Logon Profiles
Logon Profiles define the rules for logging on to the system including password requirements, circumstances around account lockout, and Mobile App user authentication.
- Click or tap Main Menu > Administration > Application Setup > Access Profiles > Logon Profiles.
- Create, edit, or remove a profile:
- Click or tap New. Enter a Name.
- Select a profile. Click or tap Edit or Duplicate.
- Select a profile. You cannot delete system profiles. Click or tap Delete. Click or tap OK.
- (Optional) Enter a Description.
- To make this profile the default profile, select Default.
- Modify or complete the options on the Password, Session Restrictions, and Mobile App Settings tabs as follows:
Password
Caution: The password policy is strictly enforced and is not designed to be downgraded. You can make changes only as follows.
- Expiration Frequency — You cannot disable password expiration, and you can only accept the default or increase the number of days after which to require users to change their passwords.
- Default and minimum = 90 days.
- If multi-factor authentication (MFA) is enabled, the default and minimum is 180 days.
- (Not editable) Reuse Monitoring — The 25 previous passwords cannot be reused.
- Account is locked out for inactivity — You can only accept the default or decrease the number of days of inactivity before the system locks the account.
- Existing users: Default = 60 days.
- First-time users: Default = 30 days.
- (Not editable) The password must not contain any of the following — Shows that usernames, spaces, and words from the forbidden password list cannot be included in passwords.
- (Not editable) The password must contain all of the following — Shows that a mix of upper-case letters, lower-case letters, non-alphanumeric characters, and numbers must be included in passwords.
- The password is limited by the following = Length and character restrictions.
- (Not editable) Minimum length: Passwords must contain 15 or more characters.
- Maximum consecutive identical characters: The maximum number of identical characters in a row that passwords can contain. Default = 4.
- Maximum sequential letters or numbers: The maximum number of sequential letters or numbers that passwords can contain. Default = 3.
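The rules above can be checked before a password is submitted, for example in a provisioning script. The following is an added example, not the product's own code. The forbidden-word list is constructed sample data, and three behaviours are assumptions: "sequential" means an ascending or descending run such as abcd or 4321, a run longer than the configured maximum is a violation, and username and forbidden-word matching ignores case.

```python
import string

# Limits stated on the page. The forbidden list is constructed sample data.
MIN_LENGTH = 15
MAX_IDENTICAL_RUN = 4    # default for "Maximum consecutive identical characters"
MAX_SEQUENTIAL_RUN = 3   # default for "Maximum sequential letters or numbers"
SAMPLE_FORBIDDEN = {"password", "welcome", "qwerty"}

def longest_identical_run(pw):
    """Length of the longest run of one repeated character."""
    best = run = 1 if pw else 0
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best

def longest_sequential_run(pw):
    """Longest ascending or descending run such as 'abcd' or '4321' (assumed meaning)."""
    s = pw.lower()
    best = run = 1 if s else 0
    step = 0
    for prev, cur in zip(s, s[1:]):
        same_kind = any(prev in k and cur in k for k in (string.digits, string.ascii_lowercase))
        delta = ord(cur) - ord(prev)
        if same_kind and delta in (1, -1):
            run = run + 1 if delta == step else 2  # a direction change restarts the run
            step = delta
        else:
            run, step = 1, 0
        best = max(best, run)
    return best

def policy_violations(password, username, forbidden=SAMPLE_FORBIDDEN):
    """Return the rules a candidate password breaks; an empty list means compliant."""
    low = password.lower()
    checks = [
        (len(password) < MIN_LENGTH, "shorter than 15 characters"),
        (" " in password, "contains a space"),
        (bool(username) and username.lower() in low, "contains the username"),
        (any(w in low for w in forbidden), "contains a forbidden word"),
        (not any(c.isupper() for c in password), "missing upper-case letter"),
        (not any(c.islower() for c in password), "missing lower-case letter"),
        (not any(c.isdigit() for c in password), "missing number"),
        (all(c.isalnum() or c.isspace() for c in password), "missing non-alphanumeric character"),
        (longest_identical_run(password) > MAX_IDENTICAL_RUN, "too many identical characters in a row"),
        (longest_sequential_run(password) > MAX_SEQUENTIAL_RUN, "too many sequential letters or numbers"),
    ]
    return [message for broken, message in checks if broken]
```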
Session Restrictions
Last required password change shows the date when the system last required a password change.
- Account lockout — Specify whether to lock user accounts because of failed attempts to log on or to change the password. Select one of the following:
- (Not recommended) Disabled to not lock the user account after failed attempts to log on. If you select Disabled, the remaining Session Restriction settings are not available.
- (Recommended) Enabled to lock the user account after the specified number of failed attempts to log on.
In Number of failed logon or password change attempts before lockout, enter the number of attempts to allow.
In Lockout duration, select Forever to lock the account perpetually, or enter the length of time to lock the account before the account is unlocked automatically. Use HH:mm format. Default = 00:30 minutes.
Caution: (Only if multi-factor authentication (MFA) is enabled) If an account is locked because of too many failed attempts to log in with a one-time password (OTP), do the following to unlock the account:
- Select the employee in the Timecard or schedule. Select Maintenance > People Information > Employee.
- Select Account Locked to manually lock the account.
- Save the changes.
- Select the employee again.
- Clear Account Locked to manually unlock the account.
- Save the changes.
Alternatively, reset the password to unlock the account.
Mobile App Settings
Allows you to set up Extended Authentication and Local Authentication for users of the Mobile app.
- If a mobile app user’s Login Profile enables Extended Authentication, the user can enter the server without logging in during the authentication period.
- If a mobile app user’s Login Profile enables Local Authentication, the user will need to locally authenticate before being allowed to enter the server, to punch, or both. (Punches are the entries on a timecard that mark the beginning (in-punch) or end (out-punch) of a work interval, such as the beginning of a shift or transfer.)
Extended authentication
Extended authentication allows users to enter the host system through the mobile app without logging in during a set period of time (the “extended authentication period”). The feature uses the host system’s identity provider (IdP) to provide a token to an authenticated user upon logon. The feature is available for organizations that use host authentication or their own IdP.
If an authenticated user shuts down the app or if the session times out, the user can reenter the system without logging in. If the user actually Signs Out (as opposed to closing the app or the session timing out), the token expires and a login will be required on the next attempt into the system from the app.
Extended authentication saves the user from having to log in multiple times to access the host system from the mobile app on the device. The process, however, leaves open the possibility that anybody could use an “authenticated” device and could access the system by simply tapping the app icon. Local Authentication can be used to provide an added layer of security, protecting the user account on authenticated devices.
Local authentication
Local authentication requires the user to authenticate (with an input such as a fingerprint or a passcode) before being allowed to: access the host system, perform a punch, or both.
Note: The device must be set up with screen locking ON for local authentication.
Local authentication can be set up to be enforced in two separate places in the app:
- Logging In: The user is prompted to authenticate (passcode, fingerprint, etc.) before being allowed into the server from the mobile app.
- Punching: When attempting a punch, after tapping the Punch button, the user is prompted to authenticate (passcode, fingerprint, etc.) before being allowed to punch from the mobile app.
Important notes about local authentication
- Local authentication is achieved with the same method used in the device for screen unlocking, such as a passcode or a biometric identifier (fingerprint or facial recognition).
- Device screen locking must be turned on for local authentication to work. If local authentication is enabled and the screen locking is turned off, an error will occur and the user will not be allowed to proceed with the task (logging in or punching). Screen locking is located in Settings on the device.
- Some Mobile devices will lock out after multiple failed biometric authentication attempts. Follow your device instructions to enable biometric authentication.
How to set up Extended and Local Authentication
If a user’s Login Profile enables Extended Authentication, the user can enter the server without logging in during the authentication period.
If a user’s Login Profile enables Local Authentication, the user will need to locally authenticate before being allowed to: enter the server, to punch, or both.
In the Logon Profile’s Mobile App Settings tab, set the following fields:
- Extended Authentication - Set to Enable / Disable
- Extended Authentication Period - Set in Days and Hours - Maximum allowed period is 7 days (168 hours).
- Local Authentication for Login - Set to Not Required, Any, or Biometric.
- Set to Any to require the use of the screen unlock method that is set for the device (such as passcode or pattern) to log on.
- Set to Biometric to require a biometric identifier (such as fingerprint or facial recognition) to log on. The system will use whatever biometric identifier is set on the device. Note that if a biometric identifier is not set on the user’s device (or if the user’s device does not support biometric), authentication will not be possible on the device and logon will not be allowed.
- Local Authentication for Punch - Set to Not Required, Any, or Biometric
- Set to Any to require the use of the screen unlock method that is set for the device (such as passcode or pattern) to perform a punch.
- Set to Biometric to require a biometric identifier (such as fingerprint and facial recognition) to perform a punch. The system will use whatever biometric identifier is set on the device. Note that if a biometric identifier is not set on the user’s device (or if the user’s device does not support biometric), authentication will not be possible on the device and the punch cannot be completed.
Forcing the expiration of an Extended Authentication token
An Administrator has the ability to expire a token before its expiration period has elapsed. This need could arise, for example, if a user lost his mobile device. If a device is lost, it would be prudent to expire any tokens associated with that user.
To expire a token, the administrator can go to the People Information and disable the account of the user (by changing the Effective Date for example). This action will immediately invalidate all tokens associated with that user and the administrator can then re-enable the account.
- Click or tap Save.

Make sure that the access profiles are associated with the relevant administrators, managers, or employees. If you don't have access to People Information, contact the administrator who does have access.
- Select Main Menu > Maintenance > People Information. Select a person.
- In Employee, select Information.
- Select the Logon Profile.
- Click or tap Require Password Change at the Next Logon to require the users to make a one-time password change the next time they log on.
- Click or tap Save.
- Repeat for other people.