Setting Up Attended Enrollment

The following sections provide instructions for setting up the Attended Enrollment feature of the DigitalPersona AD Workstation client.

Attended Enrollment is a feature that allows a delegated user, or a member of a delegated user group, to attend and supervise the enrollment of DigitalPersona credentials for other users.

This functionality is an optional feature that can be selected through a Custom installation of the DigitalPersona AD Workstation client.

Assign or Remove Register/Delete Permissions

By default, Attended Enrollment may be performed by any user with domain administrator privileges, and end users may also enroll and modify their own credentials from their DigitalPersona workstation. If this is the desired behavior for your environment, no further setup is necessary.

In some scenarios, you may want to delegate authority for attended enrollment to another user or user group and prohibit end-users from enrolling or modifying their own credentials.

Use the following steps to:

  • Assign the enroll/delete credentials permission to a user or group so that they may supervise Attended Enrollment.

  • Remove the enroll/delete credentials permission from all users.

    Note: In this case, you should remove the permission rather than set it to Deny.

  • Create a user or group that will supervise Attended Enrollment.

  1. Open Active Directory Users and Computers.

  2. On the View menu, select Advanced Features.

  3. As necessary, create a new AD Security Group for those who will be supervising enrollment.

  4. Right-click the AD Domain Root and then click Properties.

  5. On the Security tab, click Advanced to view all of the permission entries.

  • To assign new permissions:

    1. Click Add, type the name of the group, computer, or user to which you wish to assign the permission, and then click OK.

    2. In the Permission Entry for ObjectName dialog box, on the Object and Properties tabs, select Descendant User objects from the Apply to drop-down menu.

    3. Double-click the Register/Delete Fingerprint (DigitalPersona)* permission entry, and as appropriate, select either Allow or Deny.

  • To remove the Register/Delete Fingerprint permission from an object or attribute, select the permission entry, and then click Remove.

Note: * Although the permission is titled “Register/Delete Fingerprint,” it actually applies to all DigitalPersona credentials.

Prohibit Domain Administrators from Enrolling/Deleting Credentials

To prohibit domain administrators from enrolling/deleting credentials:

  1. Open Active Directory Users and Computers.

  2. On the View menu, select Advanced Features.

  3. Right-click the AD Domain Root and then click Properties.

  4. Remove the Register/Delete Fingerprint (DigitalPersona) permission from the Self object.

    Note: Although the permission is titled “Register/Delete Fingerprint,” it actually applies to all DigitalPersona credentials.

  5. Set the permission for the Register/Delete Fingerprint (DigitalPersona) entry to Deny for the Domain Admins group.

  6. Navigate to [Domain root]\System\AdminSDHolder. Right-click on Domain Admins and select Properties.

  7. Set the permission for the Register/Delete Fingerprint (DigitalPersona) entry to Deny for Domain Admins.
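To verify the outcome of the two procedures above (the delegation on the domain root and the Deny entries for Domain Admins, including the one on AdminSDHolder), the following PowerShell audit is an added example and is not part of the DigitalPersona documentation. It assumes the ActiveDirectory RSAT module and a session that can read the domain, configuration and schema partitions; the right's GUID is resolved from the schema by its display name rather than hard-coded.

```powershell
Import-Module ActiveDirectory

# Display name of the right as it appears in the ACL editor
$rightName = 'Register/Delete Fingerprint (DigitalPersona)'
$rootDSE   = Get-ADRootDSE
$domainDN  = $rootDSE.defaultNamingContext

# Resolve the right's GUID from the Extended-Rights container. Parentheses are
# special characters in LDAP filters and must be escaped as \28 and \29.
$ldapName = $rightName.Replace('(', '\28').Replace(')', '\29')
$right = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDSE.configurationNamingContext)" `
    -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$ldapName))" -Properties rightsGuid
if (-not $right) { throw "Control access right '$rightName' was not found in the schema." }
$rightGuid = [guid]$right.rightsGuid

# schemaIDGUID of the 'user' class, so ACEs scoped to "Descendant User objects" can be labelled
$userClass = Get-ADObject -SearchBase $rootDSE.schemaNamingContext `
    -LDAPFilter '(ldapDisplayName=user)' -Properties schemaIDGUID
$userGuid = [guid]$userClass.schemaIDGUID

function Get-DpEnrollmentAces {
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        # Keep ACEs naming this right explicitly, plus blanket ACEs that cover every
        # extended right (ExtendedRight or GenericAll with no object type restriction).
        $explicit = $ace.ObjectType -eq $rightGuid
        $blanket  = $ace.ObjectType -eq [guid]::Empty -and
                    (($ace.ActiveDirectoryRights -band
                      [System.DirectoryServices.ActiveDirectoryRights]'ExtendedRight,GenericAll') -ne 0)
        if (-not ($explicit -or $blanket)) { continue }
        $scope = if ($ace.InheritedObjectType -eq $userGuid) { 'Descendant User objects' } else { $ace.InheritanceType }
        [pscustomobject]@{
            Object    = $DistinguishedName
            Identity  = $ace.IdentityReference
            Type      = $ace.AccessControlType     # Allow or Deny
            Scope     = $scope
            Explicit  = $explicit                  # $false means a blanket grant covers the right
            Inherited = $ace.IsInherited
        }
    }
}

# Domain root (the procedures above) and AdminSDHolder, whose ACL is re-applied to protected groups
@($domainDN, "CN=AdminSDHolder,CN=System,$domainDN") |
    ForEach-Object { Get-DpEnrollmentAces -DistinguishedName $_ } |
    Format-Table -AutoSize
```

A Deny row for Domain Admins on both objects, an Allow row for the delegated group scoped to Descendant User objects, and no remaining Allow for Self is the state the procedures above are meant to produce.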

Customizing Attended Enrollment

Note: This section is included for backward compatibility with previous versions. Using the DigitalPersona.Altus.Enrollment.exe.config file to configure Attended Enrollment is not recommended for versions 3.0.2 and above.

For those later versions, the behavior of Attended Enrollment is governed by the following GPOs, which are fully described in Policies and Settings:

  • Policy Enrollment

  • Authentication of the user being enrolled

  • Security officer authentication

  • Require to complete or omit credential

The workflow and UI behavior of Attended Enrollment can be customized significantly through the related configuration file, DigitalPersona.Altus.Enrollment.exe.config.

For convenience, all options are explained or briefly illustrated within the file itself. However, this section will provide more detailed explanations of the options.

The enrollmentConfiguration section of the file is the only area that should be modified.

Changes to the Custom page definition and other sections may cause the program to malfunction, and should only be done by the HID Global Solutions and Implementation Group.

passwordRandomization

This tag specifies whether the user’s password is randomized during the enrollment process.

<passwordRandomization value="DoNotRandomize" /> <!--DoNotRandomize, RandomizeAlways, MayRandomize-->

Possible values are:

  • DoNotRandomize - (default) Password randomization is not available and the UI offers no option to randomize the user’s password.

  • RandomizeAlways - Password randomization always occurs, and the UI provides the option (on the Advanced Features page) to reset the user’s password.

  • MayRandomize - Password randomization is optional and the UI allows the administrator to choose whether to randomize the user’s password for each user.

See Advanced Features for details on how this affects the Attended Enrollment interface and workflow.

completeAllPages

This tag determines whether or not all displayed credentials must be either enrolled or specifically omitted in order to complete enrollment.

<completeAllPages value="true" /> <!--true, false-->

The default is true; the other possible value is false.

authenticateOfficer... and authenticateUser

Several tags define workflow events at which authentication by the DigitalPersona Security Officer, or by the user being enrolled, can be required. Default values are shown in the examples below; if any of these tags is missing from the file, the default for that tag is true.

  • <authenticateOfficerOnStarted value="false" />

    Authenticate the Security Officer every time Attended Enrollment is launched.

  • <authenticateOfficerBeforeSave value="true" />

    Authenticate the Security Officer each time a credential is saved or a credential enrollment page is closed.

  • <authenticateOfficerBeforeSkip value="true" />

    Authenticate the Security Officer when user data is omitted (skipped), once each time a credential page is closed.

  • <authenticateOfficerBeforeDelete value="true" />

    Authenticate the Security Officer when user data is deleted, once each time a credential page is closed or data is deleted.

  • <authenticateOfficerOnCompleted value="true" />

    Authenticate the Security Officer when the user's enrollment is completed.

  • <authenticateUserOnPageEnter value="true" />

    Authenticate the user once when each credential page is opened.

  • <authenticateUserOnCompleted value="true" />

    Authenticate the user when their enrollment is completed.

authenticationPolicyForOfficer

This tag lists the credentials, or combinations of credentials, that are accepted for authenticating the DigitalPersona Security Officer; each add entry is one such credential or combination.

<authenticationPolicyForOfficer>
  <add value="1"/>          <!--Password-->
  <add value="2"/>          <!--Fingerprint-->
  <add value="Pin, Otp"/>   <!--PIN and OTP together-->
</authenticationPolicyForOfficer>

Possible values are:

  • 1 - Password

  • 2 - Fingerprint

  • 4 - Smartcard

  • 8 - RecoveryQuestions

  • 32 - Contactless Card

  • 64 - RecoveryPassword

  • 128 - PIN

  • 256 - Proximity

  • 512 - Bluetooth

  • 2048 - OTP
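The following PowerShell is an added example, not part of the DigitalPersona documentation or product, that reads the enrollmentConfiguration section described in this chapter (passwordRandomization, completeAllPages, the authenticate* tags and authenticationPolicyForOfficer), applies the documented defaults for tags that are absent, and decodes each policy entry, whether numeric or named, into the credential names listed above. The sample XML is constructed here, and the enclosing <configuration> element is an assumption about the file's layout.

```powershell
# Numeric flag values from the list above (16 and 1024 are not documented here)
$CredentialFlags = [ordered]@{
    Password = 1; Fingerprint = 2; Smartcard = 4; RecoveryQuestions = 8
    ContactlessCard = 32; RecoveryPassword = 64; Pin = 128; Proximity = 256
    Bluetooth = 512; Otp = 2048
}
# Boolean tags that the documentation says default to true when absent
$BoolTags = 'completeAllPages', 'authenticateOfficerOnStarted', 'authenticateOfficerBeforeSave',
    'authenticateOfficerBeforeSkip', 'authenticateOfficerBeforeDelete', 'authenticateOfficerOnCompleted',
    'authenticateUserOnPageEnter', 'authenticateUserOnCompleted'

# Turn an <add> value such as "1", "2", "130" or "Pin, Otp" into the names of the
# credentials that must be presented together for that policy entry.
function ConvertTo-CredentialNames([string]$Value) {
    $names = foreach ($part in ($Value -split ',\s*')) {
        if ($part -match '^\d+$') {        # numeric bitmask: expand every flag that is set
            $CredentialFlags.GetEnumerator() |
                Where-Object { ([int]$part -band $_.Value) -ne 0 } | ForEach-Object Key
        } elseif ($CredentialFlags.Contains($part)) { $part }
        else { throw "Unknown credential '$part' in authenticationPolicyForOfficer" }
    }
    $names -join ' + '
}

function Get-EnrollmentSettings([xml]$Config) {
    $section  = $Config.SelectSingleNode('//enrollmentConfiguration')
    $settings = [ordered]@{}
    $pr = $section.SelectSingleNode('passwordRandomization')
    $settings.passwordRandomization = if ($pr) { $pr.value } else { 'DoNotRandomize' }
    foreach ($tag in $BoolTags) {
        $node = $section.SelectSingleNode($tag)
        $settings[$tag] = if ($node) { [bool]::Parse($node.value) } else { $true }
    }
    # Each <add> is one accepted credential or credential combination for the officer
    $settings.officerPolicy = @($section.SelectNodes('authenticationPolicyForOfficer/add') |
        ForEach-Object { ConvertTo-CredentialNames $_.value })
    [pscustomobject]$settings
}

# Constructed sample based on the fragments in this section; the <configuration> wrapper is assumed
[xml]$sample = @"
<configuration><enrollmentConfiguration>
  <passwordRandomization value="MayRandomize" />
  <authenticateOfficerOnStarted value="false" />
  <authenticationPolicyForOfficer>
    <add value="1"/><add value="2"/><add value="Pin, Otp"/>
  </authenticationPolicyForOfficer>
</enrollmentConfiguration></configuration>
"@
Get-EnrollmentSettings $sample | Format-List
```

Running it against the sample reports completeAllPages and every omitted authenticate* tag as True, and the officer policy as Password, Fingerprint, and Pin + Otp.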