See“Creating roles and groups”on page 27.
Configuring the local IDP consists of the following workflow:
■ Configure the user authentication settings.
See“To configure the user authentication settings for the local IDP”on page 46.
■ Specify password lockout criteria.
See“To specify password lockout criteria for the local IDP”on page 47.
■ Set the administrator password policy.
If you enable either MDM or an app policy for the administrator, all of the options on the Admin Password Policy page are checked. The minimum password length is set to 8 characters.
All of the controls on this page become disabled in the following instances:
■ If you use app policies
■ If you enable Mobile Device Management (MDM)
In both instances, App Center sets the policy and cannot be modified by an administrator.
See“To set the admin password policy for the local IDP”on page 47.
■ Set the user password policy.
See“To set the user password policy for the local IDP”on page 48.
■ Specify the offline PIN policy.
The offline PIN policy is enforced when the user selects an offline PIN in the App Center App. The PIN is used for theApp Center App and applications that have offline authentication permitted in their app policy. App Center only supports latin letters, digits, and punctuation characters for the offline PIN.
See“To specify the offline PIN policy for the local IDP”on page 48.
To configure the user authentication settings for the local IDP 1 In the Admin Console, click Settings > User Authentication.
2 Check Use email address as user name to let users login with their email addresses.
This eliminates the need for users to remember their user names.
If you already have an external IDP enabled, this option does not appear.
3 Check Have mobile login screens remember user names to let users mobile devices remember their user names.
This setting only remembers the user's login name — not the user's password.
4 Check Allow client download without authentication to let anonymous users download the App Center App without authentication.
Some organizations are comfortable with anonymous users downloading their App Center App since the clients themselves perform user
authentication. Enabling this feature lets any user visit the App Center URL and download the App Center App client without the user being authenticated.
However, the iOS Web clip app still requires user credentials before installation.
If Allow client download without authentication is enabled for an on-premises installation, you can only download the native iOS App Center App. This issue does not occur with an SaaS installation.
5 Specify the Password reset requests expire after <n> days.
6 Click Save.
To specify password lockout criteria for the local IDP 1 On the center pane, click Password Lockout.
2 To lockout a user, check Lockout user after <n> failed login attempts in <n>
minutes, and specify the number of failed attempts and the number of minutes.
3 In the Lockout user for <n> minutes field, specify how long to lock out the user after the failed login attempts that you configured in step2.
4 Click Save.
To set the admin password policy for the local IDP 1 On the center pane, click Admin Password Policy.
2 Specify the Minimum length of password in characters.
3 Check Enable password lifetime to enable the password lifetime feature.
4 Specify the Number of days after which a password expires.
5 Check Enable password history depth to restrict how frequently a user can reuse a password.
6 Specify the Password history depth.
7 Specify the password criteria by checking the following options that you want to enforce when administrators create their passwords:
■ Prohibit user names and email addresses in the password.
Case-insensitive search is used.
■ Require password to have at least one uppercase letter.
■ Require password to have one lowercase letter.
■ Require password to have at least one number.
■ Require password to have at least one non-alphanumeric characters.
■ Require first three characters to be unique.
8 Click Save.
To set the user password policy for the local IDP 1 On the center pane, click User Password Policy.
2 Specify the Minimum length of password in characters.
3 Check Enable password lifetime to enable the password lifetime feature.
4 Specify the Number of days after which a password expires.
5 Check Enable password history depth to restrict how frequently a user can reuse a password.
6 Specify the Password history depth.
7 Specify the password criteria by checking the following options that you want to enforce when users create their passwords:
■ Prohibit user names and email addresses in the password.
Case-insensitive search is used.
■ Require password to have at least one uppercase letter.
■ Require password to have at least one lowercase letter.
■ Require password to have at least one number.
■ Require password to have at least one non-alphanumeric characters.
■ Require first three characters to be unique.
8 Click Save.
To specify the offline PIN policy for the local IDP 1 On the center pane, click Offline PIN Policy.
2 Specify the Minimum length of PIN in characters.
3 Check Enable PIN history depth to restrict how frequently a user can reuse a password.
4 Specify the PIN history depth.
5 Specify the PIN criteria by checking the following options that you want to enforce when users create their offline PINs:
■ Prohibit user names and email addresses in the PIN. Case-insensitive search is used.
■ Require PIN to have at least one uppercase letter.
■ Require PIN to have at least one lowercase letter.
■ Require PIN to have at least one number.
■ Require PIN to have at least one non-alphanumeric characters.
■ Require first three characters to be unique.
6 Click Save.
Now you are ready to enroll your users in App Center.
See“Enrolling end users for the local IDP”on page 49.