Logon Profiles

Logon Profiles configuration

Caution:

Configuration of Logon Profiles differs according to the authentication service that your system uses:

To determine which authentication service your system uses, check the Log In screen. If it appears in the center, your system uses UKG Authentication. If it is on the left side, your system uses OpenAM.

  • For UKG Authentication, Logon Profiles define password requirements for logging on to the system, along with Mobile App user authentication.
    • Only one setting — Minimum Password Length — is available to set password strength, so the Password tab is not available. For a list of all password requirements, see the Password Policy topic.
    • Passwords do not expire.
    • The Session Restrictions tab is not available.
  • For OpenAM authentication, Logon Profiles define the rules for logging on to the system including password requirements, circumstances around account lockout, and Mobile App user authentication. Only limited changes are allowed to the password requirements.

Configure Logon Profiles for UKG Authentication

Only if your system uses UKG Authentication, configure Logon Profiles as follows:

  1. Click Tap Main Menu Administration > Application Setup > Access Profiles > Logon Profiles.
    Note: Only one password policy is permitted for all Logon Profiles. Even though a system can have multiple Logon Profiles, all of the profiles share the same password policy.
  2. You can edit only the minimum length of passwords:
    Note: For a list of all password requirements, see the Password Policy topic.
    1. Click Tap Configure Password Policy.
    2. In Minimum Password Length, you can edit the shortest acceptable password length. Enter the minimum number of characters as follows:
      • Minimum (default) = 8 characters.
      • Maximum = 64 characters.
      Note: People Import integrations continue to run and import user accounts with the existing passwords, even if the passwords are shorter than the minimum number of characters. However, the users are prompted to change their passwords to more secure, complex passwords when they log in for the first time.
    3. Click Tap Save & Return. The minimum password length is shared by all Logon Profiles on the tenant.
  3. To edit the Description, do the following:
    1. Select a profile. Click Tap Edit.
    2. (Optional) Enter a Description.
    3. Default shows Yes; you cannot edit this setting.
    4. Click Tap Save.

Configure Logon Profiles for OpenAM authentication

Only if your system uses OpenAM authentication, configure Logon Profiles as follows:

  1. Click Tap Main Menu Administration > Application Setup > Access Profiles > Logon Profiles.
  2. Create, edit, or remove a profile:
    • Click Tap New. Enter a Name.
    • Select a profile. Click Tap Edit or Duplicate.
    • Select a profile. You cannot delete system profiles. Click Tap Delete. Click Tap OK.
  3. (Optional) Enter a Description.
  4. To make this profile the default profile, select Default.
  5. Modify or complete the options on the Password, Session Restrictions, and Mobile App Settings tabs as follows:

    Password

    Caution: The password policy is strictly enforced and is not designed to be downgraded. You can make changes only as follows.
    • Expiration Frequency— The number of days after which users must change their passwords.
      Caution: If a user account is used for system-to-system API calls — such as for integrations — password expiration can block API calls and prevent integrations from running. To avoid this, convert the user account to API Only User in People Information; see the Employee topic. Your FAP must have API-only user set to Allowed; see the Manager - Common Setup ACPs topic. Once the account is API-Only, it supports only API calls; you cannot use it to log in from a browser or mobile app.
      • You cannot disable password expiration.
      • Default and maximum = 180 days. You can enter fewer days.
    • Reuse Monitoring— The number of previous passwords that cannot be reused.
      • You cannot disable reuse monitoring.
      • Default = 24 previous passwords.
    • Account is locked out for inactivity— The number of days of inactivity before the system locks the account.
      Note: User accounts that use Federated Authentication are not locked out because of inactivity. For more information about the types of authentication, see the Authentication topic.
      • You cannot disable inactivity lock outs.
      • Inactive existing user accounts: Default and maximum = 180 days. You can enter fewer days.
      • First-time login: Default and maximum = 30 days. You can enter fewer days.
        Note: To avoid locking accounts during setup, edit the User Account Status to the effective, active date of the accounts.
    • (Not editable) The password must not contain any of the following— User names, spaces, and words from the forbidden password list cannot be included in passwords.

      Example forbidden passwords: MyUsername, password password, MyStrongPassword.

    • (Not editable) The password must contain all of the following— Shows that a mix of upper-case letters, lower-case letters, non-alphanumeric characters, and numbers must be included in passwords.

      Example acceptable password: AYWzwmQX$Y4M3Dy (but don't use this example).

    • The password is limited by the following— Length and character restrictions.
      • Minimum length: The shortest acceptable password length.

        Minimum (default) = 8 characters.

        Maximum = 64 characters.

        Note: People Import integrations continue to run and import user accounts with the existing passwords, even if the passwords are shorter than the minimum number of characters. However, the users are prompted to change their passwords to more secure, complex passwords when they log in for the first time.
      • Maximum consecutive identical characters: The maximum number of identical characters in a row that passwords can contain.

        Default and maximum = 4 identical characters.

        Minimum = 2 identical characters.

        Example forbidden passwords include the following: aaaaa, nnnnn, xxxxx, 00000, 66666, 99999.

      • Maximum sequential letters or numbers: The maximum number of sequential letters or numbers that passwords can contain.

        Default and maximum = 3 sequential characters.

        Minimum = 2 sequential characters.

        Example forbidden passwords include the following: abcd, defg, wxyz, 1234, 5678.
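The Password tab rules above, as an added example that is not part of this page or of the product's own code: a Python validator that checks a candidate password against the stated limits (length 8-64, at most 4 identical characters in a row, at most 3 sequential letters or numbers, all four character classes, no user name, spaces or forbidden words). The forbidden-word list is a constructed sample, and treating the user-name and forbidden-word checks as case-insensitive is an assumption.

```python
import re
# Policy values from the page: length 8-64, at most 4 identical characters in a row, at most
# 3 sequential letters or numbers, all four character classes required, and no user name,
# spaces or forbidden words. Containment is assumed case-insensitive (the page does not say).
POLICY = {"min_length": 8, "max_length": 64, "max_identical_run": 4, "max_sequential_run": 3}
# Constructed sample forbidden-word list; the product's real list is not on the page.
FORBIDDEN_WORDS = ("password", "welcome", "qwerty")

def longest_identical_run(pw: str) -> int:
    """Length of the longest run of one repeated character ('aaaaa' -> 5)."""
    best = run = 1 if pw else 0
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best

def longest_sequential_run(pw: str) -> int:
    """Length of the longest ascending run of letters or of digits ('abcd', '1234' -> 4).
    Ascending only, as in the page's examples; case is ignored, so 'aBcD' also counts."""
    low = pw.lower()
    best = run = 1 if pw else 0
    for prev, cur in zip(low, low[1:]):
        same_class = (prev.isalpha() and cur.isalpha()) or (prev.isdigit() and cur.isdigit())
        run = run + 1 if same_class and ord(cur) == ord(prev) + 1 else 1
        best = max(best, run)
    return best

def check_password(pw: str, username: str, policy: dict = POLICY) -> list[str]:
    """Return every rule the candidate breaks; an empty list means the password is acceptable."""
    problems = []
    if not policy["min_length"] <= len(pw) <= policy["max_length"]:
        problems.append(f"length must be {policy['min_length']}-{policy['max_length']} characters")
    for pattern, what in ((r"[A-Z]", "upper-case letter"), (r"[a-z]", "lower-case letter"),
                          (r"[0-9]", "number"), (r"[^A-Za-z0-9]", "non-alphanumeric character")):
        if not re.search(pattern, pw):
            problems.append(f"missing {what}")
    # Substrings the password must not contain (space, user name, forbidden words).
    banned = {"a space": " ", "the user name": username.lower()}
    banned.update({f"forbidden word '{w}'": w for w in FORBIDDEN_WORDS})
    for what, needle in banned.items():
        if needle and needle in pw.lower():
            problems.append(f"contains {what}")
    if longest_identical_run(pw) > policy["max_identical_run"]:
        problems.append(f"more than {policy['max_identical_run']} identical characters in a row")
    if longest_sequential_run(pw) > policy["max_sequential_run"]:
        problems.append(f"more than {policy['max_sequential_run']} sequential letters or numbers")
    return problems
```

Running `check_password("MyStrongPassword", "jsmith")` reports the missing number and symbol and the forbidden word, while the page's acceptable example returns an empty list.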

    Session Restrictions

    • Last required password change shows the date when the system last required a password change.
    • Account lockout—Locks user accounts because of failed attempts to log on or to change the password.
      • (Not recommended) Disabled to not lock the user account after failed attempts to log on. If you select Disabled, the remaining Session Restriction settings are not available.
      • Enabled locks the user account after the specified number of failed attempts to log on. You cannot turn off account locking.

        In Number of failed logon or password change attempts before lockout, enter the number of attempts to allow. Default = 5 attempts.

        In Lockout duration, select Forever to lock the account perpetually, or enter the length of time to lock the account before the account is unlocked automatically. Use HH:mm format. Default = 0:30.

        Caution:

        If an account is locked, do one of the following to unlock it:

        • Reset the password to unlock the account.
        • Wait for the Lockout duration to expire if it is not set to Forever.

    Mobile App Settings

    Allows you to set up Extended Authentication and Local Authentication for users of the Mobile app.

    • If a mobile app user’s Login Profile enables Extended Authentication, the user can enter the server without logging in during the authentication period.
    • If a mobile app user’s Login Profile enables Local Authentication, the user will need to locally authenticate before being allowed to enter the server, to punch, or both.

    Extended authentication

    Extended authentication allows users to enter the host system through the mobile app without logging in during a set period of time (the “extended authentication period”). The feature uses the host system’s identity provider (IdP) to provide a token to an authenticated user upon logon. The feature is available for organizations that use host authentication or their own IdP.

    If an authenticated user shuts down the app or if the session times out, the user can reenter the system without logging in. If the user actually Signs Out (as opposed to closing the app or the session timing out), the token expires and a login will be required on the next attempt into the system from the app.

    Extended authentication saves the user from having to log in multiple times to access the host system from the mobile app on the device. The process, however, leaves open the possibility that anybody could use an “authenticated” device and could access the system by simply tapping the app icon. Local Authentication can be used to provide an added layer of security, protecting the user account on authenticated devices.

    Local authentication

    Local authentication requires the user to authenticate (with an input such as a fingerprint or a passcode) before being allowed to access the host system, perform a punch, or both.

    Note that the device must be set up with screen locking ON for local authentication.

    Local authentication can be set up to be enforced in two separate places in the app:

    • Logging In: The user is prompted to authenticate (passcode, fingerprint, etc.) before being allowed into the server from the mobile app. Note that this setting is applicable only in the "classic" UKG Pro mobile app.
    • Punching: When attempting a punch, after tapping the Punch button, the user is prompted to authenticate (passcode, fingerprint, etc.) before being allowed to punch from the mobile app.

    Important notes about local authentication

    • Local authentication is achieved with the same method used in the device for screen unlocking, such as a passcode or a biometric identifier (fingerprint or facial recognition).
    • Device screen locking must be turned on for local authentication to work. If local authentication is enabled and the screen locking is turned off, an error will occur and the user will not be allowed to proceed with the task (logging in or punching). Screen locking is located in Settings on the device.
    • Some mobile devices will lock out after multiple failed biometric authentication attempts. Follow your device instructions to enable biometric authentication.

    How to set up Extended and Local Authentication

    If a user’s Login Profile enables Extended Authentication, the user can enter the server without logging in during the authentication period. Note that this setting is applicable only in the "classic" UKG Pro mobile app.

    If a user’s Login Profile enables Local Authentication, the user will need to locally authenticate before being allowed to enter the server, to punch, or both.

    In the Logon Profile’s Mobile App Settings tab, set the following fields:

    • Extended Authentication (Note that this setting is applicable only in the "classic" UKG Pro mobile app) - Set to Enable or Disable.
    • Extended Authentication Period (Note that this setting is applicable only in the "classic" UKG Pro mobile app) - Set in Days and Hours. Maximum allowed period is 7 days (168 hours).
    • Local Authentication for Login (Note that this setting is applicable only in the "classic" UKG Pro mobile app) - Set to Not Required, Any, or Biometric.
      • Set to Any to require the use of the screen unlock method that is set for the device (such as passcode or pattern) to log on.
      • Set to Biometric to require a biometric identifier (such as fingerprint or facial recognition) to log in. The system will use whatever biometric identifier is set on the device. Note that if a biometric identifier is not set on the user’s device (or if the user’s device does not support biometrics), authentication will not be possible on the device and logon will not be allowed.
    • Local Authentication for Punch - Set to Not Required, Any, or Biometric.
      • Set to Any to require the use of the screen unlock method that is set for the device (such as passcode or pattern) to perform a punch.
      • Set to Biometric to require a biometric identifier (such as fingerprint or facial recognition) to perform a punch. The system will use whatever biometric identifier is set on the device. Note that if a biometric identifier is not set on the user’s device (or if the user’s device does not support biometrics), authentication will not be possible on the device and the punch cannot be completed.

    Forcing the expiration of an Extended Authentication token

    An Administrator has the ability to expire a token before its expiration period has elapsed. This need could arise, for example, if a user lost his mobile device. If a device is lost, it would be prudent to expire any tokens associated with that user.

    To expire a token, the administrator can go to the People Information and disable the account of the user (by changing the Effective Date for example). This action will immediately invalidate all tokens associated with that user and the administrator can then enable the account again.

  6. Click Tap Save.

Associate Logon Profiles to people

Make sure that the access profiles are associated with the relevant administrators, managers, or employees. If you don't have access to People Information, contact the administrator who does have access.

  1. Select Main Menu Maintenance > People Information. Select a person.
  2. In Employee, select Information.
  3. Select the Logon Profile.
  4. Click Tap Require Password Change at the Next Logon to require the users to make a one-time password change the next time they log on.
  5. Click Tap Save.
  6. Repeat for other people.