Arculix Mobile app admin guide

Intended audience: Administrators

Welcome to the Arculix Mobile app! The mobile app connects with the Arculix multi-factor authentication (MFA) service to make logins more secure. Arculix Mobile sends push notifications for one-tap authentication and can generate login passcodes on your mobile device.

As an Arculix administrator for your organization, you can set some Arculix Mobile configurations to meet your organization's needs. For example, you can force the use of App Lock, set the passcode (PIN) length, enable workstation pairing for Arculix Device Trust, and so on.

Supported authenticators include push, symbol push, time-based one-time passcode (TOTP), security keys (like YubiKey, RFID, etc.), biometrics, SMS, email, security questions, FIDO authenticators, and passwords.

To learn more about all the end user features and functions in the Arculix Mobile app, see the Arculix Mobile app user guide. The remainder of this topic focuses on the administrative settings in Arculix that define the user experience and security settings for your organization as they relate to Arculix Mobile.

Accept or deny access in mobile app

Push notification view

Arculix Mobile configurations

You can set some Arculix Mobile configurations specific to your organization, like forcing an App Lock or not allowing rooted or jailbroken devices to pair, and so on.

All of these configurations are done in Arculix Core.

  1. Log in to Arculix and go to Organization Settings.

  2. Select the Arculix Mobile Application tab.

  3. Set the applicable configuration.

    See the sections below in this topic for certain functions of Arculix Mobile that you want to apply.

Arculix Device Trust

If your organization uses Arculix Device Trust on workstations, you will need to set the following configuration.

Enable workstation pairing

To use Arculix Device Trust, you need to enable the setting to allow end users to pair their workstation with their account in Arculix Mobile app.

In Organization Settings > Arculix Mobile Application tab, select the check box for Enable Workstation pairing on Arculix Mobile app.

More security

You can add another layer of security in Arculix Mobile to approve login requests.

Turn on App Lock

You can show or hide the App Lock feature in the Arculix Mobile app. With this feature, end users can go to Settings in the Arculix Mobile app, turn on App Lock, and create a passcode (PIN). This allows them to use a PIN to unlock the Arculix Mobile app to approve login requests. After they create a PIN, they can optionally turn on biometric MFA.

In Organization Settings > Arculix Mobile Application tab, select the check box for Show App Lock (Passcode) Menu on Settings.

Enforce App Lock

You can require end users to provide a passcode (PIN) or biometric MFA to unlock the Arculix Mobile app to approve login requests. End users cannot approve login requests until they create a PIN. After they create a PIN, they can optionally turn on biometric MFA like Face ID.

Prerequisite: You must have this setting enabled: Show App Lock (Passcode) Menu on Settings.

In Organization Settings > Arculix Mobile Application tab, select the check box for User should use Passcode or Biometric to approve the MFA request.

Enforce App Lock for offline codes

You can require end users to provide a passcode (PIN) or biometric MFA to unlock the Arculix Mobile app to view offline codes (TOTP).

Prerequisite: You must have this setting enabled: Show App Lock (Passcode) Menu on Settings.

In Organization Settings > Arculix Mobile Application tab, select the check box for Force the user to authenticate with Biometric/Passcode before showing the TOTP codes on the mobile app.

Specify passcode (PIN) length

Requires Arculix Mobile app version 5.0.5 or later 

By default, the passcode (PIN) length for the App Lock in Arculix Mobile is 4 digits. You can change this setting to require users to create an 8-digit PIN.

Prerequisite: You must have this setting enabled: Show App Lock (Passcode) Menu on Settings.

In Organization Settings > Arculix Mobile Application tab, select the check box for Force the user to set up 8-digit Passcode, instead of 4-digit.

This setting impacts existing users who have set up a passcode (PIN) in Arculix Mobile. If you change this policy, users are asked to update their passcode to match the policy, from 4 digits to 8 digits or vice versa.

With multi-accounts, the 8-digit policy overrides any account that requires only 4 digits.

Note

If end users forget their passcode (PIN), they will need to pair their account again.

Require hardware security module checks

Requires Arculix Mobile app version 5.0.5 or later 

For mobile authenticator devices, there is a hardware security module check setting that prevents pairing of mobile devices that do not have Secure Enclave (iOS) or TPM 2.0 (Windows).

