DigitalPersona® Pro Enterprise
Version 5.3
DigitalPersona Pro Enterprise FAQ v5.3
© 2012 DigitalPersona, Inc. All Rights Reserved.
All intellectual property rights in the DigitalPersona software, firmware, hardware and documentation included with or described in this guide are owned by DigitalPersona or its suppliers and are protected by United States copyright laws, other applicable copyright laws, and international treaty provisions.
DigitalPersona and its suppliers retain all rights not expressly granted.
U.are.U® and DigitalPersona® are trademarks of DigitalPersona, Inc. registered in the United States and other countries. Windows, Windows Server 2003/2008, Windows Vista, Windows 7 and Windows XP are registered trademarks of Microsoft Corporation. All other trademarks are the property of their respective owners.
This DigitalPersona Pro Enterprise FAQ and the software it describes are furnished under license as set forth in the “License Agreement” screen that is shown during the installation process.
Except as permitted by such license, no part of this document may be reproduced, stored, transmitted and translated, in any form and by any means, without the prior written consent of DigitalPersona. The contents of this document are furnished for informational use only and are subject to change without notice.
Any mention of third-party companies and products is for demonstration purposes only and constitutes neither an endorsement nor a recommendation. DigitalPersona assumes no responsibility with regard to the performance or use of these third-party products.
DigitalPersona makes every effort to ensure the accuracy of its documentation and assumes no responsibility or liability for any errors or inaccuracies that may appear in it.
Feedback
Contents
Introduction
Do DigitalPersona Enterprise Products Store Fingerprints?
Where are DigitalPersona Enterprise Fingerprint Templates Stored?
How does DigitalPersona Pro Enterprise Licensing Work?
What is the Pro Enterprise License Activation Manager?
How are DigitalPersona Pro Enterprise Licenses Activated?
What is a DigitalPersona Pro Enterprise Server (user) License and why do I need it?
What is a DigitalPersona Pro Enterprise Workstation License and why do I need it?
What is DigitalPersona Pro Kiosk?
What is a DigitalPersona Pro ID Server?
How do Password Manager and Password Manager Pro differ?
Can I use Password Manager Pro to create templates on a Pro Kiosk client?
What devices/factors can DigitalPersona Pro Enterprise use to authenticate users?
Which 3rd Party Fingerprint Readers are Supported by DigitalPersona Pro Enterprise?
Does DigitalPersona Pro Enterprise support IOS, Android, Windows Mobile or Linux clients?
How can I use my fingerprints in a remote session?
What is USB Virtualization and is it Supported?
Which Web Browsers are Supported by DigitalPersona Pro Enterprise?
With which Citrix products is DigitalPersona Enterprise officially compatible?
DigitalPersona® Pro Enterprise FAQ
Introduction
This document provides the administrator with answers to frequently asked questions regarding the DigitalPersona Pro Enterprise 5.3 release.
If you are in need of product information pertaining to earlier DigitalPersona Pro Enterprise releases, please consult the reference section of the DigitalPersona website at
http://www.digitalpersona.com/support/reference-material/pro-upgrade-notes/.
Do DigitalPersona Enterprise Products Store Fingerprints?
No, DigitalPersona Enterprise software never stores fingerprint images. DigitalPersona software creates a fingerprint template, which is a highly compressed and digitally encoded mathematical representation of fingerprint features.
The fingerprint template is created when a user enrolls a finger and it is stored in an encrypted fashion. When the user later touches the fingerprint reader to authenticate, a newly captured template is created and compared to the previously 'enrolled' template. If there is a match, the authentication is successful.
Templates are created with a proprietary algorithm that works much like a password 'hash' algorithm. It is a one-way conversion (i.e. fingerprint image → fingerprint template) that cannot be reversed. This means that fingerprint templates cannot be used to recreate the fingerprint image.
It should also be noted that only enrolled fingerprint templates are stored.
Where are DigitalPersona Enterprise Fingerprint Templates Stored?
in Active Directory on a DigitalPersona Pro Enterprise 5.3 Server.
When a DigitalPersona Pro Enterprise workstation is working in standalone mode, fingerprint templates are hashed and stored in the registry. In a DigitalPersona Pro Enterprise 5.3 Server deployment, fingerprints are stored centrally in Active Directory to facilitate user roaming.
How does DigitalPersona Pro Enterprise Licensing Work?
