
Computer Configurations\Administrative Templates

During installation of the DigitalPersona LDS Administration Tools, the following nodes and settings are created under the Computer Configuration\Administrative Templates node.

DigitalPersona Client (Details)

Authentication Devices

Bluetooth

Lock computer when your phone is out of range

Configure whether to lock the computer when a Bluetooth device which was connected during login moves out of range.

  • If enabled, locks the computer when the device is out of range.
  • If disabled or not configured, does not lock the computer when the device is out of range.

The definition of “out of range” depends on the installed Bluetooth stack. For the Broadcom stack, which can measure the signal strength of the Bluetooth device, out of range is a hardcoded threshold of 10 dB. For non-Broadcom stacks, out of range is defined as whenever the device is not visible to the software.

Silent authentication

Configure whether or not to use silent authentication for Bluetooth credentials.

  • If enabled or not configured, when Bluetooth credentials are allowed for authentication by the Logon or Session Policy in force, authentication is attempted with the previously used Bluetooth credential immediately upon entry to a logon screen.
  • If disabled, selection of a specific Bluetooth credential is required for authentication.

Fingerprints 

Redirect fingerprint data

Configure whether or not to allow the client computer to redirect fingerprint data to a remote Terminal Services session.

  • If enabled, clients can send fingerprint data to a remote Terminal Services session. This configuration must be enabled to support fingerprint authentication on a remote desktop.
  • If disabled or not configured, fingerprint data redirection is not allowed.

When an administrator changes this setting, only new connections display the behavior specified by the new setting. Sessions that were initiated before the change must log off and reconnect to be affected by the new setting.

  • The Do not compress fingerprint data for redirection checkbox specifies whether to compress fingerprint data on the client computer before redirecting it to the Terminal Services session.

If checked, fingerprint data is not compressed on the client computers before sending to the Terminal Server. If not checked, fingerprint data is compressed on the client computers before sending to the Terminal Server.

When an administrator changes this setting, only new connections display the behavior specified by the new setting. Sessions that were initiated before the change must log off and reconnect to be affected by the new setting.

Cache user data on local computer

Determines whether user data for domain users are cached on the local computer.

  • If enabled or not configured, user data (fingerprint templates and secure application data) of domain users is cached locally on the computer. This gives domain users the ability to use their fingerprints when a DigitalPersona LDS Server cannot be located. This is a convenient but less secure option.
  • If disabled, domain users may only use fingerprints when a DigitalPersona LDS Server is available. The data of local users is always stored on the local computer.

Fingerprint enrollment

Configure settings related to fingerprint enrollment.

  • Set the minimum number of enrolled fingerprints. This setting requires that the user enroll at least the specified number of fingerprints. Enrolling just one fingerprint increases the probability of not being able to authenticate, while enrolling several fingerprints increases the probability of false acceptance. If disabled or not configured, the minimum number of fingerprints required for enrollment is 1.
  • Set the maximum number of enrolled fingerprints. This setting restricts the number of fingerprints that a user can enroll. Enrolling several fingerprints increases the probability of false acceptance. If disabled or not configured, the maximum number of fingerprints allowed for enrollment is 10.

Fingerprint verification

Configure settings related to fingerprint verification.

  • If enabled, allows you to set the False Accept Rate for fingerprint verification.
  • If disabled or not configured, a FAR setting of Medium High (1 in 100,000) is used.

Set the False Accept Rate

The False Accept Rate (FAR) is the probability of receiving a false acceptance decision when comparing fingerprints scanned from different fingers.

When this setting is enabled, you can select one of the following FAR values:

  • Medium (1 in 10,000)
  • Medium High (1 in 100,000) – Recommended
  • High (1 in 1,000,000)

For example: if you select Medium High, on average, one false acceptance will occur when a fingerprint is compared against one hundred thousand fingerprints scanned from different fingers.

The higher the setting, the lower the chance of receiving a false acceptance. However, at the High setting, the system may reject legitimate fingerprints.

NOTE: The FAR is set on a per verification basis. When matching a fingerprint against the fingerprints of multiple users (identification), the internally used FAR is automatically adjusted to maintain the same effective FAR that was selected for one match.

If disabled or not configured, the value of 1 in 100,000 FAR is used.
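
To make the NOTE above concrete, the following added example (written for this page; it is not DigitalPersona code and does not reproduce the matcher's internal adjustment) computes what a per-verification FAR becomes when one probe is compared against N enrolled users, and the per-comparison rate needed to keep the selected effective FAR. It assumes each impostor comparison is an independent trial, the standard first-order model; N of 10 and 100 correspond to the default and maximum identification list sizes described later in this guide.

```python
"""Added example (not DigitalPersona code): FAR arithmetic for 1:N identification,
assuming each impostor comparison is an independent trial."""

# The three values offered by the Set the False Accept Rate setting above.
FAR_SETTINGS = {
    "Medium": 1e-4,       # 1 in 10,000
    "Medium High": 1e-5,  # 1 in 100,000 (default, recommended)
    "High": 1e-6,         # 1 in 1,000,000
}


def effective_far(per_match_far: float, candidates: int) -> float:
    """Probability that at least one of `candidates` impostor comparisons,
    each run at `per_match_far`, is wrongly accepted."""
    if candidates < 1:
        raise ValueError("candidates must be >= 1")
    return 1.0 - (1.0 - per_match_far) ** candidates


def per_match_far_for(target_far: float, candidates: int) -> float:
    """Per-comparison threshold that keeps the whole 1:N search at `target_far`:
    the solution of 1 - (1 - p)^N = target_far for p. This is the kind of
    adjustment the NOTE above says the matcher performs internally."""
    if candidates < 1:
        raise ValueError("candidates must be >= 1")
    return 1.0 - (1.0 - target_far) ** (1.0 / candidates)


def one_in(rate: float) -> int:
    """Express a rate as the N of '1 in N', rounded to the nearest integer."""
    return round(1.0 / rate)


def identification_table(target_far: float, list_sizes=(1, 10, 100)) -> dict:
    """For each identification-list size: the effective FAR if the selected
    per-verification value were applied unadjusted to every comparison, and
    the adjusted per-comparison FAR that restores the selected target."""
    return {
        n: {
            "unadjusted_effective": one_in(effective_far(target_far, n)),
            "adjusted_per_match": one_in(per_match_far_for(target_far, n)),
        }
        for n in list_sizes
    }
```

With the recommended Medium High setting, searching a 100-user identification list without adjustment would yield roughly 1 in 1,000 effective FAR; restoring 1 in 100,000 requires each comparison to run at about 1 in 10,000,000, which is why identification against a large domain is more demanding on the matcher than a single verification.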

OTP

Time-Based OTP Validation Window

Specifies a validation system acceptance delay for OTP validation in minutes.

Time differences between the TOTP validation server and a client device generating an OTP token can result in a mismatch of the OTP, and subsequent login failure. This is due to the fact that the validation server compares the timestamp when the OTP was generated with the timestamp when it is received. Although the duration of validity of a specific OTP may vary for specific devices, this window is generally plus or minus 30 seconds, for a total window of one minute. In some cases, due to network latency, or inaccurate clocks on lower-end OTP hardware devices, the gap between the originating timestamp and receiving timestamp may be more than the validation window.

This setting allows the administrator to specify a longer validation window. Note that the value indicates the total window, for example a window of 2 minutes would extend the validation window for 1 minute before and after the receiving timestamp.

  • If enabled, you can specify a validation window of between 1 and 20 minutes. Be aware that a longer validation window increases the time during which an intercepted or guessed OTP remains valid.
  • If not configured, the validation window defaults to 1 minute.

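The following added example (not DigitalPersona code; the product's validator is not published on this page) implements RFC 6238 TOTP with the window semantics described above: the configured value is the total width in minutes, centred on the receive timestamp. It shows why a longer window rescues a client whose clock or network is behind, and how many distinct codes are simultaneously acceptable, which is the exposure the caveat above refers to. The secret is the RFC 4226/6238 test-vector key, used here only so the output can be checked.

```python
"""Added example (not DigitalPersona code): RFC 6238 TOTP validation with a
configurable total window in minutes, as the setting above describes."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def time_step(unix_time: int) -> int:
    return unix_time // STEP_SECONDS


def totp(secret: bytes, unix_time: int) -> str:
    """The code a client device generates at `unix_time`."""
    return hotp(secret, time_step(unix_time))


def candidate_steps(received_at: int, window_minutes: int) -> range:
    """Time steps the validator tries. The window is the TOTAL width in minutes
    centred on the receive timestamp (2 min => 1 min before and after), so the
    default of 1 minute is +/-30 s."""
    if not 1 <= window_minutes <= 20:      # the range the policy allows
        raise ValueError("window must be 1..20 minutes")
    half = (window_minutes * 60) // 2
    return range(time_step(received_at - half), time_step(received_at + half) + 1)


def validate_totp(secret: bytes, presented: str, received_at: int,
                  window_minutes: int = 1) -> bool:
    """Accept if `presented` equals the code of any step inside the window.
    hmac.compare_digest keeps each comparison constant-time."""
    return any(hmac.compare_digest(hotp(secret, step), presented)
               for step in candidate_steps(received_at, window_minutes))


def simultaneously_valid_codes(window_minutes: int) -> int:
    """Number of distinct time steps (hence distinct codes) accepted at one
    instant: 2*window_minutes + 1 for 30 s steps. A guesser's odds against a
    6-digit code scale with this number, which is the exposure the caveat means."""
    return len(candidate_steps(1_700_000_000, window_minutes))
```

With the default 1-minute window a code generated 45 seconds before it reaches the server is still accepted, one generated 90 seconds earlier is not, and widening the window to 4 minutes accepts it again at the cost of nine acceptable codes instead of three.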
Push Notification Server API Key

Specifies the user’s unique identification key on the DigitalPersona Push Notification Server.

  • If enabled, and a valid API Key is entered, OTP Push Notification is shown on the logon screen. The API Key is provided in an email from the CPNS Team when a tenant account is created on the DigitalPersona Push Notification Server.
  • If disabled or not configured, Push Notification is not shown on the logon screen.

Push Notification Server Tenant ID

Specifies the user’s unique identifier on the Crossmatch Push Notification Server.

  • If enabled, and a valid Tenant ID is entered, Push Notification is shown on the logon screen. The Tenant ID is provided in an email from the CPNS Team when a tenant account is created on the DigitalPersona Push Notification Server.
  • If disabled or not configured, Push Notification is not shown on the logon screen.

Nexmo API Key

Specifies the API Key assigned by the Nexmo SMS Gateway. Requires a previously created Nexmo SMS account.

  • If enabled and the Nexmo API Key is entered, SMS authentication is shown on the Logon screen.
  • If disabled or not configured, SMS authentication is not shown on the Logon screen.

Nexmo API Secret

Specifies the API Secret assigned by the Nexmo SMS Gateway. Requires a previously created Nexmo SMS account.

  • If enabled and the Nexmo API Secret is entered, SMS authentication is shown on the Logon screen.
  • If disabled or not configured, SMS authentication is not shown on the Logon screen.

Custom SMS Message

Specifies a custom message that will be sent with each SMS. Requires a previously created Nexmo SMS account.

  • If enabled, you can specify a custom message with a limit of 140 characters. The message must also include the variable placeholder %s representing the code that will be sent in the message. For example, “Enter the following code to logon: %s”.
  • If disabled or not configured, the default message is sent. The default message is “Use the Altus Verification Code %s.”

Nexmo Sender Addresses

Specifies one or more semicolon delimited alphanumeric* strings to be used as Sender Addresses (also called SenderIDs) by the Nexmo SMS Gateway. Requires a previously created Nexmo SMS account.

*There are country-specific limitations governing Sender Addresses. For example, in the United States, only digits (no alphabetic characters or dashes) are allowed in the Sender Address. Country-specific restrictions are described here – https://help.nexmo.com/hc/en-us/sections/200622473-Country-Specific-Features-and-Restrictions.

  • If enabled, you can specify a semicolon-delimited list of Sender Addresses. Each SMS is sent with a Sender Address randomly selected from the list.
  • If disabled or not configured, the default Sender Address, NXSMS, is used.

PIN

PIN enrollment

Configure settings related to enrollment of user PIN.

  • If enabled, you can specify the minimum and maximum length of the user PIN. Use the up and down arrow keys to set the minimum and maximum lengths of the user PIN.
  • If disabled or not configured, the minimum length of the user PIN is 4 and the maximum length is

Note that requiring longer PINs increases security by making it more difficult to try all possible combinations of numbers to discover a user’s PIN.

Smart cards

Lock the computer upon smart card removal

Configure whether or not the computer locks upon removing the smart card from the smart card reader.

  • If enabled, the computer locks upon removing the smart card from the smart card reader. The computer will lock only if the smart card was used to log on to Windows.
  • If disabled or not configured, the computer does not lock upon removing the smart card from the smart card reader.

Event logging

DigitalPersona Reports

DigitalPersona Reports Event Forwarding

Configures forwarding of DigitalPersona client events to DigitalPersona Reports via the Windows Event Forwarding mechanism.

  • If enabled, DigitalPersona client events are forwarded.
  • If disabled or not configured, DigitalPersona client events are not forwarded.

Level of detail in event logs

Determines the level of detail and type of events written to the Windows Event Log.

  • If enabled, DigitalPersona components log events at the specified level.
  • If disabled or not configured, events are logged at the Auditing level.

There are three levels of event logging:

  • Errors Only Level
  • Auditing Level
  • Details Level

Each higher level includes all previous levels. Events are logged on the computer where the event occurred.

For most normal tasks it is enough to set the level to Auditing Level. This would cover all logon events, authentication events, fingerprint management events, user management events, etc. Setting a very high level of event logging will fill the log file quickly.

Log Status events

Note that logging of Status events is not enabled by default, and must be separately enabled by selecting the Log Status Events checkbox. Status events provide information about the state of various policies and components on client computers. They are logged on configurable intervals and generally used when events are remotely collected.

General Administration

Quick Actions

Specifies administrator-defined Quick Actions (DigitalPersona LDS Workstation only) that are performed automatically when a user presents an authorized and enrolled credential, or credential plus the Ctrl or Shift keys.

  • If enabled, the administrator can specify the Quick Action to be performed by the DigitalPersona client.
  • If disabled, no Quick Action is performed for the selected credential and Ctrl or Shift key combination on the DigitalPersona client.
  • If not configured, the default or user-specified Quick Action is performed on the DigitalPersona client.

Select one of the Quick Action options to be performed by the DigitalPersona client, as explained below.

Password Manager Action – If the active window is associated with a personal or managed logon, stored logon data will be filled in. If there is no associated logon, and “Allow creation of personal logons” is enabled or not configured, the User Training Tool displays.

Lock Workstation – Locks the computer.

Compatibility with Microsoft fingerprint support

For Quick Actions to work, the DigitalPersona client software must always maintain an exclusive connection to the fingerprint reader. This exclusivity prevents other software from using the reader, including Microsoft’s built-in fingerprint support.

This setting enables or disables Quick Actions that use fingerprints (Finger Actions), thus allowing use of the fingerprint reader in other applications.

  • If enabled, Finger Actions are disabled, and other fingerprint software can use the fingerprint reader whenever the DigitalPersona software does not require exclusive use for authentication and fingerprint enrollment.
  • If disabled or not configured, Finger Actions work, but other fingerprint software (including Microsoft’s) cannot use the fingerprint reader.

Note that if the DigitalPersona “Verify Your Identity” dialog or DigitalPersona fingerprint enrollment process is running, they will use the fingerprint reader exclusively, but as soon as they finish, other applications can use the fingerprint reader again.

AD LDS instance name

Specifies the name of an AD LDS instance where a DigitalPersona LDS Server is hosted.

  • If enabled, and an instance name is entered, queries are sent to the specified AD LDS instance.
  • If disabled or not configured, queries are sent to any AD LDS instance that is found.

Do not launch the Getting Started wizard upon logon

  • If enabled, the DigitalPersona LDS user console and the Getting Started page do not start automatically after user logon.
  • If disabled or not configured, the DigitalPersona LDS user console and the Getting Started page start automatically after user logon.

Allow DigitalPersona client to use DigitalPersona Server

  • If enabled or not configured, DigitalPersona clients attempt to contact a DigitalPersona LDS Server to obtain services.
  • If disabled, DigitalPersona clients do not attempt to contact a DigitalPersona LDS Server, and use cached data.

Show Taskbar icon

  • If enabled or not configured, a Taskbar icon is displayed on managed computers.
  • If disabled, the Taskbar icon is not displayed.

Maximum size of identification list

The identification list contains an administrator-specified number of user accounts. It is used in conjunction with cached credentials to identify a user by their fingerprint and, as an added convenience, frees them from typing their user name and domain at Windows logon.

  • If enabled, you can specify the maximum number of users the identification list can hold on a particular computer. Type the number of users in the Maximum size of identification list text box. While the number of credentials that can be cached is virtually unlimited, the maximum number of users that can be added to the identification list is 100; the minimum is 0.
  • If disabled or not configured, the default value of 10 is used.

Users are added to the identification list in the order they log on. The most recent user to log on is added to the top of the list. If the list has exceeded its capacity, the least recent user to log on is removed from the list when another user logs on. If a user is already on the list and logs on again, they are moved from their original position on the list and placed on top.

Once removed from the list, a user can still use their cached credentials (if enabled), but they must type their user name and domain manually.

  • If DigitalPersona is deployed in a networked environment, it performs identification locally out of the set of users in the identification list and then, for added security, confirms the user’s identity with the DigitalPersona LDS Server.

Allow VPN-less access

Specifies the URL for VPN-less access.

This feature allows logon to Windows and access to other resources when users are outside of their corporate network without a VPN connection.

  • If enabled and a valid URL to the DPCA Web Proxy is entered, the web proxy is used.
  • If disabled or not configured, VPN-less access is not available.

Requires installation and valid configuration of the DigitalPersona Web Management Components.

Managed applications

Disable Applications 

Prevent Password Manager from running

  • If enabled, the Password Manager application is prevented from running.
  • If disabled or not configured, the Password Manager application is allowed to run.

Password Manager

Display password complexity popup

  • If enabled or not configured, the password complexity popup is displayed when modifying protected fields of a logon profile.
  • If disabled, the popup is not displayed.

Security/Settings

Allow Localhost Loopback

Configure whether or not to allow the client computer to use Localhost Loopback from their web browsers.

Some product features require communication between a client’s web browser and a locally attached hardware device such as a fingerprint reader. DigitalPersona uses a web service named ‘Localhost Loopback’ for this purpose. Be aware that enabling this feature does involve some security risk where malicious websites may be able to communicate with hardware on the local machine.

  • If enabled or not configured, Localhost Loopback is allowed.
  • If disabled, Localhost Loopback is not allowed. Features such as fingerprint or smart card authentication will not work within client web browsers.

Enable Recovery Questions

Configures whether or not to allow Self Password Recovery, a feature that allows users to gain access to the computer in the event that they are unable to authenticate with the required credentials.

  • If enabled, administrators can configure requirements for Self Password Recovery and users are able to use Self Password Recovery to log on.
  • If disabled or not configured, Self Password Recovery functionality is not available to users.

Administrators can:

  • Select questions from a predefined list that users must answer to set up and use Self Password Recovery.
  • Allow users to type their own custom questions.
  • Add up to three administrator-defined custom questions.

Localhost Loopback Origins

Specifies origins for which Localhost Loopback will be enabled.

  • If enabled, specifies the websites for which Localhost Loopback will be enabled. Enter the website origins in semicolon-delimited format, e.g., www.celestix.com;www.mydomain.com. Localhost Loopback is enabled only for the specified websites and disabled for all others.
  • If disabled or not configured, Localhost Loopback is enabled for all websites. Be aware that this involves some security risk, as malicious websites may be able to communicate with hardware on the local machine.

DigitalPersona Server (Detail)

Authentication Devices

Fingerprints

Fingerprint enrollment

Configure settings related to fingerprint enrollment.

  • Minimum number of enrolled fingerprints

This setting requires that the user enroll at least the specified number of fingerprints.

If disabled or not configured, the minimum number of fingerprints required for enrollment is 1.

  • Maximum number of enrolled fingerprints:

This setting restricts the number of fingerprints that a user can enroll.

If disabled or not configured, the maximum number of fingerprints allowed for enrollment is 10.

Note: Enrolling just one fingerprint increases the probability of a user not being able to authenticate. However, enrolling several fingerprints increases the probability of false acceptance.

Fingerprint verification

Configures the False Accept Rate (FAR), which is the probability of receiving an acceptance decision when comparing fingerprints scanned from different fingers.

Specify the value 1 in N where one false acceptance is likely to occur in N verification attempts. For example, if you select 1 in 10,000 it means that, on average, one false acceptance will occur when a fingerprint is compared against ten thousand fingerprints scanned from different fingers. If you select 1 in 100,000 the probability is one in one hundred thousand.

The higher the value N specified, the lower the chance of receiving a false acceptance. If this value is too high, the system may reject legitimate fingerprints.

  • If enabled, you can set the False Accept Rate for fingerprint verification.
  • If disabled or not configured, the value of 1 in 100,000 FAR is used.

NOTE: FAR is set on a per verification basis. When matching a fingerprint against fingerprints of multiple users (identification), the internally used FAR is automatically adjusted to maintain the same effective FAR as was selected for a single match.

PIN

PIN enrollment

Configure settings related to enrollment of a user’s PIN credential.

  • If enabled, specifies the minimum and maximum length of a user PIN. Use the up and down arrow keys to set the minimum and maximum length of the PIN.
  • If disabled or not configured, the minimum length of the PIN is 6 and the maximum length is

Longer PINs increase security, by making it more difficult to try all possible combinations of characters to discover the PIN.

Credentials verification lockout

Allow users to unlock their Windows account using DigitalPersona Self Password Recovery

Configure whether or not users are allowed to unlock their Windows account using DigitalPersona Self Password Recovery.

  • If enabled, users are allowed to unlock their Windows account.
  • If disabled or not configured, users are not allowed to unlock their Windows account. User accounts can only be unlocked by the domain administrator.

Account lockout duration

Configure the number of minutes an account is locked out before automatically being unlocked. To specify that the account will be locked out until the administrator explicitly unlocks it, set the value to 0. The Account lockout duration must be greater than or equal to the reset time.

  • If enabled, you can set a value between 1 and 99999 minutes.
  • If disabled or not configured, the duration of the lockout is 30 minutes.

Reset account lockout counter after

Configure the number of minutes that must elapse after a failed credential verification attempt before the account lockout counter is reset to 0. The reset time must be less than or equal to the Account lockout duration.

  • If enabled, you can set a value between 1 and 99999 minutes.
  • If not configured, the counter is reset after 5 minutes.

Account lockout threshold

Configure the number of failed credential verification attempts that causes a user account to be locked out. The lockout applies to verification of all credentials except the Windows password, which is governed by the Windows lockout policy.

A user cannot access a locked out account using any credential (except their Windows password) until it is reset by an administrator or until the account lockout duration has expired.

  • If enabled, you can set a value between 1 and 999 failed fingerprint verification attempts, or you can specify that the account will never be locked out due to fingerprint verification by setting the value to
  • If disabled or not configured, the account is never locked out due to failure of fingerprint verification.
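
The three settings above (threshold, reset counter, duration) only make sense together, so here is an added example of the lockout state machine they describe, written for this page rather than taken from DigitalPersona. Times are in minutes as in the policy; a duration of 0 models "locked until the administrator unlocks", as the Account lockout duration setting says; treating a threshold of 0 as "never lock" is this example's own convention for the disabled case, not something the page states. The constraint that duration must be greater than or equal to the reset time is enforced at construction.

```python
"""Added example (not DigitalPersona code): how Account lockout threshold,
Reset account lockout counter after and Account lockout duration interact
for non-password credential verification. All times are in minutes."""
from dataclasses import dataclass
from typing import Optional

ADMIN_UNLOCK_ONLY = 0   # duration 0 = locked until an administrator unlocks


@dataclass
class LockoutPolicy:
    threshold: int      # failed verifications before lockout; 0 = never lock (example convention)
    reset_after: int    # quiet minutes after a failure before the counter returns to 0
    duration: int       # minutes locked; 0 = until administrator unlocks

    def __post_init__(self) -> None:
        # The guide requires the duration to be >= the reset time.
        if self.duration != ADMIN_UNLOCK_ONLY and self.duration < self.reset_after:
            raise ValueError("Account lockout duration must be >= reset time")


@dataclass
class AccountLockoutState:
    policy: LockoutPolicy
    failures: int = 0
    last_failure_at: Optional[int] = None
    locked_at: Optional[int] = None

    def is_locked(self, now: int) -> bool:
        """Locked until the duration expires (auto-unlock) or an admin unlocks."""
        if self.locked_at is None:
            return False
        if self.policy.duration == ADMIN_UNLOCK_ONLY:
            return True
        if now >= self.locked_at + self.policy.duration:
            self._clear()            # duration elapsed: account unlocks itself
            return False
        return True

    def record_failure(self, now: int) -> bool:
        """A failed fingerprint/PIN/card verification. Returns True if the
        account is (now) locked. Windows password failures are NOT counted here;
        they fall under the Windows lockout policy."""
        if self.is_locked(now):
            return True
        if (self.last_failure_at is not None
                and now - self.last_failure_at >= self.policy.reset_after):
            self.failures = 0        # quiet period elapsed: counter was reset to 0
        self.failures += 1
        self.last_failure_at = now
        if self.policy.threshold and self.failures >= self.policy.threshold:
            self.locked_at = now
            return True
        return False

    def record_success(self, now: int) -> bool:
        """A correct credential is only honoured when not locked; it clears the counter."""
        if self.is_locked(now):
            return False
        self._clear()
        return True

    def admin_unlock(self) -> None:
        self._clear()

    def _clear(self) -> None:
        self.failures = 0
        self.last_failure_at = None
        self.locked_at = None
```

Note the asymmetry that matters operationally: a reset time of 5 minutes means an attacker who paces guesses more than 5 minutes apart never trips a threshold of 3, while a 30-minute duration means a locked user regains access on their own after half an hour unless the duration is set to 0.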

Event Logging

Level of detail in event logs

Determines whether DigitalPersona LDS logs events, such as credential enrollment and authentication attempts, in the Windows Event Log.

There are three levels of event logging:

  • Errors Only Level
  • Auditing Level
  • Details Level

Each higher level includes all previous levels. Events are logged on the computer where they occur.

Normally, the Auditing Level provides sufficient detail, covering all logon, authentication, credential and user management events, etc. Higher levels will fill the log file much more quickly.

  • If enabled, DigitalPersona logs events for the specified level.
  • If disabled or not configured, events are logged at the Auditing level.

Log Status events

Status events provide information about the state of various policies and components on client computers. They are logged at configurable intervals and are generally used when events are collected remotely; the interval at which status events are reported can also be configured. Note that logging of Status events is not enabled by default, and must be separately enabled by selecting the Log Status Events checkbox.

Identification Server settings

Perform fingerprint identification on server

Specifies whether fingerprint identification is performed on the DigitalPersona Server or against the local computer cache.

  • If enabled or not configured, fingerprint identification requests are directed to a DigitalPersona Server, where the provided fingerprint data is compared to the data for every user with enrolled fingerprints in the Active Directory domain. Note that after enabling this setting, you will need to wait about 15 minutes before identification is available – or you can restart the DigitalPersona Server to refresh the
  • If disabled, fingerprint identification requests are processed on the local computer, where the provided fingerprint data is compared to the data for every user with enrolled fingerprints in the local computer

The default is “not configured.” Note that the default of not configured for this setting has the opposite effect from the same setting in the previous DigitalPersona Pro software where not configured resulted in fingerprint identification requests being processed on the local computer.

Windows Password

Allow users to reset their Windows passwords

Specifies whether or not users are allowed to reset their Windows passwords using their previously enrolled DigitalPersona Recovery Questions.

  • If enabled, users are allowed to reset their Windows passwords. When enabling this setting, make sure that users are allowed to enroll their Recovery Questions.
  • If disabled or not configured, users are not allowed to reset their Windows passwords, which then may only be reset by the domain administrator.

Path to DigitalPersona Secure Token Server (STS)

Specifies the path (URL) to the DigitalPersona Secure Token Server (STS). For example: https://servername.domainname/dppassivests. This path is required in order to send an email verification message to the user.

  • If enabled and a valid URL is entered, email verification messages can be sent to the user.
  • If disabled or not configured, email verifications cannot be sent to the user.

DigitalPersona Client (Detail)

Managed applications

Password Manager

Allow creation of personal logons

Allows users to create and use personal logons for websites and programs.

  • If enabled or not configured, creation of personal logons by users is allowed.
  • If disabled, creation of personal logons by users is not allowed.

Managed logons

Configure settings for managed logons that govern access to account data and the deployment of logons to users. If enabled, the options listed below can be configured.

If disabled or not configured managed logons will not be available to users.

  • Allow users to view managed logon passwords: If this option is selected, users are allowed to view their managed logon passwords after verifying their identity. If unselected, users are not allowed to view managed logon passwords.
  • Allow users to edit account data: If this option is selected, users can edit their account data. If unselected, users cannot edit account data.
  • Allow users to add account data: If this option is selected, users can add to their account data. If unselected, users cannot add new account data.
  • Allow users to delete account data: If this option is selected, users can delete their account data. If unselected, users cannot delete account data.
  • Path(s) to the managed logons folder(s): When the setting is enabled, managed logons located in the specified folder are copied to all DigitalPersona LDS computers that have this setting applied. Multiple folders may be specified by separating the paths with a pipe character (|). If no valid path is specified, managed logons will not be available to users.