Logon Profile
Configuration of Logon Profiles differs according to the authentication service that your system uses:
Note: To determine which authentication service your system uses, check the Log In screen. If it appears in the center of the screen, your system uses Auth0. If it is on the left side, your system uses OpenAM.
- For UKG AuthN authentication (Auth0), a single Logon Profile defines password requirements for logging on to the system.
- Only one setting — Minimum Password Length — is available to set password strength, so the Password tab is not available. For a list of all password requirements, see the Password Policy topic.
- Passwords do not expire with AuthN authentication unless the administrator requires a password reset the next time the person logs in.
- The Session Restrictions and Mobile App tabs are not available.
- For UKG OpenAM authentication, Logon Profiles define the rules for logging on to the system including password requirements and Mobile App user authentication. Only one setting — Minimum Password Length — is available to set password strength.
Only if your system uses UKG AuthN authentication, configure the Logon Profile as follows:
- Click or tap Main Menu > Administration > Application Setup > Access Profiles > Logon Profiles.
Note:
- Only one password policy is permitted.
- For a list of all password requirements, see the Password Policy topic.
- Select the profile.
- You can edit only the minimum length of passwords:
- In Minimum Password Length, you can edit the shortest acceptable password length. Enter the minimum number of characters as follows:
- Minimum (default) = 8 characters.
- Maximum = 64 characters.
Note: Passwords do not expire with AuthN. People Import integrations continue to run and import user accounts with the existing passwords, even if the passwords are shorter than the minimum number of characters. Only at the next password reset are users prompted to change the passwords.
- Click or tap Save & Return.
Only if your system uses UKG OpenAM authentication, configure Logon Profiles as follows:
- Click or tap Main Menu > Administration > Application Setup > Access Profiles > Logon Profiles.
- Create, edit, or remove a profile:
- Click or tap New. Enter a Name.
- Select a profile. Click or tap Edit or Duplicate.
- Select a profile. You cannot delete system profiles. Click or tap Delete. Click or tap OK.
- (Optional) Enter a Description.
- To make this profile the default profile, select Default.
- You can edit only the minimum length of passwords:
- In Minimum Password Length, you can edit the shortest acceptable password length. Enter the minimum number of characters as follows:
- Minimum (default) = 8 characters.
- Maximum = 64 characters.
Note:
- Only one password policy is permitted, and it is shared by all Logon Profiles.
- For a list of all password requirements, see the Password Policy topic.
- (Optional) Modify the options on the Mobile App Settings tab as follows:
This tab allows you to set up Extended Authentication and Local Authentication for users of the Mobile app.
- If a mobile app user’s Login Profile enables Extended Authentication, the user can enter the server without logging in during the authentication period.
- If a mobile app user’s Login Profile enables Local Authentication, the user will need to locally authenticate before being allowed to enter the server, to punch, or both. (Punches are the entries on a timecard that mark the beginning (in-punch) or end (out-punch) of a work interval, such as the beginning of a shift or transfer.)
Extended authentication
Extended authentication allows users to enter the host system through the mobile app without logging in during a set period of time (the “extended authentication period”). The feature uses the host system’s identity provider (IdP) to provide a token to an authenticated user upon logon. The feature is available for organizations that use host authentication or their own IdP.
If an authenticated user shuts down the app or if the session times out, the user can reenter the system without logging in. If the user actually Signs Out (as opposed to closing the app or the session timing out), the token expires and a login will be required on the next attempt into the system from the app.
Extended authentication saves the user from having to log in multiple times to access the host system from the mobile app on the device. The process, however, leaves open the possibility that anybody could use an “authenticated” device and could access the system by simply tapping the app icon. Local Authentication can be used to provide an added layer of security, protecting the user account on authenticated devices.
Local authentication
Local authentication requires the user to authenticate (with an input such as a fingerprint or a passcode) before being allowed to: access the host system, perform a punch, or both.
Note: The device must be set up with screen locking ON for local authentication.
Local authentication can be set up to be enforced in two separate places in the app:
- Logging In: The user is prompted to authenticate (passcode, fingerprint, etc.) before being allowed into the server from the mobile app. Note that this setting is applicable only in the "classic" UKG Dimensions mobile app.
- Punching: When attempting a punch, after tapping the Punch button, the user is prompted to authenticate (passcode, fingerprint, etc.) before being allowed to punch from the mobile app.
Important notes about local authentication
- Local authentication is achieved with the same method used in the device for screen unlocking, such as a passcode or a biometric identifier (fingerprint or facial recognition).
- Device screen locking must be turned on for local authentication to work. If local authentication is enabled and the screen locking is turned off, an error will occur and the user will not be allowed to proceed with the task (logging in or punching). Screen locking is located in Settings on the device.
- Some mobile devices will lock out after multiple failed biometric authentication attempts. Follow your device instructions to enable biometric authentication.
How to set up Extended and Local Authentication
If a user’s Login Profile enables Extended Authentication, the user can enter the server without logging in during the authentication period. Note that this setting is applicable only in the "classic" UKG Dimensions mobile app.
If a user’s Login Profile enables Local Authentication, the user will need to locally authenticate before being allowed to enter the server, to punch, or both.
In the Logon Profile’s Mobile App Settings tab, set the following fields:
- Extended Authentication (Note that this setting is applicable only in the "classic" UKG Dimensions mobile app) - Set to Enable or Disable.
- Extended Authentication Period (Note that this setting is applicable only in the "classic" UKG Dimensions mobile app) - Set in Days and Hours - Maximum allowed period is 7 days (168 hours).
- Local Authentication for Login (Note that this setting is applicable only in the "classic" UKG Dimensions mobile app) - Set to Not Required, Any, or Biometric.
- Set to Any to require the use of the screen unlock method that is set for the device (such as passcode or pattern) to logon.
- Set to Biometric to require a biometric identifier (such as fingerprint or facial recognition) to login. The system will use whatever biometric identifier is set on the device. Note that if a biometric identifier is not set on the user’s device (or if the user’s device does not support biometric), authentication will not be possible on the device and logon will not be allowed.
- Local Authentication for Punch - Set to Not Required, Any, or Biometric
- Set to Any to require the use of the screen unlock method that is set for the device (such as passcode or pattern) to perform a punch.
- Set to Biometric to require a biometric identifier (such as fingerprint or facial recognition) to perform a punch. The system will use whatever biometric identifier is set on the device. Note that if a biometric identifier is not set on the user’s device (or if the user’s device does not support biometric), authentication will not be possible on the device and the punch cannot be completed.
Forcing the expiration of an Extended Authentication token
An Administrator has the ability to expire a token before its expiration period has elapsed. This need could arise, for example, if a user lost his mobile device. If a device is lost, it would be prudent to expire any tokens associated with that user.
To expire a token, the administrator can go to People Information and disable the account of the user (by changing the Effective Date, for example). This action will immediately invalidate all tokens associated with that user, and the administrator can then enable the account again.
- Click or tap Save & Return.
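The Extended Authentication and Local Authentication rules described above, written out as a small decision model. This is an added example, not UKG code: the class names, field names and outcome strings are hypothetical. It assumes the user passes the local authentication prompt whenever the device can present one.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_PERIOD_HOURS = 168  # 7 days, the maximum period the page allows

@dataclass
class MobileSettings:  # hypothetical names for the Mobile App Settings fields
    extended_auth: bool
    period_hours: int
    local_auth_login: str  # "Not Required", "Any" or "Biometric"
    local_auth_punch: str  # same three values

@dataclass
class Device:
    screen_lock_on: bool
    biometric_enrolled: bool

@dataclass
class Token:
    issued_at: datetime
    signed_out: bool = False  # an explicit Sign Out expires the token

def local_auth_ok(mode: str, dev: Device) -> bool:
    """True if the device can satisfy the required local authentication mode."""
    if mode == "Not Required":
        return True
    if not dev.screen_lock_on:  # screen locking off: the task is refused
        return False
    return mode == "Any" or dev.biometric_enrolled

def token_valid(s, tok, now, disabled_at=None) -> bool:
    """True while an extended authentication token still admits the user."""
    if s.period_hours > MAX_PERIOD_HOURS:
        raise ValueError("period exceeds 168 hours")
    if not s.extended_auth or tok is None or tok.signed_out:
        return False
    if disabled_at is not None and disabled_at >= tok.issued_at:
        return False  # disabling the account invalidated every earlier token
    # Assumption: the token stops working once the full period has elapsed.
    return now - tok.issued_at < timedelta(hours=s.period_hours)

def open_app(s, dev, tok, now, disabled_at=None) -> str:
    # Local authentication for login gates entry before any token is considered.
    if not local_auth_ok(s.local_auth_login, dev):
        return "blocked"
    if token_valid(s, tok, now, disabled_at):
        return "enter without login"
    return "login required"

def punch(s: MobileSettings, dev: Device) -> str:
    return "allowed" if local_auth_ok(s.local_auth_punch, dev) else "blocked"
```

With Local Authentication for Login set to Not Required, `open_app` returns "enter without login" for anyone holding the device until the period ends, the user signs out, or the account is disabled. That is the exposure Local Authentication is meant to close.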
Only if your system uses UKG OpenAM authentication
Make sure that the logon profiles are associated with the relevant administrators, managers, or employees. If you don't have access to People Information, contact the administrator who does have access.
- Select Main Menu > Maintenance > People Information. Select a person.
- In Employee, select Information.
- Select the Logon Profile.
- Click or tap Require Password Change at the Next Logon to require the users to make a one-time password change the next time they log on.
- Click or tap Save.
- Repeat for other people.