Technical Note
Managing Face ID authentication with BlackBerry
Dynamics apps on iPhone X devices
Published: 2017-11-09
SWD-20171109091437240
Managing Face ID authentication with
BlackBerry Dynamics apps on iPhone
X devices
Summary
This document provides an overview of Face ID support for BlackBerry Dynamics apps and the BlackBerry UEM Client with the
release of the iPhone X device on November 3, 2017. It describes how to manage authentication with BlackBerry Dynamics
apps and the BlackBerry UEM Client using Face ID on iPhone X devices. For more information on security and Face ID, see
Apple's Face ID Security guide.
Note: This document focuses on how to manage authentication with BlackBerry Dynamics apps but there is also device policy
in Good Control and an IT policy in BlackBerry UEM that allows or prevents users from unlocking their devices using Touch ID.
This setting is independent from the other settings discussed in this document and does not
aect whether Touch ID or Face ID
can be used to authenticate with BlackBerry Dynamics apps and the BlackBerry UEM Client.
Expected behavior
On iPhone X devices, all BlackBerry Dynamics apps and the BlackBerry UEM Client will automatically support authentication
with Face ID, but there are no unique policies for managing authentication with Face ID. Although Touch ID is not supported on
iPhone X devices, you can manage authentication with Face ID using the existing Touch ID policies. Note that BlackBerry has
performed testing on a simulator only and this document will be updated with required changes after iPhone X devices are
available.
How existing Touch ID policies work with Face ID in BlackBerry UEM
Until separate policies are added to BlackBerry UEM to manage Face ID, Face ID authentication is controlled by the existing iOS
Touch ID policy settings set in BlackBerry Dynamics profiles. The following is a summary of the existing Touch ID policies and
how they work with Face ID:
Policy setting
Behavior
Allow Touch ID
Select this option to allow a user to start BlackBerry Dynamics
apps and the BlackBerry UEM Client using Touch ID or Face
ID when the apps are already open in the app switcher. If you
deselect this option, users cannot start apps using Face ID or
Touch ID and must enter a password instead.
Enable Touch ID From cold start Select this option to allow a user to start BlackBerry Dynamics
apps and the BlackBerry UEM Client using Touch ID or Face
1
Managing Face ID authentication with BlackBerry Dynamics apps on iPhone X devices
4
Policy setting Behavior
ID when the apps are not already open in the app switcher. If
you deselect this option, users cannot start apps using Face ID
or Touch ID and must enter a password instead.
Require password to be re-entered and disable Touch ID Select this option to specify the amount of time that can pass
before a user must enter a password when they start
BlackBerry Dynamics apps and the BlackBerry UEM Client.
After the user enters the password, Face ID can be used again
for the specified amount of time.
Allowing and restricting Face ID using BlackBerry UEM
• Allow Face ID on iPhone X devices and Touch ID on all other compatible devices: Create a separate BlackBerry
Dynamics profile for users who want to authenticate using Face ID and make sure that the Allow Touch ID option is
selected in the user's profile and that iPhone X is permitted in the iOS hardware models list. Users that are assigned
this policy can use
Face ID on their iPhone X devices and Touch ID on other allowed iOS devices.
• Restrict Face ID on iPhone X devices and Touch ID on all other compatible devices: Deselect the Allow Touch ID
option for users who do not need to authenticate using Face ID. Users that are assigned to this BlackBerry Dynamics
profile cannot use Touch ID or Face ID and must enter a password instead. You can move iPhone X users to a profile
that disables Touch ID and leave other users on a profile with Touch ID enabled.
• Restrict Face ID on iPhone X devices but allow Touch ID on other compatible devices: Create a device group for
iPhone X devices and then assign a BlackBerry Dynamics profile to that device group with settings that restrict Touch
ID. For more information on creating device groups in BlackBerry UEM, see Creating device groups.
• Restrict iPhone X devices: You can also restrict device models to make sure that there are no iPhone X users assigned
to a policy that allows Touch ID. In BlackBerry UEM, hardware model restrictions are set in activation profiles. Create a
separate BlackBerry Dynamics profile for users who want to authenticate using Touch ID and make sure that the Allow
Touch ID option in BlackBerry UEM is selected in the user's profile and that iPhone X is not permitted in the
iOShardware models list in the user's activation profile. Users that are assigned these profiles will not be able to use
Face ID or iPhone X devices. Users will be allowed to use Touch ID on other allowed iOS devices.
For more information on managing BlackBerry Dynamics profiles, device groups, or restricting hardware models in BlackBerry
UEM, see the the BlackBerry UEM administration content.