When this policy setting is enabled, the server will check for TPM or Secure Enclave on the mobile device, and reject the pairing process as applicable to the policy.

In Organization Settings > Arculix Mobile Application tab, select the check box for Requires mobile devices to have a hardware security module to pair and use Arculix Mobile.

Tip

Be sure to enable this configuration in Arculix before end users pair their mobile devices.

Warning message displays when trying to pair a device that does not have TPM or Secure Enclave

Reject rooted or jailbroken devices

There is a security check in the Arculix Mobile app for rooted or jailbroken devices. When the Arculix Mobile app opens and detects that the mobile device is rooted or jailbroken, the app will not work at all.

This setting works at the app level, and does not require a flag or configuration setting in Arculix Core.

Device settings

The following configurations relate to pairing and use of Arculix Mobile app on devices.

FIDO devices

You can indicate whether to show the FIDO tab in the Arculix Mobile app under Settings. This setting allows end users to register FIDO-compliant security keys and devices.

In Organization Settings > Arculix Mobile Application tab, select the check box for Show/Hide FIDO Tab on Arculix Mobile App.

Arculix Mobile app functions

The following configurations relate to the functions of the Arculix Mobile app on devices.

Open on Workstations view

In the Arculix Mobile app, automatically open the Workstations view instead of the Dashboard view.

In Organization Settings > Arculix Mobile Application tab, select the check box for Automatically open on the workstation screen.

Dashboard refresh

In the Arculix Mobile app, periodically refresh the Dashboard for any pending transactions of login requests. This setting is for organizations that do not want to use push notifications.

In Organization Settings > Arculix Mobile Application tab, set the number of seconds to refresh the Dashboard in this setting: Lets the Arculix Mobile app know that Dashboard should be refreshed every X seconds.

The default setting of -1 indicates no polling.

Other key features

This section describes some other key features in the Arculix Mobile app that do not require any special configurations.

Detect biometric changes

Requires Arculix Mobile app version 5.0.7 or later

Arculix Mobile has a setting called App Lock. It lets you use biometrics like Face ID or fingerprint to approve an authentication request.

When this option is turned on and the app detects a change in biometrics, like adding or removing a fingerprint on the mobile device, it will unpair all accounts.

Note

Be careful when changing biometric settings on shared devices.

Consider this scenario -- Alice has paired accounts in Arculix Mobile. Bob does not.

Alice and Bob share a mobile device. If Bob removes or adds a fingerprint, Arculix Mobile will unpair all accounts for Alice.

Alice will have to pair their mobile device again with Arculix Mobile.

Biometric change detected; Arculix Mobile unpairs all accounts

Workstation offline codes

Requires Arculix Mobile app version 5.0.7 in iOS and 5.0.8 in Android

Arculix Core stores offline code seeds securely. Users can switch devices or reinstall the Arculix Mobile app and still keep their offline codes.

VDI workstation support

Requires Arculix Mobile app version 5.0.7 or later

Coming soon! Configuration support for SSO to VDI workstations in Arculix Core.

Arculix Mobile supports passwordless logins to Virtual Desktop Infrastructure (VDI) workstations. Users can easily log in to the VDI desktop through Citrix SSO without any interference from Arculix Device Trust.

The Workstations tab in Arculix Mobile will show VDI workstations with commands specific to VDI.

Take note that VDI workstations paired with Arculix Mobile have these limitations:

  • VDI workstations will not have Offline Codes

  • Logout button for a VDI workstation in the app is optional and configurable using the Organization setting

  • Lock button for a VDI workstation is always visible in the app

  • End user cannot unpair a VDI workstation in Arculix Mobile

VDI in Workstations view

Use device camera

Requires Arculix Mobile app version 5.0.5 or later 

Coming soon! A new feature allows you to scan Arculix QR codes using the camera on your mobile device without first opening the Arculix Mobile app.

When you scan an Arculix QR code using your device camera, it will suggest opening the Arculix Mobile app. After the Arculix Mobile app opens, it automatically switches to the QR scan view in the app and seamlessly processes the QR code.

Use device camera to scan Arculix QR code

This feature will work with the following QR codes:

  • Arculix pairing QR code

  • Arculix web SSO QR code

  • Arculix Device Trust QR code