V2.3 to 3.0 Revised GPO settings

This page explains the differences between the Group Policy Object containers and settings in versions 2.3 and 3.0 of the DigitalPersona solution.

Version 3.0 of the DigitalPersona solution includes a significant reorganization of the containers and policy settings governing the software (compared to version 2.3), as well as several new, revised and renamed containers and policy settings, described below as they appear in the Windows Group Policy Editor. For complete descriptions of each setting, see Policies and Settings.

These changes will be discussed in two sections, in accordance with the two primary Policy containers, Software Settings and Administrative Templates.

Computer Configuration/Policies/Software Settings

Renamed GPOs and settings

Self Enrollment Policy - This policy, located in the DigitalPersona Client/Security/Enrollment GPO, has been renamed to Enrollment Policy.

New Containers and Settings

Security GPO and Settings

The Security GPO includes two new settings.

SMS

This new GPO consists of a single new setting, SMS Configuration, which includes three configurable values that were previously located in the Administrative Templates/DigitalPersona Client/Authentication Devices/OTP GPO.

These values are:

  • Nexmo API Key

  • Nexmo API Secret

  • Nexmo Sender Addresses

SMTP

This new GPO consists of a single new setting, SMTP Configuration, which includes four required values for configuring the email account to be used with the new Password Reset feature.

These values are:

  • SMTP Server

  • Port

  • Email Address

  • Email Password

Additionally, a field is provided for entering an Incoming Email Address, along with a Test Settings button that can be used to confirm that the designated SMTP Server is working.

Computer Configuration/Policies/Administrative Templates

New Administrative Templates Structure

Within the Computer Configuration/Policies/Administrative Templates container, the structure has been changed significantly, both at the topmost DigitalPersona level (as shown below) and at successive levels as shown in the images that follow.

New GPOs and Settings

Attended Enrollment

The Attended Enrollment GPO is new and includes the following new settings (previously configured using XML files), which apply to both the Attended Enrollment application and the HID DigitalPersona Enrollment application when used for attended enrollment.

  • Security Officer authentication

  • Require enrolling or omitting each credential

Send OTP by email

This setting is new, supporting the new ability for an AD User to choose to have their One-Time Password sent to them by email.

Recovery Credentials

This GPO is new, and includes the following new GPOs:

  • Recovery Questions

  • Self Password Reset

Recovery Questions - includes the Enable Recovery Questions setting, moved from the previous Security/Settings.

Self Password Reset - renamed from the previous Windows Password Reset GPO and moved from the DigitalPersona Server container to this location. It includes the following settings:

  • Allow users to reset their Windows passwords (moved from previous Windows Password Reset)

  • Path to DigitalPersona Secure Token Server (STS)

Browser hardware support

This GPO is new, and includes two settings previously located in the DigitalPersona Client/Security/Settings containers, Allow Localhost Loopback and Localhost Loopback Origins.

Relocated and Renamed GPOs and Settings

Authentication Devices

Previously there were Authentication Devices GPOs under both the Client and Server containers. They have been combined into one GPO, which includes the previous settings for both Server and Client, and which is now located in the DigitalPersona (AD)/General container.

Cache user data on local computer

This setting was previously located within the DigitalPersona AD Client/Authentication Devices/Fingerprint GPO, and has been relocated to the DigitalPersona/Workstations/Caching Credentials GPO.

Maximum size of identification list

This setting was previously located within the DigitalPersona Client/General Administration GPO, and has been relocated to the DigitalPersona/Workstations/Caching Credentials GPO.

Compatibility with Microsoft fingerprint support

This setting was previously located within the DigitalPersona Client/General Administration/Quick Actions GPO, and has been relocated to the DigitalPersona/Workstations/Advanced GPO.

Quick Actions

This GPO was previously located within the DigitalPersona Client/General Administration container, and has been relocated to the DigitalPersona/Workstations GPO.

Managed Applications

This GPO, previously located within the DigitalPersona Client container, has been deleted. The Disable Applications and Password Manager GPOs have been relocated to the DigitalPersona/Workstations container.

Localhost Settings

Two settings, Allow Localhost Loopback and Localhost Loopback Origins, previously in the DigitalPersona Client/Security/Settings GPO, have been relocated to the DigitalPersona/Workstations/Advanced/Browser hardware support GPO.

DigitalPersona Reports

This container and the Event Logging container above it, both previously in the DigitalPersona Client container, have been removed as they are no longer being used. The functionality has been replaced by the process of importing the DigitalPersona Reports GPOs described in DigitalPersona Reports.