To access the Security Policy page, click on the Settings tab and select Security Policy.
The Security Policy page is broken into categories, and offers exceptions to rules.
Automatic device enrolment
If allowed each device will be added to the approved devices list if valid user credentials are provided at the login screen on the device.
If disallowed, each device requires approval by an AsdeqDocs administrator on the Device Management screen before it can sync anything.
Required check-in timeout
When set to On this rule requires a number of days be set for the required check-in time. If a device does not connect with the server within the specified check-in time, then all files are erased from the device container. Each time a user successfully connects their device to the server the timeout period for the device is reset.
If set to Off then there is no required check-in time, nor automatic erasure of documents.
Offline login credentials
If allowed the users will be able to access the files in their libraries while offline (out of Wi-Fi or data network range, e.g. in an airplane).
If disallowed, the users will not be able to access files or log in to AsdeqDocs/AsdeqForms while offline.
If allowed the app will permit logging in to a previously synced copy of AsdeqDocs using a fingerprint reader instead of typing a password.
If disallowed users will have to enter their password to access AsdeqDocs/AsdeqForms.
If allowed the app will pre-fill the ‘username’ field on the login screen with the most recently entered value.
If disallowed, users will have to enter their username each time they log in to AsdeqDocs/AsdeqForms.
Remember Me - Device
When set to allow this rule requires a number of minutes be set. This sets the amount of time that the AsdeqDocs/AsdeqForms app can be in the background before the user is required to provide their credentials again to continue accessing files.
Setting this to Disallow will require the user to log back into AsdeqDocs every time they put the app into the background.
Some device operating systems will override this setting while AsdeqDocs/AsdeqForms is in the background if resource demands on the device become high and available resources are low. To ensure high security is maintained, AsdeqDocs will request a login when the user brings AsdeqDocs to the foreground.
If you wish to allow users to log in without a password, you can select Even if the app stops running or Allow Forever. These options store an encrypted password in the device's keychain, and allow users to log in even if the app is killed or the device is restarted.
Remember Me - Web
Allows users to resume their web session without logging in again, for the set amount of time. Enabling this functionality adds a checkbox below the username/password on the web login screen.
If enabled a log is recorded of events on the client application such as: login, file access, searches performed, file upload, Email, etc. Each action is recorded with the current location of the device if location services are enabled on the device.
If disabled then activity auditing will not be available for device/user file access.
Record Device Location
If enabled then each device with GPS location capabilities will record the device location when reporting events back to the audit log (see Audit logging above).
If disabled then devices do not report their location when reporting events back to the audit log.
Encryption on device
While enabling this option does have a small processing overhead, it greatly adds to security by encrypting files on the client devices. As such, it is recommended that this be enabled.
If disabled the AES-256 encryption is not utilized and files are stored in the same manner as all other data on the device. If device level encryption is enabled (via Data Protection e.g. the use of a passcode) then the container is encrypted in that manner. Disabling this setting is not recommended for environments where any documents are of a sensitive, private, or commercially important nature.
Enforce Restricted SSL Policy
If enabled AsdeqServer will reject new self-signed or untrusted certificates, blocking man-in-the-middle attacks.
If disabled then new self-signed and untrusted certificates are accepted for connections.
If allowed, the device user can email files from AsdeqDocs using the device's native email functionality. This creates a potential security risk. This feature will only be available on the client if the device has an email account configured.
If disallowed the users will not see the Email option.
Open Files on Other Applications
If allowed, the device user can use the native "Open In..." functionality, which creates an unencrypted copy of the file on the device to allow the other app to use it. This creates a potential security risk.
If disallowed the users will not see the Open In option.
Web File Downloads
If allowed the users can download files using the Library file viewer under the Libraries tab in the AsdeqDocs web interface.
If disallowed then access to download files is not available through the AsdeqDocs web interface.
SecureLink is a technology developed by Asdeq Labs. SecureLink allows the user to use files from AsdeqDocs in apps that are part of a SecureLink partnership. Unlike using Open In, using SecureLink will not copy the file into the third party app's container and forces the third party application to respect the AsdeqDocs security policies (e.g. disable email, disable open in). This means that when you save edits or close the third party app there is no residual file left unencrypted on the device; there is only the encrypted copy inside the AsdeqDocs secure container.
By default, Open In creates an unencrypted copy of the file in the other app's container, which remains after the other app is closed. Any other security policies for the file are also lost using Open In. This obviously becomes a security issue if the device is stolen or lost.
What SecureLink provides is a way to open a file from AsdeqDocs in a SecureLink partner application while keeping the document encrypted on the device. Approved SecureLink applications will respect the security policy settings (above) and will not keep, make or leave a plain version of the file on the device.
If enabled users on mobile devices will see the print option in the file actions menu for files with print capabilities.
If disabled the print option will not be available to users.
If allowed, hyperlinks to referenced documents can be created and emailed. They allow the receiver to download a file from the server.
If disallowed, the option will not appear.
If allowed, users can create links that can be accessed without needing an AsdeqDocs account. Linked documents can be accessed by anyone with network access to the server by entering a password.
If disallowed, linked documents can only be accessed by users logged into AsdeqDocs.
Allow No Time Limit
If allowed users can configure links that never expire.
If disallowed, the user must always choose the life of the link in days.
Allow Unlimited Password uses
If allowed users can configure links with passwords that may be used forever.
If disallowed, users must always choose the number of times a password may be used before it expires.
Allow Notify Link Creator on Download
If allowed, users can configure links that automatically notify the creator when the recipient downloads the linked document from the server.
If disallowed, users will not receive a notification.
Outgoing mail must be enabled on the Mail Management page to use this feature.
If allowed, the Browse Network functionality is available to the mobile device users. This functionality allows users to search all servers and source locations, and create/manage libraries directly from the device.
If disallowed, the users cannot search all servers and source locations, and cannot create or manage libraries directly from the device.
This option allows the server to push file updates to devices in real-time.
If enabled, the server sends a push notification to the device to sync files that are in the user's Libraries on the device immediately after they are added or modified on the back-end servers.
If disallowed the devices will only receive file updates during regular scheduled syncs, after the server has identified the back-end file change as part of a scheduled source location scan.
Used in conjunction with web uploads, QuickSync allows users to save a file to the back-end file repository via upload to a Library and have it appear on their device in the same library within seconds.
On Device Library Management
If enabled then users can create, add to and manage libraries from their mobile device.
If disabled, users can only create, add to and manage their libraries using the web interface.
If allowed users can create and modify documents from AsdeqDocs into configured Source Locations.
This option must be allowed before the other file actions can be enabled.
If allowed users can create new folders at a source location.
If allowed users can make copies of files or folders at the original source location, or in a separate source location.
If allowed users can move files or folders to new locations at the source location, or into a separate source location.
Exceptions provide granular control of security policies to administrators, allowing variations from the otherwise global security policy rule configured.
The exceptions can be set for combinations of users/groups and devices, for example:
- Global rule disallows email, with an exception for the group Sales Team (thus allowing the sales team to email files from the client app, but no one else)
- Global rule allows Open in, with an exception for Android devices (thus blocking any user on an Android device from using Open in from AsdeqDocs while allowing all other device platforms to use Open in)
- Global rule sets the background logout time to 10 mins, with an exception for the group Solicitors on iPads set to 90 mins (thus allowing the solicitors to present for longer on their iPads in court before they may be required to log back in)
To view any configured exceptions, either click Show All, or click the icon next to the specific rule if any exceptions exist.
If a security policy rule changes between Allowed and Disallowed, the exceptions also reverse, i.e. the exception from Allow (disallow) will become an exception from Disallow (allow).
To set or change an exception, click on the Edit button to the right of the rule. This will then display the exceptions and allow exceptions to be:
When adding an exception, click on the user or group field to search for the user/group the exception is to be set for, and/or select a device platform from the drop-down list.
Complete any settings required for the exception (e.g. set a number of minutes for the exception for the Background logout time).
Exceptions with numerical values require ordering, and are applied from top to bottom: if a user is in multiple user groups with different exception values, the highest relevant exception in the list will apply. In the example image above, any user in the top exception who is also in the bottom exception will have only the top exception apply.
Simply click on Remove Exception.
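The exception rules described above (top-to-bottom ordering, and reversal when an Allow/Disallow rule flips), modelled as an added example that is not AsdeqDocs code. The class and field names are hypothetical, matching on exact user/group name and platform string is an assumption, and the "Staff" exception is constructed to show ordering.

```python
from dataclasses import dataclass, field
from typing import Any, List, Optional, Set


@dataclass
class PolicyException:
    value: Any                       # setting that applies when this exception matches
    principal: Optional[str] = None  # user or group name; None matches any user
    platform: Optional[str] = None   # device platform; None matches any platform

    def matches(self, user: str, groups: Set[str], platform: str) -> bool:
        who = self.principal is None or self.principal == user or self.principal in groups
        where = self.platform is None or self.platform == platform
        return who and where


@dataclass
class Rule:
    global_value: Any
    exceptions: List[PolicyException] = field(default_factory=list)  # top to bottom

    def effective(self, user: str, groups: Set[str], platform: str) -> Any:
        # The first matching exception from the top wins; otherwise the global rule.
        for exc in self.exceptions:
            if exc.matches(user, groups, platform):
                return exc.value
        return self.global_value

    def flip(self) -> None:
        # Allow/Disallow rules only: reversing the global rule reverses each exception.
        self.global_value = not self.global_value
        for exc in self.exceptions:
            exc.value = not exc.value


# Constructed policy mirroring the page's three examples (True = allowed).
email = Rule(False, [PolicyException(True, principal="Sales Team")])
open_in = Rule(True, [PolicyException(False, platform="Android")])
# Background logout in minutes; the "Staff" exception is invented to show ordering.
logout = Rule(10, [
    PolicyException(90, principal="Solicitors", platform="iPad"),
    PolicyException(30, principal="Staff"),
])

if __name__ == "__main__":
    print(email.effective("alice", {"Sales Team"}, "iPhone"))
    print(open_in.effective("bob", set(), "Android"))
    print(logout.effective("carol", {"Solicitors", "Staff"}, "iPad"))
    print(logout.effective("carol", {"Solicitors", "Staff"}, "Android"))
```

A model like this is useful for reviewing a planned exception list before applying it: list each user/group/platform combination and confirm that the effective value is the one intended, especially for rules that loosen the global policy.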