Manage Security Groups
Security groups help enforce security policies by applying a common set of settings to multiple user profiles. These settings include:
Onboarding and authentication methods – Controls how users register and verify their identity.
Access restrictions – Limits access based on time of day, network, and location.
Device posture requirements – Ensures users meet security standards before accessing resources.
Recognition settings – Configures facial recognition, shoulder surfing detection, and phone detection.
Assigning a user profile to a security group applies all group settings, overriding individual user settings. Updates to a security group instantly apply to all assigned users. You can also bulk import users and assign them to security groups for streamlined management.
Create a Security Group
In the Admin Console, click Security Groups.
In the top-right corner, click Create Security Group.
Set the Security Group Name.
Enter a name that clearly defines the group's purpose. The name can include spaces and special characters.
General settings
In the General section, configure access, software, and network restrictions, including onboarding, time zone, and security settings. Adjust prepopulated defaults as needed.
Note
Mobile registration, authentication, and ID verification require a mobile device with a front-facing camera (iPhone, iPad, or Android). Users must take a selfie during registration or authentication.
Onboarding and Registration
Mobile Registration
Requires users to scan a QR code and take a selfie to activate their profile.
Mobile Authentication
Requires users to scan a QR code and authenticate with their face each time they start a secure session.
This setting may be hidden if the service is not enabled.
Image Liveness
Liveness detection automatically ensures a live person is in front of the camera.
The Image Liveness slider toggles on automatically when Mobile Authentication is turned on.
ID Verification
Requires users to scan a government-issued ID (e.g., driver's license, passport) on a mobile device and take a selfie to verify their identity.
This setting may be hidden if the service is not enabled.
SG Terms & Conditions Agreement
Requires users to read and accept terms before accessing protected systems and data.
Multi-Factor Authentication (MFA)
Requires users to complete an additional authentication step using an authenticator app.
Users who activated their profile before MFA was enabled must receive a new invite.
Time Zone
Defines the reference time zone for the user’s profile.
The system defaults to GMT 0, but you can adjust it based on the user’s location.
Security Restrictions
IP Restrictions
Control user authentication and secure session access based on the device’s public IP address.
Allowed IP – Add public IP addresses users are permitted to authenticate from.
Blocked IP – Add public IP addresses that should be explicitly blocked.
Important
When you enable IP Restrictions for the first time, the system automatically adds the user’s current public IP address to the Allowed IP list. If the user logs in from a different location or their IP address changes, they may be blocked from starting a secure session. To allow access, add the new IP address to the Allowed IP list.
IP Geolocation Restrictions
Restrict user authentication and secure session access to specific countries. The system allows access only when the user's device connects from an approved geolocation.
This setting may be hidden if the service is not enabled.
VPN Restrictions
Allow user authentication only through approved VPN solutions. The system detects if a VPN is in use before granting access.
This setting may be hidden if the service is not enabled.
Restricted Applications
Prevent users from starting a secure session while specified applications are running.
Enter the executable name without “.exe” in the Add Restricted Application field.
Required Applications
Ensure specific applications are running before and during a secure session.
Enter the executable name without “.exe” in the Add Required Application field.
Prevent Screen Share and Screenshot
Block users from sharing their screen or taking screenshots during a secure session.
This setting applies to SG VDI and SG Web.
Watermarks
Display a watermark on all screens during a secure session to enhance security.
Font Family
The system applies a preset font that you cannot change.
Font Size
Defines the watermark text size. Larger fonts help blend the watermark with background applications. Default: 50
Font Weight
Sets the text style to normal or bold. Default: Normal
Font Color
Defines the text color using a hex code. Default: #000000 - Black
Opacity
Adjusts transparency from 0 (invisible) to 1 (fully opaque). Lower opacity reduces obstruction. Default: 0.1
Across
Determines how many times the watermark repeats across the screen. Default: 3
Recognition settings
Facial recognition can run once at login or continuously throughout the session. The system requires a high-quality profile photo stored in the SessionGuardian console.
If a profile picture is missing during user creation or before the first authentication attempt, the SessionGuardian client prompts the user to take one with their webcam.
In the Recognition section, configure facial authentication and security settings, including facial recognition, shoulder surfing detection, and mobile phone detection.
Continuous Face Recognition
Enables ongoing facial recognition throughout the session instead of a single authentication at login.
The system requires a high-quality profile photo stored in the SessionGuardian console. If a profile picture is missing, users are prompted to take one during authentication.
Enabling this setting also unlocks additional configuration options:
Processing Snapshot Frequency (ms) – Defines how often the system performs recognition and authentication checks. Recommended: 300 ms
Face ID Confidence (%) – Sets the minimum confidence level required for successful facial recognition. Recommended: 98%
Face Detection Delay (ms) – Determines how long the system waits before taking action if the authorized user is not detected. Recommended: 45000 ms (in SG version 2.2) or 20000 ms (in SG version 2.3)
Protection Screen Timeout (sec) – Specifies how long the system waits for the user to reappear before locking access. Recommended: 600 sec
Webcam Resolution Level – Sets the webcam resolution level (1 is the lowest, 5 is the highest). Recommended: 5
Shoulder Surfing Protection – Detects and prevents unauthorized individuals from viewing the screen. When enabled, additional settings are available:
Unauthorized User Detection Delay (ms) – Determines how long the system waits before taking action when an unauthorized user is detected. Recommended: 2000 sec
Mobile Device Detection – Detects if a user attempts to take a picture of the screen using a mobile device. When enabled, additional settings are available:
Mobile Device Detection Frequency (ms) – Defines how often the system analyzes webcam video for mobile device detection. Default: 300 ms (in SG version 2.2) or 1000 ms (in SG version 2.3)
Mobile Device Protection Screen Timeout (sec) – Determines how long a lock screen appears when a mobile device is detected. Default: 5 sec
Mobile Device Match Confidence (%) – Sets the minimum confidence level required for mobile device detection. Default: 90% (in SG version 2.2) or 98% (in SG version 2.3)
Camera Device Detection
Camera Device Detection Frequency (ms) – Defines how often the system analyzes the user's machine for a webcam. Default: 500 ms
Camera Device Protection Screen Timeout (sec) – Determines how long a lock screen appears when a webcam is not detected. Default: 5 sec
Camera Device Match Confidence (%) – Default: 70%
Webcam Covered – Detects when the user's webcam is blocked or covered during a secure session. If enabled, the system prevents access until the webcam is uncovered.
Webcam Blocking Sensitivity – Adjusts how quickly the system responds when the webcam is covered. Default: Medium
Run Once
Performs a single facial recognition and authentication check at the start of a user’s session. The system does not require additional face verification during the session.
Work Hours Restrictions settings
Work hour restrictions enforce a pre-approved schedule for secure session access. When enabled, users can only start a session during the specified days and times set by an administrator.
Important
Set the appropriate time zone in the General section to ensure the schedule applies correctly.
In the Work Hours Restrictions section, set the following configurations.
Work Hours Restrictions
Limits user access to secure sessions based on a preapproved schedule.
Users can only connect during the authorized days and times set by an administrator.
Work Hour Alert
Notifies users when their session is nearing expiration based on the approved schedule.
The default alert time is 600 seconds (10 minutes) before session termination.
Time Zone
Displays the time zone set in the General section.
Make sure the work hour restrictions align with the correct time zone for users.
Schedule
Defines the approved work hours for secure session access.
Configure individual or multiple days, set start and end times in 24-hour format, and manage schedules using the following options:
Select Week Day(s) – Choose the days for the schedule.
From and To times – Set the session start and end times.
All day – Enable this slider to allow access for the entire selected day.
Add Schedule – Click Add Schedule to apply the selected days and times.
Edit Schedule – Click the pencil icon to modify the times in an existing schedule.
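The following added example (not SessionGuardian code) models why the time zone in the General section matters: the same schedule admits or rejects the same instant depending on the zone it is evaluated in. The schedule, the UTC-5 office, the function names, and the use of fixed UTC offsets (no daylight saving) are assumptions; the 600-second alert lead time is the default stated above.

```python
from datetime import datetime, timedelta, timezone

ALERT_SECONDS = 600  # default Work Hour Alert lead time stated on this page

# Constructed schedule: weekday (0 = Monday) -> (From, To) in 24-hour format.
SCHEDULE = {day: ("09:00", "17:00") for day in range(5)}


def session_window(now_utc, schedule, utc_offset_hours):
    """Return (allowed, alert_at, ends_at) for an instant judged in the group's zone."""
    zone = timezone(timedelta(hours=utc_offset_hours))
    local = now_utc.astimezone(zone)
    entry = schedule.get(local.weekday())
    if entry is None:  # no schedule for this day
        return False, None, None
    start_h, start_m = map(int, entry[0].split(":"))
    end_h, end_m = map(int, entry[1].split(":"))
    start = local.replace(hour=start_h, minute=start_m, second=0, microsecond=0)
    end = local.replace(hour=end_h, minute=end_m, second=0, microsecond=0)
    if not (start <= local < end):
        return False, None, None
    return True, end - timedelta(seconds=ALERT_SECONDS), end


def compare_zones(now_utc, schedule, intended_offset, configured_offset=0):
    """Compare the decision in the intended zone with the configured one (GMT 0 default)."""
    intended = session_window(now_utc, schedule, intended_offset)[0]
    configured = session_window(now_utc, schedule, configured_offset)[0]
    return {"intended": intended, "configured": configured,
            "mismatch": intended != configured}


if __name__ == "__main__":
    # Constructed instant: Wednesday 2025-01-15 21:30 UTC, which is 16:30 at UTC-5.
    now = datetime(2025, 1, 15, 21, 30, tzinfo=timezone.utc)
    print(compare_zones(now, SCHEDULE, intended_offset=-5))
    print(session_window(now, SCHEDULE, -5))
```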
Browser settings
Configure SessionGuardian Web settings to control browsing behavior and security. Options include:
Incognito Mode – Enables or disables private browsing for all sessions.
Kiosk Mode – Restricts browsing to a single tab.
File Download Control – Allows or blocks file downloads.
Clipboard Access – Allows or prevents copying data from SG Web.
Homepage URL – Defines the default page that opens when a session starts.
Whitelisted URLs – Restricts browsing to approved sites.
Bookmarks – Displays preset bookmarks for quick access.
In the Browser section, set the following configurations.
Incognito Mode
Forces all SG Web browsing sessions to operate in private browsing mode.
Pages viewed during a session are not saved in browsing history, and all cached data is deleted when SG Web is closed.
Kiosk Mode
Restricts SG Web to a single tab, allowing access only to whitelisted URLs.
When disabled, users can open multiple tabs within SG Web.
Allow File Download
Enables or prevents users from downloading files from whitelisted pages.
When disabled, SG Web blocks all file downloads, whether initiated by the user or the website.
Allow Copying
Enables or blocks copying data or screen captures from SG Web to the clipboard for use in other applications.
Target URL
Sets the default homepage that opens when a secure session starts.
The URL must match at least one whitelist entry to load properly.
Whitelisted URLs
Restricts SG Web access to approved websites.
Only URLs that meet the defined whitelist criteria can be accessed. Click Add Whitelisted URL to enter an allowed website.
Add Whitelisted URL – Enter the URL or use the wildcard character (*) to allow variations.
Bookmark URLs
Displays a bookmark toolbar with predefined URLs for quick access.
Bookmark URLs must also be added to the Whitelisted URLs list to open correctly.
Add Bookmark URLs – Enter the URL and name of the bookmark. Use the wildcard character (*) to allow variations.
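A pre-flight check for the two constraints above (the Target URL and every bookmark must match a whitelist entry), written as an added example and not taken from SessionGuardian. It assumes `*` matches any run of characters and that matching is against the whole URL; the hosts, function names, and probe URL are hypothetical, and bookmarks are treated as concrete URLs.

```python
import re

# Constructed probe: a URL no whitelist entry should be intended to allow.
PROBE_URL = "https://unrelated.invalid/"


def entry_regex(entry):
    """Compile a whitelist entry; '*' matches any run of characters (assumed)."""
    parts = (".*" if ch == "*" else re.escape(ch) for ch in entry)
    return re.compile("".join(parts) + r"\Z", re.DOTALL)


def matches(url, whitelist):
    """Return the whitelist entries that cover a concrete URL."""
    return [e for e in whitelist if entry_regex(e).match(url)]


def audit_browser_settings(target_url, bookmarks, whitelist):
    """Check the Target URL and bookmark constraints, plus one hygiene lint."""
    findings = []
    if not matches(target_url, whitelist):
        findings.append(("target-not-whitelisted", target_url))
    for name, url in bookmarks:
        if not matches(url, whitelist):
            findings.append(("bookmark-not-whitelisted", f"{name}: {url}"))
    for entry in whitelist:
        # An entry that admits the unrelated probe no longer restricts browsing.
        if entry_regex(entry).match(PROBE_URL):
            findings.append(("entry-matches-everything", entry))
    return findings


# Constructed sample configuration (hypothetical hosts).
WHITELIST = ["https://portal.example.com/*", "https://docs.example.com/kb/*"]
TARGET = "https://portal.example.com"  # no trailing slash, so no entry matches
BOOKMARKS = [
    ("Knowledge base", "https://docs.example.com/kb/start"),
    ("Tickets", "https://tickets.example.com/"),
]

if __name__ == "__main__":
    for kind, detail in audit_browser_settings(TARGET, BOOKMARKS, WHITELIST):
        print(f"{kind}: {detail}")
```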
Advanced settings
Super Admins can use the Advanced section to fine-tune recognition, security, and system behavior in the SessionGuardian Client.
Note
Only Super Admins can access this tab. Change these settings only if advised by SecureAuth Support.
In the Advanced section, review the following configurations. Only make changes if advised by Support.
Advanced
Controls how the SessionGuardian Client manages network congestion, latency, and connection disruptions with the SessionGuardian Console Server.
API Request Max Retries
Sets the number of times the SessionGuardian Client retries a failed request or connection attempt before stopping. Default: 5
API Request Retry Delay
Defines how long the SessionGuardian Client waits before retrying a failed request or connection attempt. Default: 1000 sec
Webcam Max Snapshots
Sets the maximum number of snapshots the webcam captures for recognition and authentication. Default: 5
Webcam Min Valid Snapshots
Specifies the minimum number of valid snapshots required for successful facial recognition. Default: 3
Workspace Launching Timeout
Determines how long the SessionGuardian Client waits for a workspace to launch before timing out. Default: 30000 sec
General
Controls how the SessionGuardian Client operates on the end-user's device.
Detect RDC
Prevents the SessionGuardian Client from running if the user's device is accessed through Remote Desktop.
Check AV
Requires the end-user’s device to have active antivirus software running before starting a secure session.
Prevent Running in VM
Blocks the SessionGuardian Client from running inside a virtual machine (VM) to prevent unauthorized use.
Ignore Close Session Event
Prevents users from manually closing a secure session to ensure continuous protection.
Keep-Alive Timeout
Defines how long the client waits for a connection attempt to the SessionGuardian Console before timing out. Default: 60 sec
Keep-Alive Frequency
Determines how often the client sends a keep-alive request to the server to maintain the connection. Default: 15 sec
VM Login Timeout
Specifies how long SessionGuardian waits for the login process to complete in a VDI client or virtual desktop before timing out. Default: 30000 ms
Protection Max Retries
Sets the number of times the client attempts to hook into the VDI client to enable screen share and screenshot protection. Default: 5
Protection Retry Delay
Defines how long the client waits before retrying to hook into the VDI client for screen share and screenshot protection. Default: 5000 ms
Recognition
Face Detection Threshold
Sets the minimum number of matching facial features required between the user's face and their profile photo for authentication. Default: 3 (in SG version 2.2) or 2 (in SG version 2.3)
IRW Video Validation
Determines the required size of the user's face within the video frame for successful recognition. Default: 350
Stop Session Timeout
Defines how long the system waits before terminating the session if facial recognition fails or the user is not detected. Default: 15000 ms