DP Altus Client Guide
DIGITALPERSONA ALTUS 1.2 CLIENT GUIDE

Copyright © 2015 Crossmatch. All rights reserved. Specifications are subject to change without prior notice. The Crossmatch logo, Crossmatch™, Cross Match®, L Scan®, D Scan®, I Scan®, Guardian®, SEEK® and Verifier® are trademarks or registered trademarks of Cross Match Technologies, Inc. in the United States and other countries. DigitalPersona®, TouchChip®, Eikon®, U.are.U® and FingerJet™ are trademarks or registered trademarks of DigitalPersona, Inc., which is owned by the parent company of Cross Match Technologies, Inc. All other brand and product names are trademarks or registered trademarks of their respective owners.

Published: June 5, 2015 (v1.2.0)

Contents

OVERVIEW  6
  Introduction  6
  Altus clients  6
    Altus Workstation  7
    Altus Kiosk  7
    Altus Attended Enrollment  7
  Authentication and Credentials  7
  Licensing model  7
  System Requirements  8
  Support Resources  8

SECTION ONE: INSTALLATIONS  10

ALTUS WORKSTATION INSTALLATION  11
  Introduction  11
  System requirements  11
  Deployment considerations - for Altus LDS Workstation  11
  Upgrading from previous versions  12
  Compatibility  12
  Installation  12
    Local installation  12
    Remote installation of Altus Workstation  16
    Remote installation of Altus Workstation patches  17
    Command line Installation  17
      Command line Options  17
      Parameters  18
      ADDLOCAL and REMOVE Values  18
    About Transform files  18
  Uninstalling Altus Workstation  19

ALTUS KIOSK INSTALLATION  20
  System Requirements  20
  Migration from DigitalPersona Pro Kiosk  20
  Compatibility  20
  Installation  21
    Local installation  21
    Remote Installation of Altus Kiosk  23
    Remote installation of Altus Kiosk patches  24
    Command line installation  25
      Command line Options  25
      Parameters  25
      ADDLOCAL and REMOVE Values  25
    About Transform files  26
  Uninstalling Altus Kiosk  26

ALTUS ATTENDED ENROLLMENT  27
  Introduction  27
  System requirements  27
  Compatibility  27
  Local installation  27
  Uninstalling Altus Attended Enrollment  28

SECTION TWO: ALTUS CLIENT FEATURES  29

ALTUS WORKSTATION  30
  Introduction  30
  Getting Started  30
    The Altus Console  31
    Windows authentication  31
    Smart card authentication  31
    Opening the Altus Console  32

CREDENTIAL MANAGER  33
  Introduction  33
  Managing user credentials  34
    Password credential  34
    Fingerprint credential  35
      Enrolling fingerprints with a fingerprint reader  36
      Enrolling fingerprints with a ten print scanner  37
    Smart, Contactless and Proximity Cards credential  38
    Password Recovery credential  39
    PIN credential  40
    Bluetooth credential  41
    One Time Password credential  42

PASSWORD MANAGER  45
  Introduction  45
  Managed logons and personal logons  46
  Browser Integration  46
    Internet Explorer  46
    Google Chrome  46
    Firefox  46
  Adding logons  47
    Remember account data  47
    Creating logons  47
  Editing logons  50
    Editing from the Password Manager page  50
    Editing from the Password Manager icon  51
  Organizing logons into categories  51
  Managing your logons  52
    Using the Logons Menu  52
    Using managed logons  52
    Logging On  52
    Changing passwords  53
  Website Exclusions  53
  Backing up Password Manager Data  54
  Restoring Password Manager Data  54
  Settings  54
  Differences in supported browsers  55
    Internet Explorer  55
    Firefox  55
    Chrome  55

QUICK ACTIONS  56
  Introduction  56

ALTUS ATTENDED ENROLLMENT  58
  Introduction  58
  Security Officer identification  58
  (Altus only) User creation or selection  59
  Altus AD only: User selection  60
  Credential enrollment  60
    Password credential  61
    Fingerprints credential  61
      Enrolling fingerprints with a fingerprint reader  62
      Enrolling fingerprints with a ten print scanner  63
    Smart, Contactless and Proximity Cards credential  65
    PIN credential  66
    Password Recovery credential  66
    OTP credential  67
    Photo (Altus LDS only)  69
  Completing enrollment  70
  Advanced Features  70

ALTUS KIOSK  71
  Introduction  71
  Feature overview  71
  Comparing Altus Workstation and Altus Kiosk  72
  Logging On to Windows  72
    Logging on to Windows without Kiosk  73
    Automatic logon using the Shared Kiosk Account  73
  Changing Your Password  73
  User Account Control  73
  Using the Password Manager Admin Tool with Altus Kiosk  74
  Logging On to Password-Protected Programs  74
  Switching Users on Altus Kiosk Computers  75

INDEX  76

Overview (Chapter 1)

This chapter provides a high-level overview of the Altus clients and client components that are part of the DigitalPersona Altus solution. It includes the following topics.

Main topics in this chapter (page):
  Introduction  6
  Altus clients  6
  Authentication and Credentials  7
  Licensing model  7
  System Requirements  8
  Support Resources  8

Introduction

Instructions for installing each client are contained in Section One, beginning on page 10. Details on the functions and features of each client can be found in Section Two, beginning on page 29.

There are two variations of the major Altus clients: one that works with the Altus Server (which uses AD LDS and does not require extension of the Active Directory schema) and another that works with the Altus AD Server (which requires extension of the Active Directory schema). These clients are:

• Altus Workstation
• Altus AD Workstation
• Altus Kiosk
• Altus AD Kiosk

Each of the above variations has its own Windows installer.

Attended Enrollment is treated in a separate chapter, although it is technically an optional component of both Altus Workstation and Altus AD Workstation and may be selected during a Custom installation.

Any references to procedures or UI elements, and all images included in this guide, are always to the current version of the product unless another version is specifically referenced. Procedures and images are for the product as installed on Windows 7 unless otherwise noted.

Altus clients

The DigitalPersona Altus solution supports the following clients:

• Altus Workstation and Altus AD Workstation - This primary client enforces security and authentication policies on managed Windows computers while providing intuitive access to end-user features and functionality. It may be centrally managed by an Altus Server, or installed as a standalone product.
• Altus Kiosk and Altus AD Kiosk - This specialized kiosk client provides DigitalPersona Altus features for environments where users log on to a shared, common Windows account on a computer managed by Altus Server.
• Attended Enrollment - This optional component of Altus Workstation and Altus AD Workstation allows supervised enrollment of Altus end-users by designated persons.
• Mobile Enrollment - This client provides DigitalPersona Altus features that are specifically tailored to creating and enrolling Altus end-users in the field without ongoing access to an Altus Server. Acquired information can be exported and later imported into the Altus Server by an Altus Security Officer.

NOTE: Altus clients may be installed individually on computers or deployed through Active Directory GPO, SMS (Systems Management Server) or logon scripts. They cannot be installed through ghosting or imaging technologies.

Altus Workstation

DigitalPersona's Altus Workstation is the primary full-featured client application for end-users. It provides an intuitive means of increasing both security and convenience through a variety of administrator- and end-user-configurable options, including enrollment and use of multiple credentials and the use of automated logons for enterprise resources, programs and websites. For more details, see the chapter "Altus Workstation" on page 30.

Altus Kiosk

DigitalPersona's Altus Kiosk is a client application specifically designed for environments where users need fast, convenient and secure multi-factor identification on workstations shared by multiple users. Although the Kiosk application uses a single Windows account, each Altus user logs in to Kiosk with their own Altus credentials, gaining separately controlled access to resources, applications and data. For a full description of its features, see the chapter "Altus Kiosk" on page 71.

Altus Attended Enrollment

DigitalPersona's Attended Enrollment is a client application specifically designed for the supervised creation of Altus users and enrollment of their credentials. For a full description of its features, see the chapter "Altus Attended Enrollment" on page 58.

Authentication and Credentials

The default, and simplest, means of authentication (that is, making sure that you are a person authorized to access a computer or other resource) is your Windows account name and password. Authentication is generally required when logging on to Windows, accessing network applications and resources, and logging in to websites. DigitalPersona Altus clients provide a means for the IT Administrator to easily set up and enforce strong authentication, such as two-factor and multi-factor authentication, using a variety of supported credentials.

DigitalPersona Altus supports the use of various credentials for authentication, including Windows passwords, fingerprints, smart cards, contactless cards, proximity cards, PIN, and Bluetooth devices. An additional Password Recovery credential may be used solely for recovering access to a managed client computer when other credentials fail, are forgotten or are unavailable.

Note that by default, user credentials are cached on the local Altus Workstation client, and are not cached on a computer running the Altus Kiosk client. This means that Altus Workstation users can be authenticated without a connection to the Altus Server, but Altus Kiosk users will not be authenticated if there is no connection to the Altus Server.

By default, initial enrollment of end-user credentials is provided through the Altus Attended Enrollment and Altus Mobile Enrollment components. For further details, see the chapter on Attended Enrollment (page 58) in this guide, or the chapter on Mobile Enrollment in the DigitalPersona Altus Administrator Guide.
Licensing model

DigitalPersona Altus features and functionality as described in this Client Guide are included in the core version of the product, unless otherwise indicated. The basic licensing mechanism is the User license, which permits the enrollment of user credentials by a specified number of DigitalPersona Altus users. The specific DigitalPersona Altus SKU and/or package you purchased may entitle you to licensing of one or more additional modules or components that are integrated with your Altus software.

DigitalPersona Altus - Client Guide 7

You should have received from DigitalPersona or from a DigitalPersona authorized reseller all of the license activation keys and/or files that are part of the package you purchased. Contact your DigitalPersona representative, should you have any questions. Some modules or optional components may need to be activated individually.

For information on other licensed versions of the product which may be available, and licensing for specific features, contact your DigitalPersona Account Manager or Reseller, or visit our website at: http://www.crossmatch.com/altus.aspx

Licenses may be activated through Active Directory using the included License Activation Manager. For more information about DigitalPersona Altus license activation, see the Altus LDS or Altus AD Administrator Guide.

System Requirements

Product/Component: Altus Workstation, Altus AD Workstation, Attended Enrollment, Altus Kiosk and Altus AD Kiosk

Minimum Requirements:
• Windows 7 or 8.x, 32/64-bit (Home editions are not supported.)
• 50 MB disk space, 100 MB during installation
• .NET Framework 4.5
• (x86 machines)
  - Microsoft Visual C++ 2013 SP1 Redistributable package (x86 version)
  - Microsoft Visual C++ 2010 SP1 Redistributable package (x86 version)
  - Microsoft Visual C++ Redistributable for Visual Studio 2012 Update 1 (x86 version)
• (x64 machines)
  - Microsoft Visual C++ 2013 SP1 Redistributable package (x86 and x64 versions)
  - Microsoft Visual C++ 2010 SP1 Redistributable package (x86 and x64 versions)
  - Microsoft Visual C++ Redistributable for Visual Studio 2012 Update 1 (x86 and x64 versions)
• Microsoft Internet Explorer or Google Chrome or Firefox browser, required in order to create/use Password Manager personal logons or use managed logons. See the readme.txt file for tested browser versions.*
• Microsoft Internet Explorer (only), in order to create managed logons using the optional Password Manager Admin Tool (Workstation products only). See the readme.txt file for tested browser versions.

* Personal logons allow end-users to create automated logons to programs, websites and network resources. Managed logons have the same function but are created by an administrator and deployed to end-users. Personal logons are not available on Altus Kiosk or Altus AD Kiosk.

NOTE: When using Internet Explorer on Windows 8, Password Manager features are only available when the browser is launched from the desktop, not from the Windows Modern UI Internet Explorer app.

For a list of compatible fingerprint readers and scanners, see the readme.txt file included with this software.

Support Resources

The following resources are provided for additional support.
• Readme files in the root directory of each product package contain late-breaking product information.
• AskPersona.com (http://askpersona.com) is a DigitalPersona knowledge portal providing answers to many frequently asked questions about our products.
• Maintenance and Support customers will find additional information about technical support resources in their Maintenance and Support confirmation email.
• Online help is included with each component and application.
• All DigitalPersona Altus documentation is available on our website at: http://www.crossmatch.com/Support/Reference-Material/Altus-Reference-Material/.

Section One: Installations

This section of the DigitalPersona Altus Client Guide includes the following chapters:

Chapter 2 - Altus Workstation installation (page 11): Requirements and procedure for installing DigitalPersona Altus Workstation.
Chapter 3 - Altus Kiosk installation (page 20): Requirements and procedure for installing DigitalPersona Altus Kiosk.
Chapter 4 - Altus Attended Enrollment (page 27): Requirements and procedure for installing Altus Attended Enrollment.

2 - Altus Workstation installation

THIS CHAPTER DESCRIBES INSTALLING THE DIGITALPERSONA ALTUS WORKSTATION CLIENT.

Main topics in this chapter
System requirements (page 11)
Deployment considerations - for Altus LDS Workstation (page 11)
Upgrading from previous versions (page 12)
Compatibility (page 12)
Local installation (page 12)
Remote installation of Altus Workstation (page 16)
Remote installation of Altus Workstation patches (page 17)
Command line Installation (page 17)
About Transform files (page 18)
Uninstalling Altus Workstation (page 19)

Introduction

Although there are separate installation packages for the Altus and Altus AD versions of Workstation, the installations are identical and the term Altus Workstation is generally used to refer to either one unless a distinction needs to be made due to a difference in functionality or features. Screenshots are taken from the installation of the Altus AD Workstation product.

Altus Workstation will generally be installed remotely using the Remote installation of Altus Workstation procedure defined on page 16.
However, in order to show the complete installation steps most clearly, local installation is described first.

DigitalPersona Altus and Altus AD Servers will be used for authentication and should be installed and configured before installing DigitalPersona Pro Workstation for Enterprise.

Note that the Altus Attended Enrollment feature is included in the Altus Workstation client package, but by default is not installed. To install it, you will need to select the feature as part of a custom install according to instructions given in this chapter for local, remote or command line installation. More complete details on installing Attended Enrollment are available beginning on page 27.

System requirements

Before installing DigitalPersona Pro Workstation for Enterprise on a computer, make sure it meets the system requirements and prerequisites listed on page 8, and that you have Administrative Rights on the computer.

Deployment considerations - for Altus LDS Workstation

If your environment includes more than one installation of Altus Server, and if those servers are not part of the same AD LDS configuration set, then your Altus Workstations should be part of an OU where you can create a GPO defining the specific AD LDS instance name where the Altus Server is hosted. See the setting AD LDS instance name in the Policies and Settings chapter of the Altus AD or Altus LDS Administrator Guide.

Upgrading from previous versions

To upgrade from a previous version of this software, refer to the Altus AD or Altus LDS Upgrade Notes available at: http://www.crossmatch.com/Support/Reference-Material/DigitalPersona-Altus-Reference-Material/.

Compatibility

This version of DigitalPersona Altus Workstation is compatible with the following DigitalPersona products.
• DigitalPersona Altus Auth SDK
• DigitalPersona Altus Confirm SDK

It is not compatible with any other DigitalPersona products, and cannot be installed on the same computer as any other DigitalPersona products.

Installation

Local installation

To install Altus Workstation on a local computer

1 Launch the installer from the Altus Workstation folder of the product package.
  • Run Setup.exe from the Altus Workstation folder of the product package.
  • Or, for silent mode, enter setup.exe /s /v"/qn" at the command line.
2 When the Welcome page displays, click Next to proceed with the installation.
3 Read the License Agreement page. If you agree, select the I accept the terms in the license agreement button and click Next.
4 On the next page, you can specify the folder that DigitalPersona Pro Workstation for Enterprise will be installed in. If you want to install Altus Workstation to the default location, click Next; otherwise, click Change to specify a new location and then click Next to continue.
5 Choose one of the following options to indicate the type of installation you want to perform.
  • Typical - Installs the most commonly used features.
  • Custom - Allows selection of which features to install. Note that Attended Enrollment is not installed by default, but must be specifically selected as part of a Custom installation.
  If you plan on installing the optional DigitalPersona Altus Large Scale ID wrapper, you should deselect the Fingerprint Recognition Engine component. For further details, see the DigitalPersona Altus Large Scale ID wrapper section of the Optional installations chapter in the Altus AD or Altus LDS Administrator Guide. Make sure that the same recognition engine that was installed on the client is also installed on the server.
6 Click Next and then Install, to begin installation.
7 During installation, progress is shown until the process is completed.
8 When installation is complete, a final page displays. Click Finish.
9 When prompted to do so, reboot the computer.

After the computer restarts, and at every subsequent restart, the DigitalPersona Altus client software automatically uses the default DNS Server to locate all DigitalPersona Altus Servers for the domain and its site. If more than one Altus Server is found, the Workstation will choose the Altus Server for authentication that offers the most efficient connectivity. If no Altus Servers are found, the client will perform authentication locally.

For a description of the features and functions of DigitalPersona Altus Workstation, see the chapter beginning on page 30.

Remote installation of Altus Workstation

For remote installation of Altus Workstation patches, see “Remote installation of Altus Workstation patches” on page 17.

The installer for Altus Workstation uses Microsoft Windows Installer (MSI) technology, which allows administrators to remotely install or uninstall the software using Active Directory administration tools, or other software deployment tools. Note that this installer is only compatible with program distribution (installation or uninstallation) to computers. It cannot be used for program distribution to users.

To install Altus Workstation remotely through Active Directory, use the following procedure. Some steps will vary depending on the operating system version. For mixed 32- and 64-bit environments, follow these steps twice to create an administrative installation file for each environment.

1 Create an administrative installation package.
  a. Open a command prompt session and navigate to the location where you have stored the product package. Change the directory to “Altus Workstation\x86” for the 32-bit version or “Altus Workstation\x64” for the 64-bit version. Note that the 32-bit version will not install on 64-bit computers.
  b. Type setup.exe /a
  c. The product installation wizard launches and prompts you for a location where you would like the administrative installation package to be created. Choose a network shared drive that will be accessible to the computers where you will be installing the software. For example, \\servername\InstallDir, where InstallDir is a predefined shared folder. There is no need to reboot at the end of the wizard.
2 (Optional) To install only to a specific OU, create a Group Policy Object (GPO) that will be used to distribute the software package.
3 Install any prerequisites (see page 11) on the target computers.
4 Assign the package.
  a. Start the Group Policy Management snap-in. To do this, from the Windows Server Manager, Tools menu, select Group Policy Management.
  b. In the Group Policy Management tree, under the appropriate domain, right-click Default Domain Policy and choose Edit from the context menu. This will launch the Group Policy Management Editor.
  c. In the Group Policy Management Editor, open Computer Configuration, Policies, Software Settings, Software installation.
  d. Right-click Software installation and select New, Package from the context menu.
  e. In the Open dialog box, type the full Universal Naming Convention (UNC) path of the shared installer package that you want. For example, \\file server\share\file name.msi. It is important that you do not use the Browse button to access the location. Make sure that you use the UNC path of the shared installer package.
  f. Click Open.
  g. Click Assigned, and then click OK. The package is listed in the right pane of the Group Policy window.
  h. For 32-bit installation packages only - Right-click the newly created package and select Properties. Then, on the Deployment tab, click Advanced. Deselect the checkbox Make this 32-bit X86 application available on Win64 machines. If this checkbox remains selected, the application will not install.
5 Installation will begin on each client during the first reboot after the computer obtains the deployment policy, i.e. during the next scheduled AD policy refresh or as a result of running GPUPDATE /FORCE on the local computer.

Remote installation of Altus Workstation patches

This topic addresses the remote installation of client patches through slipstreaming. For standard product installation, see the preceding topic.

The installer for Altus Workstation uses Microsoft Windows Installer (MSI) technology, which allows administrators to remotely install patches to software using Active Directory administration tools, or other software deployment tools. For mixed 32- and 64-bit environments, follow these steps twice, patching the administrative installation files for both environments. Note that this installer only works for computer-based policy installation, not user-based.

To install an Altus Workstation patch remotely through Active Directory, use the following procedure. The following steps assume that an administrative installation package has been created as described in the previous topic. Some steps will vary depending on the operating system version.

1 Update the installation package. Open a command prompt session and type the following command to patch the previously created installation package.
  msiexec.exe /p [path\name of updated MSP file] /a [path\name of administrative installation file]
2 Redeploy the application.
  a. Start the Group Policy Management snap-in. To do this, from the Windows Server Manager, Tools menu, select Group Policy Management.
  b. Right-click the GPO that governs the computers you want to update and select Edit. This will launch the Group Policy Management Editor.
  c. In the Group Policy Management Editor, navigate to Computer Configuration/Policies/Software Settings/Software Installation.
  d. Right-click the previously deployed Altus client software package and select All Tasks\Redeploy application. Confirm your intent to redeploy the application.
3 Installation will begin on each client during the first reboot after the computer obtains the deployment policy, i.e. during the next scheduled AD policy refresh or as a result of running GPUPDATE /FORCE on the local computer.

Command line Installation

DigitalPersona Altus Workstation can also be installed or uninstalled using MSI at the command line. The syntax of the msiexec command is shown below and is followed by a description of the command line options, parameters and values available:

msiexec /i setup.msi INSTALLDIR=[directory] ADDLOCAL=[software] REMOVE=[software] TRANSFORMS=[Name of transform file] /qn

Command line Options

Option   Description
/i       (Required) Indicates that MSI will be used to install the DigitalPersona Altus software. It must be followed by the full pathname to the setup.msi file.
/qn      (Optional) Hides the user interface when installing the software on the computer, allowing a “silent install.” If used, it is placed at the end of the command line.

Parameters

The following parameters indicate where the software should be installed on the computer, as well as what components should be included or removed:

Parameter    Description
INSTALLDIR   (Optional) Specifies the location where the DigitalPersona Altus Workstation software should be installed. If a folder is not specified, defaults to: C:\Program Files\DigitalPersona
ADDLOCAL     (Optional) Indicates which DigitalPersona Altus Workstation features to install by providing one of the values listed below.
REMOVE       (Optional) Indicates which DigitalPersona Altus software features to uninstall by providing one of the values listed below.
TRANSFORMS   (Optional) Use the TRANSFORMS parameter to specify a UI language other than U.S. English. Separate multiple transforms with a semicolon.
Do not use semicolons within the name of your transform, as the Windows Installer service will interpret those incorrectly. See page 18 for a list of the available transform files.

ADDLOCAL and REMOVE Values

The table below lists the values that may be provided with the ADDLOCAL and REMOVE parameters and provides a description of each value:

Value               Description
ALL                 Installs all DigitalPersona Altus software components and features or removes all of the components and features that are currently installed.
Logon               Installs or removes the Windows Logon feature.
AttendedEnrollment  Installs or removes the Attended Enrollment feature.
PasswordMgr         Installs or removes the Password Manager feature.
FingerprintEngine   Installs or removes the DigitalPersona Fingerprint Engine.

Following are a few rules when using these parameters and their values:
• If ADDLOCAL or REMOVE are not specified, msiexec will install all DigitalPersona Altus Workstation features.
• Individual software features cannot be installed unless the ALL value was used with the ADDLOCAL parameter first.
• To install DigitalPersona Altus Workstation software for the first time while omitting one or more software features, use ADDLOCAL=ALL, followed by the REMOVE parameter with each software component you do not want to install separated by a comma. For example:
  msiexec /i setup.msi ADDLOCAL=ALL REMOVE=Logon,PasswordMgr

About Transform files

DigitalPersona uses Transform (.mst) files to create an installation package for DigitalPersona Altus components in the supported languages listed below. These files are located in the Bin directory of your product package.

When creating a package for a GPO install, select the Advanced option and then add the transform file from the Modifications tab. Ensure that the transform file is included in a folder that is shareable by the Active Directory server computer and all target client computers.

Language              Transform file
French                1036.mst
German                1031.mst
Italian               1040.mst
Brazilian Portuguese  1046.mst
Spanish               1034.mst
Chinese Simplified    2052.mst
Chinese Traditional   1028.mst
Japanese              1041.mst
Korean                1042.mst

Uninstalling Altus Workstation

You can remove the DigitalPersona Altus Workstation software using the Add or Remove Programs Control Panel or through MSI. In the Control Panel, the Workstation software is listed as DigitalPersona Altus Workstation. You must have local administrative privileges to modify or uninstall Altus Workstation.

3 - Altus Kiosk installation

THIS CHAPTER DESCRIBES INSTALLING THE DIGITALPERSONA ALTUS KIOSK CLIENT.

Main topics in this chapter
System Requirements (page 20)
Migration from DigitalPersona Pro Kiosk (page 20)
Compatibility (page 20)
Local installation (page 21)
Remote Installation of Altus Kiosk (page 23)
Remote installation of Altus Kiosk patches (page 24)
Command line installation (page 25)
About Transform files (page 26)
Uninstalling Altus Kiosk (page 26)

Although there are separate installation packages for the Altus and Altus AD versions of Kiosk, the installations are identical and the term Altus Kiosk is used to refer to both in this guide. Screenshots are taken from the installation of the Altus Kiosk product.

Altus Kiosk will generally be installed remotely using the Remote Installation of Altus Kiosk procedure defined on page 23. However, in order to show the complete installation steps most clearly, local installation is described first.

DigitalPersona Altus or Altus AD Servers will be used for user identification and authentication and should be installed and configured before installing DigitalPersona Altus Kiosk.

System Requirements

Before installing DigitalPersona Altus Kiosk on a computer, make sure it meets the system requirements and prerequisites listed on page 8.
Migration from DigitalPersona Pro Kiosk

DigitalPersona Altus Kiosk version 1.1 cannot be used to upgrade any previous DigitalPersona Pro or Altus products.

Compatibility

This version of DigitalPersona Altus Kiosk is compatible with the following DigitalPersona products.
• DigitalPersona Altus Auth SDK
• DigitalPersona Altus Confirm SDK

It is not compatible with any other DigitalPersona products, and cannot be installed on the same computer as any other DigitalPersona products.

Installation

Local installation

To install DigitalPersona Altus Kiosk locally

1 Launch the installer from the Altus Kiosk or Altus AD Kiosk folder of the product package.
  • Run Setup.exe from the Altus Kiosk or Altus AD Kiosk folder of the product package.
  • Or, for silent mode, enter setup.exe /s /v"/qn" at the command line.
2 When the Welcome page displays, click Next to proceed with the installation.
3 Read the License Agreement page. If you agree, select the I accept the terms in the license agreement button and click Next.
4 On the next page, you can specify the folder that Altus Kiosk will be installed in. If you want to install to the default location, click Next; otherwise, click Change to specify a new location and then click Next to continue.
5 Choose one of the following options to indicate the type of installation you want to perform.
  • Typical - Installs the most commonly used features.
  • Custom - Allows selection of which features to install.
  (Altus LDS only) If you plan on installing the optional DigitalPersona Altus Large Scale ID wrapper, you should deselect the Fingerprint Recognition Engine component. For further details, see the DigitalPersona Altus Large Scale ID wrapper section of the Optional installations chapter in the Altus LDS Administrator Guide. Make sure that the same recognition engine that was installed on the client is also installed on the server.
6 Click Next and then Install, to begin installation.
7 Click Finish to close the InstallShield Wizard.
8 When prompted to do so, reboot the computer. Click Yes to restart now, or No if you plan to restart later.

After the computer restarts, and at every subsequent restart, Pro Kiosk automatically uses the default DNS Server to locate all DigitalPersona Altus Servers for the domain and its site. If more than one Altus Server is found, Pro Kiosk will choose the Altus Server for authentication that offers the most efficient connectivity.

For instructions on using Pro Kiosk, see page 71.

Remote Installation of Altus Kiosk

For remote installation of Altus Kiosk patches, see “Remote installation of Altus Kiosk patches” on page 24.

The installer for Pro Kiosk uses Microsoft Windows Installer (MSI) technology, which allows administrators to remotely install or uninstall the software using Active Directory administration tools, or other software deployment tools. Note that this installer only works for computer-based policy installation, not user-based installations.

To install Altus Kiosk remotely through Active Directory, use the following procedure. Some steps will vary depending on the operating system version. For mixed 32- and 64-bit environments, follow these steps twice to create an administrative installation file for each environment.

1 Create an administrative installation package.
  a. Open a command prompt session and change the directory to “DigitalPersona Altus Kiosk\x86” or “DigitalPersona Altus AD Kiosk\x86” on 32-bit operating systems, or “DigitalPersona Altus Kiosk\x64” or “DigitalPersona Altus AD Kiosk\x64” on 64-bit operating systems.
  b. Type setup.exe /a
  c. The product installation wizard launches and prompts you for the location where you would like the administrative installation file to be created. Choose a network shared drive that will be accessible to the computers where you will be installing the software. For example, \\servername\InstallDir, where InstallDir is a predefined shared folder. (There is no need to reboot at the end of the wizard.)
2 (Optional) To install only to a specific OU, create a Group Policy Object (GPO) that will be used to distribute the software package.
3 Assign the package.
  a. Start the Group Policy Management snap-in. To do this, from the Windows Server Manager, Tools menu, select Group Policy Management.
  b. In the Group Policy Management tree, under the appropriate domain, right-click Default Domain Policy and choose Edit from the context menu. This will launch the Group Policy Management Editor.
  c. In the Group Policy Management Editor, open Computer Configuration, Policies, Software Settings, Software installation.
  d. Right-click Software installation and select New, Package from the context menu.
  e. In the Open dialog box, type the full Universal Naming Convention (UNC) path of the shared installer package that you want. For example, \\file server\share\file name.msi. It is important that you do not use the Browse button to access the location. Make sure that you use the UNC path of the shared installer package.
  f. Click Open.
  g. Click Assigned, and then click OK. The package is listed in the right pane of the Group Policy window.
  h. For 32-bit installation packages only - Right-click the newly created package and select Properties. Then, on the Deployment tab, click Advanced. Deselect the checkbox Make this 32-bit X86 application available on Win64 machines. If this checkbox remains selected, the application will not install.
4 Installation will begin on each client during the first reboot after the computer obtains the deployment policy, i.e. during the next scheduled AD policy refresh or as a result of running GPUPDATE /FORCE on the local computer.

Remote installation of Altus Kiosk patches

This topic addresses the remote installation of client patches through slipstreaming. For standard product installation, see the preceding topic.

The installer for Altus Kiosk uses Microsoft Windows Installer (MSI) technology, which allows administrators to remotely install patches to software using Active Directory administration tools, or other software deployment tools. For mixed 32- and 64-bit environments, follow these steps twice, patching the administrative installation files for both environments. Note that this installer only works for computer-based policy installation, not user-based.

To install an Altus Kiosk patch remotely through Active Directory, use the following procedure. The following steps assume that an administrative install has been created as described in the previous topic. Some steps will vary depending on the operating system version.

1 Update the installation package. Open a command prompt session and type the following command to patch the previously created installation package.
  msiexec.exe /p [path\name of updated MSP file] /a [path\name of administrative installation file]
2 Redeploy the application.
  a. Start the Group Policy Management snap-in. To do this, from the Windows Server Manager, Tools menu, select Group Policy Management.
  b. Right-click the GPO that governs the computers you want to update and select Edit. This will launch the Group Policy Management Editor.
  c. In the Group Policy Management Editor, navigate to Computer Configuration/Policies/Software Settings/Software Installation.
  d. Right-click the previously deployed Altus client software package and select All Tasks\Redeploy application. Confirm your intent to redeploy the application.
3 Installation will begin on each client during the first reboot after the computer obtains the deployment policy, i.e. during the next scheduled AD policy refresh or as a result of running GPUPDATE /FORCE on the local computer.

Command line installation

DigitalPersona Pro Kiosk can also be installed or uninstalled using MSI at the command line. The syntax of the msiexec command is shown below and is followed by a description of the command line options, parameters and values available:

msiexec /i setup.msi INSTALLDIR=[directory] ADDLOCAL=[software] REMOVE=[software] TRANSFORMS=[Name of transform file] /qn

Command line Options

There is one required and one optional command line option:

Option   Description
/i       (Required) Indicates that MSI will be used to install the DigitalPersona Altus software. It must be followed by the full pathname to the setup.msi file.
/qn      (Optional) Hides the user interface when installing the software on the computer, allowing a “silent install.” If used, it is placed at the end of the command line.

Parameters

The following parameters indicate where the software should be installed on the computer, as well as what components should be included or removed:

Parameter    Description
INSTALLDIR   (Optional) Specifies the location where the software should be installed. If a folder is not specified, defaults to: C:\Program Files\DigitalPersona
ADDLOCAL     (Optional) Indicates which Pro Kiosk features to install by providing one of the values listed below.
REMOVE       (Optional) Indicates which Pro Kiosk features to uninstall by providing one of the values listed below.
TRANSFORMS   (Optional) Use the TRANSFORMS parameter to specify a UI language other than U.S. English. Separate multiple transforms with a semicolon. Do not use semicolons within the name of your transform, as the Windows Installer service will interpret those incorrectly. See page 26 for a list of the available transform files for supported languages.

ADDLOCAL and REMOVE Values

The table below lists the values that may be provided with the ADDLOCAL and REMOVE parameters and provides a description of each value:

Value              Description
ALL                Installs all Pro Kiosk components and features or removes all of the components and features that are currently installed.
PasswordMgr        Installs or removes the Password Manager application.
FingerprintEngine  Installs or removes the DigitalPersona Fingerprint Engine.

Following are a few rules when using these parameters and their values:
• If ADDLOCAL or REMOVE are not specified, msiexec will install all Pro Kiosk features.
• Individual software features cannot be installed unless the ALL value was used with the ADDLOCAL parameter first.
• To install Pro Kiosk software for the first time while omitting one or more software features, use ADDLOCAL=ALL, followed by the REMOVE parameter with each software component you do not want to install separated by a comma. For example:
  msiexec /i setup.msi ADDLOCAL=ALL REMOVE=Logon,PasswordManager

About Transform files

DigitalPersona uses Transform (.mst) files to create an installation package for DigitalPersona Altus components in the supported languages listed below. These files are located in the Bin directory of your product package.

When creating a package for a GPO install, select the Advanced option and then add the transform file from the Modifications tab. Ensure that the transform file is included in a folder that is shareable by the Active Directory server computer and all target client computers.
Language Transform file French 1036.mst German 1031.mst Italian 1040.mst Brazilian Portuguese 1046.mst Spanish 1034.mst Chinese Simplified 2052.mst Chinese Traditional 1028.mst Japanese 1041.mst Korean 1042.mst Uninstalling Altus Kiosk You can remove the DigitalPersona Altus Kiosk software using the Add or Remove Programs Control Panel or through MSI. In the Control Panel, the Kiosk software is listed as DigitalPersona Altus Kiosk or DigitalPersona Altus AD Kiosk. You must have local administrative privileges to modify or uninstall Altus Kiosk. DigitalPersona Altus - Client Guide 26 Altus Attended Enrollment 4 THIS CHAPTER DESCRIBES INSTALLING THE DIGITALPERSONA ALTUS WORKSTATION CLIENT. Main topics in this chapter Page System requirements 27 Compatibility 27 Local installation 27 Uninstalling Altus Attended Enrollment 28 I n t ro d u c t i o n This chapter provides instructions for installing Altus Attended Enrollment, a component of the Altus Workstation, used to enroll user credentials under supervision of a delegated person or group in Altus LDS, or an Altus Security Officer in Altus AD. The following topics cover the installation of the Altus Attended Enrollment component. • • • • • System requirements Compatibility Local installation About Transform files Uninstalling Altus Attended Enrollment S y s t e m re q u i re m e n t s Before installing Altus Attended Enrollment on a computer, make sure it meets the system requirements listed on page 8, and that you have Administrative Rights on the computer. For a list of compatible fingerprint readers and scanners, see the readme.txt file included with this software. Compatibility The version of DigitalPersona Altus Attended Enrollment described in this guide is compatible with the following DigitalPersona products. 
• DigitalPersona Altus or Altus AD Workstation 1.1 or above
• DigitalPersona Altus Auth SDK 1.1 or above
• DigitalPersona Altus Confirm SDK 1.1 or above

It is not compatible with any other DigitalPersona products, and cannot be installed on the same computer as any other DigitalPersona products.

Local installation

To install Altus Attended Enrollment on a local computer
1 Launch the installer from the Altus Workstation or Altus AD Workstation folder of the product package, by running Setup.exe.
  • Or, for silent mode, enter setup.exe /s /v" /qn" at the command line.
2 From the Setup Type page, select Custom.
  (Altus LDS only) If you plan on installing the optional DigitalPersona Altus Large Scale ID wrapper, you should deselect the Fingerprint Recognition Engine component. For further details, see the DigitalPersona Altus Large Scale ID wrapper section of the Optional installations chapter in the Altus LDS Administrator Guide. Make sure that the same recognition engine that was installed on the client is also installed on the server.
3 Click the X next to Attended Enrollment and select This feature will be installed on local hard drive.
4 Click Next and then Install, to begin installation.

For a description of the features and functions of Altus Attended Enrollment, see the chapter beginning on page 58.

Uninstalling Altus Attended Enrollment

Since Altus Attended Enrollment is actually a subcomponent of Altus Workstation or Altus AD Workstation, it cannot be uninstalled separately from the Workstation product. If you must remove Altus Attended Enrollment from a computer, you will need to uninstall Altus Workstation or Altus AD Workstation, and then reinstall it without Altus Attended Enrollment.
Section Two: Altus Client Features

Section Two of the DigitalPersona Altus Client Guide includes the following chapters:

Chapter Number and Title          Purpose                                                                                                      Page
6 - Altus Workstation             Describes the features and functionality of the Altus Workstation Console.                                    30
7 - Credential Manager            Describes the features and functionality of the Credential Manager component, common to the Altus Workstation and Kiosk clients.  33
8 - Password Manager              Describes the features and functionality of the Password Manager component, common to the Altus Workstation and Kiosk clients.    45
9 - Quick Actions                 Describes the Quick Actions page, a component of the Altus Workstation.                                       56
10 - Altus Attended Enrollment    Describes the features and functionality specific to the Altus Attended Enrollment component.                 58
11 - Altus Kiosk                  Describes the features and functionality specific to the Altus console provided in the DigitalPersona Altus Kiosk client.  71

6  Altus Workstation

This chapter describes the features of the DigitalPersona Altus Workstation client.

Main topics in this chapter
• Getting Started (page 30)
• The Altus Console (page 31)
• Windows authentication (page 31)
• Smart card authentication (page 31)
• Opening the Altus Console (page 32)

Introduction

DigitalPersona Altus Workstation is a robust and fully featured workstation client which allows you to significantly and easily increase the security of computers in your enterprise. Its specific features, options and behavior can be configured through Active Directory GPOs and other tools as explained in the DigitalPersona Altus LDS and Altus AD Administrator Guides.

A companion product, DigitalPersona Altus Kiosk, provides users with fast, convenient and secure multi-factor identification and authentication in environments where users share a common Windows account yet need separately controlled access to resources, applications and data. (See page 71.)
Attended Enrollment, an optional component of Altus Workstation, allows administrators to assign a specific user or group to supervise the credential enrollment process. (See page 58.)

This chapter includes the following major topics. Most of the content in this section is written from the end-user perspective, and is also available through the various Altus help files.

Note that the availability of some product features described in this chapter may be limited, or behave differently, as determined by GPO policies and other settings described in the Administration Tools and Policies and Settings chapters in the DigitalPersona Altus AD and Altus LDS Administrator Guides.

Getting Started

By default, Altus credentials are enrolled through the Altus Attended Enrollment component. However, an Altus administrator may optionally choose to allow Windows users to self-enroll, i.e. enroll their credentials through Altus Workstation.

The Altus Console

The Altus Console is the central location for easy access to Altus Workstation features and settings.

Credential Manager - Enroll and manage Altus credentials and their settings.
Password Manager - Create and manage Password Manager logons and accounts.
Quick Actions - Configure the Altus Hot Key sequence, and assign tasks to various credential and key+credential combinations.

Windows authentication

Once your DigitalPersona Altus Workstation client has been installed, logon to Windows is controlled by the Logon Authentication Policy set by GPO in Active Directory. For a complete description of logon policies, see the chapter, Logon Authentication Policy, in the DigitalPersona Altus AD and Altus LDS Administrator Guides.

Credentials that may be used to authenticate for Windows logon will be limited to those specified in the policy and supported by required hardware or software present on the workstation.
Some credentials, such as smart cards, need to be previously formatted and initialized using the manufacturer's middleware. Additionally, each credential must be enrolled by the end-user, on their computer, or through the Altus Attended Enrollment components (see page 58).

The actual process of using your DigitalPersona credentials will vary slightly depending on the type of credential, but will generally follow Microsoft usage with the following exceptions.

Smart card authentication

In order to use a contact-type smart card or a Proximity card for logging on to Windows, you must click your user tile on the Windows Logon screen before presenting the card. Then you can insert your smart card for authentication, or use a Proximity card in conjunction with another credential as specified by the Logon Authentication Policy in force.

Other types of (non-Proximity) contactless cards may be presented directly from the Logon screen for immediate logon to Windows.

Opening the Altus Console

You can open the Altus Console in any of the following ways:
• [Windows 8] From the Apps screen, under DigitalPersona, select Altus Console.
• [Windows 7 or Vista] Click Start, click All Programs, click DigitalPersona, and then click Altus Console.
• Double-click the DigitalPersona Altus Workstation icon in the notification area, at the far right of the taskbar.
• Right-click the DigitalPersona Altus icon, and click Open Altus Console.
• Press the hot key combination Ctrl+Win Logo Key+H to open the Logons menu and then click Altus Console (when no logons have been created yet) or Manage (after logons have been created).

7  Credential Manager

This chapter describes the Credential Manager component, which is part of the DigitalPersona Altus clients.
Main topics in this chapter
• Managing user credentials (page 34)
• Password credential (page 34)
• Fingerprint credential (page 35)
• Smart, Contactless and Proximity Cards credential (page 38)
• Password Recovery credential (page 39)
• PIN credential (page 40)
• Bluetooth credential (page 41)
• One Time Password credential (page 42)

Introduction

The Credential Manager component is part of the DigitalPersona Altus and Altus AD Workstation and Kiosk clients. It may be used to enroll, manage, and configure settings for Altus credentials.

Launch the Credential Manager by tapping or clicking the Credential Manager tile from the Altus Console home page.

By default, this feature is disabled because the Attended Enrollment component is most often used to enroll user credentials. If you want to allow end-users to enroll and manage their own Altus credentials, see the Policies and Settings chapter in the DigitalPersona Altus LDS and Altus AD Administrator Guides. However, the best practice is to not enable self-enrollment if Attended Enrollment will be used in the environment.

Managing user credentials

The credentials that will be available to a user for verifying their identity may be configured through GPO policies and settings (for managed workstations) by an Altus Administrator or (if not managed) by the local administrator of the computer. Some credentials require the presence of built-in or attached hardware.

The following steps will help you to enroll or set up your credentials for use with the product's features and applications. Unless otherwise specified through a GPO, any hardware or software credential available will be listed in Credential Manager, and may be managed by the user when self-enrollment has been enabled by the Altus administrator.

This chapter includes instructions for enrolling and managing the supported Altus credentials.

Password credential

Altus Workstation makes changing your Altus password simple.
CAUTION: Windows users should be aware that this will change your Windows password.

To change your password, follow these steps.
1 In the Altus Console, select Credential Manager, and then choose Change on the PASSWORD tile.
2 The Password page displays.
3 Enter your current password in the Current password text box.
4 Type a new password in the New password text box, and then type it again in the Confirm new password text box.
5 Click Save to immediately change your current password to the new one that you entered.

Fingerprint credential

If there is a fingerprint reader or ten print scanner built into or connected to your computer, you can enroll and manage your fingerprints. Select the Fingerprints tile to display the Fingerprints page, where you can enroll your fingerprints credential.

The process of enrolling your fingerprints is slightly different depending on whether you are using a single print fingerprint reader, or a ten-print fingerprint scanner such as one of the Crossmatch Guardian products. See the following two sections for descriptions of the steps for each of the hardware devices.

Enrolling fingerprints with a fingerprint reader

To enroll your fingerprints or manage your fingerprints credential
1 In the Altus Console, select Credential Manager, and then choose Add, Change or Delete on the FINGERPRINTS tile.
  • Change and Delete buttons display on the FINGERPRINTS tile only after the first fingerprint has been enrolled and saved.
  • The Delete button will delete all enrolled fingerprints for the logged on user. To delete a single fingerprint, choose Change and then select a highlighted fingerprint on the Fingerprints page.
2 The Fingerprints page displays.
3 An outline of two hands is displayed. Fingers that have been previously enrolled are highlighted.
4 Click a finger on the outline:
  • To enroll a fingerprint, click the image of any finger not previously enrolled.
  • To delete a single previously enrolled fingerprint, click a highlighted finger on the outline.
  After selecting a finger to enroll, you are prompted to scan the finger until its fingerprint is successfully enrolled. Upon completion, that finger image will be highlighted. Index or middle fingers are preferable.
5 Click Save.

Note that fingerprint information is not saved until you click Next. If you leave the computer inactive for a while, or close the program, the changes you made are not saved.

WARNING: Users should never enroll the same finger under multiple Windows accounts. Doing so will cause the finger to be rejected as a valid credential in any Windows account where it has been enrolled.

Enrolling fingerprints with a ten print scanner

For a list of supported ten print scanners, see the readme.txt file included with this software package. Additional files may need to be installed before use. See the Optional installations chapter of the Altus AD or Altus LDS Administrator Guide for further details.

The ten print scanner captures fingerprints in three segments, often described as 4-4-2, that is four fingers of the left hand, four fingers of the right hand, and the two thumbs together.
1 Click the Fingerprints tile to display the Fingerprints pages.
2 Select which segment to enroll. In the displayed image, choose the left hand, right hand or thumbs.
3 Scan the selected fingers or thumbs as many times as requested to enroll them. If the user is missing any fingers, click the associated finger in the smaller image in the upper right.
4 Each successful enrollment will result in one of the scan numbers turning blue.
5 When enrollment of the segment is complete, the screen shows the fingerprint segment in blue.
6 Select another segment until the fingerprints of both hands and thumbs have been captured. Then click Save.

To delete a partial fingerprint segment
1 Once the credential has been enrolled, a Delete button is added to its tile.
2 Select the previously enrolled left or right hand or thumbs. Then confirm the deletion.
3 On the image, select the left or right hand or thumbs.
4 Click Delete.
5 Verify your identity to confirm the deletion.

Authentication

To authenticate with the ten-print scanner, use only a single finger or thumb and use only the front half of the scanner screen to read the fingerprint.

Smart, Contactless and Proximity Cards credential

This tile provides a means for enrolling a user's Smart, Contactless or Proximity Card credential.

To enroll a card credential
1 Click the Smart, Contactless and Proximity Cards tile to display the corresponding pages.
2 Insert a Smart Card into the card reader or place a Contactless or Proximity Card very close to the reader.
3 Click Enroll and then click Save.

To delete all enrolled cards, click Delete on the Cards tile. To delete a single card when more than one card is enrolled, click Change on the Cards tile and then click Delete on the specific card image.

Password Recovery credential

Password Recovery allows users to regain lost access to their computer when they can't log on with any other credentials. They simply need to answer the three security questions selected during this enrollment process.

This feature is optional and is not available in the Altus Kiosk products. For Altus Workstation, it must be explicitly configured by the Altus Administrator through the Enable Self Password Recovery setting. See Enable Self Password Recovery in the DigitalPersona Altus LDS and Altus AD Administrator Guides.
On the Password Recovery page, you can enroll or manage your Password Recovery credential; for example, change your recovery questions or the associated answers.

In order to use this recovery credential to gain access to a computer, the user must have previously logged on to the same computer at least once with another valid credential.

To set up Password Recovery
1 In the Altus Console, select Credential Manager, and then choose Add, Change or Delete on the PASSWORD RECOVERY tile.
2 The Password Recovery page displays.
3 On the Password Recovery page, select three security questions, and then enter an answer for each question. You can also choose to write your own security questions by selecting that option from the dropdown menu.
4 After completing the questions and answers, select Save.

Administrators can configure the list of security questions displayed or create custom questions through the Enable Self Password Recovery setting (see the DigitalPersona Altus LDS or Altus AD Administrator Guide).

After your Password Recovery credential has been enrolled, you can access your computer using your personal questions from the Windows Logon screen.

Smart, Contactless & Proximity Cards credential

Altus supports a wide variety of identity cards and card readers, including Smart cards, Contactless cards and Proximity cards.

To enroll or manage a Card credential
1 In the Altus Console, select Credential Manager, and then choose Add, Change or Delete on the CARDS tile.
  • To delete all enrolled cards, click Delete on the CARDS tile.
  • To delete a single card when more than one card is enrolled, click Change on the CARDS tile and then click Delete on the specific card image.
2 Insert a card into the card reader or place a Contactless or Proximity Card very close to the reader.
3 The Cards page displays.
4 Insert a Smart Card into the card reader or place a Contactless or Proximity Card very close to the reader.
5 Once the card has been identified, its name will display on the screen with an Enroll button next to it.
6 Click Enroll. For Smart Cards, enter a Smart Card PIN. Then click Enroll.

PIN credential

An Altus PIN is a credential composed of a series of characters (numbers or letters). A PIN is often used in combination with another credential to enhance its security. This PIN should not be confused with a Smart Card PIN, which is used as part of a Smart Card credential.

On the PIN page, you can create a new PIN or change your existing PIN.

To enroll or manage a PIN
1 In the Altus Console, select Credential Manager, and then choose Add, Change or Delete on the PIN tile.
2 The PIN page displays.
  • Add - Choose Add on the PIN tile. Then enter and confirm the characters that you want to use as your PIN and select Save.
  • Change - Choose Change on the PIN tile. Then enter and confirm the characters that you want to use as your PIN and select Save.
  • Delete - Choose Delete on the PIN tile. Then confirm the deletion by verifying your identity.

Bluetooth credential

Any Bluetooth-enabled device discoverable by this software may be used as a credential for authentication, when combined with an additional supported credential as defined by the Logon or Session Policy in force.

Enrolling a Bluetooth credential does not automatically make it available on every Altus client. This is because Bluetooth enrollment pairs the associated device with the machine where it is enrolled initially. To use their Bluetooth credential on a machine other than the one where it was originally enrolled, users will need to pair their device with each Workstation or Kiosk where they expect to use their Bluetooth credential.
All unenrolled and discoverable Bluetooth devices within range are displayed in the bottom portion of the page.

To enroll, pair or manage a Bluetooth credential
1 In the Altus Console, select Credential Manager, and then choose Add, Change or Delete on the BLUETOOTH DEVICES tile.
2 The Bluetooth Devices page displays.
  • Add - To add a new Bluetooth credential, or pair your previously enrolled device on this computer, choose Add on the BLUETOOTH DEVICES tile. Then on the Bluetooth Devices page, select a device and choose Enroll. If an expected device is not displayed, ensure that the device is set to be discoverable. If the device has not previously been paired with this computer, you will be asked to pair it, and then the device will be enrolled as a credential. Devices previously paired with the computer will simply be enrolled.
  • Change - To enroll an additional Bluetooth device, change your current Bluetooth device, or delete a specific Bluetooth device, choose Change on the Bluetooth Devices tile. Then on the Bluetooth Devices page, select Enroll or Delete.
  • Delete - To delete all enrolled Bluetooth devices, choose Delete on the Bluetooth Devices tile. Then confirm the deletion by verifying your identity.

One Time Password credential

A One Time Password (OTP) is a credential composed of a time-sensitive 6-digit code automatically generated by a special Authenticator app on a user's mobile device. Once enrolled, this credential can be used for authentication at Windows logon and within a Windows session as defined by the Logon or Session Policy in force.

On the Credential Manager, One Time Password page, you can
• Download the Google Authenticator app for your smartphone or tablet that generates the One Time Password which you then enter on your Windows workstation for authentication.
• Scan a QR code with your device that automatically creates an OTP account token linked to your OTP credential.
• Enter the OTP verification code generated by the device.

To download the OTP application for your smartphone
1 From the Altus Workstation user console, click Credential Manager, and then click ADD on the OTP tile.
2 Verify your identity with any enrolled credential.
3 In the upper right area of the screen select the tile that represents your smartphone's app store. Supported stores are: Apple App, Windows Phone, Google Play and BlackBerry World.
4 A QR code displays on your screen. Open a QR reader app on your mobile device and scan the QR code. This will download the app to your device.

To set up an Altus account on your device
1 Launch the downloaded app on your device.
2 Select Begin Setup.
3 Select Scan Barcode.
4 Scan the QR code that displays on the One Time Password page. Do not scan the QR code again that was used to download the app.
5 You can also set up an Altus account in the Authenticator app by selecting the [+] sign in the app and entering the Altus account information manually.
6 To display the information in Credential Manager that needs to be entered on your device, select the Can't scan the barcode link on the One Time Password page.

To enroll your OTP credential
1 From the Altus Workstation user console, click Credential Manager, and then click ADD or CHANGE on the One Time Password tile.
2 Verify your identity with any enrolled credential.
3 With your device, scan the QR code that displays on the One Time Password page. Do not scan the QR code again that was used to download the app.
4 In the Altus Console, enter the One Time Password displayed on your device.
5 Click Verify and Save.

To authenticate with your One Time Password
1 At Windows logon or on any Verify your Identity screen, select the One Time Password tile.
2 Launch the OTP app on your device.
3 Enter the One Time Password displayed on your device into the OTP field on your workstation screen and select the arrow button.

To delete your OTP credential
1 Once the credential has been enrolled, a DELETE button is added to its tile.
2 Click Delete.
3 Verify your identity to confirm the deletion.

8  Password Manager

This chapter describes Password Manager, a core component of DigitalPersona Altus Workstation and Kiosk clients.

Main topics in this chapter
• Managed logons and personal logons (page 45)
• Browser Integration (page 46)
• Adding logons (page 47)
• Editing logons (page 50)
• Organizing logons into categories (page 51)
• Managing your logons (page 52)
• Using the Logons Menu (page 52)
• Using managed logons (page 52)
• Website Exclusions (page 52)
• Backing up Password Manager Data (page 53)
• Restoring Password Manager Data (page 54)
• Settings (page 54)
• Differences in supported browsers (page 54)

Introduction

Logging on to Windows, websites, and applications is easier and more secure when you use Password Manager. You can use it to create stronger passwords that you don't have to write down or remember, and then log on easily and quickly with Altus enrolled credentials such as a fingerprint, smart/proximity/contactless card, or your Windows password. Additional auxiliary credentials can also be used in multi-factor authentication.

Password Manager allows you to:
• Personal logons - Add, edit, or delete personal logons and logon account data.
• Managed logons - Add, edit or delete logon account data for managed logons provided by your administrator. This feature may optionally be disabled by the administrator.
• Use personal or managed logons to launch your default browser and log on to any website or program.
• Organize your logons into categories.
• See at a glance whether any of your passwords are a security risk.
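Before leaving the credential topics: the One Time Password credential described in the Credential Manager chapter is a 6-digit, time-based code from the Google Authenticator app, which implements RFC 6238 TOTP (HMAC-SHA1 over a 30-second time step, truncated to six digits). The PowerShell below is an added example, not DigitalPersona's code. It derives the code from a shared secret and a Unix time, and verifies a submitted code with a one-step window and a fixed-time comparison, which is what the verifying side of such a credential has to do. That Altus verifies the credential in exactly this way is an assumption; the self-test values are the published RFC 6238 / RFC 4226 test vector, and the Base32 string at the end is a constructed sample, not a real enrollment secret.

```powershell
# Added example; not DigitalPersona code. RFC 6238 TOTP as used by Google
# Authenticator: HMAC-SHA1, 30-second step, 6 digits. Whether Altus verifies
# exactly this way is an assumption; the self-test uses the RFC test vector.

function ConvertFrom-Base32 {
    # Authenticator secrets shown for manual entry ("Can't scan the barcode") are Base32.
    param([Parameter(Mandatory)][string]$Text)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bits = ''
    foreach ($ch in ($Text.ToUpperInvariant() -replace '[^A-Z2-7]', '').ToCharArray()) {
        $bits += [Convert]::ToString($alphabet.IndexOf($ch), 2).PadLeft(5, '0')
    }
    $count = [int][math]::Floor($bits.Length / 8)
    $out = New-Object byte[] $count
    for ($i = 0; $i -lt $count; $i++) {
        $out[$i] = [Convert]::ToByte($bits.Substring($i * 8, 8), 2)
    }
    return ,$out
}

function Get-TotpCode {
    param(
        [Parameter(Mandatory)][byte[]]$Secret,
        [Parameter(Mandatory)][long]$UnixTime,
        [int]$Step = 30,
        [int]$Digits = 6
    )
    $counter = [long][math]::Floor($UnixTime / $Step)
    $msg = [BitConverter]::GetBytes($counter)                       # 8 bytes, host order
    if ([BitConverter]::IsLittleEndian) { [array]::Reverse($msg) }  # RFC requires big-endian
    $hmac = [System.Security.Cryptography.HMACSHA1]::new($Secret)
    $hash = $hmac.ComputeHash($msg)
    $hmac.Dispose()
    $offset = [int]$hash[19] -band 0x0F                             # dynamic truncation, RFC 4226 5.3
    $binary = (([int]$hash[$offset] -band 0x7F) -shl 24) -bor
              ([int]$hash[$offset + 1] -shl 16) -bor
              ([int]$hash[$offset + 2] -shl 8) -bor
              [int]$hash[$offset + 3]
    $code = $binary % [int][math]::Pow(10, $Digits)
    return $code.ToString().PadLeft($Digits, '0')
}

function Test-TotpCode {
    # Accepts the current step plus/minus $Window steps (clock drift between
    # phone and workstation); compares without an early exit on mismatch.
    param([byte[]]$Secret, [string]$Submitted, [long]$UnixTime, [int]$Window = 1, [int]$Step = 30)
    $ok = $false
    foreach ($delta in (-$Window)..$Window) {
        $expected = Get-TotpCode -Secret $Secret -UnixTime ($UnixTime + $delta * $Step) -Step $Step
        $diff = $expected.Length -bxor $Submitted.Length
        $n = [math]::Min($expected.Length, $Submitted.Length)
        for ($i = 0; $i -lt $n; $i++) {
            $diff = $diff -bor ([int]$expected[$i] -bxor [int]$Submitted[$i])
        }
        if ($diff -eq 0) { $ok = $true }   # keep looping: no early exit on match either
    }
    return $ok
}

# Self-test against RFC 6238 Appendix B (SHA1 seed, T = 59 -> counter 1).
$rfcSecret = [System.Text.Encoding]::ASCII.GetBytes('12345678901234567890')
if ((Get-TotpCode -Secret $rfcSecret -UnixTime 59) -ne '287082') { throw 'TOTP self-test failed' }
if (-not (Test-TotpCode -Secret $rfcSecret -Submitted '287082' -UnixTime 89)) { throw 'window check failed' }
if (Test-TotpCode -Secret $rfcSecret -Submitted '287082' -UnixTime 150) { throw 'stale code was accepted' }

# Constructed sample secret (not a real enrollment), as it would appear for manual entry.
$sampleSecret = ConvertFrom-Base32 'JBSWY3DPEHPK3PXP'
$now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
"Code for the current 30-second step: $(Get-TotpCode -Secret $sampleSecret -UnixTime $now)"
```

The window check is the part worth keeping in mind when a user reports that a freshly generated code is rejected: with a one-step window the workstation and the phone may disagree by at most about 30 seconds, so a larger skew shows up as "stale code" failures rather than as an enrollment problem.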
Managed logons and personal logons

Managed logons are created, administered and deployed by an administrator using the Password Manager Admin Tool, which is a separate installation from your DigitalPersona Altus product package. For instructions on using the Password Manager Admin Tool, see the chapter in the DigitalPersona Altus LDS or Altus AD Administrator Guide.

In most cases, the first time a managed logon is used, you will be asked for your personal account logon data for a resource. Whether account data is requested, and what type of data is required, is determined when the managed logon is created, and also governed by settings described in the DigitalPersona Altus LDS or Altus AD Administrator Guide. If account data is required, it is only entered once. On subsequent use of the logon, account data will be filled in automatically.

Additionally, many options are provided for customizing the use of managed logons for your environment. See the Settings described in the DigitalPersona Altus LDS or Altus AD Administrator Guide.

Personal logons are created by an individual for their own use. Account data is entered during the creation of the logon, and filled in automatically during subsequent use of the logon.

This chapter primarily addresses the use of personal logons, although much of the information also applies to the use of managed logons.

Browser Integration

To use Password Manager with your web browser, follow the steps listed below for integrating your browser with Password Manager.

Internet Explorer

Internet Explorer for the desktop does not require any additional configuration. Password Manager does not support the Internet Explorer Modern UI app.

Google Chrome
1 Install the Password Manager Extension for Google Chrome by clicking the following link or pasting it into your Chrome browser.
  http://secure.digitalpersona.com/passwordmanager/dp/altus/chrome/extension/
2 Follow the instructions that are displayed.
3 Then enable the DigitalPersona Chrome plug-in.
  • Copy the following text and paste it into the Chrome internet address field.
    chrome://plugins
4 Find the Altus Password Manager plug-in and make sure that Always Allowed is selected.

If you do not want Password Manager to continue showing notifications about integration problems, deselect the Show Integration problem notifications checkbox.

Firefox
1 From the Firefox menu, select Add-ons.
2 On the resulting page, select Extensions.
3 Find the DigitalPersona Altus extension, and tap or click Enable.
4 Select Plugins.
5 Find the DigitalPersona Altus plugin and choose Always Activate.
6 Close and restart Firefox.

If you do not want Password Manager to continue showing notifications about Firefox integration problems, deselect the Show Integration problem notifications checkbox.

Adding logons

There are two ways to add a logon for a website or program to Password Manager.
• Remember - Log in to a website or program and Password Manager will offer to remember your account information.
• Create - With a website or program logon screen displayed in your browser, scan an enrolled fingerprint or present an enrolled card to display the Create Logon dialog.

Once the logon is added to Password Manager, from then on, your logon information can be automatically filled in and optionally submitted as well. You can use these logons after browsing to the website or program, or click a logon from the Logons menu to have Password Manager open the website or program and log you on.

Remember account data

Simply log in to a website or program as usual and Password Manager will offer to remember your account information. Click Remember and your logon information is saved. Next time you can log in with any enrolled credential.
If you do not want to see the Password Manager reminder each time you visit this site, select Never for this site.

Creating logons

To add a logon from the Create Logon dialog
1 With a website or program logon screen displayed in your browser, scan an enrolled fingerprint or present an enrolled card to display the Add Logon dialog.
2 Enter your logon data.
  • To populate the Email/User ID field with a preformatted Windows credential, click the arrow to the right of the field and select one of the displayed options:
    Windows User Name
    Windows User Principal Name
    Windows Domain\User Name
    Windows Domain
  • To populate the Password field with a preformatted credential, click the arrow to the right of the field and select one of the displayed options. Note the colored line under the Password field. This indicates password strength from red, through yellow to green for optimum strength.
    Windows User Password
    Use previous password ... - Sometimes, you may modify a password in Password Manager, but this password is rejected by the application. In this case, the software allows you to use a previous password (i.e. a password previously entered for this logon page) instead of the most recent one. If you select Use previous Password, after authentication you will be prompted to choose a previous password in the Choose Password dialog (shown below). The list includes up to seven passwords and can be cleared (deleted) permanently by clicking the Clear list button.
  • To view the password for this logon, click Show password.
  • To have the logon fields filled in, but not submitted, clear the Automatically submit account data check box.
3 If Password Manager does not display the required logon fields, click More fields. Then select the check box for each field that is required for logon, or you can clear the check box for any fields that are not required for logon.
4 If Password Manager cannot detect all of the required logon fields, a message is displayed asking if you want to continue. Click Yes to enter manual mode.

Each time that you access the now "trained" website, program or network resource, the Password Manager icon shown below is displayed on the screen (Internet Explorer) or to the right of the first recognized entry field (Firefox and Chrome), indicating that you can use any of your enrolled credentials to log on. An administrator can also create managed logons for resources, including Change Password screens (see the Password Manager Admin Tool chapter in the Altus LDS or Altus AD Administrator Guide).

Figure: Password Manager Icon for Internet Explorer
Figure: Password Manager Icon for Internet Explorer as displayed on a recognized Change Password screen
Figure: Password Manager Icon for Firefox and Chrome
Figure: Password Manager Icon for Firefox and Chrome as displayed on a recognized Change Password screen

Manual mode

A dialog is displayed with your logon fields filled in. Click the icon for each field and drag it to the appropriate logon field, and then click the button to sign into the website.

Once you use the manual mode of entering the logon data for a site, you must continue to use this method to log on to the same website in the future. The manual mode of entering logon data is available only with Internet Explorer 8.

Editing logons

You can edit a logon from the Password Manager page, or from the Edit Logon dialog, whichever is more convenient at the time.

Editing from the Password Manager page

To edit a previously created logon from within the main Password Manager page
1 Tap or click the buttons to the right of a logon name to select from the editing options. Select Edit.
2 A new dialog displays on top of the page, to show previously saved logon information and additional options.
3 The account data includes the following editable fields:

• Account name - The name used on the main Password Manager page to identify this account.

• Category - The name used for categorizing accounts on the main Password Manager page. Tap or click the Category field to choose a previously entered category, or None.

• Login - This is the website label discovered by Password Manager as most likely indicating the login field. The actual label name may vary from website to website, as this label is controlled by the website and not by Password Manager.

• Password - This is the website label discovered by Password Manager as most likely indicating the password field. The actual label name may vary from website to website, as this label is controlled by the website and not by Password Manager. The actual password is hidden by default. To show the password, click the Show button.

Any optional additional fields and data saved for this account may be displayed in this area.

Editing from the Password Manager icon

To edit logon information from the Password Manager icon

1 Open the logon screen for a website or program.

2 Click the arrow on the Password Manager icon, and then click Edit logon to display a dialog for editing your account information.

3 Edit your logon information. See the topic Editing from the Password Manager page on page 50 for further details.

4 Click Save.

Organizing logons into categories

Keep your logons in order by assigning them to custom categories. Logons can be added to a category by selecting the category from the Category dropdown menu when editing the logon. A logon may belong to only one category.
However, when creating additional logons for the same web domain:

• If there are two or more accounts belonging to the same web domain which do not belong to any custom category, they will be categorized by their domain name (defined as the characters appearing after "http(s)://" and before the domain zone).

• If an account is already assigned to a custom category, there is no nested category for it based on the domain name.

To create a new category - Tap or click Manage Categories. Then select Add Category and enter a category name in the resulting dialog.

To edit a category name - Tap or click Manage Categories. Then double-click the category and type a new name in the Category Name field.

To remove a category - Tap or click the icon at the end of the line that contains the category.

Managing your logons

Password Manager makes it easy to manage your logon information for user names, passwords, and multiple logon accounts, from one central location. Your logons are listed on the Password Manager page in the Altus user console. Each logon includes an entry for the website, program or other resource, and an indented entry for each set of account data created for the resource.

To manage your logons, from the user console, click Password Manager, and then:

Log in - Log in to a website or program for which you have an existing logon.
Edit - Edit a logon.
Add - Add a new account for an existing logon.
Remove - Delete a logon or account.

Using the Logons Menu

Password Manager provides a fast, easy way to launch the websites and programs for which you have created personal logons. Double-click a program or website logon from the Logons Menu to open the logon screen and automatically fill in your logon data. Managed logons may also be created by your administrator, and may display on the Logons Menu. When you create a logon, it is automatically added to your Password Manager Logons Menu.
To display the Logons Menu, do one of the following:

• Press the Password Manager hot key combination. Ctrl+Win+H is the factory setting. You can change the hot key combination from the Quick Actions page, accessed by clicking the Quick Actions tile in the Altus Console.

• Scan your fingerprint (on computers with a built-in or connected fingerprint reader).

Using managed logons

If you are deploying managed logons to your users, this topic contains information that you will want to make sure is passed on to them. The same information is also included in the end-user help file included with compatible clients.

Logging On

After creating managed logons and deploying them to users, users will be able to launch a logon screen and verify their identity with their specified credentials. Logon screens that have a logon created for them display the Password Manager icon on the screen.

Password Manager icon for Internet Explorer
Password Manager icon for Firefox and Chrome

Depending on the attributes defined by the logon administrator, the logon process may vary:

• A user can be automatically logged on, with all fields populated and submitted, simply by verifying their identity.

• The user may need to supply information for required fields the first time they use the logon, but be automatically logged on subsequently.

• If a user has multiple sets of account data, they will be prompted to select the account they wish to log on to in the Select Account Data dialog box.

Changing passwords

After creating logons and deploying them to users, managed password screens display the Password Manager icon on the screen. After verifying their identity, the user is asked to provide an old password, a new password and to confirm the new password. Depending on the logon attributes, the change password process may vary:

• The user can be allowed to choose a new password with or without constraints on the password content.
• A new random password can be automatically generated, in which case the user must log on with alternate credentials.

Website Exclusions

The Website Exclusions list displays websites that are excluded from being managed by Password Manager. There are two ways that a website ends up on this list:

• When Password Manager prompted to remember logon credentials, you selected Never for this site.

• You manually added the website's URL to the list.

To access the Website Exclusions list

• From the Altus Workstation user console, click Password Manager, and then click Website Exclusions.

To add a website to the Website Exclusions list

1 On the Website Exclusions page, select Add Website.

2 Enter the URL for a website that you want to add to the Website Exclusions list. Click Save.

To edit a website on the Website Exclusions list

1 On the Website Exclusions page, click the Edit icon for the entry that you want to change.

2 Enter your changes and click Save.

To delete a website from the Website Exclusions list

• On the Website Exclusions page, click the Delete icon for the entry that you want to delete.

To search for websites in the Website Exclusions list

1 Enter the text to search for in the Search field.

2 Click the Search icon.

Backing up Password Manager Data

It is recommended that users back up their Password Manager data on a regular basis. How often they back it up depends on how often the data changes. For instance, if a user adds new logons on a daily basis, they should probably back up their data daily. Note that only their Password Manager data is backed up by this feature, not their enrolled credentials or the Altus Workstation software. Backups can also be used to migrate Password Manager data from one computer to another.
Altus Workstation must be installed on any computer that is to receive backed up data before the data can be restored from the backup file.

To back up Password Manager data:

1 Open the Altus Workstation console.

2 On the console Home page, choose Password Manager and then select Backup.

3 Enter a name for the backup file. By default, the file will have a .dpb file extension. Click Browse to specify a location for the backup file.

4 Enter and confirm a password to protect the file. Then select Backup.

5 Verify your identity with any enrolled credential. Then click OK.

Restoring Password Manager Data

Password Manager data previously backed up through the Backup feature (as a .dpb file) can be restored to the same computer or another computer where Altus Workstation is installed. Note that only a user's Password Manager data is restored by this feature, not their enrolled credentials or the Altus Workstation software.

To restore Password Manager data:

1 Open the Altus Workstation console.

2 On the console Home page, choose Password Manager and then select Restore.

3 Select the previously created backup (.dpb) file. You can enter the path in the field provided or click Browse to locate the file.

4 Enter the password used to protect the file.

5 Select Restore.

6 Verify your identity with any enrolled credential. Then click OK.

Settings

On the Password Manager Settings page, you can personalize your experience of Password Manager. The Settings page can be accessed by clicking the Settings link at the bottom of the Password Manager page.

Prompt to remember logon credentials - By default, prompts you to use Password Manager to save your logon credentials on screens recognized as containing logon fields.
Differences in supported browsers

Internet Explorer

All features described in this Application Guide are supported in those versions of Microsoft Internet Explorer that are listed in the System Requirements.

Firefox

When used with supported versions of the Firefox browser, all Password Manager features are available except for Manual Mode and the following Logon properties used in creating managed logons: Lock out logon fields and Monitor screen changes. See the Password Manager Admin Tool chapter in the Altus LDS or Altus AD Administrator Guide.

Chrome

When used with supported versions of the Chrome browser, all Password Manager features are available except for Manual Mode and the Lock out Logon Fields property used in creating managed logons. See the Password Manager Admin Tool chapter in the Altus LDS or Altus AD Administrator Guide.

When logging in to a website with a managed logon that was created with the Start Authentication Immediately property set, after logging out or canceling the authentication dialog and being returned to the login page, the authentication dialog is not redisplayed.

9 Quick Actions

THIS CHAPTER DESCRIBES QUICK ACTIONS, A FEATURE OF ALTUS AD AND ALTUS LDS WORKSTATIONS.

Introduction

On the Quick Actions page, you can change the DigitalPersona Hot Key sequence and configure Quick Actions: operations performed automatically in response to the use of the Altus Workstation Hot Key, a credential, or a Key+Credential combination. This feature is available in DigitalPersona Altus Workstation and Altus AD Workstation. It is not available in DigitalPersona Altus Kiosk or Altus AD Kiosk.

To manage Quick Actions settings

1 Launch the Altus Console.

2 Tap or click the Quick Actions tile.

Only fingerprint and supported smart (contact, contactless and proximity) card credentials will initiate a Quick Action. Specific Quick Actions may be disabled by your administrator.
Available Quick Actions are:

Password Manager Action - Initiates a specific action depending on context. When the active window has an associated Password Manager personal logon or managed logon, fills in account data. If the window is determined to be a logon screen that does not have an associated personal logon or managed logon, and the Allow creation of personal logons setting is enabled or not configured, the Add Logon dialog displays. If none of the above cases are true, the Logons Menu or user dashboard is shown.

Fast Connect - Connects to a Citrix session or runs a XenApp Published Application. It also fills in specified credentials and logs into an application. If a connection is already active, disconnects from the session.

Lock Computer - Locks the computer.

The assignment of the Altus Workstation Hot Key, and the Quick Actions performed by presenting a credential or Key+Credential combination, may have been configured by your administrator. If so, you will not be able to change them.

10 Altus Attended Enrollment

THIS CHAPTER DESCRIBES ALTUS ATTENDED ENROLLMENT, AN OPTIONALLY INSTALLED COMPONENT OF THE DIGITALPERSONA ALTUS WORKSTATION CLIENT.

Main topics in this chapter                    Page
Security Officer identification                  58
(Altus only) User creation or selection          59
Altus AD only: User selection                    60
Credential enrollment                            60
Completing enrollment                            70
Advanced Features                                70

Introduction

Altus Attended Enrollment allows the Altus administrator to delegate a user or group to supervise the credential enrollment process. It is not installed as part of the typical (default) installation, but must be selected as part of a Custom installation of Altus Workstation. See page 27 for installation details. Supervised (attended) enrollment is the default method of creating Altus users and enrolling their credentials. However, self-enrollment of user credentials is also an option.
See the Altus LDS or Altus AD Administrator Guide for details.

Much of the behavior of the Altus Attended Enrollment UI is configurable through an XML file, DPAttendedEnrollment.exe.xml, which is located in the BIN folder of the DigitalPersona installation directory. Available configuration options and parameters are explained within the XML file.

There are a few small differences in functionality depending on whether the Altus solution you are using is the Altus LDS or Altus AD product. These differences will be noted within the content that follows.

Security Officer identification

When launching Attended Enrollment, the first screen requires authentication by an Altus Security Officer. The Security Officer submits any of their enrolled credentials. When using a Windows password, they can simply click the arrow to the right of the password field. The User Selection page then displays.

Additionally, by default, the Security Officer will need to authenticate after enrollment of each credential. This feature can be configured through the governing XML file. Also, the user being enrolled will need to authenticate at the end of the enrollment process.

The user selection/creation process is different in Altus LDS and Altus AD, as shown in the following pages.

(Altus only) User creation or selection

For Altus AD user selection, see page 60.

1 On the User selection page, select whether the user is an Altus LDS User or Altus AD User, enter their user name and click OK. When an entered user name is not found in the Altus database, you have the option of creating the user at this point. If you think you have simply misspelled the name, you can edit the name directly on this page and click OK to search for the user again.

2 To create a new Altus user:

• Click the Create this user link.

• On the User creation page, have Altus LDS Users enter and confirm an Altus password.
Altus AD Users will need to enter their Windows password. Then click OK.

3 The Credential Enrollment page displays. Credential Enrollment is the same in both Altus LDS and Altus AD, and is described beginning on page 60.

Altus AD only: User selection

To select a user for Attended Enrollment

• On the User selection page, enter the name of the Windows user that you want to enroll credentials for, and click OK.

Credential enrollment

Once a user is selected, the Credential enrollment page displays. This is the central location within Attended Enrollment where a user's credentials and other identifying information can be enrolled and managed. Credential Enrollment is the same in both Altus LDS and Altus AD, but the UI and the user experience differ depending on whether a single print fingerprint reader or a ten print scanner is being used for enrollment.

The tiles on the page, representing credentials and other information that may be captured by Altus in relation to a specific user, give access to pages where this information may be provided. The Altus administrator can configure which specific tiles appear on the page, so there may be more or fewer tiles than shown in the above image. See the Altus LDS or Altus AD Administrator Guide for details.

Note that the Bluetooth credential is not available during Attended Enrollment. This is because Bluetooth enrollment pairs the associated device with the machine where it is enrolled, and most users will not be using their Bluetooth device to authenticate on the Attended Enrollment machine.

In order to complete enrollment for a user, all tiles on the page must be visited, and will then indicate that they are either enrolled or have been intentionally omitted. Enrolled tiles will be checked, and omitted tiles will show an arrow.
When information is omitted, the Security Officer must enter a reason for the omission, which is then made part of the user record in the Altus database.

Password credential

The Password credential is automatically enrolled for Altus Users during the initial creation of the user. For Altus AD users, the Password credential is part of their Active Directory profile. The Password tile provides a means to change the user's password, by entering their current password, and then entering and confirming a new password.

Fingerprints credential

If there is a fingerprint reader or ten print scanner built into or connected to your computer, you can enroll and manage a user's fingerprints. Select the Fingerprints tile to display the Fingerprints page, where you can enroll a user's fingerprints credential.

The process of enrolling a user's fingerprints is slightly different depending on whether you are using a single print fingerprint reader, or a ten-print fingerprint scanner such as one of the Crossmatch Guardian products. See the following two sections for descriptions of the steps for each of the hardware devices.

Enrolling fingerprints with a fingerprint reader

To enroll a fingerprint

1 Click the Fingerprints tile to display the Fingerprints pages.

2 Click on a finger in the displayed hand image.

3 Scan the selected finger as many times as requested to enroll the fingerprint.

4 Click Save.

To delete a fingerprint, click any highlighted finger and confirm the deletion by clicking Yes.

Enrolling fingerprints with a ten print scanner

For a list of supported ten-print scanners, see the readme.txt file included with this software package. Additional files may need to be installed before use. See the Optional installations chapter of the Altus AD or Altus LDS Administrator Guide for further details.
The ten-print scanner captures fingerprints in three segments, often described as 4-4-2: four fingers of the left hand, four fingers of the right hand, and the two thumbs together.

1 Click the Fingerprints tile to display the Fingerprints pages.

2 Select which segment to enroll. In the displayed image, choose the left hand, right hand or thumbs.

3 Scan the selected fingers or thumbs as many times as requested to enroll them. If the user is missing any fingers, click the associated finger in the smaller image in the upper right.

4 Each successful enrollment will result in one of the scan numbers turning blue.

5 When enrollment of the segment is complete, the screen shows the fingerprint segment in blue.

6 Select another segment until the fingerprints of both hands and thumbs have been captured. Then click Save.

To delete a partial fingerprint segment

1 Once the credential has been enrolled, a Delete button is added to its tile.

2 Select the previously enrolled left or right hand or thumbs. Then confirm the deletion.

3 On the image, select the left or right hand or thumbs.

4 Click Delete.

5 Verify your identity to confirm the deletion.

Authentication

To authenticate with the ten-print scanner, use only a single finger or thumb. Use only the front half of the scanner screen to read the fingerprint.

Smart, Contactless and Proximity Cards credential

This tile provides a means for enrolling a user's Smart, Contactless or Proximity Card credential.

To enroll a card credential

1 Click the Smart, Contactless and Proximity Cards tile to display the corresponding pages.

2 Insert a Smart Card into the card reader or place a Contactless or Proximity Card very close to the reader.

3 Click Enroll and then click Save.

To delete all enrolled cards, click Delete on the Cards tile.
To delete a single card when more than one card is enrolled, click Change on the Cards tile and then click Delete on the specific card image.

PIN credential

This tile provides a means for enrolling a user's PIN credential.

To enroll a PIN credential

1 Click the PIN tile to display the PIN page.

2 Enter and confirm a PIN. The system default requires a PIN between 6 and 12 alphanumeric characters; however, the minimum and maximum PIN length may be specified through a GPO setting by the Altus administrator.

3 Click Save.

Password Recovery credential

The Password Recovery credential allows the user to regain access to their Windows account by answering a series of questions that have been previously configured. The Password Recovery tile provides a means to set up a user's Password Recovery Questions.

To set up a user's Password Recovery Questions

1 Click the Password Recovery tile to display the Password Recovery page.

2 The user selects their questions from those available from the dropdown menus, and enters their unique answers. They can also write their own security questions by selecting that option.

3 Click Save.

OTP credential

A One Time Password (OTP) is a credential composed of a time-sensitive 6-digit code automatically generated by a special Authenticator app on a user's mobile device. Once enrolled, this credential can be used for authentication at Windows logon and within a Windows session as defined by the Logon or Session Policy in force.

On the One Time Password page, you can:

• Download the Google Authenticator app for your smartphone or tablet that generates the One Time Password, which you then enter on your Windows workstation for authentication.

• Scan a QR code with your device that automatically creates an OTP account token linked to your OTP credential.

• Enter the OTP verification code generated by the device.
To download the OTP application for the user's smartphone

1 From the Credential enrollment page, click Add on the One Time Password tile.

2 Verify your identity with any enrolled credential.

3 In the upper right area of the screen, select the tile that represents the app store for the user's device. Supported stores are: Apple App Store, Windows Phone, Google Play and BlackBerry World.

4 A QR code displays on the screen. Have the user open a QR reader app on their mobile device and scan the QR code. This will download the app to their device.

To set up an Altus account on the device

1 Launch the downloaded app on the device.

2 Select Begin Setup.

3 Select Scan Barcode.

4 Scan the QR code that displays on the One Time Password page. Do not scan again the QR code that was used to download the app.

5 The user can also set up an Altus account in the Authenticator app by selecting the [+] sign in the app and entering the Altus account information manually.

6 To display the information in Credential Manager that needs to be entered on the device, select the Can't scan the barcode link on the One Time Password page.

To enroll the One Time Password credential

1 From the Credential enrollment page, click Add or Change on the One Time Password tile.

2 Verify your identity with any enrolled credential.

3 With your device, scan the QR code that displays on the One Time Password page. Do not scan again the QR code that was used to download the app.

4 In Credential enrollment, enter the One Time Password displayed on the device.

5 Click Save.

To delete an OTP credential

1 Once the credential has been enrolled, a Delete button is added to its tile.

2 Click Delete.

3 Verify the user's identity to confirm the deletion.

To authenticate with a One Time Password

1 At Windows logon or on any Verify your Identity screen, select the One Time Password tile.
2 Launch the OTP app on the device.

3 Enter the One Time Password displayed on the device into the OTP field on the workstation screen and select the arrow button.

Photo (Altus LDS only)

This tile provides a means for taking a photograph of the user. Note that this photograph is not an Altus credential and cannot be used for verifying your identity when authentication is required for login to Windows, websites or programs. This page does not display in the Altus AD Console.

To take a photograph of the user

1 Position the user in front of the camera.

2 If necessary, use the slider bar to adjust the brightness of the image.

3 Click Take photo. Then click Save.

Completing enrollment

Once all displayed tiles have either been enrolled or omitted, the Security Officer clicks Complete enrollment and the program returns to the User selection page.

Advanced Features

Altus Advanced Features can be accessed by clicking the Advanced button on the Credential enrollment page. The Altus Advanced Features page displays. The behavior of the page will vary depending on the value of the PasswordRandomization tag in the file DPAttendedEnrollment.exe.xml. See the Altus LDS or Altus AD Administrator Guide for further details.

11 Altus Kiosk

THIS CHAPTER DESCRIBES THE MAIN FEATURES OF THE DIGITALPERSONA ALTUS KIOSK CLIENT.
Main topics in this chapter                                 Page
Feature overview                                              71
Comparing Altus Workstation and Altus Kiosk                   72
Logging On to Windows                                         72
Using the Password Manager Admin Tool with Altus Kiosk        74
Logging On to Password-Protected Programs                     74
Switching Users on Altus Kiosk Computers                      75

Introduction

DigitalPersona Pro Kiosk for Enterprise provides users with fast, convenient and secure multi-factor identification and authentication in environments where users share a common Windows account yet need separately controlled access to resources, applications and data.

Feature overview

Altus Kiosk provides these features:

Single Sign-On to enterprise applications - Simplifies user logon to enterprise applications, including traditional Windows applications, web applications and terminals. No changes to those applications are required and setup takes only a few minutes per application.

Multi-factor authentication - Further enhances convenience and security by providing administrators with a choice of credentials (such as fingerprints, smart cards or Windows passwords) that can be required in any combination to authenticate users logging on to the PC, to enterprise applications, or for fast user switching between users on the same workstation.

Ability to roam and share user credentials across computers - If your environment requires users to gain access to multiple workstations or kiosks, they do not need to re-enroll their credentials at each computer. Altus Kiosk can automatically make users' authentication credentials and other data, such as managed logons to enterprise applications, available at each computer within the domain.
Attended or unattended credential enrollment - By default, Altus Kiosk is configured for centralized enrollment through one or more supervised computers using the Altus Attended Enrollment component, an optional component of Altus Workstation and Altus AD Workstation.

This chapter describes the similarities and differences between DigitalPersona Altus Workstation and Altus Kiosk functionality from the point of view of the administrator. Most of the basic functionality is common to both Altus Workstation and Altus Kiosk. Additional details on user tasks are provided in the DigitalPersona Altus Kiosk Help file.

In the following topics, the term "kiosk" refers to one or more Kiosk Workstations which are tied to a shared Kiosk account.

Comparing Altus Workstation and Altus Kiosk

This section describes the similarities and differences between DigitalPersona Altus Workstation and DigitalPersona Altus Kiosk. Both DigitalPersona Altus Kiosk and DigitalPersona Altus Workstation include the following features:

• Multifactor and alternative authentication credentials.

• Password Manager - Altus Kiosk supports both personal and managed logons. Personal logons are created by an individual user, providing quick and secure logon to resources, programs and websites. Managed logons provide the same functionality but are created by an administrator using the Password Manager Admin Tool. Use of personal logons may be prohibited by the Altus administrator.

• Like DigitalPersona Altus Workstation, Altus Kiosk's default configuration provides centralized enrollment through one or more supervised computers using Altus Attended Enrollment, an optional component of Altus Workstation or Altus AD Workstation.

• If enabled, Altus Kiosk users can enroll their credentials in the same manner as in Altus Workstation.
The one exception is that the Password Recovery credential is not available in Altus Kiosk. Even if a user has created their Password Recovery credential in Altus Workstation, the credential cannot be used in Altus Kiosk, since by design Kiosk does not have a way to log in with the Password Recovery credential.

• Both clients require DigitalPersona Altus Server Version 1.1 or above.

When comparing Altus Kiosk to Altus Workstation, Altus Kiosk differs in the following ways:

• A specified Shared Account is always used for Windows logon that is independent of the user account being authenticated. This affects the account profile and user preferences.

• By default, all Altus users are granted Kiosk access. However, in order to log on to Altus Kiosk, each user must first be created through Attended Enrollment or through Self Enrollment on an Altus Workstation.

• Any authorized Altus Kiosk user can unlock a kiosk computer. For example, a user may log on and lock the kiosk computer. Then, a second user can unlock it without performing log off and log on.

• The name of the last user is not shown in Logon or Unlock dialogs, regardless of security settings.

• A kiosk user can enroll their own credentials, regardless of which user account was logged on to the kiosk, without logging on to their Windows account. The administrator must have allowed permissions for the user to enroll and delete their fingerprints.

• Altus Kiosk does not allow use of a Password Recovery credential for accessing your Kiosk account.

Logging On to Windows

Altus Kiosk allows users to log on to Windows with any enrolled Altus credential, such as their Altus password, their fingerprint or various types of smart cards. All kiosk users share the same Windows session. If the computer becomes locked, any authorized kiosk user will be able to unlock it, view the desktop, and run programs.
Users may also have the option not to log in to the kiosk session, but instead to log on to their own Windows account rather than the Shared Account, although this is recommended for administrators only. Computers where Altus Kiosk is installed will display an additional Kiosk User tile on the Logon Screen.

The user name for the Windows shared account that Altus Kiosk uses cannot be used to log on to a kiosk session. All Kiosk users must use their own Altus credential to log on.

Logging on to Windows without Kiosk

To log on to a computer without using a kiosk session, select Other User and enter your Windows user name and password. When logging in to a computer outside of a kiosk session, the designated Shared Account for the kiosk is not used and therefore Altus Kiosk features are not available. Specifically, access to the Altus Console and the use of Password Manager logons are disabled.

This feature is intended for administrators who might need to access a computer for administrative purposes without kiosk features enabled. Non-administrators can be prohibited from logging on to the computer outside of a kiosk session by enabling a DigitalPersona setting in the controlling GPO. See Prevent users from logging on outside of a Kiosk session in the Altus LDS or Altus AD Administrator Guide.

CAUTION: If you lock the computer outside of a kiosk session, other kiosk users will not be able to unlock it, so be sure to log out of a local session on any kiosk workstation.

Automatic logon using the Shared Kiosk Account

Kiosk can be configured to automatically log on to the Shared Kiosk account when Windows starts or restarts. The Windows Logon screen will not be displayed. The automatic logon setting will allow any user to access a Windows session without interactive authentication when the Kiosk computer is restarted.
This option is controlled by the Allow automatic logon using Shared Kiosk Account setting described in the Altus AD or Altus LDS Administrator Guides.

Changing Your Password

The process of changing your Windows password on a computer with DigitalPersona Altus Kiosk installed is the same as on a computer without Altus Kiosk installed.

To change your Windows password:

1 Press Ctrl+Alt+Delete.
2 Select Change a Password.
3 Enter your Windows user name and your old password.
4 Enter and confirm a new password.

User Account Control

An administrator may use any authorized and enrolled credential, instead of their user name and password, to give a standard user permission to perform an activity that is restricted by User Account Control. When the User Account Control dialog displays, a local administrator with an authorized credential can use their credential to permit the activity.

Using the Password Manager Admin Tool with Altus Kiosk

The Password Manager Admin Tool is an administrative tool that allows an administrator to provide automated logon to password-protected resources, programs and websites. With Altus Kiosk, Password Manager includes the following differences when compared to Altus Workstation implementations:

• Managed logons created with the Password Manager Admin Tool must be deployed to the Shared Account instead of to user accounts.
• Kiosk users do not need to log on to Windows to use managed logons. Their identity is verified each time they log on to the resource. For kiosk users, the Password Manager logon data is never cached locally.

Only managed logons created using the Altus Password Manager Admin Tool, version 1.0 or higher, are compatible with the current version of Altus Kiosk.
For additional information on the Password Manager Admin Tool and the creation and use of managed logons, see the Altus LDS or Altus AD Administrator Guide.

Logging On to Password-Protected Programs

DigitalPersona Altus Kiosk lets a kiosk user log on to password-protected resources, programs and websites with any enrolled credential. As an administrator, you must enable this feature for specific programs by creating managed logons for them.

Password-protected resources with managed logons display a Password Manager icon, shown below, in the upper left corner of the screen (Internet Explorer) or to the right of the first recognized entry field (Firefox and Chrome).

[Figure: Password Manager Icon for Internet Explorer]
[Figure: Password Manager Icon for Internet Explorer as displayed on Change Password screens]
[Figure: Password Manager Icon for Firefox and Chrome]
[Figure: Password Manager Icon for Firefox and Chrome as displayed on Change Password screens]

Administrators can also add a logon for a change password screen to a managed logon.

Users are prompted for their account data the first time they log on to a resource. Then, on subsequent logons, they only need to launch the program and submit their enrolled credential. DigitalPersona Altus Kiosk automatically enters the user name, domain and password and any other necessary account data in the appropriate logon screen text boxes and, if so configured, submits the account data.

For further information on Password Manager, see the Altus LDS or Altus AD Administrator Guide.

Switching Users on Altus Kiosk Computers

You can log on, unlock or gain access to a password-protected resource on a kiosk computer by using your enrolled credentials. After your work is finished, you can do one of the following:

• Close the resource and leave the kiosk computer unlocked.
The next user can approach the kiosk computer and provide their credentials to gain access to the password-protected resource.
• Close the resource and lock the kiosk computer. The next user can approach the kiosk computer and provide their credentials to unlock the computer. They can then open any password-protected resource with their credentials.
• Close the resource and log off from the kiosk computer. The next user can approach the kiosk computer and provide their credentials to log on to the computer. The user is logged into the Shared Account for the kiosk.

The installation and configuration of DigitalPersona Altus Kiosk is covered in the chapter “Altus Kiosk installation” on page 20. All other functionality is the same as described in the chapter “Altus Workstation” on page 30.