How existing Touch ID policies work with Face ID in Good Control
Until separate policies are added to Good Control to manage Face ID, Face ID authentication is controlled by the existing iOS
Touch ID security policy settings. The following is a summary of the existing Touch ID security policies and how they work with
Face ID:
Managing Face ID authentication with BlackBerry Dynamics apps on iPhone X devices
5
Policy setting Behavior
Allow Touch ID for Idle Unlock Select this option to allow a user to start BlackBerry Dynamics
apps and the BlackBerry UEM Client using Touch ID or Face
ID when the apps are already open in the app switcher. If you
deselect this option, users cannot start apps using Face ID or
Touch ID and must enter a password instead.
Enable Touch ID From Cold Start Select this option to allow a user to start BlackBerry Dynamics
apps and the BlackBerry UEM Client using Touch ID or Face
ID when the apps are not already open in the app switcher. If
you deselect this option, users cannot start apps using Face ID
or Touch ID and must enter a password instead.
Force Password re-entry after Select this option to specify the amount of time that can pass
before a user must enter a password when they start
BlackBerry Dynamics apps and the BlackBerry UEM Client.
After the user enters the password, Face ID can be used again
for the specified amount of time.
Allowing and restricting Face ID
• Allow Face ID on iPhone X devices and Touch ID on all other compatible devices: Create a separate security policy
for users who want to authenticate using Face ID and make sure that the Allow Touch ID for Idle Unlock option is
selected in the user's policy and that iPhone X is permitted in the iOS hardware models list. Users that are assigned
this policy can use Face ID on their iPhone X devices and Touch ID on other allowed iOS devices.
• Restrict Face ID on iPhone X devices and Touch ID on all other compatible devices: Deselect the Allow Touch ID for
Idle Unlock option for users who do not need to authenticate using Face ID. Users that are assigned to this security
policy cannot use Touch ID or Face ID and must enter a password instead. You can move iPhone X users to a security
policy that disables Touch ID and leave other users on a security policy with Touch ID enabled.
• Restrict iPhone X devices: You can also restrict device models, to make sure that there are no iPhone X users
assigned to a policy that allows Touch ID. In Good Control, hardware model restrictions are set in the Permitted
hardware models list in a compliance policy. Create a separate security policy for users who want to authenticate
using Touch ID and make sure that the Allow Touch ID for Idle Unlock option is selected in the user's policy and that
iPhone X is not permitted in the iOShardware models list. Users that are assigned this policy will not be able to use
Face ID or iPhone X devices. Users will be allowed to use Touch ID on other allowed iOS devices.
For more information on managing Touch ID security policies or restricting hardware models in Good Control, see the Good
Control Online Help.
User experience
When user launches an app after idle timeout or restart, they see an iOS system message stating that "This app was designed to
use Touch ID and may not fully support Face ID." Users can select one of the following options:
Managing Face ID authentication with BlackBerry Dynamics apps on iPhone X devices
6
• Don’t Allow: Users will be required to use their BlackBerry Dynamics password to start their apps.
• Ok: Users will be prompted to use Face ID. If successful, the app will start. If Face ID is not successful, they will get an
error message to try again or they can cancel and enter their BlackBerry Dynamics password instead.
Several of the BlackBerry Dynamics user on-screen messages will continue to refer to Touch ID, instead of Face ID, until the
messages are updated in a future release. Although screen prompts refer to Touch ID, the impact will actually be for Face ID.
The following are some scenarios where this will occur:
• A user activates a new app: If a user activates a new app on an iPhone X device and the Touch ID policy is enabled, the
user is prompted to enter and confirm their password and enable Touch ID. If Touch ID is enabled, then Face ID will be
allowed.
• An administrator enables Touch ID in a security policy: If an administrator enables the use of Touch ID, users will see a
message stating that their "IT Administrator has allowed Touch ID". For iPhone X devices, Face ID will be allowed.
• An administrator disables Touch ID in a policy: If an administrator disables the use of Touch ID, users will see a
message stating that their “IT Administrator has changed the password policy and removed usage of Touch ID”. For
iPhone X devices, Face ID will no longer be allowed.
• A user unlocks an app: When unlocking an app on iPhone X devices, users will be prompted to use “Touch ID for App
X” and to “Authenticate using your
finger” instead of being prompted to use Face ID.
• A user receives a Face ID error: If a user tries to authenticate with Face ID on iPhone X devices, and there is error, they
receive the message to “Authenticate using your finger” instead of telling them to use Face ID.
• A user uses Easy Activation to activate an app: If user tries to easy activate using Face ID on iPhone X devices, they will
be prompted to use Touch ID instead.
• A user performs a cold start of an app: If Touch ID is not allowed for cold start on iPhone X devices, users receive a
message that references Touch ID instead of Face ID.
