
Manage Security Groups

Security groups help enforce security policies by applying a common set of settings to multiple user profiles. These settings include:

  • Onboarding and authentication methods – Controls how users register and verify their identity.

  • Access restrictions – Limits access based on time of day, network, and location.

  • Device posture requirements – Ensures users meet security standards before accessing resources.

  • Recognition settings – Configures facial recognition, shoulder surfing detection, and phone detection.

Assigning a user profile to a security group applies all group settings, overriding individual user settings. Updates to a security group instantly apply to all assigned users. You can also bulk import users and assign them to security groups for streamlined management.

Create a Security Group

  1. In the Admin Console, click Security Groups.

  2. In the top-right corner, click Create Security Group.

  3. Set the Security Group Name.

    Enter a name that clearly defines the group's purpose. The name can include spaces and special characters.


General settings

  • In the General section, configure access, software, and network restrictions, including onboarding, time zone, and security settings. Adjust prepopulated defaults as needed.

    Note

    Mobile registration, authentication, and ID verification require a mobile device with a front-facing camera (iPhone, iPad, or Android). Users must take a selfie during registration or authentication.

    Onboarding and Registration 

    Mobile Registration

    Requires users to scan a QR code and take a selfie to activate their profile.

    Mobile Authentication

    Requires users to scan a QR code and authenticate with their face each time they start a secure session.

    This setting may be hidden if the service is not enabled. 

    Image Liveness

    Liveness detection automatically ensures a live person is in front of the camera.

    The Image Liveness slider toggles on automatically when Mobile Authentication is turned on.

    ID Verification

    Requires users to scan a government-issued ID (e.g., driver's license, passport) on a mobile device and take a selfie to verify their identity.

    This setting may be hidden if the service is not enabled. 

    SG Terms & Conditions Agreement

    Requires users to read and accept terms before accessing protected systems and data.

    Multi-Factor Authentication (MFA)

    Requires users to complete an additional authentication step using an authenticator app.

    Users who activated their profile before MFA was enabled must receive a new invite. 

    Time Zone 

    Defines the reference time zone for the user’s profile.

    The system defaults to GMT 0, but you can adjust it based on the user’s location.

    Security Restrictions 

    IP Restrictions

    Control user authentication and secure session access based on the device’s public IP address.

    • Allowed IP – Add public IP addresses users are permitted to authenticate from.

    • Blocked IP – Add public IP addresses that should be explicitly blocked.

    Important

    When you enable IP Restrictions for the first time, the system automatically adds the user’s current public IP address to the Allowed IP list. If the user logs in from a different location or their IP address changes, they may be blocked from starting a secure session. To allow access, add the new IP address to the Allowed IP list.

    IP Geolocation Restrictions

    Restrict user authentication and secure session access to specific countries. The system allows access only when the user's device connects from an approved geolocation.

    This setting may be hidden if the service is not enabled. 

    VPN Restrictions

    Allow user authentication only through approved VPN solutions. The system detects if a VPN is in use before granting access.

    This setting may be hidden if the service is not enabled. 

    Restricted Applications

    Prevent users from starting a secure session while specified applications are running.

    Enter the executable name without “.exe” in the Add Restricted Application field.

    Required Applications

    Ensure specific applications are running before and during a secure session.

    Enter the executable name without “.exe” in the Add Required Application field.

    Prevent Screen Share and Screenshot

    Block users from sharing their screen or taking screenshots during a secure session.

    This setting applies to SG VDI and SG Web.

    Watermarks

    Display a watermark on all screens during a secure session to enhance security.

    Font Family

    The system applies a preset font that you cannot change.

    Font Size

    Defines the watermark text size. Larger fonts help blend the watermark with background applications. Default: 50

    Font Weight

    Sets the text style to normal or bold. Default: Normal

    Font Color

    Defines the text color using a hex code. Default: #000000 - Black

    Opacity

    Adjusts transparency from 0 (invisible) to 1 (fully opaque). Lower opacity reduces obstruction. Default: 0.1

    Across

    Determines how many times the watermark repeats across the screen. Default: 3


Recognition settings

Facial recognition can run once at login or continuously throughout the session. The system requires a high-quality profile photo stored in the SessionGuardian console.

If a profile picture is missing during user creation or before the first authentication attempt, the SessionGuardian client prompts the user to take one with their webcam.

  • In the Recognition section, configure facial authentication and security settings, including facial recognition, shoulder surfing detection, and mobile phone detection.

    Continuous Face Recognition 

    Enables ongoing facial recognition throughout the session instead of a single authentication at login.

    The system requires a high-quality profile photo stored in the SessionGuardian console. If a profile picture is missing, users are prompted to take one during authentication.

    Enabling this setting also unlocks additional configuration options:

    • Processing Snapshot Frequency (ms) – Defines how often the system performs recognition and authentication checks. Recommended: 300 ms

    • Face ID Confidence (%) – Sets the minimum confidence level required for successful facial recognition. Recommended: 98%

    • Face Detection Delay (ms) – Determines how long the system waits before taking action if the authorized user is not detected. Recommended: 45000 ms (in SG version 2.2) or 20000 ms (in SG version 2.3)

    • Protection Screen Timeout (sec) – Specifies how long the system waits for the user to reappear before locking access. Recommended: 600 sec

    • Webcam Resolution Level – Sets the webcam resolution level (1 is the lowest, 5 is the highest). Recommended: 5

    • Shoulder Surfing Protection – Detects and prevents unauthorized individuals from viewing the screen. When enabled, additional settings are available:

      • Unauthorized User Detection Delay (ms) – Determines how long the system waits before taking action when an unauthorized user is detected. Recommended: 2000 sec

    • Mobile Device Detection – Detects if a user attempts to take a picture of the screen using a mobile device. When enabled, additional settings are available:

      • Mobile Device Detection Frequency (ms) – Defines how often the system analyzes webcam video for mobile device detection. Default: 300 ms (in SG version 2.2) or 1000 ms (in SG version 2.3)

      • Mobile Device Protection Screen Timeout (sec) – Determines how long a lock screen appears when a mobile device is detected. Default: 5 sec

      • Mobile Device Match Confidence (%) – Sets the minimum confidence level required for mobile device detection. Default: 90% (in SG version 2.2) or 98% (in SG version 2.3)

    • Camera Device Detection

      • Camera Device Detection Frequency (ms) – Defines how often the system analyzes the user's machine for a webcam. Default: 500 ms

      • Camera Device Protection Screen Timeout (sec) – Determines how long a lock screen appears when a webcam is not detected. Default: 5 sec

      • Camera Device Match Confidence (%) – Default: 70%

    • Webcam Covered – Detects when the user's webcam is blocked or covered during a secure session. If enabled, the system prevents access until the webcam is uncovered.

      • Webcam Blocking Sensitivity – Adjusts how quickly the system responds when the webcam is covered. Default: Medium

    Run Once 

    Performs a single facial recognition and authentication check at the start of a user’s session. The system does not require additional face verification during the session.


Work Hours Restrictions settings

Work hour restrictions enforce a pre-approved schedule for secure session access. When enabled, users can only start a session during the specified days and times set by an administrator.

Important

Set the appropriate time zone in the General section to ensure the schedule applies correctly.

  • In the Work Hours Restrictions section, set the following configurations.

    Work Hours Restrictions 

    Limits user access to secure sessions based on a preapproved schedule.

    Users can only connect during the authorized days and times set by an administrator.

    Work Hour Alert 

    Notifies users when their session is nearing expiration based on the approved schedule.

    The default alert time is 600 seconds (10 minutes) before session termination. 

    Time Zone 

    Displays the time zone set in the General section.

    Make sure the work hour restrictions align with the correct time zone for users.

    Schedule 

    Defines the approved work hours for secure session access.

    Configure individual or multiple days, set start and end times in 24-hour format, and manage schedules using the following options:

    • Select Week Day(s) – Choose the days for the schedule.

    • From and To times – Set the session start and end times.

    • All day – Enable this slider to allow access for the entire selected day.

    • Add Schedule – Click Add Schedule to apply the selected days and times.

    • Edit Schedule – Click the pencil icon to modify the times in an existing schedule.
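The sketch below is an added example, not SessionGuardian code. It shows why the Time Zone setting matters for a work-hours schedule: the same instant is inside or outside a 09:00 to 17:00 window depending on the zone the schedule is evaluated in. The schedule layout, function names and fixed UTC offsets are assumptions; only the 600-second alert default comes from this page.

```python
from datetime import datetime, time, timedelta, timezone

ALERT_SECONDS = 600  # default Work Hour Alert stated on this page

# Constructed schedule: weekday (0 = Monday) -> (From, To) in 24-hour format.
SCHEDULE = {day: (time(9, 0), time(17, 0)) for day in range(5)}


def session_window(now_utc, utc_offset_hours, schedule=SCHEDULE):
    """Return (allowed, seconds_left) for an instant, judged in the group's zone."""
    group_tz = timezone(timedelta(hours=utc_offset_hours))
    local = now_utc.astimezone(group_tz)
    slot = schedule.get(local.weekday())
    if slot is None:                       # no schedule entry for this day
        return False, None
    start = datetime.combine(local.date(), slot[0], tzinfo=group_tz)
    end = datetime.combine(local.date(), slot[1], tzinfo=group_tz)
    if not (start <= local < end):
        return False, None
    return True, int((end - local).total_seconds())


def alert_due(now_utc, utc_offset_hours, schedule=SCHEDULE):
    """True once the time left in the window is within the alert threshold."""
    allowed, seconds_left = session_window(now_utc, utc_offset_hours, schedule)
    return allowed and seconds_left <= ALERT_SECONDS


if __name__ == "__main__":
    # Monday 2024-03-04, 21:30 UTC is 16:30 for a user at UTC-5.
    instant = datetime(2024, 3, 4, 21, 30, tzinfo=timezone.utc)
    print("group left at GMT 0:", session_window(instant, 0))
    print("group set to UTC-5: ", session_window(instant, -5))
```

A group left at the GMT 0 default denies this user half an hour before their local end of day, and would admit them at 08:30 local time instead of 09:00.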


Browser settings

Configure SessionGuardian Web settings to control browsing behavior and security. Options include:

  • Incognito Mode – Enables or disables private browsing for all sessions.

  • Kiosk Mode – Restricts browsing to a single tab.

  • File Download Control – Allows or blocks file downloads.

  • Clipboard Access – Allows or prevents copying data from SG Web.

  • Homepage URL – Defines the default page that opens when a session starts.

  • Whitelisted URLs – Restricts browsing to approved sites.

  • Bookmarks – Displays preset bookmarks for quick access.

  • In the Browser section, set the following configurations.

    Incognito Mode

    Forces all SG Web browsing sessions to operate in private browsing mode.

    Pages viewed during a session are not saved in browsing history, and all cached data is deleted when SG Web is closed.

    Kiosk Mode

    Restricts SG Web to a single tab, allowing access only to whitelisted URLs.

    When disabled, users can open multiple tabs within SG Web.

    Allow File Download

    Enables or prevents users from downloading files from whitelisted pages.

    When disabled, SG Web blocks all file downloads, whether initiated by the user or the website.

    Allow Copying

    Enables or blocks copying data or screen captures from SG Web to the clipboard for use in other applications.

    Target URL

    Sets the default homepage that opens when a secure session starts.

    The URL must match at least one whitelist entry to load properly.

    Whitelisted URLs

    Restricts SG Web access to approved websites.

    Only URLs that meet the defined whitelist criteria can be accessed. Click Add Whitelisted URL to enter an allowed website.

    • Add Whitelisted URL – Enter the URL or use the wildcard character (*) to allow variations.

    Bookmark URLs

    Displays a bookmark toolbar with predefined URLs for quick access.

    Bookmark URLs must also be added to the Whitelisted URLs list to open correctly.

    • Add Bookmark URLs – Enter the URL and name of the bookmark. Use the wildcard character (*) to allow variations.
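The following pre-flight check is an added example, not part of the product. It verifies that a planned Target URL and set of Bookmark URLs each match at least one Whitelisted URLs entry, and flags entries broad enough to match an unrelated site. It assumes that `*` matches any run of characters and that matching is case-insensitive; the product's actual matching rules may differ, and all URLs and function names are constructed.

```python
import re

# Probe on an unrelated host; an entry that matches it no longer restricts browsing.
PROBE_URL = "https://unrelated.invalid/"


def entry_matches(entry, url):
    """Assumed semantics: '*' matches any run of characters, case-insensitive."""
    pattern = ".*".join(re.escape(part) for part in entry.strip().split("*"))
    return re.fullmatch(pattern, url.strip(), re.IGNORECASE) is not None


def is_whitelisted(url, whitelist):
    return any(entry_matches(entry, url) for entry in whitelist)


def check_browser_config(target_url, bookmarks, whitelist):
    """Return a list of problems; an empty list means the settings agree."""
    problems = []
    if not is_whitelisted(target_url, whitelist):
        problems.append(f"Target URL not whitelisted: {target_url}")
    for name, url in bookmarks:
        if not is_whitelisted(url, whitelist):
            problems.append(f"Bookmark '{name}' not whitelisted: {url}")
    for entry in whitelist:
        if entry_matches(entry, PROBE_URL):
            problems.append(f"Whitelist entry is too broad: {entry}")
    return problems


# Constructed sample settings (not taken from a real deployment).
SAMPLE_WHITELIST = ["https://portal.example.com/*", "https://*.example.com/docs/*"]
SAMPLE_BOOKMARKS = [("Portal", "https://portal.example.com/home"),
                    ("Wiki", "https://wiki.example.org/")]

if __name__ == "__main__":
    for line in check_browser_config("https://portal.example.com/login",
                                     SAMPLE_BOOKMARKS, SAMPLE_WHITELIST):
        print(line)
```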


Advanced settings

Super Admins can use the Advanced section to fine-tune recognition, security, and system behavior in the SessionGuardian Client.

Note

Only Super Admins can access this tab. Change these settings only if advised by SecureAuth Support.

  • In the Advanced section, review the following configurations. Only make changes if advised by Support.

    Advanced

    Controls how the SessionGuardian Client manages network congestion, latency, and connection disruptions with the SessionGuardian Console Server.

    API Request Max Retries

    Sets the number of times the SessionGuardian Client retries a failed request or connection attempt before stopping. Default: 5

    API Request Retry Delay

    Defines how long the SessionGuardian Client waits before retrying a failed request or connection attempt. Default: 1000 sec

    Webcam Max Snapshots

    Sets the maximum number of snapshots the webcam captures for recognition and authentication. Default: 5

    Webcam Min Valid Snapshots

    Specifies the minimum number of valid snapshots required for successful facial recognition. Default: 3

    Workspace Launching Timeout

    Determines how long the SessionGuardian Client waits for a workspace to launch before timing out. Default: 30000 sec

    General

    Controls how the SessionGuardian Client operates on the end-user's device.

    Detect RDC

    Prevents the SessionGuardian Client from running if the user's device is accessed through Remote Desktop.

    Check AV

    Requires the end-user’s device to have active antivirus software running before starting a secure session.

    Prevent Running in VM

    Blocks the SessionGuardian Client from running inside a virtual machine (VM) to prevent unauthorized use.

    Ignore Close Session Event

    Prevents users from manually closing a secure session to ensure continuous protection.

    Keep-Alive Timeout

    Defines how long the client waits for a connection attempt to the SessionGuardian Console before timing out. Default: 60 sec

    Keep-Alive Frequency

    Determines how often the client sends a keep-alive request to the server to maintain the connection. Default: 15 sec

    VM Login Timeout

    Specifies how long SessionGuardian waits for the login process to complete in a VDI client or virtual desktop before timing out. Default: 30000 ms

    Protection Max Retries

    Sets the number of times the client attempts to hook into the VDI client to enable screen share and screenshot protection. Default: 5

    Protection Retry Delay

    Defines how long the client waits before retrying to hook into the VDI client for screen share and screenshot protection. Default: 5000 ms

    Recognition

    Face Detection Threshold

    Sets the minimum number of matching facial features required between the user's face and their profile photo for authentication. Default: 3 (in SG version 2.2) or 2 (in SG version 2.3)

    IRW Video Validation

    Determines the required size of the user's face within the video frame for successful recognition. Default: 350

    Stop Session Timeout

    Defines how long the system waits before terminating the session if facial recognition fails or the user is not detected. Default: 15000 ms