The DigitalPersona Pro package you purchased may require that you activate a license for one or more of the modules that are part of DigitalPersona Pro Enterprise. Each module will require its own unique license key and each module will require activation. After completing your purchase, you should have received from DigitalPersona or from a DigitalPersona authorized reseller all of the license activation keys required to activate the modules that will comprise your DigitalPersona Pro Enterprise deployment.
Client, Server (user) and feature licenses may be distributed through Active Directory (as opposed to manually inputting each module license on each client) using the License Activation Manager. However, the actual activation will be initiated by the module itself, and therefore each client PC where the module is installed will require internet access.
What is the Pro Enterprise License Activation Manager?
The DigitalPersona Enterprise License Activation Manager is a component of the DigitalPersona Enterprise Administration Tools suite. The DigitalPersona Enterprise License Activation Manager is used to input Pro Server (user), Pro Client (computer) and feature licenses into Active Directory for distribution via Group Policy to DigitalPersona Enterprise modules for activation.
How are DigitalPersona Pro Enterprise Licenses Activated?
DigitalPersona Enterprise modules can acquire licenses from Active Directory or they can be inputted manually via the About Dialog box on the computer where they are installed. Once the module has acquired the license information, the module will then attempt to activate the license. When activating a license, the module will require access to URL:
What is a DigitalPersona Pro Enterprise Server (user) License and why do I need it?
Once activated, the DigitalPersona Pro Server (user) license allows users to store fingerprints and other credential data in Active Directory. Storing user fingerprints and other credential data centrally in Active Directory allows users to roam from one DigitalPersona client to another.
What is a DigitalPersona Pro Enterprise Workstation License and why do I need it?
Whether manually entered or acquired via group policy, DigitalPersona Pro Enterprise clients must be activated to enable DigitalPersona client functionality. Once activated, the DigitalPersona Pro client license allows users to enroll fingerprints, create and manage personal logons, interact with licensed DigitalPersona servers and much more.
What is DigitalPersona Pro Kiosk?
DigitalPersona Pro Kiosk for Enterprise is a client application specifically designed for environments where users need fast, convenient and secure multi-factor application authentication installed on Windows clients that are shared by multiple users. Examples of such scenarios would be time clocks, shared nurse’s stations in hospitals and bank teller workstations.
After a user has been authenticated by Active Directory (using a fingerprint, smart card or Windows Password), the DigitalPersona Pro Kiosk client logs on to Windows using a predefined shared Windows account. This shared Kiosk account must be created specifically for Kiosk use. The Kiosk shared account and its credentials are then detailed in Active Directory and distributed to Kiosk clients via group policy.
DigitalPersona Pro Kiosk client requires the use of DigitalPersona ID Server. DigitalPersona
What is a DigitalPersona Pro ID Server?
Activated via Group Policy, DigitalPersona Pro ID Server uses the Biometric Authentication service to quickly identify and authenticate users.
DigitalPersona Pro ID Server performs quick user identification by loading enrolled fingerprint templates stored in Active Directory into RAM at regular intervals. When a user attempts to authenticate, DigitalPersona Pro ID Server quickly compares the fingerprint templates in RAM to those of the user attempting to authenticate. If a match is found, the user is authenticated.
How do Password Manager and Password Manager Pro differ?
Password Manager is a security application included with Pro Enterprise clients that allows users to create their own personal logons for programs and websites, in addition to using managed logons created through the Password Manager Pro application. Password Manager personal logons are managed and stored on the PC where they are created and do not roam. Furthermore, users must back up and restore their own Password Manager personal logons.
Password Manager Pro is an optional management application that plugs into the Administrative Console of compatible Enterprise workstation clients to enable the creation, administration and management of logons for password-protected software programs and websites.
Administrators use the Password Manager Pro application to create managed logons by specifying information for program and website logon screens. The logon screen requirements are then saved in the form of a template. The location of these templates and their use are governed by settings specified in Group Policy.
Can I use Password Manager Pro to create templates on a Pro Kiosk client?
The Password Manager Pro application allows Administrators to create managed logons for Pro Enterprise clients including DigitalPersona Pro Kiosk for Enterprise.
What devices/factors can DigitalPersona Pro Enterprise use to authenticate users?
