DP Altus Client Guide

DIGITALPERSONA
ALTUS 1.2
CLIENT GUIDE
Copyright © 2015 Crossmatch. All rights reserved. Specifications are subject to change without prior notice. The Crossmatch logo,
Crossmatch™, Cross Match®, L Scan®, D Scan®, I Scan®, Guardian®, SEEK® and Verifier® are trademarks or registered
trademarks of Cross Match Technologies, Inc. in the United States and other countries. DigitalPersona®, TouchChip®, Eikon®,
U.are.U® and FingerJet™ are trademarks or registered trademarks of DigitalPersona, Inc., which is owned by the parent company
of Cross Match Technologies, Inc. All other brand and product names are trademarks or registered trademarks of their respective
owners.
Published: June 5, 2015 (v1.2.0)
Contents

OVERVIEW
  Introduction
  Altus clients
  Altus Workstation
  Altus Kiosk
  Altus Attended Enrollment
  Authentication and Credentials
  Licensing model
  System Requirements
  Support Resources

SECTION ONE: INSTALLATIONS

ALTUS WORKSTATION INSTALLATION
  Introduction
  System requirements
  Deployment considerations - for Altus LDS Workstation
  Upgrading from previous versions
  Compatibility
  Installation
  Local installation
  Remote installation of Altus Workstation
  Remote installation of Altus Workstation patches
  Command line Installation
  Command line Options
  Parameters
  ADDLOCAL and REMOVE Values
  About Transform files
  Uninstalling Altus Workstation

ALTUS KIOSK INSTALLATION
  System Requirements
  Migration from DigitalPersona Pro Kiosk
  Compatibility
  Installation
  Local installation
  Remote Installation of Altus Kiosk
  Remote installation of Altus Kiosk patches
  Command line installation
  Command line Options
  Parameters
  ADDLOCAL and REMOVE Values
  About Transform files
  Uninstalling Altus Kiosk

ALTUS ATTENDED ENROLLMENT
  Introduction
  System requirements
  Compatibility
  Local installation
  Uninstalling Altus Attended Enrollment

SECTION TWO: ALTUS CLIENT FEATURES

ALTUS WORKSTATION
  Introduction
  Getting Started
  The Altus Console
  Windows authentication
  Smart card authentication
  Opening the Altus Console

CREDENTIAL MANAGER
  Introduction
  Managing user credentials
  Password credential
  Fingerprint credential
  Enrolling fingerprints with a fingerprint reader
  Enrolling fingerprints with a ten print scanner
  Smart, Contactless and Proximity Cards credential
  Password Recovery credential
  PIN credential
  Bluetooth credential
  One Time Password credential

PASSWORD MANAGER
  Introduction
  Managed logons and personal logons
  Browser Integration
  Internet Explorer
  Google Chrome
  Firefox
  Adding logons
  Remember account data
  Creating logons
  Editing logons
  Editing from the Password Manager page
  Editing from the Password Manager icon
  Organizing logons into categories
  Managing your logons
  Using the Logons Menu
  Using managed logons
  Logging On
  Changing passwords
  Website Exclusions
  Backing up Password Manager Data
  Restoring Password Manager Data
  Settings
  Differences in supported browsers
  Internet Explorer
  Firefox
  Chrome

QUICK ACTIONS
  Introduction

ALTUS ATTENDED ENROLLMENT
  Introduction
  Security Officer identification
  (Altus only) User creation or selection
  Altus AD only: User selection
  Credential enrollment
  Password credential
  Fingerprints credential
  Enrolling fingerprints with a fingerprint reader
  Enrolling fingerprints with a ten print scanner
  Smart, Contactless and Proximity Cards credential
  PIN credential
  Password Recovery credential
  OTP credential
  Photo (Altus LDS only)
  Completing enrollment
  Advanced Features

ALTUS KIOSK
  Introduction
  Feature overview
  Comparing Altus Workstation and Altus Kiosk
  Logging On to Windows
  Logging on to Windows without Kiosk
  Automatic logon using the Shared Kiosk Account
  Changing Your Password
  User Account Control
  Using the Password Manager Admin Tool with Altus Kiosk
  Logging On to Password-Protected Programs
  Switching Users on Altus Kiosk Computers

INDEX

Overview
1
This chapter provides a high-level overview of the Altus clients and client components that are part of the
DigitalPersona Altus solution. It includes the following topics.
Main topics in this chapter:
• Introduction
• Altus clients
• Authentication and Credentials
• Licensing model
• System Requirements
• Support Resources
Introduction
Instructions for installing each client are contained in Section One beginning on page 10. Details on the functions and
features of each client can be found in Section Two, beginning on page 29.
There are two variations of the major Altus clients: one that works with the Altus Server (which uses AD LDS and does not
require extension of the Active Directory schema) and another that works with the Altus AD Server (which requires
extension of the Active Directory schema). These clients are:
• Altus Workstation
• Altus AD Workstation
• Altus Kiosk
• Altus AD Kiosk
Each of the above variations has its own unique Windows installer.
Attended Enrollment is treated in a separate chapter, although it is technically an optional component of both Altus
Workstation and Altus AD Workstation and may be selected during a Custom installation.
Any references to procedures or UI elements, and all images included in this guide, are always to the current version of
the product unless another version is specifically referenced.
Procedures and images are for the product as installed on Windows 7 unless otherwise noted.
Altus clients
The DigitalPersona Altus solution supports the following clients:
• Altus Workstation and Altus AD Workstation - This primary client enforces security and authentication policies on
  managed Windows computers while providing intuitive access to end-user features and functionality. It may be
  centrally managed by an Altus Server, or installed as a standalone product.
• Altus Kiosk and Altus AD Kiosk - This specialized kiosk client provides DigitalPersona Altus features for
  environments where users log on to a shared, common Windows account on a computer managed by Altus Server.
• Attended Enrollment - This optional component of Altus Workstation and Altus AD Workstation allows supervised
  enrollment of Altus end-users by designated persons.
• Mobile Enrollment - This client provides DigitalPersona Altus features that are specifically tailored to creating and
  enrolling Altus end-users in the field without ongoing access to an Altus Server. Acquired information can be
  exported and later imported into the Altus Server by an Altus Security Officer.
NOTE: Altus clients may be installed individually on computers or deployed through Active Directory GPO, SMS
(Systems Management Server) or logon scripts. They cannot be installed through ghosting or imaging technologies.
Altus Workstation
DigitalPersona’s Altus Workstation is the primary full-featured client application for end-users, providing an intuitive
means for increasing both security and convenience through a variety of administrator and end-user configurable
options including enrollment and use of multiple credentials, and the use of automated logons for enterprise resources,
programs and websites. For more details, see the chapter “Altus Workstation” on page 30.
Altus Kiosk
DigitalPersona’s Altus Kiosk is a client application specifically designed for environments where users need fast,
convenient and secure multi-factor identification on workstations shared by multiple users. Although the Kiosk
application uses a single Windows account, each Altus user logs in to Kiosk with their own Altus credentials, gaining
separately controlled access to resources, applications and data. For a full description of its features, see the chapter
“Altus Kiosk” on page 71.
Altus Attended Enrollment
DigitalPersona’s Attended Enrollment is a client application specifically designed for the supervised creation of Altus
users and enrollment of their credentials. For a full description of its features, see the chapter “Altus Attended
Enrollment” on page 58.
Authentication and Credentials
The default, and simplest, means of authentication, i.e. making sure that you are a person authorized to access a
computer or other resource, is your Windows account name and password. Authentication is generally required in
logging on to Windows, accessing network applications and resources, and logging in to websites.
DigitalPersona Altus clients provide a means for the IT Administrator to easily set up and enforce strong authentication
such as two-factor and multi-factor authentication using a variety of supported credentials.
DigitalPersona Altus supports the use of various credentials for authentication, including Windows passwords,
fingerprints, smart cards, contactless cards, proximity cards, PIN, and Bluetooth devices.
An additional Password Recovery credential may be used solely for recovering access to a managed client computer
when other credentials fail, are forgotten or are unavailable.
Note that by default, user credentials are cached on the local Altus Workstation client, and not cached on a computer
running the Altus Kiosk client. This means that Altus Workstation users will be authenticated without a connection to
the Altus Server, but Altus Kiosk users will not be authenticated if there is no connection to the Altus Server.
By default, initial enrollment of end-user credentials is provided through the Altus Attended Enrollment and Altus
Mobile Enrollment components. For further details, see the chapter on Attended Enrollment (page 58) in this guide, or
the chapter on Mobile Enrollment in the DigitalPersona Altus Administrator Guide.
Licensing model
DigitalPersona Altus features and functionality as described in this Client Guide are included in the core version of the
product, unless otherwise indicated.
The basic licensing mechanism is the User license, which permits the enrollment of user credentials by a specified
number of DigitalPersona Altus users. The specific DigitalPersona Altus SKU and/or package you purchased may
entitle you to licensing of one or more additional modules or components that are integrated with your Altus software.
You should have received from DigitalPersona or from a DigitalPersona authorized reseller all of the license activation
keys and/or files that are part of the package you purchased. Contact your DigitalPersona representative, should you
have any questions. Some modules or optional components may need to be activated individually.
For information on other licensed versions of the product which may be available, and licensing for specific features,
contact your DigitalPersona Account Manager or Reseller - or visit our website at:
http://www.crossmatch.com/altus.aspx
Licenses may be activated through Active Directory using the included License Activation Manager. For more
information about DigitalPersona Altus license activation, see the Altus LDS or Altus AD Administrator
Guide.
System Requirements
Product/Component: Altus Workstation, Altus AD Workstation, Attended Enrollment, Altus Kiosk and Altus AD Kiosk
Minimum Requirements:
• Windows 7 or 8.x, 32/64-bit (Home editions are not supported.)
• 50 MB disk space, 100 MB during installation
• .NET Framework 4.5
• (x86 machines)
  - Microsoft Visual C++ 2013 SP1 Redistributable package (x86 version)
  - Microsoft Visual C++ 2010 SP1 Redistributable package (x86 version)
  - Microsoft Visual C++ Redistributable for Visual Studio 2012 Update 1 (x86 version)
• (x64 machines)
  - Microsoft Visual C++ 2013 SP1 Redistributable package (x86 and x64 versions)
  - Microsoft Visual C++ 2010 SP1 Redistributable package (x86 and x64 versions)
  - Microsoft Visual C++ Redistributable for Visual Studio 2012 Update 1 (x86 and x64 versions)
• Microsoft Internet Explorer or Google Chrome or Firefox browser required in order to create/use Password Manager personal logons or use managed logons. See the readme.txt file for tested browser versions.*
• Microsoft Internet Explorer (only) in order to create managed logons using the optional Password Manager Admin Tool (Workstation products only). See the readme.txt file for tested browser versions.
* Personal logons allow end-users to create automated logon to programs, websites and network resources. Managed
logons have the same function but are created by an administrator and deployed to end-users. Personal logons are not
available on Altus Kiosk or Altus AD Kiosk.
NOTE: When using Internet Explorer on Windows 8, Password Manager features are only available when the browser
is launched from the desktop, not from the Windows Modern UI Internet Explorer app.
For a list of compatible fingerprint readers and scanners, see the readme.txt file included with this software.
Support Resources
The following resources are provided for additional support.
• Readme files in the root directory of each product package contain late-breaking product information.
• AskPersona.com (http://askpersona.com) is a DigitalPersona knowledge portal providing answers to many frequently asked questions about our products.
• Maintenance and Support customers will find additional information about technical support resources in their Maintenance and Support confirmation email.
• Online help is included with each component and application.
All DigitalPersona Altus documentation is available on our website at:
http://www.crossmatch.com/Support/Reference-Material/Altus-Reference-Material/.
Section One: Installations
This section of the DigitalPersona Altus Client Guide includes the following chapters:
Chapter Number and Title: Purpose
2 - Altus Workstation installation: Requirements and procedure for installing DigitalPersona Altus Workstation.
3 - Altus Kiosk installation: Requirements and procedure for installing DigitalPersona Altus Kiosk.
4 - Altus Attended Enrollment: Requirements and procedure for installing Altus Attended Enrollment.
2 - Altus Workstation installation
This chapter describes installing the DigitalPersona Altus Workstation client.
Main topics in this chapter
• System requirements
• Deployment considerations - for Altus LDS Workstation
• Upgrading from previous versions
• Compatibility
• Local installation
• Remote installation of Altus Workstation
• Remote installation of Altus Workstation patches
• Command line Installation
• About Transform files
• Uninstalling Altus Workstation
Introduction
Although there are separate installation packages for the Altus and Altus AD versions of Workstation, the installations
are identical and the term Altus Workstation is generally used to refer to either one unless a distinction needs to be made
due to a difference in functionality or features. Screenshots are taken from the installation of the Altus AD Workstation
product.
Altus Workstation will generally be installed remotely using the Remote installation of Altus Workstation procedure
defined on page 16. However, in order to show the complete installation steps most clearly, local installation is
described first.
DigitalPersona Altus and Altus AD Servers will be used for authentication and should be installed and configured
before installing DigitalPersona Pro Workstation for Enterprise.
Note that the Altus Attended Enrollment feature is included in the Altus Workstation client package, but by default is not
installed. To install it, you will need to select the feature as part of a custom install according to instructions given in this
chapter for local, remote or command line installation. More complete details on installing Attended Enrollment are
available beginning on page 27.
System requirements
Before installing DigitalPersona Pro Workstation for Enterprise on a computer, make sure it meets the system
requirements and prerequisites listed on page 8, and that you have Administrative Rights on the computer.
Deployment considerations - for Altus LDS Workstation
If your environment includes more than one installation of Altus Server, and if those servers are not part of the same AD
LDS configuration set, then your Altus Workstations should be part of an OU where you can create a GPO defining the
specific AD LDS instance name where the Altus Server is hosted. See the setting AD LDS instance name in the
Policies and Settings chapter of the Altus AD or Altus LDS Administrator Guide.
Upgrading from previous versions
To upgrade from a previous version of this software, refer to the Altus AD or Altus LDS Upgrade Notes available at:
http://www.crossmatch.com/Support/Reference-Material/DigitalPersona-Altus-Reference-Material/.
Compatibility
This version of DigitalPersona Altus Workstation is compatible with the following DigitalPersona products.
• DigitalPersona Altus Auth SDK
• DigitalPersona Altus Confirm SDK
It is not compatible with any other DigitalPersona products, and cannot be installed on the same computer as any other
DigitalPersona products.
Installation
Local installation
To install Altus Workstation on a local computer
1. Launch the installer from the Altus Workstation folder of the product package.
   • Run Setup.exe from the Altus Workstation folder of the product package.
   • Or, for silent mode, enter setup.exe /s /v"/qn" at the command line.
2. When the Welcome page displays, click Next to proceed with the installation.
3. Read the License Agreement page. If you agree, select the I accept the terms in the license agreement button and click Next.
4. On the next page, you can specify the folder that DigitalPersona Pro Workstation for Enterprise will be installed in. If you want to install Altus Workstation to the default location, click Next; otherwise, click Change to specify a new location and then click Next to continue.
5. Choose one of the following options to indicate the type of installation you want to perform.
   • Typical - Installs the most commonly used features.
   • Custom - Allows selection of which features to install. Note that Attended Enrollment is not installed by default, but must be specifically selected as part of a Custom installation.
   If you plan on installing the optional DigitalPersona Altus Large Scale ID wrapper, you should deselect the Fingerprint Recognition Engine component. For further details, see the DigitalPersona Altus Large Scale ID wrapper section of the Optional installations chapter in the Altus AD or Altus LDS Administrator Guide.
   Make sure that the same recognition engine that was installed on the client is also installed on the server.
6. Click Next and then Install, to begin installation.
7. During installation, progress is shown until the process is completed.
8. When installation is complete, a final page displays. Click Finish.
9. When prompted to do so, reboot the computer.
After the computer restarts, and at every subsequent restart, the DigitalPersona Altus client software automatically uses
the default DNS Server to locate all DigitalPersona Altus Servers for the domain and its site. If more than one Altus
Server is found, the Workstation will choose the Altus Server for authentication that offers the most efficient
connectivity. If no Altus Servers are found, the client will perform authentication locally.
For a description of the features and functions of DigitalPersona Altus Workstation, see the chapter beginning on page
30.
Remote installation of Altus Workstation
For remote installation of Altus Workstation patches, see “Remote installation of Altus Workstation patches” on
page 17.
The installer for Altus Workstation uses Microsoft Windows Installer (MSI) technology, which allows administrators
to remotely install or uninstall the software using Active Directory administration tools, or other software deployment
tools.
Note that this installer is only compatible with program distribution (installation or uninstallation) to computers. It
cannot be used for program distribution to users.
To install Altus Workstation remotely through Active Directory use the following procedure. Some steps will vary
depending on the operating system version.
For mixed 32- and 64-bit environments, follow these steps twice to create an administrative installation file for each
environment.
1. Create an administrative installation package.
   a. Open a command prompt session and navigate to the location where you have stored the product package. Change the directory to “Altus Workstation\x86” for the 32-bit version or “Altus Workstation\x64” for the 64-bit version. Note that the 32-bit version will not install on 64-bit computers.
   b. Type setup.exe /a
   c. The product installation wizard launches and prompts you for a location where you would like the administrative installation package to be created. Choose a network shared drive that will be accessible to the computers where you will be installing the software. For example, \\servername\InstallDir, where InstallDir is a predefined shared folder. There is no need to reboot at the end of the wizard.
2. (Optional) To install only to a specific OU, create a Group Policy Object (GPO) that will be used to distribute the software package.
3. Install any prerequisites (see page 11) on the target computers.
4. Assign the package.
   a. Start the Group Policy Management snap-in. To do this, from the Windows Server Manager, Tools menu, select Group Policy Management.
   b. In the Group Policy Management tree, under the appropriate domain, right-click Default Domain Policy and choose Edit from the context menu. This will launch the Group Policy Management Editor.
   c. In the Group Policy Management Editor, open Computer Configuration, Policies, Software Settings, Software installation.
   d. Right-click Software installation and select New, Package from the context menu.
   e. In the Open dialog box, type the full Universal Naming Convention (UNC) path of the shared installer package that you want. For example, \\file server\share\file name.msi. It is important that you do not use the Browse button to access the location. Make sure that you use the UNC path of the shared installer package.
   f. Click Open.
   g. Click Assigned, and then click OK. The package is listed in the right-pane of the Group Policy window.
   h. For 32-bit installation packages only - Right-click the newly created package and select Properties. Then, on the Deployment tab, click Advanced. Deselect the checkbox Make this 32-bit X86 application available on Win64 machines. If this checkbox remains selected, the application will not install.
5. Installation will begin on each client during the first reboot after the computer obtains the deployment policy, i.e. during the next scheduled AD policy refresh or as a result of running gpupdate /force on the local computer.
Remote installation of Altus Workstation patches
This topic addresses the remote installation of client patches through slipstreaming. For standard product installation,
see the preceding topic.
The installer for Altus Workstation uses Microsoft Windows Installer (MSI) technology, which allows administrators
to remotely install patches to software using Active Directory administration tools, or other software deployment tools.
For mixed 32- and 64-bit environments, follow these steps twice - patching the administrative installation files for both
environments. Note that this installer only works for computer-based policy installation, not user-based.
To install an Altus Workstation patch remotely through Active Directory, use the following procedure. The following
steps assume that an administrative installation package has been created as described in the previous topic. Some steps
will vary depending on the operating system version.
1. Update the installation package.
   Open a command prompt session and type the following command to patch the previously created installation package.
   msiexec.exe /p [path\name of updated MSP file] /a [path\name of administrative installation file]
2. Redeploy the application.
   a. Start the Group Policy Management snap-in. To do this, from the Windows Server Manager, Tools menu, select Group Policy Management.
   b. Right-click the GPO that governs the computers you want to update and select Edit. This will launch the Group Policy Management Editor.
   c. In the Group Policy Management Editor, navigate to Computer Configuration/Policies/Software Settings/Software Installation.
   d. Right-click the previously deployed Altus client software package and select All Tasks\Redeploy application. Confirm your intent to redeploy the application.
3. Installation will begin on each client during the first reboot after the computer obtains the deployment policy, i.e. during the next scheduled AD policy refresh or as a result of running gpupdate /force on the local computer.
Command line Installation
DigitalPersona Altus Workstation can also be installed or uninstalled using MSI at the command line.
The syntax of the msiexec command is shown below and is followed by a description of the command line options,
parameters and values available:
msiexec /i setup.msi INSTALLDIR=[directory] ADDLOCAL=[software] REMOVE=[software] TRANSFORMS=[Name of transform file] /qn
Command line Options
Options - Description
/i - (Required) Indicates that MSI will be used to install the DigitalPersona Altus software. It must be followed by the full pathname to the setup.msi file.
/qn - (Optional) Hides the user interface when installing the software on the computer, allowing a “silent install.” If used, it is placed at the end of the command line.
Parameters
The following parameters indicate where the software should be installed on the computer, as well as what components
should be included or removed:
Parameters - Description
INSTALLDIR - (Optional) Specifies the location where the DigitalPersona Altus Workstation software should be installed. If a folder is not specified, defaults to: C:\Program Files\DigitalPersona
ADDLOCAL - (Optional) Indicates which DigitalPersona Altus Workstation features to install by providing one of the values listed below.
REMOVE - (Optional) Indicates which DigitalPersona Altus software features to uninstall by providing one of the values listed below.
TRANSFORMS - (Optional) Use the TRANSFORMS parameter to specify a UI language other than U.S. English. Separate multiple transforms with a semicolon. Do not use semicolons within the name of your transform, as the Windows Installer service will interpret those incorrectly. See page 18 for a list of the available transform files.
ADDLOCAL and REMOVE Values
The table below lists the values that may be provided with the ADDLOCAL and REMOVE parameters and provides a
description of each value:
Values - Description
ALL - Installs all DigitalPersona Altus software components and features or removes all of the components and features that are currently installed.
Logon - Installs or removes the Windows Logon feature.
AttendedEnrollment - Installs or removes the Attended Enrollment feature.
PasswordMgr - Installs or removes the Password Manager feature.
FingerprintEngine - Installs or removes the DigitalPersona Fingerprint Engine.
Following are a few rules when using these parameters and their values:
• If ADDLOCAL or REMOVE are not specified, msiexec will install all DigitalPersona Altus Workstation features.
• Individual software features cannot be installed unless the ALL value was used with the ADDLOCAL parameter first.
• To install DigitalPersona Altus Workstation software for the first time while omitting one or more software features, use ADDLOCAL=ALL, followed by the REMOVE parameter with each software component you do not want to install separated by a comma. For example:
msiexec /i setup.msi ADDLOCAL=ALL REMOVE=Logon,PasswordMgr
About Transform files
DigitalPersona uses Transform (.mst) files to create an installation package for DigitalPersona Altus components in the
supported languages listed below. These files are located in the Bin directory of your product package.
When creating a package for a GPO install, select the Advanced option and then add the transform file from the
Modifications tab. Ensure that the transform file is included in a folder that is shareable by the Active Directory server
computer and all target client computers.
Language - Transform file
French - 1036.mst
German - 1031.mst
Italian - 1040.mst
Brazilian Portuguese - 1046.mst
Spanish - 1034.mst
Chinese Simplified - 2052.mst
Chinese Traditional - 1028.mst
Japanese - 1041.mst
Korean - 1042.mst
Uninstalling Altus Workstation
You can remove the DigitalPersona Altus Workstation software using the Add or Remove Programs Control Panel or
through MSI. In the Control Panel, the Workstation software is listed as DigitalPersona Altus Workstation.
You must have local administrative privileges to modify or uninstall Altus Workstation.
3 - Altus Kiosk installation
This chapter describes installing the DigitalPersona Altus Kiosk client.
Main topics in this chapter
• System Requirements
• Migration from DigitalPersona Pro Kiosk
• Compatibility
• Local installation
• Remote Installation of Altus Kiosk
• Remote installation of Altus Kiosk patches
• Command line installation
• About Transform files
• Uninstalling Altus Kiosk
Although there are separate installation packages for the Altus and Altus AD versions of Kiosk, the installations are
identical and the term Altus Kiosk is used to refer to both in this guide. Screenshots are taken from the installation of the
Altus Kiosk product.
Altus Kiosk will generally be installed remotely using the Remote Installation of Altus Kiosk procedure defined on page
23. However, in order to show the complete installation steps most clearly, local installation is described first.
DigitalPersona Altus or Altus AD Servers will be used for user identification and authentication and should be installed
and configured before installing DigitalPersona Altus Kiosk.
System Requirements
Before installing DigitalPersona Altus Kiosk on a computer, make sure it meets the system requirements and
prerequisites listed on page 8.
Migration from DigitalPersona Pro Kiosk
DigitalPersona Altus Kiosk version 1.1 cannot be used to upgrade any previous DigitalPersona Pro or Altus products.
Compatibility
This version of DigitalPersona Altus Kiosk is compatible with the following DigitalPersona products.
• DigitalPersona Altus Auth SDK
• DigitalPersona Altus Confirm SDK
It is not compatible with any other DigitalPersona products, and cannot be installed on the same computer as any other
DigitalPersona products.
Installation
Local installation
To install DigitalPersona Altus Kiosk locally
1. Launch the installer from the Altus Kiosk or Altus AD Kiosk folder of the product package.
   • Run Setup.exe from the Altus Kiosk or Altus AD Kiosk folder of the product package.
   • Or, for silent mode, enter setup.exe /s /v"/qn" at the command line.
2. When the Welcome page displays, click Next to proceed with the installation.
3. Read the License Agreement page. If you agree, select the I accept the terms in the license agreement button and click Next.
4. On the next page, you can specify the folder that Altus Kiosk will be installed in. If you want to install to the default location, click Next; otherwise, click Change to specify a new location and then click Next to continue.
5. Choose one of the following options to indicate the type of installation you want to perform.
   • Typical - Installs the most commonly used features.
   • Custom - Allows selection of which features to install.
   (Altus LDS only) If you plan on installing the optional DigitalPersona Altus Large Scale ID wrapper, you should deselect the Fingerprint Recognition Engine component. For further details, see the DigitalPersona Altus Large Scale ID wrapper section of the Optional installations chapter in the Altus LDS Administrator Guide.
   Make sure that the same recognition engine that was installed on the client is also installed on the server.
6. Click Next and then Install, to begin installation.
7. Click Finish to close the InstallShield Wizard.
8. When prompted to do so, reboot the computer. Click Yes to restart now, or No if you plan to restart later.
After the computer restarts, and at every subsequent restart, Pro Kiosk automatically uses the default DNS Server to
locate all DigitalPersona Altus Servers for the domain and its site. If more than one Altus Server is found, Pro Kiosk
will choose the Altus Server for authentication that offers the most efficient connectivity. For instructions on using Pro
Kiosk, see page 71.
Remote Installation of Altus Kiosk
For remote installation of Altus Kiosk patches, see “Remote installation of Altus Kiosk patches” on page 24.
The installer for Pro Kiosk uses Microsoft Windows Installer (MSI) technology, which allows administrators to
remotely install or uninstall the software using Active Directory administration tools, or other software deployment
tools.
Note that this installer only works for computer-based policy installation, not user-based installations.
To install Altus Kiosk remotely through Active Directory, use the following procedure. Some steps will vary depending
on the operating system version.
For mixed 32- and 64-bit environments, follow these steps twice to create an administrative installation file for each
environment.
1. Create an administrative installation package.
   a. Open a command prompt session and change the directory to “DigitalPersona Altus Kiosk\x86” or “DigitalPersona Altus AD Kiosk\x86” on 32-bit operating systems, or “DigitalPersona Altus Kiosk\x64” or “DigitalPersona Altus AD Kiosk\x64” on 64-bit operating systems.
   b. Type setup.exe /a
   c. The product installation wizard launches and prompts you for the location where you would like the administrative installation file to be created. Choose a network shared drive that will be accessible to the computers where you will be installing the software. For example \\servername\InstallDir, where InstallDir is a predefined shared folder. (There is no need to reboot at the end of the wizard.)
2. (Optional) To install only to a specific OU, create a Group Policy Object (GPO) that will be used to distribute the software package.
3. Assign the package.
   a. Start the Group Policy Management snap-in. To do this, from the Windows Server Manager, Tools menu, select Group Policy Management.
   b. In the Group Policy Management tree, under the appropriate domain, right-click Default Domain Policy and choose Edit from the context menu. This will launch the Group Policy Management Editor.
   c. In the Group Policy Management Editor, open Computer Configuration, Policies, Software Settings, Software installation.
   d. Right-click Software installation and select New, Package from the context menu.
   e. In the Open dialog box, type the full Universal Naming Convention (UNC) path of the shared installer package that you want. For example, \\file server\share\file name.msi. It is important that you do not use the Browse button to access the location. Make sure that you use the UNC path of the shared installer package.
   f. Click Open.
   g. Click Assigned, and then click OK. The package is listed in the right-pane of the Group Policy window.
   h. For 32-bit installation packages only - Right-click the newly created package and select Properties. Then, on the Deployment tab, click Advanced. Deselect the checkbox Make this 32-bit X86 application available on Win64 machines. If this checkbox remains selected, the application will not install.
4. Installation will begin on each client during the first reboot after the computer obtains the deployment policy, i.e. during the next scheduled AD policy refresh or as a result of running gpupdate /force on the local computer.
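Packages assigned under Computer Configuration are installed by the Local System account at startup, so any principal that can modify the administrative installation point created in step 1 controls code that runs with full privileges on every targeted Workstation or Kiosk client. The PowerShell check below is an added example, not part of this guide or of DigitalPersona's tooling; the function names and the trusted-SID list are assumptions, the UNC path is the guide's placeholder, and only NTFS permissions are inspected (share-level permissions are listed on the file server with Get-SmbShareAccess).

```powershell
# Added example, not DigitalPersona code. Requires PowerShell 4.0 or later
# (Get-FileHash). Function names and the trusted-SID list are assumptions.

# Rights that allow a package or its folder to be replaced or altered.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only ACEs can carry raw generic bits instead of specific rights.
$GenericWriteOrAll = 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

function Get-WritableAce {
    # Returns every Allow ACE that grants modify-type rights to a principal
    # whose SID does not match one of the trusted patterns.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$TrustedSidPatterns = @(
            '^S-1-5-18$',         # Local System
            '^S-1-5-32-544$',     # BUILTIN\Administrators
            '^S-1-5-21-.+-512$'   # Domain Admins
        )
    )
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $raw = [int]$ace.FileSystemRights
        $canWrite = ($raw -band [int]$WriteRights) -or ($raw -band $GenericWriteOrAll)
        if (-not $canWrite) { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # unresolved account: report as-is
        }
        $trusted = $false
        foreach ($pattern in $TrustedSidPatterns) {
            if ($sid -match $pattern) { $trusted = $true }
        }
        if (-not $trusted) {
            [pscustomobject]@{
                Path     = $Path
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

function Test-InstallPoint {
    # Records a hash and signature state for the package and lists who,
    # outside the trusted set, can change it or the folder it lives in.
    param([Parameter(Mandatory)][string]$PackagePath)
    $folder = Split-Path -Path $PackagePath -Parent
    $sig = Get-AuthenticodeSignature -FilePath $PackagePath
    [pscustomobject]@{
        Package        = $PackagePath
        Sha256         = (Get-FileHash -LiteralPath $PackagePath -Algorithm SHA256).Hash
        SignatureState = $sig.Status
        Signer         = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        WritableBy     = @(Get-WritableAce -Path $folder) + @(Get-WritableAce -Path $PackagePath)
    }
}

# Placeholder path taken from the guide's example share name.
$report = Test-InstallPoint -PackagePath '\\servername\InstallDir\setup.msi'
$report | Format-List Package, Sha256, SignatureState, Signer
$report.WritableBy | Format-Table -AutoSize
if ($report.WritableBy.Count -gt 0) {
    Write-Warning 'Principals outside the trusted list can modify the install point.'
}
```

Run it before assigning the package and again after patching the administrative installation with msiexec /p, keeping the recorded hash so that a change outside a planned patch stands out.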
Remote installation of Altus Kiosk patches
This topic addresses the remote installation of client patches through slipstreaming. For standard product installation,
see the preceding topic.
The installer for Altus Kiosk uses Microsoft Windows Installer (MSI) technology, which allows administrators to
remotely install patches to software using Active Directory administration tools, or other software deployment tools.
For mixed 32- and 64-bit environments, follow these steps twice - patching the administrative installation files for both
environments. Note that this installer only works for computer-based policy installation, not user-based.
To install an Altus Kiosk patch remotely through Active Directory, use the following procedure. The following steps
assume that an administrative install has been created as described in the previous topic. Some steps will vary
depending on the operating system version.
1. Update the installation package.
   Open a command prompt session and type the following command to patch the previously created installation package.
   msiexec.exe /p [path\name of updated MSP file] /a [path\name of administrative installation file]
2. Redeploy the application.
   a. Start the Group Policy Management snap-in. To do this, from the Windows Server Manager, Tools menu, select Group Policy Management.
   b. Right-click the GPO that governs the computers you want to update and select Edit. This will launch the Group Policy Management Editor.
   c. In the Group Policy Management Editor, navigate to Computer Configuration/Policies/Software Settings/Software Installation.
   d. Right-click the previously deployed Altus client software package and select All Tasks\Redeploy application. Confirm your intent to redeploy the application.
3. Installation will begin on each client during the first reboot after the computer obtains the deployment policy, i.e. during the next scheduled AD policy refresh or as a result of running gpupdate /force on the local computer.
Command line installation
DigitalPersona Pro Kiosk can also be installed or uninstalled using MSI at the command line.
The syntax of the msiexec command is shown below and is followed by a description of the command line options,
parameters and values available:
msiexec /i setup.msi INSTALLDIR=[directory] ADDLOCAL=[software] REMOVE=[software] TRANSFORMS=[Name of transform file] /qn
Command line Options
There is one required and one optional command line option:
Options - Description
/i - (Required) Indicates that MSI will be used to install the DigitalPersona Altus software. It must be followed by the full pathname to the setup.msi file.
/qn - (Optional) Hides the user interface when installing the software on the computer, allowing a “silent install.” If used, it is placed at the end of the command line.
Parameters
The following parameters indicate where the software should be installed on the computer, as well as what components
should be included or removed:
Parameters - Description
INSTALLDIR - (Optional) Specifies the location where the software should be installed. If a folder is not specified, defaults to: C:\Program Files\DigitalPersona
ADDLOCAL - (Optional) Indicates which Pro Kiosk features to install by providing one of the values listed below.
REMOVE - (Optional) Indicates which Pro Kiosk features to uninstall by providing one of the values listed below.
TRANSFORMS - (Optional) Use the TRANSFORMS parameter to specify a UI language other than U.S. English. Separate multiple transforms with a semicolon. Do not use semicolons within the name of your transform, as the Windows Installer service will interpret those incorrectly. See page 26 for a list of the available transform files for supported languages.
ADDLOCAL and REMOVE Values
The table below lists the values that may be provided with the ADDLOCAL and REMOVE parameters and provides a
description of each value:
Values - Description
ALL - Installs all Pro Kiosk components and features or removes all of the components and features that are currently installed.
PasswordMgr - Installs or removes the Password Manager application.
FingerprintEngine - Installs or removes the DigitalPersona Fingerprint Engine.
Following are a few rules when using these parameters and their values:
• If ADDLOCAL or REMOVE are not specified, msiexec will install all Pro Kiosk features.
• Individual software features cannot be installed unless the ALL value was used with the ADDLOCAL parameter first.
• To install Pro Kiosk software for the first time while omitting one or more software features, use ADDLOCAL=ALL, followed by the REMOVE parameter with each software component you do not want to install separated by a comma. For example:
msiexec /i setup.msi ADDLOCAL=ALL REMOVE=Logon,PasswordManager
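The command line rules given for both the Workstation and Kiosk installers can be enforced in a wrapper before msiexec is ever run. The PowerShell below is an added example, not DigitalPersona code: it accepts only the feature values and transform file names printed in this guide's tables, and the function names, the /l*v verbose log and the log path are assumptions of the example.

```powershell
# Added example, not DigitalPersona code. Requires PowerShell 3.0 or later.
# Feature and transform names are the ones printed in this guide's tables;
# function names and the log path are assumptions.
$AltusFeatures = @{
    Workstation = @('Logon', 'AttendedEnrollment', 'PasswordMgr', 'FingerprintEngine')
    Kiosk       = @('PasswordMgr', 'FingerprintEngine')
}
$AltusTransforms = @('1036.mst', '1031.mst', '1040.mst', '1046.mst', '1034.mst',
                     '2052.mst', '1028.mst', '1041.mst', '1042.mst')

function Format-MsiValue {
    # Quote a value that contains whitespace. A trailing backslash is trimmed
    # first so that it cannot escape the closing quote.
    param([Parameter(Mandatory)][string]$Value)
    if ($Value -match '\s') { return '"{0}"' -f $Value.TrimEnd('\') }
    return $Value
}

function New-AltusMsiArguments {
    param(
        [Parameter(Mandatory)][ValidateSet('Workstation', 'Kiosk')][string]$Product,
        [Parameter(Mandatory)][string]$MsiPath,
        [string]$InstallDir,
        [string[]]$Remove = @(),
        [string[]]$Transforms = @(),
        [string]$LogPath,
        [switch]$Silent
    )
    $parts = @('/i', (Format-MsiValue -Value $MsiPath))
    if ($InstallDir) { $parts += 'INSTALLDIR=' + (Format-MsiValue -Value $InstallDir) }

    if ($Remove.Count -gt 0) {
        $unknown = @($Remove | Where-Object { $_ -notin $AltusFeatures[$Product] })
        if ($unknown.Count -gt 0) {
            throw "Not a documented $Product feature: $($unknown -join ', ')"
        }
        # Rule from the guide: ADDLOCAL=ALL first, then the features to leave
        # out, separated by commas.
        $parts += 'ADDLOCAL=ALL'
        $parts += 'REMOVE=' + ($Remove -join ',')
    }

    if ($Transforms.Count -gt 0) {
        foreach ($t in $Transforms) {
            if ($t -match ';') { throw "Transform name contains a semicolon: $t" }
            if ((Split-Path -Path $t -Leaf) -notin $AltusTransforms) {
                throw "Not a transform file listed in the guide: $t"
            }
        }
        # Multiple transforms are separated by semicolons.
        $parts += 'TRANSFORMS=' + (Format-MsiValue -Value ($Transforms -join ';'))
    }

    if ($LogPath) { $parts += '/l*v', (Format-MsiValue -Value $LogPath) }
    if ($Silent)  { $parts += '/qn' }   # the guide places /qn last
    return ($parts -join ' ')
}

function Invoke-AltusInstall {
    # Runs msiexec and maps its exit code; 3010 means success, reboot pending.
    param([Parameter(Mandatory)][string]$Arguments)
    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $Arguments -Wait -PassThru
    switch ($p.ExitCode) {
        0       { 'Installed' }
        3010    { 'Installed, reboot required' }
        default { throw "msiexec failed with exit code $($p.ExitCode); see the log" }
    }
}

# Constructed sample call: leave out Windows Logon and Password Manager, French UI.
$cmd = New-AltusMsiArguments -Product Workstation -MsiPath '.\setup.msi' `
    -Remove 'Logon', 'PasswordMgr' -Transforms '1036.mst' `
    -LogPath "$env:TEMP\altus-install.log" -Silent
"msiexec $cmd"
# Invoke-AltusInstall -Arguments $cmd   # run from an elevated prompt
```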
About Transform files
DigitalPersona uses Transform (.mst) files to create an installation package for DigitalPersona Altus components in the
supported languages listed below. These files are located in the Bin directory of your product package.
When creating a package for a GPO install, select the Advanced option and then add the transform file from the
Modifications tab. Ensure that the transform file is included in a folder that is shareable by the Active Directory server
computer and all target client computers.
Language               Transform file
French                 1036.mst
German                 1031.mst
Italian                1040.mst
Brazilian Portuguese   1046.mst
Spanish                1034.mst
Chinese Simplified     2052.mst
Chinese Traditional    1028.mst
Japanese               1041.mst
Korean                 1042.mst
Uninstalling Altus Kiosk
You can remove the DigitalPersona Altus Kiosk software using the Add or Remove Programs Control Panel or through
MSI. In the Control Panel, the Kiosk software is listed as DigitalPersona Altus Kiosk or DigitalPersona Altus AD
Kiosk.
You must have local administrative privileges to modify or uninstall Altus Kiosk.
4 - Altus Attended Enrollment
THIS CHAPTER DESCRIBES INSTALLING THE DIGITALPERSONA ALTUS WORKSTATION CLIENT.
Main topics in this chapter
• System requirements
• Compatibility
• Local installation
• Uninstalling Altus Attended Enrollment
Introduction
This chapter provides instructions for installing Altus Attended Enrollment, a component of the Altus Workstation, used
to enroll user credentials under supervision of a delegated person or group in Altus LDS, or an Altus Security Officer in
Altus AD.
The following topics cover the installation of the Altus Attended Enrollment component.
• System requirements
• Compatibility
• Local installation
• About Transform files
• Uninstalling Altus Attended Enrollment
System requirements
Before installing Altus Attended Enrollment on a computer, make sure it meets the system requirements listed on page
8, and that you have Administrative Rights on the computer.
For a list of compatible fingerprint readers and scanners, see the readme.txt file included with this software.
Compatibility
The version of DigitalPersona Altus Attended Enrollment described in this guide is compatible with the following
DigitalPersona products.
• DigitalPersona Altus or Altus AD Workstation 1.1 or above
• DigitalPersona Altus Auth SDK 1.1 or above
• DigitalPersona Altus Confirm SDK 1.1 or above
It is not compatible with any other DigitalPersona products, and cannot be installed on the same computer as any other
DigitalPersona products.
Local installation
To install Altus Attended Enrollment on a local computer
1. Launch the installer from the Altus Workstation or Altus AD Workstation folder of the product package, by running
   Setup.exe.
   • Or, for silent mode, enter setup.exe /s /v" /qn" at the command line.
2. From the Setup Type page, select Custom.
   (Altus LDS only) If you plan on installing the optional DigitalPersona Altus Large Scale ID wrapper, you
   should deselect the Fingerprint Recognition Engine component. For further details, see the DigitalPersona
   Altus Large Scale ID wrapper section of the Optional installations chapter in the Altus LDS Administrator
   Guide.
   Make sure that the same recognition engine that was installed on the client is also installed on the server.
3. Click the X next to Attended Enrollment and select This feature will be installed on local hard drive.
4. Click Next and then Install, to begin installation.
For a description of the features and functions of Altus Attended Enrollment, see the chapter beginning on page 58.
Uninstalling Altus Attended Enrollment
Since Altus Attended Enrollment is actually a subcomponent of Altus Workstation or Altus AD Workstation, it cannot
be uninstalled separately from the Workstation product.
If you must remove Altus Attended Enrollment from a computer, you will need to uninstall Altus Workstation or Altus
AD Workstation, and then reinstall it without Altus Attended Enrollment.
Section Two: Altus Client Features
Section Two of the DigitalPersona Altus Client Guide includes the following chapters:
Chapter Number and Title: Purpose (Page)
6 - Altus Workstation: Describes the features and functionality of the Altus Workstation Console. (Page 30)
7 - Credential Manager: Describes the features and functionality of the Credential Manager component, common to the Altus Workstation and Kiosk clients. (Page 33)
8 - Password Manager: Describes the features and functionality of the Password Manager component, common to the Altus Workstation and Kiosk clients. (Page 45)
9 - Quick Actions: Describes the Quick Actions page, a component of the Altus Workstation. (Page 56)
10 - Altus Attended Enrollment: Describes the features and functionality specific to the Altus Attended Enrollment component. (Page 58)
11 - Altus Kiosk: Describes the features and functionality specific to the Altus console provided in the DigitalPersona Altus Kiosk client. (Page 71)
6 - Altus Workstation
THIS CHAPTER DESCRIBES THE FEATURES OF THE DIGITALPERSONA ALTUS WORKSTATION CLIENT.
Main topics in this chapter
• Getting Started
• The Altus Console
• Windows authentication
• Smart card authentication
• Opening the Altus Console
Introduction
DigitalPersona Altus Workstation is a robust and fully featured workstation client which allows you to significantly and
easily increase the security of computers in your enterprise. Its specific features, options and behavior can be configured
through Active Directory GPOs and other tools as explained in the DigitalPersona Altus LDS and Altus AD
Administrator Guides.
A companion product, DigitalPersona Altus Kiosk provides users with fast, convenient and secure multi-factor
identification and authentication in environments where users share a common Windows account yet need separately
controlled access to resources, applications and data. (See page 71.)
Attended Enrollment, an optional component of Altus Workstation, allows administrators to assign a specific user or
group to supervise the credential enrollment process. (See page 58.)
This chapter includes the following major topics.
Most of the content in this section is written from the end-user perspective, and is also available through the various
Altus help files.
Note that the availability of some product features described in this chapter may be limited, or behave differently, as
determined by GPO policies and other settings described in the Administration Tools and Policies and Settings chapters
in the DigitalPersona Altus AD and Altus LDS Administrator Guides.
Getting Started
By default, Altus credentials are enrolled through the Altus Attended Enrollment component. However, an Altus
administrator may optionally choose to allow Windows users to self-enroll, i.e. enroll their credentials through Altus
Workstation.
The Altus Console
The Altus Console is the central location for easy access to Altus Workstation features and settings.
• Credential Manager - Enroll and manage Altus credentials and their settings.
• Password Manager - Create and manage Password Manager logons and accounts.
• Quick Actions - Configure the Altus Hot Key sequence, and assign tasks to various credential and key+credential
combinations.
Windows authentication
Once your DigitalPersona Altus Workstation client has been installed, logon to Windows is controlled by the Logon
Authentication Policy set by GPO in Active Directory. For a complete description of logon policies, see the chapter,
Logon Authentication Policy, in the DigitalPersona Altus AD and Altus LDS Administrator Guides.
Credentials that may be used to authenticate for Windows logon will be limited to those specified in the policy and
supported by required hardware or software present on the workstation. Some credentials, such as smart cards, need to
be previously formatted and initialized using the manufacturer’s middleware. Additionally, each credential must be
enrolled by the end-user, on their computer, or through the Altus Attended Enrollment components (see page 58).
The actual process of using your DigitalPersona credentials will vary slightly depending on the type of credential, but
will generally follow Microsoft usage with the following exceptions.
Smart card authentication
In order to use a contact-type smart card or a Proximity card for logging on to Windows, you must click your user tile
on the Windows Logon screen before presenting the card. Then you can insert your smart card for authentication, or
use a Proximity card in conjunction with another credential as specified by the Logon Authentication Policy in force.
Other types of (non-Proximity) contactless cards may be presented directly from the Logon screen for immediate logon
to Windows.
Opening the Altus Console
You can open the Altus Console in any of the following ways:
• [Windows 8] From the Apps screen, under DigitalPersona, select Altus Console.
• [Windows 7 or Vista] Click Start, click All Programs, click DigitalPersona, and then click Altus Console.
• Double-click the DigitalPersona Altus Workstation icon in the notification area, at the far right of the taskbar.
• Right-click the DigitalPersona Altus icon, and click Open Altus Console.
• Press the hot key combination Ctrl+Win Logo Key+H to open the Logons menu and then click Altus Console
(when no logons have been created yet) or Manage (after logons have been created).
7 - Credential Manager
THIS CHAPTER DESCRIBES THE CREDENTIAL MANAGER COMPONENT, WHICH IS PART OF THE DIGITALPERSONA ALTUS CLIENTS.
Main topics in this chapter
• Managing user credentials
• Password credential
• Fingerprint credential
• Smart, Contactless and Proximity Cards credential
• Password Recovery credential
• PIN credential
• Bluetooth credential
• One Time Password credential
Introduction
The Credential Manager component is part of the DigitalPersona Altus and Altus AD Workstation and Kiosk clients. It
may be used to enroll, manage, and configure settings for Altus credentials.
Launch the Credential Manager by tapping or clicking the Credential Manager tile from the Altus Console home page.
By default, this feature is disabled because the Attended Enrollment component is most often used to enroll user
credentials.
If you want to allow end-users to enroll and manage their own Altus credentials, see the Policies and Settings chapter
in the DigitalPersona Altus LDS and Altus AD Administrator Guides. However, the best practice is to not enable self-enrollment if Attended Enrollment will be used in the environment.
Managing user credentials
The credentials that will be available to a user for verifying their identity may be configured through GPO policies and
settings (for managed workstations) by an Altus Administrator or (if not managed) by the local administrator of the
computer.
Some credentials require the presence of built-in or attached hardware. The following steps will help you to enroll or
set up your credentials for use with the product’s features and applications. Unless otherwise specified through a GPO,
any hardware or software credential available will be listed in Credential Manager, and may be managed by the user
(when self-enrollment has been enabled by the Altus administrator).
This chapter includes instructions for enrolling and managing supported Altus credentials.
Password credential
Altus Workstation makes changing your Altus password simple.
CAUTION: Windows users should be aware that this will change your Windows password.
To change your password, follow these steps.
1. In the Altus Console, select Credential Manager, and then choose Change on the PASSWORD tile.
2. The Password page displays.
3. Enter your current password in the Current password text box.
4. Type a new password in the New password text box, and then type it again in the Confirm new password text
   box.
5. Click Save to immediately change your current password to the new one that you entered.
Fingerprint credential
If there is a fingerprint reader or ten print scanner built into or connected to your computer, you can enroll and manage
your fingerprints. Select the Fingerprints tile to display the Fingerprints page, where you can enroll your fingerprints
credential.
The process of enrolling your fingerprints is slightly different depending on whether you are using a single print
fingerprint reader, or a ten-print fingerprint scanner such as one of the Crossmatch Guardian products. See the
following two sections for descriptions of the steps for each of the hardware devices.
Enrolling fingerprints with a fingerprint reader
To enroll your fingerprints or manage your fingerprints credential
1. In the Altus Console, select Credential Manager, and then choose Add, Change or Delete on the
   FINGERPRINTS tile.
   • Change and Delete buttons display on the FINGERPRINTS tile only after the first fingerprint has been enrolled
     and saved.
   • The Delete button will delete all enrolled fingerprints for the logged on user. To delete a single fingerprint, choose
     Change and then select a highlighted fingerprint on the Fingerprints page.
2. The Fingerprints page displays.
3. An outline of two hands is displayed. Fingers that have been previously enrolled are highlighted.
   • To enroll a fingerprint, click the image of any finger not previously enrolled.
   • To delete a single previously enrolled fingerprint, click a highlighted finger on the outline.
4. After selecting a finger to enroll, you are prompted to scan the finger until its fingerprint is successfully enrolled.
   Upon completion, that finger image will be highlighted.
   Index or middle fingers are preferable.
5. Click Save. Note that fingerprint information is not saved until you click Next. If you leave the computer inactive
   for a while, or close the program, the changes you made are not saved.
WARNING: Users should never enroll the same finger under multiple Windows accounts. Doing so will cause the
finger to be rejected as a valid credential in any Windows account where it has been enrolled.
Enrolling fingerprints with a ten print scanner
For a list of supported ten print scanners, see the readme.txt file included with this software package. Additional files
may need to be installed before use. See the Optional installations chapter of the Altus AD or Altus LDS Administrator
Guide for further details.
The ten print scanner captures fingerprints in three segments, often described as 4-4-2, that is four fingers of the left
hand, four fingers of the right hand, and the two thumbs together.
1. Click the Fingerprints tile to display the Fingerprints pages.
2. Select which segment to enroll. In the displayed image, choose the left hand, right hand or thumbs.
3. Scan the selected fingers or thumbs as many times as requested to enroll them. If the user is missing any fingers,
   click the associated finger in the smaller image in the upper right.
4. Each successful enrollment will result in one of the scan numbers turning blue.
5. When enrollment of the segment is complete, the screen shows the fingerprint segment in blue.
6. Select another segment until the fingerprints of both hands and thumbs have been captured. Then click Save.
To delete a partial fingerprint segment
1. Once the credential has been enrolled, a Delete button is added to its tile.
2. Select the previously enrolled left or right hand or thumbs. Then confirm the deletion.
3. On the image, select the left or right hand or thumbs.
4. Click Delete.
5. Verify your identity to confirm the deletion.
Authentication
To authenticate with the ten-print scanner, use only a single finger or thumb and use only the front half of the scanner
screen to read the fingerprint.
Smart, Contactless and Proximity Cards credential
This tile provides a means for enrolling a user’s Smart, Contactless or Proximity Card credential.
To enroll a card credential
1. Click the Smart, Contactless and Proximity Cards tile to display the corresponding pages.
2. Insert a Smart Card into the card reader or place a Contactless or Proximity Card very close to the reader.
3. Click Enroll and then click Save.
To delete all enrolled cards, click Delete on the Cards tile. To delete a single card when more than one card is enrolled,
click Change on the Cards tile and then click Delete on the specific card image.
Password Recovery credential
Password Recovery allows users to regain lost access to their computer when they can’t log on with any other
credentials. They simply need to answer the three security questions selected during this enrollment process.
This feature is optional and is not available in the Altus Kiosk products. For Altus Workstation, it must be explicitly
configured by the Altus Administrator through the Enable Self Password Recovery setting. See Enable Self Password
Recovery in the DigitalPersona Altus LDS and Altus AD Administrator Guides.
On the Password Recovery page, you can enroll or manage your Password Recovery credential; for example, change
your recovery questions or the associated answers.
In order to use this recovery credential to gain access to a computer, the user must have previously logged on to the
same computer at least once with another valid credential.
To set up Password Recovery
1. In the Altus Console, select Credential Manager, and then choose Add, Change or Delete on the PASSWORD
   RECOVERY tile.
2. The Password Recovery page displays.
3. On the Password Recovery page, select three security questions, and then enter an answer for each question. You
   can also choose to write your own security questions by selecting that option from the dropdown menu.
4. After completing the questions and answers, select Save.
Administrators can configure the list of security questions displayed or create custom questions through the Enable
Self Password Recovery setting (See the DigitalPersona Altus LDS or Altus AD Administrator Guide.)
After your Password Recovery credential has been enrolled, you can access your computer using your personal
questions from the Windows Logon screen.
Smart, Contactless & Proximity Cards credential
Altus supports a wide variety of identity cards and card readers, including Smart cards, Contactless cards and
Proximity cards.
To enroll or manage a Card credential
1. In the Altus Console, select Credential Manager, and then choose Add, Change or Delete on the CARDS tile.
   • To delete all enrolled cards, click Delete on the CARDS tile.
   • To delete a single card when more than one card is enrolled, click Change on the CARDS tile and then click Delete
     on the specific card image.
2. Insert a card into the card reader or place a Contactless or Proximity Card very close to the reader.
3. The Cards page displays.
4. Insert a Smart Card into the card reader or place a Contactless or Proximity Card very close to the reader.
5. Once the card has been identified, its name will display on the screen with an Enroll button next to it.
6. Click Enroll. For Smart Cards, enter a Smart Card PIN. Then click Enroll.
PIN credential
An Altus PIN is a credential composed of a series of characters (numbers or letters). A PIN is often used in
combination with another credential to enhance its security. This PIN should not be confused with a Smart Card PIN
which is used as part of a Smart Card credential.
On the PIN page, you can create a new PIN or change your existing PIN.
To enroll or manage a PIN
1. In the Altus Console, select Credential Manager, and then choose Add, Change or Delete on the PIN tile.
2. The PIN page displays.
   • Add - Choose Add on the PIN tile. Then enter and confirm the characters that you want to use as your PIN and
     select Save.
   • Change - Choose Change on the PIN tile. Then enter and confirm the characters that you want to use as your PIN
     and select Save.
   • Delete - Choose Delete on the PIN tile. Then confirm the deletion by verifying your identity.
Bluetooth credential
Any Bluetooth-enabled device discoverable by this software may be used as a credential for authentication, when
combined with an additional supported credential as defined by the Logon or Session Policy in force.
Enrolling a Bluetooth credential does not automatically make it available on every Altus client. This is because
Bluetooth enrollment pairs the associated device with the machine where it is enrolled initially. To use their Bluetooth
credential on a machine other than the one where it was originally enrolled, users will need to pair their device with
each Workstation or Kiosk where they expect to use their Bluetooth credential.
All unenrolled and discoverable Bluetooth devices within range are displayed in the bottom portion of the page.
To enroll, pair or manage a Bluetooth credential
1. In the Altus Console, select Credential Manager, and then choose Add, Change or Delete on the BLUETOOTH
   DEVICES tile.
2. The Bluetooth Devices page displays.
   • Add - To add a new Bluetooth credential, or pair your previously enrolled device on this computer, choose Add on
     the BLUETOOTH DEVICES tile. Then on the Bluetooth Devices page, select a device and choose Enroll. If an
     expected device is not displayed, ensure that the device is set to be discoverable. If the device has not previously
     been paired with this computer, you will be asked to pair it, and then the device will be enrolled as a credential.
     Devices previously paired with the computer will simply be enrolled.
   • Change - To enroll an additional Bluetooth device, change your current Bluetooth device, or delete a specific
     Bluetooth device, choose Change on the Bluetooth Devices tile. Then on the Bluetooth Devices page, select Enroll
     or Delete.
   • Delete - To delete all enrolled Bluetooth devices, choose Delete on the Bluetooth Devices tile. Then confirm the
     deletion by verifying your identity.
One Time Password credential
A One Time Password (OTP) is a credential composed of a time-sensitive 6-digit code automatically generated by a
special Authenticator app on a user’s mobile device.
Once enrolled, this credential can be used for authentication at Windows logon and within a Windows session as
defined by the Logon or Session Policy in force.
On the Credential Manager, One Time Password page, you can
• Download the Google Authenticator app for your smartphone or tablet that generates the One Time Password
  which you then enter on your Windows workstation for authentication.
• Scan a QR code with your device that automatically creates an OTP account token linked to your OTP credential.
• Enter the OTP verification code generated by the device.
To download the OTP application for your smartphone
1. From the Altus Workstation user console, click Credential Manager, and then click ADD on the OTP tile.
2. Verify your identity with any enrolled credential.
3. In the upper right area of the screen select the tile that represents your smartphone's app store. Supported stores are:
   Apple App, Windows Phone, Google Play and BlackBerry World.
4. A QR code displays on your screen. Open a QR reader app on your mobile device and scan the QR code. This will
   download the app to your device.
To set up an Altus account on your device
1. Launch the downloaded app on your device.
2. Select Begin Setup.
3. Select Scan Barcode.
4. Scan the QR code that displays on the One Time Password Page.
   Do not scan the QR code again that was used to download the app.
5. You can also set up an Altus account in the Authenticator app by selecting the [+] sign in the app and entering
   the Altus account information manually.
6. To display the information in Credential Manager that needs to be entered on your device, select the Can't scan
   the barcode link on the One Time Password page.
To enroll your OTP credential
1. From the Altus Workstation user console, click Credential Manager, and then click ADD or CHANGE on the One
   Time Password tile.
2. Verify your identity with any enrolled credential.
3. With your device, scan the QR code that displays on the One Time Password Page. Do not scan the QR code again
   that was used to download the app.
4. In the Altus Console, enter the One Time Password displayed on your device.
5. Click Verify and Save.
To authenticate with your One Time Password
1. At Windows logon or on any Verify your Identity screen, select the One Touch Password tile.
2. Launch the OTP app on your device.
3. Enter the One Time Password displayed on your device into the OTP field on your workstation screen and select
   the arrow button.
To delete your OTP credential
1. Once the credential has been enrolled, a DELETE button is added to its tile.
2. Click Delete.
3. Verify your identity to confirm the deletion.
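The time-sensitive 6-digit code described in this section can be reproduced with the public TOTP algorithm (RFC 6238) used by Google Authenticator. The following Python code is an added example, not DigitalPersona code: it parses the kind of otpauth:// URI an authenticator QR code carries, computes the code, and verifies it with a clock-drift window and replay rejection. The URI contents, account label, window size and replay handling are assumptions, and the key is the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed enrollment URI of the kind an authenticator QR code carries.
# The secret is the RFC 6238 SHA-1 test key, Base32-encoded; the label and
# issuer are hypothetical.
SAMPLE_URI = (
    "otpauth://totp/Altus:jdoe%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Altus&digits=6&period=30"
)


def parse_otpauth(uri):
    """Extract the shared secret and parameters from an otpauth:// URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if query.get("algorithm", "SHA1").upper() != "SHA1":
        raise ValueError("only HMAC-SHA1 is handled in this example")
    b32 = query["secret"].replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)  # restore stripped Base32 padding
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": query.get("issuer", ""),
        "secret": base64.b32decode(b32),
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
    }


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC the 8-byte counter, then dynamically truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, at, digits=6, period=30):
    """RFC 6238: the counter is the number of whole periods since the epoch."""
    return hotp(secret, int(at) // period, digits)


def verify(secret, candidate, at, digits=6, period=30, window=1,
           last_counter=None):
    """Return the matching time-step counter, or None if the code is rejected.

    window       -- time steps of clock drift tolerated on either side of now
    last_counter -- counter of the last accepted code; the same or older
                    steps are refused so an observed code cannot be replayed
    """
    now = int(at) // period
    matched = None
    for step in range(now - window, now + window + 1):
        if step < 0 or (last_counter is not None and step <= last_counter):
            continue
        expected = hotp(secret, step, digits).encode()
        # Constant-time comparison; the loop does not exit early, so timing
        # does not reveal which step matched.
        if hmac.compare_digest(expected, candidate.encode()) and matched is None:
            matched = step
    return matched


if __name__ == "__main__":
    acct = parse_otpauth(SAMPLE_URI)
    code = totp(acct["secret"], 59, acct["digits"], acct["period"])
    print(acct["label"], code)
    # Accepted one step late (t=80) because the window tolerates drift.
    print(verify(acct["secret"], code, 80))
```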
8 - Password Manager
THIS CHAPTER DESCRIBES PASSWORD MANAGER, A CORE COMPONENT OF DIGITALPERSONA ALTUS WORKSTATION AND KIOSK
CLIENTS.
Main topics in this chapter
• Managed logons and personal logons
• Browser Integration
• Adding logons
• Editing logons
• Organizing logons into categories
• Managing your logons
• Using the Logons Menu
• Using managed logons
• Website Exclusions
• Backing up Password Manager Data
• Restoring Password Manager Data
• Settings
• Differences in supported browsers
Introduction
Logging on to Windows, websites, and applications is easier and more secure when you use Password Manager. You
can use it to create stronger passwords that you don't have to write down or remember, and then log on easily and
quickly with Altus enrolled credentials such as a fingerprint, smart/proximity/contactless card, or your Windows
password. Additional auxiliary credentials can also be used in multi-factor authentication.
Password Manager allows you to:
• Personal logons - Add, edit, or delete personal logons and logon account data.
• Managed logons - Add, edit or delete logon account data for managed logons provided by your administrator.
  This feature may optionally be disabled by the administrator.
• Use personal or managed logons to launch your default browser and log on to any website or program.
• Organize your logons into categories.
• See at a glance whether any of your passwords are a security risk.
Managed logons and personal logons
Managed logons are created, administered and deployed by an administrator using the Password Manager Admin Tool,
which is a separate installation from your DigitalPersona Altus product package. For instructions on using the
Password Manager Admin Tool, see the chapter in the DigitalPersona Altus LDS or Altus AD Administrator Guide.
In most cases, the first time a managed logon is used, you will be asked for your personal account logon data for a
resource. Whether account data is requested, and what type of data is required is determined when the managed logon
is created, and also governed by settings described in the DigitalPersona Altus LDS or Altus AD Administrator Guide.
If account data is required, it is only entered once. On subsequent use of the logon, account data will be filled in
automatically.
Additionally, many options are provided for customizing the use of managed logons for your environment. See the
Settings described in the DigitalPersona Altus LDS or Altus AD Administrator Guide.
Personal logons are created by an individual for their own use. Account data is entered during the creation of the
logon, and filled in automatically during subsequent use of the logon. This chapter primarily addresses the use of
personal logons, although much of the information also applies to the use of managed logons.
Browser Integration
To use Password Manager with your web browser, follow the steps listed below for integrating your browser with
Password Manager.
Internet Explorer
Internet Explorer for the desktop does not require any additional configuration. Password Manager does not support
the Internet Explorer Modern UI app.
Google Chrome
1. Install the Password Manager Extension for Google Chrome by clicking the following link or pasting it into your
   Chrome browser.
   http://secure.digitalpersona.com/passwordmanager/dp/altus/chrome/extension/
2. Follow the instructions that are displayed.
3. Then enable the DigitalPersona Chrome plug-in.
   • Copy the following text and paste it into the Chrome internet address field.
     chrome://plugins
4. Find the Altus Password Manager plug-in and make sure that Always Allowed is selected.
If you do not want Password Manager to continue showing notifications about integration problems, deselect the Show
Integration problem notifications checkbox.
Firefox
1. From the Firefox menu, select Add-ons.
2. On the resulting page, select Extensions.
3. Find the DigitalPersona Altus extension, and tap or click Enable.
4. Select Plugins.
5. Find the DigitalPersona Altus plugin and choose Always Activate.
6. Close and restart Firefox.
If you do not want Password Manager to continue showing notifications about Firefox integration problems, deselect
the Show Integration problem notifications checkbox.
Adding logons
There are two ways to add a logon for a website or program to Password Manager.
• Remember - Log in to a website or program and Password Manager will offer to remember your account
  information.
• Create - With a website or program logon screen displayed in your browser, scan an enrolled fingerprint or present
  an enrolled card to display the Create Logon dialog.
Once the logon is added to Password Manager, from then on, your logon information can be automatically filled in and
optionally submitted as well.
You can use these logons after browsing to the website or program, or click a logon from the Logons menu to have
Password Manager open the website or program and log you on.
Remember account data
Simply log in to a website or program as usual and Password Manager will offer to remember your account
information.
Click Remember and your logon information is saved. Next time you can log in with any enrolled credential.
If you do not want to see the Password Manager reminder each time you visit this site, select Never for this site.
Creating logons
To add a logon from the Create Logon dialog
DigitalPersona Altus - Client Guide
47
Adding logons
1
With a website or program logon screen displayed in your browser, scan an enrolled fingerprint or present an
enrolled card to display the Add Logon dialog.
2
Enter your logon data.
•
To populate the Email/User ID field with a preformatted Windows credential, click the arrow to the right of the
field and select one of the displayed options.
Windows User Name
Windows User Principal Name
Windows Domain\User Name
Windows Domain
•
To populate the Password field with a preformatted credential, click the arrow to the right of the field and
select one of the displayed options. Note the colored line under the Password field. This indicates password
strength from red, through yellow to green for optimum strength.
Windows User Password
Use previous password ... -Sometimes, you may modify a password in Password Manager, but this password is
rejected by the application. In this case, the software allows you to use a previous password (i.e. a password
previously entered for this logon page) instead of the most recent one.
If you select Use previous Password, after authentication you will be prompted to choose a previous password
in the Choose Password dialog (shown below). The list includes up to seven passwords and can be cleared
(deleted) permanently by clicking the Clear list button.
• To view the password for this logon, click Show password.
• To have the logon fields filled in, but not submitted, clear the Automatically submit account data check box.
3. If Password Manager does not display the required logon fields, click More fields. Then select the check box for
each field that is required for logon, or you can clear the check box for any fields that are not required for logon.
4. If Password Manager cannot detect all of the required logon fields, a message is displayed asking if you want to
continue. Click Yes to enter manual mode.
Each time that you access the now “trained” website, program or network resource, the Password Manager icon shown
below is displayed on the screen (Internet Explorer) or to the right of the first recognized entry field (Firefox and
Chrome), indicating that you can use any of your enrolled credentials to log on. An administrator can also create
managed logons for resources, including Change Password screens (see the Password Manager Admin Tool
chapter in the Altus LDS or Altus AD Administrator Guide).
Password Manager Icon for Internet Explorer
Password Manager Icon for Internet Explorer as displayed on a
recognized Change Password screen
Password Manager Icon for Firefox and Chrome
Password Manager Icon for Firefox and Chrome
as displayed on a recognized Change Password screen
Manual mode
A dialog is displayed with your logon fields filled in. Click the icon for each field and drag it to the appropriate logon
field, and then click the button to sign into the website.
Once you use the manual mode of entering the logon data for a site, you must continue to use this method to log on to
the same website in the future.
The manual mode of entering logon data is available only with Internet Explorer 8.
Editing logons
You can edit a logon from the Password Manager page, or from the Edit Logon dialog, whichever is more convenient
at the time.
Editing from the Password Manager page
To edit a previously created logon from within the main Password Manager page
1. Tap or click the buttons to the right of a logon name to select from the editing options. Select Edit.
2. A new dialog displays on top of the page, to show previously saved logon information and additional options.
3. The account data includes the following editable fields:
• Account name – The name used on the main Password Manager page to identify this account.
• Category - The name used for categorizing accounts on the main Password Manager page. Tap or click the
Category field to choose a previously entered category, or None.
• Login - This is the website label discovered by Password Manager as most likely indicating the login field. The
actual label name may vary from website to website, as this label is controlled by the website and not by Password
Manager.
• Password – This is the website label discovered by Password Manager as most likely indicating the
password field. The actual label name may vary from website to website, as this label is controlled by the
website and not by Password Manager. The actual password is hidden by default. To show the password,
click the Show button.
• Any optional additional fields and data saved for this account may be displayed in this area.
Editing from the Password Manager icon
To edit logon information from the Password Manager icon
1. Open the logon screen for a website or program.
2. Click the arrow on the Password Manager icon, and then click Edit logon to display a dialog for editing your
account information.
3. Edit your logon information. See the topic Editing from the Password Manager page on page 50 for further details.
4. Click Save.
Organizing logons into categories
Keep your logons in order by assigning them to custom categories.
Logons can be added to a category by selecting the category from the Category dropdown menu when editing the
logon. A logon may belong to only one category.
However, when creating additional logons for the same web domain:
• If there are two or more accounts belonging to the same web domain, which do not belong to any custom category,
then they will be categorized by their domain name (defined as the characters appearing after "http(s)://" and
before the domain zone.)
• If an account is already assigned to a custom category, there is no nested category for it based on the domain name.
To create a new category - Tap or click Manage Categories. Then select Add Category and enter a category name in
the resulting dialog.
To Edit a category name - Tap or click Manage Categories. Then double-click the category and type a new name in the
Category Name field.
To Remove a category, tap or click the icon at the end of the line that contains the category.
Managing your logons
Password Manager makes it easy to manage your logon information for user names, passwords, and multiple logon
accounts, from one central location.
Your logons are listed on the Password Manager page in the Altus user console. Each logon includes an entry for the
website, program or other resource, and an indented entry for each set of account data created for the resource.
To manage your logons:
From the user console, click Password Manager
Log in—Log in to a website or program for which you have an existing logon.
Edit—Edit a logon.
Add—Add a new account for an existing logon.
Remove—Delete a logon or account.
Using the Logons Menu
Password Manager provides a fast, easy way to launch the
websites and programs for which you have created personal
logons. Double-click a program or website logon from the
Logons Menu to open the logon screen and automatically fill in
your logon data.
Managed logons may also be created by your administrator, and
may display on the Logons menu.
When you create a logon, it is automatically added to your
Password Manager Logons Menu.
To display the Logons Menu, do one of the following:
• Press the Password Manager hot key combination.
Ctrl+Win+H is the factory setting. You can change the Hot Key combination from the Quick Actions page,
accessed by clicking the Quick Actions tile in the Altus Console.
• Scan your fingerprint (on computers with a built-in or connected fingerprint reader).
Using managed logons
If you are deploying managed logons to your users, this topic contains information that you will want to make sure is
passed on to them. The same information is also included in the end-user help file included with compatible clients.
Logging On
After creating managed logons and deploying them to users, users will be able to launch a logon screen and verify their
identity with their specified credentials.
Logon screens that have a logon created for them display the Password Manager icon on the screen.
Password Manager Icon for Internet Explorer
Password Manager Icon for Firefox and Chrome
Depending on the attributes defined by the logon administrator, the logon process may vary.
• A user can be automatically logged on, with all fields populated and submitted, simply by verifying their identity.
• The user may need to supply information for required fields the first time they use the logon, but be automatically
logged on subsequently.
• If a user has multiple sets of account data, they will be prompted to select the account they wish to log on to in the
Select Account Data dialog box.
Changing passwords
After creating logons and deploying them to users, managed password screens display the Password Manager icon on
the screen. After verifying their identity, the user is asked to provide an old password, a new password and to confirm
the new password.
Depending on the logon attributes, the change password process may vary.
• The user can be allowed to choose a new password with or without constraints on the password content.
• A new random password can be automatically generated, in which case the user must log on with alternate credentials.
Website Exclusions
The Website Exclusions list displays websites that are excluded from being managed by Password Manager. There are
two ways that a website ends up on this list.
• When Password Manager prompted to remember logon credentials, you selected Never for this site.
• You manually added the website's URL to the list.
To access the Website Exclusions list
• From the Altus Workstation user console, click Password Manager, and then click Website Exclusions.
To add a website to the Website Exclusions list
1. On the Website Exclusions page, select Add Website.
2. Enter the URL for a website that you want to add to the Website Exclusions list. Click Save.
To edit a website on the Website Exclusions list
1. On the Website Exclusions page, click the Edit icon for the entry that you want to change.
2. Enter your changes and click Save.
To delete a website from the Website Exclusions list
• On the Website Exclusions page, click the Delete icon for the entry that you want to delete.
To search for websites in the Website Exclusions list
1. Enter the text to search for in the Search field.
2. Click the Search icon.
Backing up Password Manager Data
It is recommended that users back up their Password Manager data on a regular basis. How often they back it up
depends on how often the data changes. For instance, if a user adds new logons on a daily basis, they should probably
back up their data daily.
Note that only their Password Manager data is backed up by this feature, not their enrolled credentials or the Altus
Workstation software.
Backups can also be used to migrate Password Manager data from one computer to another. Altus Workstation must be
installed on any computer that is to receive backed up data before the data can be restored from the backup file.
To back up Password Manager data:
1. Open the Altus Workstation console.
2. On the console Home page, choose Password Manager and then select Backup.
3. Enter a name for the backup file. By default, the file will have a .dpb file extension. Click Browse to specify a
location for the backup file.
4. Enter and confirm a password to protect the file. Then select Backup.
5. Verify your identity with any enrolled credential. Then click OK.
Restoring Password Manager Data
Password Manager data previously backed up through the Backup feature (as a .dpb file) can be restored to the same
computer or another computer where Altus Workstation is installed.
Note that only a user’s Password Manager data is restored by this feature, not their enrolled credentials or the Altus
Workstation software.
To restore Password Manager data:
1. Open the Altus Workstation console.
2. On the console Home page, choose Password Manager and then select Restore.
3. Select the previously created backup (.dpb) file. You can enter the path in the field provided or click Browse to
locate the file.
4. Enter the password used to protect the file.
5. Select Restore.
6. Verify your identity with any enrolled credential. Then click OK.
Settings
On the Password Manager Settings page, you can personalize your experience of Password Manager. The Settings
page can be accessed by clicking the Settings link at the bottom of the Password Manager page.
Prompt to remember logon credentials - By default, prompts you to use Password Manager to save your logon
credentials, on screens recognized as containing logon fields.
Differences in supported browsers
Internet Explorer
All features described in this Application Guide are supported in those versions of Microsoft Internet Explorer that are
listed in the System Requirements.
Firefox
When used with supported versions of the Firefox browser, all Password Manager features are available except for
Manual Mode and the following Logon properties used in creating managed logons: Lock out logon fields and Monitor
screen changes. See the Password Manager Admin Tool chapter in the Altus LDS or Altus AD Administrator
Guide.
Chrome
When used with supported versions of the Chrome browser, all Password Manager features are available except for
Manual Mode and the Lock out Logon Fields property used in creating managed logons. See the Password Manager
Admin Tool chapter in the Altus LDS or Altus AD Administrator Guide.
When logging in to a website with a managed logon that was created with the Start Authentication Immediately
property set, after logging out or canceling the authentication dialog and being returned to the login page, the
authentication dialog is not redisplayed.
Quick Actions 9
THIS CHAPTER DESCRIBES QUICK ACTIONS, A FEATURE OF ALTUS AD AND ALTUS LDS WORKSTATIONS.
Introduction
On the Quick Actions page, you can change the DigitalPersona Hot Key sequence and configure Quick Actions,
operations performed automatically in response to the use of the Altus Workstation Hot Key, a credential or a
Key+Credential combination.
This feature is available in DigitalPersona Altus Workstation and Altus AD Workstation. It is not available in
DigitalPersona Altus Kiosk or Altus AD Kiosk.
To manage Quick Actions settings
1. Launch the Altus Console
2. Tap or click the Quick Actions tile.
Only fingerprint and supported smart (contact, contactless and proximity) card credentials will initiate a Quick Action.
Specific Quick Actions may be disabled by your administrator.
Available Quick Actions are:
Password Manager Action - Initiates a specific action depending on context.
When the active window has an associated Password Manager personal logon or managed logon, fills in account
data.
If the window is determined to be a logon screen that does not have an associated personal logon or managed
logon, and the Allow creation of personal logons setting is enabled or not configured, the Add Logon dialog
displays.
If none of the above cases are true, the Logons Menu or user dashboard is shown.
Fast Connect - Connects to a Citrix session or runs a XenApp Published Application.
It also fills in specified credentials and logs into an application. If a connection is already active, disconnects from
the session.
Lock Computer - Locks the computer.
The assignment of the Altus Workstation Hot Key, and the Quick Actions performed by presenting a credential or
Key+Credential combination, may have been configured by your administrator. If so, you will not be able to
change them.
Altus Attended Enrollment 10
THIS CHAPTER DESCRIBES ALTUS ATTENDED ENROLLMENT, AN OPTIONALLY INSTALLED COMPONENT OF THE DIGITALPERSONA
ALTUS WORKSTATION CLIENT.
Main topics in this chapter
Security Officer identification
(Altus only) User creation or selection
Altus AD only: User selection
Credential enrollment
Completing enrollment
Advanced Features
Introduction
Altus Attended Enrollment allows the Altus administrator to delegate a user or group to supervise the credential
enrollment process. It is not installed as part of the typical (default) installation, but must be selected as part of a Custom
installation of Altus Workstation. See page 27 for installation details.
Supervised (attended) enrollment is the default method of creating Altus users and enrolling their credentials. However,
self-enrollment of user credentials is also an option. See the Altus LDS or Altus AD Administrator Guide for
details.
Much of the behavior of the Altus Attended Enrollment UI is configurable through an XML file,
DPAttendedEnrollment.exe.xml, which is located in the BIN folder of the DigitalPersona installation directory.
Available configuration options and parameters are explained within the XML file.
There are a few small differences in functionality depending on whether the Altus solution you are using is the Altus
LDS or Altus AD product. These differences will be noted within the content that follows.
Security Officer identification
When launching Attended Enrollment, the first screen requires authentication by an Altus Security Officer.
The Security Officer submits any of their enrolled credentials. When using a Windows password, they can simply
click the arrow to the right of the password field. The User Selection page displays.
Additionally, by default, the Security Officer will need to authenticate after enrollment of each credential. This
feature can be configured through the governing XML file. Also, the user being enrolled will need to authenticate at
the end of the enrollment process. The user selection/creation process is different in Altus LDS and Altus AD as
shown in the following pages.
(Altus only) User creation or selection
For Altus AD user selection, see page 60.
1. On the User selection page, select whether the user is an Altus LDS User or Altus AD User, enter their user name
and click OK.
When an entered user name is not found in the Altus database, you have the option of creating the user at this point.
If you think you have simply misspelled the name, you can edit the name directly on this page and click OK to
search for the user again.
2. To create a new Altus user
• Click the Create this user link.
• On the User creation page, have Altus LDS Users enter and confirm an Altus password. Altus AD Users will need
to enter their Windows password. Then click OK.
3. The Credential Enrollment page displays. Credential Enrollment is the same in both Altus LDS and Altus AD, and
is described beginning on page 60.
Altus AD only: User selection
To select a user for Attended Enrollment
• On the User selection page, enter the name of the Windows user that you want to enroll credentials for, and click
OK.
Credential enrollment
Once a user is selected, the Credential enrollment page displays.
This is the central location within Attended Enrollment where a user’s credentials and other identifying information
can be enrolled and managed. Credential Enrollment is the same in both Altus LDS and Altus AD, but the UI and the
user experience is different depending on whether a single print fingerprint reader is being used for enrollment or a 10
print scanner.
The tiles on the page, representing credentials and other information that may be captured by Altus in relation to a
specific user, give access to pages where this information may be provided. The Altus administrator can configure
which specific tiles appear on the page, so there may be more or fewer tiles than shown in the above image. See the Altus
LDS or Altus AD Administrator Guide for details.
Note that the Bluetooth credential is not available during Attended Enrollment. This is because Bluetooth enrollment
pairs the associated device with the machine where it is enrolled, and most users will not be using their Bluetooth
device to authenticate on the Attended Enrollment machine.
In order to complete enrollment for a user, all tiles on the page must be visited, and will then indicate that they are
either enrolled or have been intentionally omitted. Enrolled tiles will be checked, and omitted tiles will show an arrow.
When information is omitted, the Security Officer must enter a reason for the omission, which is then made part of the
user record in the Altus database.
Password credential
The Password credential is automatically enrolled for Altus Users during the initial creation of the user. For Altus AD
users, the Password Credential is part of their Active Directory profile.
The Password tile provides a means to change the user’s password, by entering their current password, and then
entering and confirming a new password.
Fingerprints credential
If there is a fingerprint reader or ten print scanner built into or connected to your computer, you can enroll and manage
a user’s fingerprints. Select the Fingerprints tile to display the Fingerprints page, where you can enroll a user’s
fingerprints credential.
The process of enrolling a user’s fingerprints is slightly different depending on whether you are using a single print
fingerprint reader, or a ten-print fingerprint scanner such as one of the Crossmatch Guardian products. See the
following two sections for descriptions of the steps for each of the hardware devices.
Enrolling fingerprints with a fingerprint reader
To enroll a fingerprint
1. Click the Fingerprints tile to display the Fingerprints pages.
2. Click on a finger in the displayed hand image.
3. Scan the selected finger as many times as requested to enroll the fingerprint.
4. Click Save.
To delete a fingerprint, click any highlighted finger and confirm the deletion by clicking Yes.
Enrolling fingerprints with a ten print scanner
For a list of supported ten-print scanners, see the readme.txt file included with this software package. Additional files
may need to be installed before use. See the Optional installations chapter of the Altus AD or Altus LDS Administrator
Guide for further details.
The ten-print scanner captures fingerprints in three segments, often described as 4-4-2, that is four fingers of the left
hand, four fingers of the right hand, and the two thumbs together.
1. Click the Fingerprints tile to display the Fingerprints pages.
2. Select which segment to enroll. In the displayed image, choose the left hand, right hand or thumbs.
3. Scan the selected fingers or thumbs as many times as requested to enroll them. If the user is missing any fingers,
click the associated finger in the smaller image in the upper right.
4. Each successful enrollment will result in one of the scan numbers turning blue.
5. When enrollment of the segment is complete, the screen shows the fingerprint segment in blue.
6. Select another segment until the fingerprints of both hands and thumbs have been captured. Then click Save.
To delete a partial fingerprint segment
1. Once the credential has been enrolled, a Delete button is added to its tile.
2. Select the previously enrolled left or right hand or thumbs. Then confirm the deletion.
3. On the image, select the left or right hand or thumbs.
4. Click Delete.
5. Verify your identity to confirm the deletion.
Authentication
To authenticate with the ten-print scanner, use only a single finger or thumb. Use only the front half of the scanner
screen to read the fingerprint.
Smart, Contactless and Proximity Cards credential
This tile provides a means for enrolling a user’s Smart, Contactless or Proximity Card credential.
To enroll a card credential
1. Click the Smart, Contactless and Proximity Cards tile to display the corresponding pages.
2. Insert a Smart Card into the card reader or place a Contactless or Proximity Card very close to the reader.
3. Click Enroll and then click Save.
To delete all enrolled cards, click Delete on the Cards tile. To delete a single card when more than one card is enrolled,
click Change on the Cards tile and then click Delete on the specific card image.
PIN credential
This tile provides a means for enrolling a user’s PIN credential.
To enroll a PIN credential
1. Click the PIN tile to display the PIN page.
2. Enter and confirm a PIN. The system default requires a PIN between 6 and 12 alphanumeric characters, however
the minimum and maximum PIN length may be specified through a GPO setting by the Altus administrator.
3. Click Save.
Password Recovery credential
The Password Recovery credential allows the user to regain access to their Windows account by answering a series of
questions that have been previously configured. The Password Recovery tile provides a means to set up a user’s
Password Recovery Questions.
To set up a user’s Password Recovery Questions
1. Click the Password Recovery tile to display the Password Recovery page.
2. The user selects their questions from those available from the dropdown menus, and enters their unique answers.
They can also write their own security questions by selecting that option.
3. Click Save.
OTP credential
A One Time Password (OTP) is a credential composed of a time-sensitive 6-digit code automatically generated by a
special Authenticator app on a user’s mobile device.
Once enrolled, this credential can be used for authentication at Windows logon and within a Windows session as
defined by the Logon or Session Policy in force.
On the One Time Password page, you can
• Download the Google Authenticator app for your smartphone or tablet that generates the One Time Password
which you then enter on your Windows workstation for authentication.
• Scan a QR code with your device that automatically creates an OTP account token linked to your OTP credential.
• Enter the OTP verification code generated by the device.
To download the OTP application for the user’s smartphone
1. From the Credential enrollment page, click Add on the One Time Password tile.
2. Verify your identity with any enrolled credential.
3. In the upper right area of the screen select the tile that represents the app store for the user’s device. Supported
stores are: Apple App, Windows Phone, Google Play and Blackberry world.
4. A QR code displays on the screen. Have the user open a QR reader app on their mobile device and scan the QR
code. This will download the app to their device.
To set up an Altus account on the device
1. Launch the downloaded app on the device.
2. Select Begin Setup.
3. Select Scan Barcode.
4. Scan the QR code that displays on the One Time Password Page.
Do not scan the QR code again that was used to download the app.
5. The user can also set up an Altus account in the Authenticator app by selecting the [+] sign in the app and
entering the Altus account information manually.
6. To display the information in Credential Manager that needs to be entered on the device, select the Can't scan
the barcode link on the One Time Password page.
To enroll the One Time Password credential
1. From the Credential enrollment page, click Add or CHANGE on the One Time Password tile.
2. Verify your identity with any enrolled credential.
3. With your device, scan the QR code that displays on the One Time Password Page. Do not scan the QR code again
that was used to download the app.
4. In Credential enrollment, enter the One Time Password displayed on the device.
5. Click Save.
To delete an OTP credential
1. Once the credential has been enrolled, a DELETE button is added to its tile.
2. Click Delete.
3. Verify the user’s identity to confirm the deletion.
To authenticate with a One Time Password
1. At Windows logon or on any Verify your Identity screen, select the One Touch Password tile.
2. Launch the OTP app on the device.
3. Enter the One Time Password displayed on the device into the OTP field on the workstation screen and select the
arrow button.
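The time-sensitive 6-digit code described in this section, shown as an added example that is not part of the original guide and is not Crossmatch code: how such a code is derived and checked on the verifying side, assuming the RFC 6238 defaults that Google Authenticator uses (HMAC-SHA1, 30-second step, base32 manual key). The guide does not document the parameters Altus actually uses; the TotpVerifier class, its one-step drift window and the sample secret are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # assumption: RFC 6238 default time step
DIGITS = 6         # the guide describes a 6-digit code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP whose counter is the number of whole time steps since the Unix epoch."""
    return hotp(secret, int(at) // step)


def decode_manual_key(key: str) -> bytes:
    """Decode a base32 key typed by hand: tolerate spaces, dashes, lower case, missing padding."""
    cleaned = key.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Hypothetical verifier: small clock-drift window plus replay rejection."""

    def __init__(self, secret: bytes, window: int = 1, step: int = STEP_SECONDS):
        self.secret = secret
        self.window = window      # accept codes from +/- this many time steps
        self.step = step
        self.last_counter = -1    # highest time step already used for a successful logon

    def verify(self, code: str, at: float) -> bool:
        # Reject anything that is not exactly six ASCII digits before comparing.
        if len(code) != DIGITS or not (code.isascii() and code.isdigit()):
            return False
        now = int(at) // self.step
        matched = None
        # Check every step in the window; compare_digest avoids timing leaks.
        for counter in range(max(0, now - self.window), now + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                matched = counter
        # A code is single use: a step at or before the last accepted one is a replay.
        if matched is None or matched <= self.last_counter:
            return False
        self.last_counter = matched
        return True


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test secret, typed as a grouped lower-case base32 key.
    secret = decode_manual_key("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    now = 1111111109  # fixed timestamp from the RFC 6238 test vectors
    verifier = TotpVerifier(secret)
    code = totp(secret, now)
    print("code on device:        ", code)
    print("first use accepted:    ", verifier.verify(code, now))
    print("replay accepted:       ", verifier.verify(code, now + 5))
    print("stale code (3 steps):  ", TotpVerifier(secret).verify(totp(secret, now - 90), now))
```

The drift window trades usability for exposure: each extra step accepted on either side extends the lifetime of an observed code by 30 seconds, which is why the replay check matters.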
Photo (Altus LDS only)
This tile provides a means for taking a photograph of the user. Note that this photograph is not an Altus credential and
cannot be used for verifying your identity when authentication is required for login to Windows, websites or programs.
This page does not display in the Altus AD Console.
To take a photograph of the user
1. Position the user in front of the camera.
2. If necessary, use the slider bar to adjust the brightness of the image.
3. Click Take photo. Then click Save.
Completing enrollment
Once all displayed tiles have either been enrolled or omitted, the Security Officer clicks Complete enrollment and the
program returns to the User selection page.
Advanced Features
Altus Advanced Features can be accessed by clicking the Advanced button on the Credential enrollment page.
The Altus Advanced Features page displays.
The behavior of the page will vary depending on the value of the PasswordRandomization tag in the file,
DPAttendedEnrollment.exe.xml. See the Altus LDS or Altus AD Administrator Guide for further details.
Altus Kiosk 11
THIS CHAPTER DESCRIBES THE MAIN FEATURES OF THE DIGITALPERSONA ALTUS KIOSK CLIENT.
Main topics in this chapter
Feature overview
Comparing Altus Workstation and Altus Kiosk
Logging On to Windows
Using the Password Manager Admin Tool with Altus Kiosk
Logging On to Password-Protected Programs
Switching Users on Altus Kiosk Computers
Introduction
DigitalPersona Pro Kiosk for Enterprise provides users with fast, convenient and secure multi-factor identification and
authentication in environments where users share a common Windows account yet need separately controlled access to
resources, applications and data.
Feature overview
Altus Kiosk provides these features:
Single Sign-On to enterprise applications - Simplifies user logon to enterprise applications, including traditional
Windows applications, web applications and Terminals. No changes to those applications are required and setup takes
only a few minutes per application.
Multi-factor authentication - Further enhances convenience and security by providing administrators with a choice of
credentials (such as fingerprints, smart cards or Windows Passwords, etc.) that can be required in any combination to
authenticate users logging on to the PC, to enterprise applications, or for fast user switching between users on the same
workstation.
Ability to roam and share user credentials across computers - If your environment requires users to gain access to
multiple workstations or kiosks, they do not need to re-enroll their credentials at each computer. Altus Kiosk can
automatically make users' authentication credentials and other data, such as managed logons to enterprise applications,
available at each computer within the domain.
Attended or unattended credential enrollment - By default, Altus Kiosk is configured for centralized enrollment
through one or more supervised computers using the Altus Attended Enrollment component, an optional component of
Altus Workstation and Altus AD Workstation.
This chapter describes the similarities and differences between DigitalPersona Altus Workstation and Altus Kiosk
functionality from the point of view of the administrator. Most of the basic functionality is common to both Altus
Workstation and Altus Kiosk. Additional details on user tasks are provided in the DigitalPersona Altus Kiosk Help file.
In the following topics, the term “kiosk” refers to one or more Kiosk Workstations which are tied to a shared Kiosk
account.
Comparing Altus Workstation and Altus Kiosk
This section describes the similarities and differences between DigitalPersona Altus Workstation and DigitalPersona
Altus Kiosk.
Both DigitalPersona Altus Kiosk and DigitalPersona Altus Workstation include the following features:
• Multifactor and alternative authentication credentials
• Password Manager - Altus Kiosk supports both personal and managed logons. Personal logons are created by an
individual user providing quick and secure logon to resources, programs and websites. Managed logons provide
the same functionality but are created by an administrator using the Password Manager Admin Tool. Use of
personal logons may be prohibited by the Altus administrator.
• Like DigitalPersona Altus Workstation, Altus Kiosk’s default configuration provides centralized enrollment
through one or more supervised computers using Altus Attended Enrollment, an optional component of Altus
Workstation or Altus AD Workstation.
• If enabled, Altus Kiosk users can enroll their credentials in the same manner as in Altus Workstation. The one
exception is that the Password Recovery credential is not available in Altus Kiosk. Even if a user has created their
Password Recovery credential in Altus Workstation, the credential cannot be used in Altus Kiosk, since by design
Kiosk does not have a way to login with the Password Recovery credential.
• Both clients require DigitalPersona Altus Server Version 1.1 or above.
When comparing Altus Kiosk to Altus Workstation, Altus Kiosk differs in the following ways:
• A specified Shared Account is always used for Windows logon that is independent of the user account being
authenticated. This affects account profile and user preferences.
• By default, all Altus users are granted Kiosk access. However, in order to log on to Altus Kiosk, each user must
first be created through Attended Enrollment or through Self Enrollment on an Altus Workstation.
• Any authorized Altus Kiosk user can unlock a kiosk computer. For example, a user may log on and lock the kiosk
computer. Then, a second user can unlock it without performing log off and log on.
• The name of the last user is not shown in Logon or Unlock dialogs regardless of security settings.
• A kiosk user can enroll their own credentials, regardless of which user account was logged on to the kiosk, without
logging on to their Windows account. The administrator must have allowed permissions for the user to enroll and
delete their fingerprints.
• Altus Kiosk does not allow use of a Password Recovery credential for accessing your Kiosk account.
Logging On to Windows
Altus Kiosk allows users to log on to Windows with any enrolled Altus credential, such as their Altus password, their
fingerprint or various types of smart cards.
All kiosk users share the same Windows session. If the computer becomes locked, any authorized kiosk user will be
able to unlock it, view the desktop, and run programs. Users may also have the option to bypass the kiosk session and
log on to their own Windows account instead of the Shared Account, although this is recommended for administrators
only.
Computers where Altus Kiosk is installed will display an additional Kiosk User tile on the Logon Screen.
The user name for the Windows shared account that Altus Kiosk uses cannot be used to log on to a kiosk session. All
Kiosk users must use their own Altus credential to log on.
Logging on to Windows without Kiosk
To log on to a computer without using a kiosk session, select Other User and enter your Windows user name and
password.
When logging in to a computer outside of a kiosk session, the designated Shared Account for the kiosk is not used and
therefore Altus Kiosk features are not available. Specifically, access to the Altus Console, and the use of Password
Manager logons are disabled.
This feature is intended for administrators who might need to access a computer for administrative purposes, and
without kiosk features enabled. Non-administrators can be prohibited from logging on to the computer outside of a
kiosk session by enabling a DigitalPersona setting in the controlling GPO. See Prevent users from logging on outside
of a Kiosk session in the Altus LDS or Altus AD Administrator Guide.
CAUTION: If you lock the computer outside of a kiosk session, other kiosk users will not be able to unlock it, so be
sure to log out of a local session on any kiosk workstation.
Automatic logon using the Shared Kiosk Account
Kiosk can be configured to automatically log on to the Shared Kiosk account when Windows starts or restarts. The
Windows Logon screen will not be displayed.
The automatic logon setting will allow any user to access a Windows session without interactive authentication when
the Kiosk computer is restarted.
This option is controlled by the Allow automatic logon using Shared Kiosk Account setting described in the Altus AD
or Altus LDS Administrator Guides.
Changing Your Password
The process of changing your Windows password on a computer with DigitalPersona Altus Kiosk installed is the same
as on a computer without Altus Kiosk installed.
To change your Windows password:
1. Press Ctrl+Alt+Delete.
2. Select Change a Password.
3. Enter your Windows user name and your old password.
4. Enter and confirm a new password.
User Account Control
An administrator may use any authorized and enrolled credential instead of their user name and password, to give a
standard user permission to perform an activity that is restricted by User Account Control.
When the User Account Control dialog displays, a local administrator with an authorized credential can use their
credential to permit the activity.
Using the Password Manager Admin Tool with Altus Kiosk
The Password Manager Admin Tool is an administrative tool that allows an administrator to provide automated logon
to password-protected resources, programs and websites.
With Altus Kiosk, Password Manager includes the following differences when compared to Altus Workstation
implementations:
• Managed logons created with the Password Manager Admin Tool must be deployed to the Shared Account instead
of to user accounts.
• Kiosk users do not need to log on to Windows to use managed logons. Their identity is verified each time they log
on to the resource. For kiosk users, the Password Manager logon data is never cached locally.
Only managed logons created using the Altus Password Manager Admin Tool, version 1.0 or higher, are compatible
with the current version of Altus Kiosk.
For additional information on the Password Manager Admin Tool and the creation and use of managed logons, see the
Altus LDS or Altus AD Administrator Guide.
Logging On to Password-Protected Programs
DigitalPersona Altus Kiosk lets a kiosk user log on to password-protected resources, programs and websites with any
enrolled credential. As an administrator, you must enable this feature for specific programs by creating managed
logons for them. Password-protected resources with managed logons display a Password Manager icon, shown below,
in the upper left corner of the screen (Internet Explorer) or to the right of the first recognized entry field (Firefox and
Chrome).
[Figures: Password Manager Icon for Internet Explorer; Password Manager Icon for Internet Explorer as displayed on Change Password screens; Password Manager Icon for Firefox and Chrome; Password Manager Icon for Firefox and Chrome as displayed on Change Password screens]
Administrators can also add a logon for a change password screen to a managed logon.
Users are prompted for their account data the first time they log on to a resource. Then, on subsequent logons, they
only need to launch the program, and submit their enrolled credential. DigitalPersona Altus Kiosk automatically enters
the user name, domain and password and any other necessary account data in the appropriate logon screen text boxes
and, if so configured, submits the account data.
For further information on Password Manager, see the Altus LDS or Altus AD Administrator Guide.
Switching Users on Altus Kiosk Computers
You can log on, unlock or gain access to a password-protected resource on a kiosk computer by using your enrolled
credentials. After your work is finished, you can do one of the following:
• Close the resource and leave the kiosk computer unlocked. The next user can approach the kiosk computer and
provide their credentials to gain access to the password-protected resource.
• Close the resource and lock the kiosk computer. The next user can approach the kiosk computer and provide
their credentials to unlock the computer. They can then open any password-protected resource with their
credentials.
• Close the resource and log off from the kiosk computer. The next user can approach the kiosk computer and
provide their credentials to log on to the computer. The user is logged into the Shared Account for the kiosk.
The installation and configuration of DigitalPersona Altus Kiosk is covered in the chapter “Altus Kiosk
installation” on page 20.
All other functionality is the same as described in the chapter “Altus Workstation” on page 30.