• A user makes changes to Face ID: When users change Face ID enrollment updating biometrics on iPhone X devices,
they are prompted to enter their password and the message will reference Touch ID instead of Face ID.
Future support
In an upcoming release, you will be able to manage Face ID separately from Touch ID and users will see updated Face ID
messaging on their iPhone X devices.
Managing Face ID authentication with BlackBerry Dynamics apps on iPhone X devices
7
Legal notice
©
2017 BlackBerry Limited. Trademarks, including but not limited to BLACKBERRY, BBM, BES, EMBLEM Design, ATHOC,
MOVIRTU and SECUSMART are the trademarks or registered trademarks of BlackBerry Limited, its subsidiaries and/or
aliates, used under license, and the exclusive rights to such trademarks are expressly reserved. All other trademarks are the
property of their respective owners.
iOS is a trademark of Cisco Systems, Inc. and/or its aliates in the U.S. and certain other countries. iOS
®
is used under license
by Apple Inc. Apple, iPhone and Touch ID are trademarks of Apple Inc. All other trademarks are the property of their respective
owners.
This documentation including all documentation incorporated by reference herein such as documentation provided or made
available on the BlackBerry website provided or made accessible "AS IS" and "AS AVAILABLE" and without condition,
endorsement, guarantee, representation, or warranty of any kind by BlackBerry Limited and its aliated companies
("BlackBerry") and BlackBerry assumes no responsibility for any typographical, technical, or other inaccuracies, errors, or
omissions in this documentation. In order to protect BlackBerry proprietary and
confidential information and/or trade secrets,
this documentation may describe some aspects of BlackBerry technology in generalized terms. BlackBerry reserves the right to
periodically change information that is contained in this documentation; however, BlackBerry makes no commitment to provide
any such changes, updates, enhancements, or other additions to this documentation to you in a timely manner or at all.
This documentation might contain references to third-party sources of information, hardware or software, products or services
including components and content such as content protected by copyright and/or third-party websites (collectively the "Third
Party Products and Services"). BlackBerry does not control, and is not responsible for, any Third Party Products and Services
including, without limitation the content, accuracy, copyright compliance, compatibility, performance, trustworthiness, legality,
decency, links, or any other aspect of Third Party Products and Services. The inclusion of a reference to Third Party Products
and Services in this documentation does not imply endorsement by BlackBerry of the Third Party Products and Services or the
third party in any way.
EXCEPT TO THE EXTENT SPECIFICALLY PROHIBITED BY APPLICABLE LAW IN YOUR JURISDICTION, ALL CONDITIONS,
ENDORSEMENTS, GUARANTEES, REPRESENTATIONS, OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING
WITHOUT LIMITATION, ANY CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS OR WARRANTIES OF
DURABILITY, FITNESS FOR A PARTICULAR PURPOSE OR USE, MERCHANTABILITY, MERCHANTABLE QUALITY, NON-
INFRINGEMENT, SATISFACTORY QUALITY, OR TITLE, OR ARISING FROM A STATUTE OR CUSTOM OR A COURSE OF DEALING
OR USAGE OF TRADE, OR RELATED TO THE DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF
ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN, ARE
HEREBY EXCLUDED. YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY BY STATE OR PROVINCE. SOME JURISDICTIONS MAY
NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES AND CONDITIONS. TO THE EXTENT PERMITTED BY
LAW, ANY IMPLIED WARRANTIES OR CONDITIONS RELATING TO THE DOCUMENTATION TO THE EXTENT THEY CANNOT BE
EXCLUDED AS SET OUT ABOVE, BUT CAN BE LIMITED, ARE HEREBY LIMITED TO NINETY (90) DAYS FROM THE DATE YOU
FIRST ACQUIRED THE DOCUMENTATION OR THE ITEM THAT IS THE SUBJECT OF THE CLAIM.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, IN NO EVENT SHALL BLACKBERRY
BE LIABLE FOR ANY TYPE OF DAMAGES RELATED TO THIS DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-
PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES
2
Legal notice
8
REFERENCED HEREIN INCLUDING WITHOUT LIMITATION ANY OF THE FOLLOWING DAMAGES: DIRECT, CONSEQUENTIAL,
EXEMPLARY, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR AGGRAVATED DAMAGES, DAMAGES FOR LOSS OF PROFITS
OR REVENUES, FAILURE TO REALIZE ANY EXPECTED SAVINGS, BUSINESS INTERRUPTION, LOSS OF BUSINESS
INFORMATION, LOSS OF BUSINESS OPPORTUNITY, OR CORRUPTION OR LOSS OF DATA, FAILURES TO TRANSMIT OR
RECEIVE ANY DATA, PROBLEMS ASSOCIATED WITH ANY APPLICATIONS USED IN CONJUNCTION WITH BLACKBERRY
PRODUCTS OR SERVICES, DOWNTIME COSTS, LOSS OF THE USE OF BLACKBERRY PRODUCTS OR SERVICES OR ANY
PORTION THEREOF OR OF ANY AIRTIME SERVICES, COST OF SUBSTITUTE GOODS, COSTS OF COVER, FACILITIES OR
SERVICES, COST OF CAPITAL, OR OTHER SIMILAR PECUNIARY LOSSES, WHETHER OR NOT SUCH DAMAGES WERE
FORESEEN OR UNFORESEEN, AND EVEN IF BLACKBERRY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, BLACKBERRY SHALL HAVE NO
OTHER OBLIGATION, DUTY, OR LIABILITY WHATSOEVER IN CONTRACT, TORT, OR OTHERWISE TO YOU INCLUDING ANY
LIABILITY FOR NEGLIGENCE OR STRICT LIABILITY.