DigitalPersona Pro for Enterprise can use a wide variety of devices and factors to authenticate users including:
Supported Primary credentials include:
Fingerprints
Smart Cards and Contactless Cards
Windows Passwords
Facial Recognition
NOTE: While Facial Recognition is a Primary credential, it cannot be the sole factor used in a Windows logon authentication policy. If Facial Recognition is a factor available in your Windows logon authentication policy, an alternate Primary credential must be available as well.
DigitalPersona Pro for Enterprise also supports Secondary credentials. Secondary credentials are authentication factors that must be paired with a primary credential (see list above). Supported Secondary credentials include:
Proximity Cards
PIN
Bluetooth
DigitalPersona Pro Enterprise can also use a combination of these authentication
Which 3rd Party Fingerprint Readers are Supported by DigitalPersona Pro Enterprise?
DigitalPersona Pro Enterprise clients support a variety of 3rd party readers. Manufacturers include:
Authentec
Broadcom USH
Validity
UPEK
For information regarding compatibility of specific reader models, please contact your DigitalPersona account representative.
Does DigitalPersona Pro Enterprise support iOS, Android, Windows Mobile or Linux clients?
At this time, DigitalPersona Pro Enterprise does not support iOS, Android, Windows Mobile or Linux clients. Please consult your DigitalPersona Account Manager or DigitalPersona authorized reseller for future developments in this area.
How can I use my fingerprints in a remote session?
Activated by Group Policy, Fingerprint Data Redirection is a DigitalPersona Pro Enterprise client feature that allows a fingerprint scanned by a fingerprint reader connected to a host to be used in a Remote Desktop/Terminal Services session or with supported Citrix products. Fingerprint Data Redirection requires that the DigitalPersona Enterprise client be installed on both the host and remote PC. It should also be noted that Zero clients and SSL VPN are not supported.
What is USB Virtualization and is it Supported?
Regretfully, at this writing, USB Virtualization is not supported by DigitalPersona fingerprint readers.
Rather than directly interacting with a Windows host computer via a keyboard, mouse and monitor connected to it, VDI allows a user to interact with a host computer over a network connection (such as a LAN, Wireless LAN or even the Internet) using a thin client. Typically, the host computer in this scenario is a server computer capable of hosting multiple virtual machines at the same time for multiple users.
Along with the keyboard, mouse and monitor, VDI supports the virtualization of other USB connected devices such as flash drives, USB printers, USB software dongles, webcams, etc. Again, at this writing, USB Virtualization is not supported by DigitalPersona fingerprint readers.
Which Web Browsers are Supported by DigitalPersona Pro Enterprise?
With which Citrix products is DigitalPersona Enterprise officially compatible?
Using the Fingerprint Data Redirection feature, DigitalPersona Pro Enterprise provides support for contactless cards, proximity cards as well as fingerprints in sessions hosted by compatible Citrix products.
Using Fingerprint Data Redirection, once a remote session has been established using a compatible Citrix client, DigitalPersona client can redirect fingerprint or card data captured by the local host to the remote Citrix session. This also includes support for locking and unlocking the remote Citrix session.
Note: While Citrix products were ‘Unofficially Supported’ in earlier Pro Enterprise releases, anecdotal evidence of compatibility has been provided. While customers may have successfully deployed DigitalPersona for authentication of Citrix hosted applications, DigitalPersona will not offer support for Citrix related bugs or unexpected behaviors reported against releases preceding Pro Enterprise 5.3.
What is the best way to contact DigitalPersona Technical Support?
You can reach DigitalPersona’s Technical Support department by completing a support request form at http://www.digitalpersona.com/support/overview/. Technical Support requires an active Maintenance and Support subscription (M&S).
If you are in need of M&S, please contact sales@digitalpersona.com for information & pricing for our Maintenance & Support plans.
                  Supported in
Pro version       Citrix Online Plugin/ICA client  Citrix Receiver         XenApp/Presentation Server  XenDesktop
5.3.0             11, 12                           3.1.0, 3.2.0            6.5.0                       NO
5.2.x             Unofficially Supported           Unofficially Supported  Unofficially Supported      NO
5.1.x             Unofficially Supported           Unofficially Supported  Unofficially Supported      NO
5.0.1             Unofficially Supported           Unofficially Supported  Unofficially Supported      NO
5.0.0             Unofficially Supported           Unofficially Supported  Unofficially Supported      NO
4.4.0 and higher  10, 11                           NO                      4.x                         NO
4.3.0 and higher  10, 11                           NO                      4.x                         NO