Symantec Mobility: Suite lets you create a policy that lets iOS device users use a PIN to authenticate to the Work Hub. For iOS devices that support Touch ID, users can now choose whether they want to log into the Work Hub using their Touch ID or their Work Hub PIN. If for some reason Touch ID fails, user can enter their Work Hub PIN to authenticate. Touch ID can also be used on all applications where the PIN is supported. But it cannot be used to authenticate in offline mode.
The PIN/Touch ID policy lets users access the Work Hub, the WorkSpace, sealed, and wrapped apps making access easier and more convenient. And this same PIN works across all of a user's enrolled devices for both online and offline use (Touch ID is not supported for offline use). Not only is the PIN/Touch ID easier to enter than IDP credentials, but it also serves as single sign-on. When users authenticate to wrapped or sealed apps and then open the Work Hub, they won't have to reauthenticate. Note that single sign-on based on authenticating to the Work Hub first does not apply to subsequent access to sealed and wrapped apps. Touch ID is supported for the in-house and public Work Hubs.
Authentication requirements in the app policy take precedence over the iOS Work Hub PIN policy. For example, if the PIN policy is disabled but the app policy requires authentication to access the app, IDP authentication is still required. You must also enable the user to access the app offline in the app policy for the offline PIN to function.
The iOS PIN/Touch ID policy is supported for all identity providers. And it works whether mobile device management (MDM) is enabled or not. The Work Hub PIN/Touch ID policy is currently only supported for iOS. However, Android does support offline PINs.
When new users enroll, after they authenticate to access to the Work Hub using their IDP credentials, they are prompted to set up a user PIN. For users who are already enrolled, the next time they access the Work Hub, after they type their IDP credentials, they are prompted to set up a user PIN. If a user forgets their PIN, they can still authenticate using their IDP credentials.
The Work Hub PIN is enabled by default with default settings. But you can modify these settings to customize these settings to make the requirements more or less lenient. For an iOS PIN policy to take effect, you must rewrap your apps and rebuild our Work Hub.