
User authentication

BlackBerry UEM offers the following options to adjust the user experience for accessing BlackBerry Dynamics apps.
Fingerprint and biometric authentication
Various forms of biometric authentication are supported by the BlackBerry Dynamics SDK, including fingerprint authentication for Android, and Touch ID and Face ID for iOS. The BlackBerry UEM administrator can use a BlackBerry Dynamics profile (UEM) to enable biometric authentication. Contact your organization’s administrator to enable and configure these features.
Authentication delegation
The BlackBerry UEM administrator can configure up to three BlackBerry Dynamics apps on users’ devices to act as an authentication delegate (a primary, secondary, and tertiary delegate). When a user opens any BlackBerry Dynamics app, the device will display the login screen of the authentication delegate app. After the user logs in successfully, all of the BlackBerry Dynamics apps on the device are unlocked. The user does not need to enter a password again until the idle timeout is reached.
If you want your custom BlackBerry Dynamics app to be an authentication delegate, the UEM administrator must specify the app package ID (Android) or bundle ID (iOS) in the BlackBerry Dynamics app settings in the management console. Contact your organization’s administrator to provide this information. For instructions for specifying the package ID or bundle ID for an app, see Manage settings for a BlackBerry Dynamics app in the UEM Administration Guide.
The administrator configures one or more authentication delegates using a BlackBerry Dynamics profile. It is a best practice to configure the most commonly used app as the authentication delegate. Contact your organization’s administrator to configure one or more authentication delegates.
If the administrator configures a secondary authentication delegate, the administrator must notify users that if they delete the primary authentication delegate app, the user must unlock the secondary delegate app and set the app password again so that it can be used to authenticate any additional BlackBerry Dynamics apps. The same requirement applies if a tertiary delegate is configured and the primary and secondary delegate apps are deleted.
Do not require a password
Enabled using a BlackBerry Dynamics profile, this setting removes the password login for BlackBerry Dynamics apps. Users cannot choose whether to use a password.
Do not enable authentication delegation and this setting in the same profile or policy set. This feature is supported in UEM 12.7 or later. If the setting is enabled and then disabled at a later date, users are prompted to create a password the next time they log in to a BlackBerry Dynamics app.
You can use the GDAndroid.getInstance().canAuthorizeAutonomously() or [GDiOS sharedInstance].canAuthorizeAutonomously method to check if this feature is enabled. See the GDInteraction sample app (Android) or the SecureStore sample app (iOS) for examples of this method.
Bypass the app unlock screen
Enabled in the UEM Client settings for a specific BlackBerry Dynamics app (UEM), this setting allows an app to completely bypass the password login screen.
For more information and programming guidance, see the Bypass Unlock Developer Guide.
Background Authorize for iOS
This feature is not currently supported for the BlackBerry Dynamics SDK for Cordova.
Background Authorize is a restricted API that allows a recently locked BlackBerry Dynamics app to use the principal BlackBerry Dynamics APIs (such as secure storage and secure communication) when the app is running in the background.
This feature can be useful in scenarios where the app has stopped unexpectedly and is started in the background in response to an APNS message (for example, a new email). If Background Authorize is enabled, the app can download new data and store it in the secure container. When the user brings the app to the foreground they can authorize and immediately access the data (for example, messages).
To access this restricted API, submit a request to the BlackBerry Dynamics Registrar program at BlackBerryDynamicsRegistrar@blackberry.com.
For more information about this feature, see the Background Authorize Developer Guide.
Background Authorize for Android
This feature is not currently supported for the BlackBerry Dynamics SDK for Cordova.
GDAndroid.canAuthorizeAutonomously allows BlackBerry Dynamics apps to background unlock, receive state callbacks, and use credential-protected storage. The app can use canAuthorizeAutonomously() to check if it is possible to use background unlock, and if possible, authorize with serviceInit().
Web Authentication
The SDK supports ASWebAuthenticationSession. The BlackBerry Dynamics implementation of ASWebAuthenticationSession utilizes BlackBerry Dynamics secure communication and secure storage for cookies. To protect enterprise credentials from being stored in the iOS keychain, the device user will not be able to use the Safari saved passwords feature in the embedded webview.
Initialize an instance of ASWebAuthenticationSession in your app to allow user authentication through a web service, including those operated by a third party. The page will open in a secure, embedded webview in iOS, or the user's default browser (if it supports web authentication sessions) on macOS. For more information, see Authenticating a User Through a Web Service.
You can use Single Sign-On (SSO) with ASWebAuthenticationSession applications by enabling keychain group sharing and using the com.good.gd.data group. The prefersEphemeralWebBrowserSession property will be set to YES by the SDK.
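The following Swift sketch shows one way to start an ASWebAuthenticationSession and validate the callback before accepting the authorization code. It is an added example, not code from BlackBerry or from the SDK samples. It assumes the app has already integrated and authorized with the BlackBerry Dynamics SDK; the endpoint, client ID, callback scheme and the WebSignIn class name are hypothetical.

```swift
import AuthenticationServices
import UIKit

// Hypothetical values: replace with your identity provider's endpoint,
// your client ID, and the callback scheme registered for your app.
let authorizeEndpoint = "https://idp.example.com/oauth2/authorize"
let clientID = "example-client-id"
let callbackScheme = "com.example.myapp"

final class WebSignIn: NSObject, ASWebAuthenticationPresentationContextProviding {
    private var session: ASWebAuthenticationSession?
    private let window: UIWindow

    init(window: UIWindow) { self.window = window }

    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor {
        window
    }

    /// Starts the web sign-in and hands the authorization code to `completion`.
    func start(completion: @escaping (Result<String, Error>) -> Void) {
        // Per-request random value; a callback that does not echo it is rejected.
        let state = UUID().uuidString
        var components = URLComponents(string: authorizeEndpoint)!
        components.queryItems = [
            URLQueryItem(name: "response_type", value: "code"),
            URLQueryItem(name: "client_id", value: clientID),
            URLQueryItem(name: "redirect_uri", value: "\(callbackScheme)://callback"),
            URLQueryItem(name: "state", value: state),
        ]
        // prefersEphemeralWebBrowserSession is not set here: per the text
        // above, the SDK sets it.
        let session = ASWebAuthenticationSession(url: components.url!,
                                                 callbackURLScheme: callbackScheme) { callbackURL, error in
            if let error = error { return completion(.failure(error)) }
            let items = callbackURL
                .flatMap { URLComponents(url: $0, resolvingAgainstBaseURL: false) }?
                .queryItems ?? []
            func param(_ name: String) -> String? {
                items.first(where: { $0.name == name })?.value
            }
            guard param("state") == state, let code = param("code") else {
                return completion(.failure(URLError(.badServerResponse)))
            }
            completion(.success(code))
        }
        session.presentationContextProvider = self
        self.session = session  // keep a strong reference until the callback fires
        if !session.start() { completion(.failure(URLError(.cancelled))) }
    }
}
```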