THE LIMITATIONS, EXCLUSIONS, AND DISCLAIMERS HEREIN SHALL APPLY: (A) IRRESPECTIVE OF THE NATURE OF THE
CAUSE OF ACTION, DEMAND, OR ACTION BY YOU INCLUDING BUT NOT LIMITED TO BREACH OF CONTRACT, NEGLIGENCE,
TORT, STRICT LIABILITY OR ANY OTHER LEGAL THEORY AND SHALL SURVIVE A FUNDAMENTAL BREACH OR BREACHES
OR THE FAILURE OF THE ESSENTIAL PURPOSE OF THIS AGREEMENT OR OF ANY REMEDY CONTAINED HEREIN; AND (B)
TO BLACKBERRY AND ITS AFFILIATED COMPANIES, THEIR SUCCESSORS, ASSIGNS, AGENTS, SUPPLIERS (INCLUDING
AIRTIME SERVICE PROVIDERS), AUTHORIZED BLACKBERRY DISTRIBUTORS (ALSO INCLUDING AIRTIME SERVICE
PROVIDERS) AND THEIR RESPECTIVE DIRECTORS, EMPLOYEES, AND INDEPENDENT CONTRACTORS.
IN ADDITION TO THE LIMITATIONS AND EXCLUSIONS SET OUT ABOVE, IN NO EVENT SHALL ANY DIRECTOR, EMPLOYEE,
AGENT, DISTRIBUTOR, SUPPLIER, INDEPENDENT CONTRACTOR OF BLACKBERRY OR ANY AFFILIATES OF BLACKBERRY
HAVE ANY LIABILITY ARISING FROM OR RELATED TO THE DOCUMENTATION.
Prior to subscribing for, installing, or using any Third Party Products and Services, it is your responsibility to ensure that your
airtime service provider has agreed to support all of their features. Some airtime service providers might not oer Internet
browsing functionality with a subscription to the BlackBerry
®
Internet Service. Check with your service provider for availability,
roaming arrangements, service plans and features. Installation or use of Third Party Products and Services with BlackBerry's
products and services may require one or more patent, trademark, copyright, or other licenses in order to avoid infringement or
violation of third party rights. You are solely responsible for determining whether to use Third Party Products and Services and if
any third party licenses are required to do so. If required you are responsible for acquiring them. You should not install or use
Third Party Products and Services until all necessary licenses have been acquired. Any Third Party Products and Services that
are provided with BlackBerry's products and services are provided as a convenience to you and are provided "AS IS" with no
express or implied conditions, endorsements, guarantees, representations, or warranties of any kind by BlackBerry and
BlackBerry assumes no liability whatsoever, in relation thereto. Your use of Third Party Products and Services shall be governed
by and subject to you agreeing to the terms of separate licenses and other agreements applicable thereto with third parties,
except to the extent expressly covered by a license or other agreement with BlackBerry.
The terms of use of any BlackBerry product or service are set out in a separate license or other agreement with BlackBerry
applicable thereto. NOTHING IN THIS DOCUMENTATION IS INTENDED TO SUPERSEDE ANY EXPRESS WRITTEN
AGREEMENTS OR WARRANTIES PROVIDED BY BLACKBERRY FOR PORTIONS OF ANY BLACKBERRY PRODUCT OR SERVICE
OTHER THAN THIS DOCUMENTATION.
BlackBerry Enterprise Software incorporates certain third-party software. The license and copyright information associated with
this software is available at http://worldwide.blackberry.com/legal/thirdpartysoftware.jsp.
Legal notice
9
BlackBerry Limited
2200 University Avenue East
Waterloo, Ontario
Canada N2K 0A7
BlackBerry UK Limited
200 Bath Road
Slough, Berkshire SL1 3XE
United Kingdom
Published in Canada
Legal notice
10
