(Workforce Only) Configuring the PingID mobile application settings
PingID allows users to download an app to their mobile device and use it to sign on to your company services and applications with the added security of multi-factor authentication (MFA). They can also use it to verify their identity to an employer.
Before you begin
To add PingID mobile app as an authentication method, you need:
-
A PingOne environment with the PingID service.
About this task
Configuring PingID mobile app as an authentication method for MFA includes the following steps:
-
Configure the MFA policy, including the PingID mobile app-specific configurations. Learn more in Configuring an MFA policy for strong authentication.
-
Configure the PingID mobile application in the Applications section of PingOne, as described in this procedure.
Steps
-
Go to Applications > Applications.
-
In the Applications list, select PingID Mobile.
-
On the Configuration tab, click the Pencil icon and edit the relevant fields described in the steps that follow this one.
-
In the Mobile App authentication area, under Mobile Biometrics, select the authentication behavior based on whether the user has biometrics (Fingerprint or Face).
Choose from:
-
Preferred: If mobile biometrics are defined on the user’s device, the user must use them to authenticate.
-
Required: Users must configure mobile biometrics on a supported device and can only use biometrics to authenticate.
-
(Optional) Select Enable FaceID Consent on iOS to prevent users with FaceID defined from authenticating by mistake. When selected, the user is prompted to consent explicitly before each face scan is taken.
-
Select Enable Notification Actions to allow users to approve a notification request from the lock screen.
-
Select Enable Device Passcode Fallback on iOS to allow users to authenticate using the device passcode if biometric authentication fails.
-
Mobile Biometrics configurations require Biometrics to be selected in the MFA policy. Learn more in MFA policy.
-
For PingID mobile app 1.x users only, optionally select Enable FaceID Consent on iOS to prevent users with FaceID defined from authenticating by mistake. When selected, the user is prompted to consent explicitly before each face scan is taken.
-
(Optional) In the Mobile App authentication area, enable the following options:
-
Enable OTP Push Notification: Send a push notification to users when they can only authenticate with an OTP. When they tap the notification, PingID mobile app opens automatically, displaying the current OTP.
-
Display Authentication Information map: Include a map with supporting information about the origin of the authentication request that users receive with the push notification.
-
(Optional) In the Mobile Management area, enable the following options:
-
Allow users to unpair or change device from the PingID mobile app
-
Allow authentication from lock screen for legacy Android devices (Android Q or earlier)
-
Require mobile app security PIN: When selected, the user must enter a security PIN to access PingID mobile app. If selected, you must also define the security PIN requirements: whether the security PIN must be 4 or 6 digits in length, and whether the PingID mobile app PIN is always required or only when a device PIN or biometrics are not defined on the user’s device. Learn more in PingID mobile app PIN requirements.
-
In the Mobile Notifications section, you can choose to notify users when new PingID mobile app versions become available.
Choose whether to make updates optional or mandatory and define from which version they appear.
Choose from:
-
Notify users of required mobile version updates: Notify the user when a new version is available. The user must update to the new version to continue using PingID mobile app and cannot skip the update. If selected, for each OS, specify the minimum version from which update notifications should be sent. The default is Latest.
-
Notify users of optional version mobile updates: Notify the user when a new version is available. The notification includes the option to skip the update and install it at a later date. If selected, for each OS, specify the minimum version from which update notifications should be sent. The default is Latest.
-
(Optional) To restrict the brand and model of mobile devices that can be used with PingID mobile app:
-
In the Mobile requirements section, select Select allowed and disallowed devices.
-
In the relevant Brands field, add one or more brands, and in the corresponding Models field, specify one or more models. If no model is selected, all models for that brand are selected.
-
If you choose the same device brand and model under both allowed and disallowed devices, then the disallowed selection takes precedence.
-
These lists are continuously updated as new brands and models are introduced to the market.
-
To define the minimum operating system that a user’s device (Android or iOS) must be running to authenticate with PingID mobile app:
-
In the Mobile requirements section, select Require device minimum operating system.
-
In the relevant list (iOS or Android), select the minimum OS version you want to allow.
The list of supported operating systems is dynamic and can change as new versions are introduced. Discontinued support of older versions can also impact the minimum supported OS version.
-
To define the minimum version of PingID mobile app that a user must be running to authenticate:
-
In the Mobile requirements area, select Require minimum PingID version.
-
In the relevant list (iOS or Android), select the minimum PingID mobile app version you want to allow.
-
Use this option if you want to require that your users have access to new features and the latest security benefits, or to disallow older versions of the PingID mobile app.
-
The list of supported versions is dynamic and can change as new versions are introduced and support of older versions is discontinued.
-
To require that a user’s device has a device lock enabled in order to authenticate with PingID mobile app, in the Mobile requirements section, select Require device lock to be enabled on device.
-
To prevent users from authenticating with a rooted or jailbroken device, in the Mobile requirements section, select Require the device not to be rooted or jailbroken.
-
To enforce the use of a device that includes a hardware biometrics sensor, when pairing or authenticating with PingID mobile app, in the Mobile requirements section, select Require the device to have biometric capabilities.
-
To allow your organization’s Mobile Device Management (MDM) to control activities of your users when using PingID mobile app:
-
In the Mobile requirements section, select Require Mobile Device Management. A token is automatically generated in UUID format. Administrators can edit the key value if required.
-
In the Effective Date field, enter a date by which you want the MDM requirement to be applied. Users are blocked from authenticating until the MDM system has distributed the token to all managed devices. The effective date should allow enough time for the MDM system to complete the distribution.
-
Configure the organization’s MDM system. You can find third-party MDM system configuration examples in Third-party MDM system configuration for PingID integration.
-
You can also generate a new token, rotate a token, or revoke a token.
-
Multiple keys can coexist, for example, to allow time for key rotation while new keys are phased in and old ones are retired. PingID checks all listed keys to verify a match with the key submitted in the authentication request. The MDM does not retain multiple values for the same token. Support for multiple keys is provided through PingID.
Learn more in Managing MDM tokens.
-
Click Save.
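The MDM token behavior described in the Require Mobile Device Management step (several keys coexisting during rotation, every listed key checked against the one submitted, and an effective date) can be modelled as follows. This is an added example, not Ping Identity code: the `MdmRequirement` class, its method names, the key labels and the dates are hypothetical, and treating the requirement as unenforced before the effective date is an assumption.

```python
import hmac
import uuid
from dataclasses import dataclass, field
from datetime import date


@dataclass
class MdmRequirement:
    """Hypothetical model of the Require Mobile Device Management setting."""
    effective_date: date
    keys: dict = field(default_factory=dict)  # label -> token value (UUID string)

    def generate(self, label):
        # The page states that tokens are generated in UUID format.
        self.keys[label] = str(uuid.uuid4())
        return self.keys[label]

    def revoke(self, label):
        self.keys.pop(label, None)

    def check(self, submitted, today):
        """Return 'allow' or 'block' for one authentication request."""
        if today < self.effective_date:
            return "allow"  # assumption: requirement not enforced yet
        if not submitted:
            return "block"  # device never received a token from the MDM
        # Check every listed key; constant-time compare, no early exit.
        matched = False
        for value in self.keys.values():
            matched |= hmac.compare_digest(value.encode(), submitted.encode())
        return "allow" if matched else "block"


def rotation_walkthrough():
    """Constructed timeline: phase in a new key, then retire the old one."""
    req = MdmRequirement(effective_date=date(2024, 6, 1))
    old = req.generate("key-A")
    results = [
        req.check(None, date(2024, 5, 20)),  # before the effective date
        req.check(None, date(2024, 6, 1)),   # unmanaged device after it
        req.check(old, date(2024, 6, 1)),    # managed device, first key
    ]
    new = req.generate("key-B")              # rotation begins
    results.append(req.check(old, date(2024, 7, 1)))   # old key still listed
    results.append(req.check(new, date(2024, 7, 1)))   # new key accepted too
    req.revoke("key-A")                      # old key retired
    results.append(req.check(old, date(2024, 7, 15)))  # device MDM missed
    results.append(req.check(new, date(2024, 7, 15)))
    return results
```

The walkthrough shows why the old key should be revoked only after the MDM has pushed the new one to every managed device: a device still holding the retired key is blocked as soon as that key leaves the list.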