
How to Require FaceID for Corporate Email via Hexnode UEM?

In mobile-first enterprises, smartphones act as portable vaults for sensitive corporate intellectual property. A device passcode is the first line of defence; combining device-level security policies with application-level configuration adds a second, application-specific “Identity Checkpoint” that still has to be passed once the device itself is unlocked.

By applying Hexnode UEM Passcode Policies, Advanced Restrictions, and App Configuration, administrators can enforce biometric authentication for corporate email apps such as Microsoft Outlook. The device-level controls (Steps A and B below) apply to any mail client, including the native iOS Mail app; the per-app biometric prompt (Step C) is configured for Outlook. Together they protect email access even if the device is already unlocked.

1. The Strategic Logic: “The Second Gate”

This strategy strengthens device authentication and places a second gate in front of the corporate application itself:

  • Identity Binding: Device access is tied to the user’s biometric profile, which is stored in the device’s Secure Enclave and never leaves the hardware.
  • Accountability: A passcode can be shared between users; a biometric cannot, provided enrolment of additional faces or fingerprints is blocked (Step B). Otherwise a second user’s biometric can simply be added to the device.
  • The “Coffee Shop” Guard: Protects data if a device is left unlocked; an unauthorized person holding the unlocked phone still cannot open corporate email without passing FaceID.

2. Implementation Framework (iOS / iPadOS via Hexnode UEM Console)

In Hexnode UEM, biometric enforcement for corporate email apps is configured using Passcode policy, Advanced Restrictions, and App Configuration.

Step A: Enforce Device-Level Security Baseline

  1. Navigate to: Policies > New Policy > iOS > Passcode.
  2. Configure Passcode Settings:
    • Allow simple value: Disabled
    • Require alphanumeric value: Enabled
    • Minimum passcode length: 6 (or higher)
    • Maximum failed attempts: 6 (or as required)
    • Auto-Lock: Set per organizational standards

Result: If FaceID or TouchID fails to recognize the user, iOS falls back to the device passcode, so this policy defines the strength of the fallback path. Strict length and complexity rules ensure that backup entry method cannot easily be guessed. Note that the maximum failed attempts value is a wipe threshold: iOS erases the device once it is exceeded, so set it with that consequence in mind.

Step B: Block Biometric Modifications

  1. Navigate to: Policies > create new policy/select existing one > iOS > Restrictions > Advanced Restrictions.
  2. Disable: Add or remove Touch ID / Face ID. (This restriction is honoured only on supervised devices.)

Result:

  • Users cannot enroll new fingerprints or faces, so a second person’s biometric cannot be added to satisfy the Outlook prompt.
  • Existing biometric identities remain unchanged.

Step C: Application Configuration for Microsoft Outlook

  1. Navigate to: Policies > create new policy/select existing one > iOS > App Configuration.
  2. Click +Add new configuration and select Microsoft Outlook.
  3. Upload the app configuration as an XML property list (plist) file.

Add the following App Configuration keys in the XML file:

Key                                                       Value   Purpose
IntuneMAMAllowedAccountsOnly                              True    Only corporate email accounts can be added to this Outlook instance; personal mailboxes are blocked.
com.microsoft.outlook.Auth.Biometric                      True    Requires biometric authentication to open Outlook.
com.microsoft.outlook.Auth.Biometric.UserChangeAllowed    False   Prevents the user from turning the biometric requirement off in the app’s settings.

The two Auth.Biometric keys are Boolean and must be written as plist <true/> / <false/> elements, not as the strings “True”/“False”. Microsoft’s Outlook app-configuration documentation lists IntuneMAMAllowedAccountsOnly with the value Enabled and pairs it with IntuneMAMUPN set to the user’s UPN; confirm the currently documented form before relying on the allowed-accounts restriction.

Result: When the user opens the Microsoft Outlook app, they are immediately prompted to authenticate via FaceID/TouchID before they can view their inbox. They cannot disable this prompt in the app settings, and they cannot sidestep the corporate configuration by adding a personal email account. Outlook’s prompt relies on the biometrics enrolled on the device, so Steps A and B remain the backstop for this gate.
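The XML plist that Step C asks you to upload is easy to get subtly wrong (a Boolean typed as the string "True", or a key missed), and Hexnode will accept the file as long as it parses. The following script builds the plist from the three keys in the table and validates an uploaded plist before deployment. It is an added example, not Hexnode’s or Microsoft’s code: the key names come from the table above, while the validation rules, the constructed sample of a bad upload and the output file name are this example’s own assumptions.

```python
"""Build the Outlook app-configuration plist from the keys in Step C and check
an uploaded plist before deployment.

Added example, not Hexnode's or Microsoft's code. The three key names come
from the table in Step C; the validator rules, the sample bad plist and the
output file name are assumptions made for this example.
"""
from __future__ import annotations

import plistlib
from typing import Any

# The configuration exactly as the table describes it. iOS app configuration is a
# property list, so booleans must be plist booleans (<true/> / <false/>), not the
# strings "True"/"False"; a string where a boolean is expected is a common upload mistake.
OUTLOOK_CONFIG: dict[str, Any] = {
    "IntuneMAMAllowedAccountsOnly": True,
    "com.microsoft.outlook.Auth.Biometric": True,
    "com.microsoft.outlook.Auth.Biometric.UserChangeAllowed": False,
}

# Expected type and value for each key. These rules are this example's own
# pre-deployment check, not a schema published by Microsoft or Hexnode.
REQUIRED: dict[str, tuple[type, Any]] = {
    "com.microsoft.outlook.Auth.Biometric": (bool, True),
    "com.microsoft.outlook.Auth.Biometric.UserChangeAllowed": (bool, False),
    "IntuneMAMAllowedAccountsOnly": (bool, True),
}


def build_plist(config: dict[str, Any] = OUTLOOK_CONFIG) -> bytes:
    """Serialise the configuration as XML plist bytes ready for the Hexnode upload."""
    return plistlib.dumps(config, fmt=plistlib.FMT_XML, sort_keys=True)


def validate_plist(data: bytes) -> list[str]:
    """Return a list of problems found in an app-configuration plist; empty means OK."""
    try:
        parsed = plistlib.loads(data)
    except Exception as exc:  # malformed XML, wrong DOCTYPE, binary garbage, etc.
        return [f"not a parseable plist: {exc}"]
    if not isinstance(parsed, dict):
        return ["top-level plist object must be a <dict>"]
    problems: list[str] = []
    for key, (expected_type, expected_value) in REQUIRED.items():
        if key not in parsed:
            problems.append(f"missing key: {key}")
            continue
        value = parsed[key]
        # isinstance(1, bool) is False, so a plist <integer>1</integer> or
        # <string>True</string> is reported instead of being treated as <true/>.
        if not isinstance(value, expected_type):
            problems.append(
                f"{key}: expected {expected_type.__name__}, got "
                f"{type(value).__name__} {value!r}"
            )
        elif value != expected_value:
            problems.append(f"{key}: expected {expected_value!r}, got {value!r}")
    return problems


# Constructed sample of a mistaken upload: one Boolean typed as a string, one key missing.
BAD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>IntuneMAMAllowedAccountsOnly</key>
  <true/>
  <key>com.microsoft.outlook.Auth.Biometric</key>
  <string>True</string>
</dict>
</plist>
"""

if __name__ == "__main__":
    xml = build_plist()
    with open("outlook_faceid.plist", "wb") as fh:  # output file name is an assumption
        fh.write(xml)
    print(xml.decode())
    for problem in validate_plist(BAD_PLIST):
        print("BAD_PLIST:", problem)
```

Running the script writes the plist to upload in Step C and prints the two problems in the constructed bad sample (a string where a Boolean is required, and the missing UserChangeAllowed key). Run validate_plist over any hand-edited plist before uploading it; the check is strict about Boolean types on purpose, because a quoted "True" is exactly the error the Hexnode upload will not catch for you.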

3. Comparison: Device Passcode vs. App-Level Biometric Enforcement

Criterion                 Device Passcode            App-Level Biometric Enforcement
Authentication Method     Knowledge-based passcode   Biometric identity verification
User Convenience          Moderate                   High
Credential Sharing Risk   Higher                     Lower
Authentication Speed      Slower                     Faster
Identity Assurance        Moderate                   Strong

4. Security & Compliance Guardrails

  • Biometric Fallback: iOS always falls back to the device passcode when FaceID/TouchID fails, and requires it after a restart, so the passcode policy from Step A is the weakest link in this design. Enforce strong passcodes via Hexnode UEM Passcode Policies.
  • Compliance Checks: Navigate to: Policies > Compliance Policies. Create a new compliance policy to monitor conditions such as:
    • Passcode removal
    • MDM profile removal
    • Jailbreak detection
    • OS compliance
  • Automated remediation: Use Corporate Wipe remote action for removing managed accounts and corporate data if the device becomes non-compliant.