Skip to main content

Arculix Mobile app admin guide

Intended audience: Administrators

Welcome to the Arculix Mobile app! The mobile app connects with the Arculix multi-factor authentication (MFA) service to make logins more secure. Aruclix Mobile sends push notifications for one-tap authentication and can generate login passcodes on your mobile device.

As an Arculix administrator for your organization, you can set some Arculix Mobile configurations to meet your organization needs. For example, you can force the use of App Lock, set the passcode (PIN) length, enable workstation pairing for Arculix Device Trust, and so on.

Supported authenticators include push, symbol-to-accept, time-based one-time passcode (TOTP), security keys (like YubiKey, RFID, etc.), biometrics, SMS, email, security questions, FIDO authenticators, and passwords.

To learn more about all the end user features and functions in the Arculix Mobile app, see Arculix Mobile app user guide. The remainder of this topic will focus on the administrative settings in Arculix that defines the user experience and security settings for your organization as it relates to Arculix Mobile.

Accept or deny access in mobile app

Push notification view

arculix_auth_methods_diagram_logo.png

Arculix Mobile configurations

You can set some Arculix Mobile configurations specific to your organization, like forcing an App Lock or not allowing rooted or jailbroken devices to pair, and so on.

All of these configurations are done in Arculix Core.

  1. Log in to Arculix and go to Organization Settings.

    arculix_org_settings_007.png
  2. Select the Arculix Mobile Application tab.

  3. Set the applicable configuration.

    See the sections below in this topic for certain functions of Arculix Mobile that you want to apply.

Arculix Device Trust

If your organization uses Arculix Device Trust on workstations, you will need to set the following configuration.

Enable workstation pairing

To use Arculix Device Trust, you need to enable the setting to allow end users to pair their workstation with their account in Arculix Mobile app.

In Arculix Core, select the check box for Enable Workstation pairing on Arculix Mobile app.

More security

You can add another layer of security in Arculix Mobile to approve login requests.

Turn on App Lock

You can show or hide the App Lock feature in Arculix Mobile app. With this feature, end users can go to Settings in Arculix Mobile app and turn on App Lock and create a passcode (PIN). This allows them use a PIN to unlock Arculix Mobile app to approve login requests. After they create a PIN, they can optionally turn on biometric MFA.

In Arculix, select the check box for Show App Lock (Passcode) Menu on Settings.

Enforce App Lock

You can require end users to provide passcode (PIN) or biometric MFA to unlock the Arculix Mobile app to approve login requests. End users cannot approve login requests until they create a PIN. After they create a PIN, they can optionally turn on biometric MFA like Face ID.

Prerequisite: You must have this setting enabled: Show App Lock (Passcode) Menu on Settings.

In Arculix, select the check box for User should use Passcode or Biometric to approve the MFA request.

Enforce App Lock for offline codes

You can require end users to provide passcode (PIN) or biometric MFA to unlock the Arculix Mobile app to view offline codes (TOTP).

Prerequisite: You must have this setting enabled: Show App Lock (Passcode) Menu on Settings.

In Arculix, select the check box for Force the user to authenticate with Biometric/Passcode before showing the TOTP codes on the mobile app.

Specify passcode (PIN) length

Requires Arculix Mobile app version 5.0.5 or later

By default, the passcode (PIN) length for the App Lock in Arculix Mobile is 4-digits. You can change this setting to require users to create an 8-digit PIN.

Prerequisite: You must have this setting enabled: Show App Lock (Passcode) Menu on Settings.

In Arculix, select the check box for Force the user to set up 8-digit Passcode, instead of 4-digit.

This setting impacts existing users who have set up a passcode (PIN) in Arculix Mobile. If you change this policy, it will ask users to update their passcode to match the policy from 4-digits to 8-digits or vice versa.

With multi-accounts, the 8-digit policy will override any account that only requires 4-digits.

Note

If end users forget their passcode (PIN), they will need to pair their account again.

Require hardware security module checks

Requires Arculix Mobile app version 5.0.5 or later

For mobile authenticator devices, there is a hardware security module check setting that prevents pairing of mobile devices that do not have Secure Enclave (iOS) and TPM 2.0 (Windows).

When this policy setting is enabled, the server will check for TPM or Secure Enclave on the mobile device, and reject the pairing process as applicable to the policy.

In Arculix, select the check box for Requires mobile devices to have a hardware security module to pair and use Arculix Mobile.

Tip

Be sure to enable this configuration in Arculix before end users pair their mobile devices.

arculix_mobile_rooted_device.png

Warning message displays when trying to pair a device that does not have TPM or Secure Enclave

Reject rooted or jailbroken devices

There is a security check in the Arculix Mobile app for rooted or jailbroken devices. When the Arculix Mobile app opens and detects that the mobile device is rooted or jailbroken, the app will not work at all.

This setting works at the app level, and does not require a flag or configuration setting in Arculix Core.

Device settings

The following configurations relate to pairing and use of Arculix Mobile app on devices.

FIDO devices

You can indicate whether to show the FIDO tab in the Arculix Mobile app under Settings. This setting allows end users to register FIDO-compliant security keys and devices.

In Arculix, select the check box for Show/Hide FIDO Tab on Arculix Mobile App.

Arculix Mobile app functions

The following configurations relate to the functions of the Arculix Mobile app on devices.

Open on Workstations view

In the Arculix Mobile app, automatically open the Workstations view instead of the Dashboard view.

In Arculix, select the check box for Automatically open on the workstation screen.

Dashboard refresh

In the Arculix Mobile app, periodically refresh the Dashboard for any pending transactions of login requests. This setting is for organizations who do not want to use push notifications.

In Arculix, set the the number of seconds to refresh the Dashboard in this setting: Let's the app know that Dashboard should be refreshed every X seconds.

The default setting of -1 indicates no polling.

Use device camera

Requires Arculix Mobile app version 5.0.5 or later

Coming soon! A new feature allows you to scan Arculix QR codes using the camera on your mobile device without first opening the Arculix Mobile app.

When you scan an Arculix QR code using your device camera, it will suggest opening the Arculix Mobile app. After the Arculix Mobile app opens, it automatically switches to the QR scan view in the app and seamlessly processes the QR code.

arculix_mobile_app_015.png

Use device camera to scan Arculix QR code

This feature will work with the following QR codes:

  • Arculix pairing QR code

  • Arculix web SSO QR code

  • Arculix Device Trust QR code

Implementation

To implement the Use Device Camera feature, it requires the following:

  • End users must first install or update to Arculix Mobile app version 5.0.5 or later

  • To turn on this feature in Arculix, contact Support.