# Enable Enterprise Controlled Encryption

{% hint style="info" %}
See [Enterprise Controlled Encryption (ECE) Overview](https://docs.verkada.com/docs/enterprise-controlled-encryption-overview.pdf) for more information.
{% endhint %}

***

## Prerequisites

### Configure Single Sign-On OIDC

Verkada currently only supports Okta, Microsoft Entra ID (Azure AD), and Google Workspace as identity providers for Single Sign-On with OIDC. For setup guides, see:

* [Okta](https://help.verkada.com/command/security/identity-providers/okta)
* [Microsoft Entra ID](https://help.verkada.com/command/security/identity-providers/microsoft-entra-id)
* [Google Workspace](https://help.verkada.com/command/security/identity-providers/google-workspace)

{% hint style="danger" %}
OIDC SSO must be enabled in your organization to enable ECE.
{% endhint %}

### Update the Command mobile app

Ask all users in your organization to update their Verkada Command mobile app. The app updates automatically unless auto-update is disabled.

* iOS: [Verkada Command](https://apps.apple.com/us/app/verkada-command/id1157022527)
* Android: [Verkada Command](https://play.google.com/store/apps/details?id=com.verkada.android\&hl=en\&gl=US)

There is **no need** to update the Verkada Pass app.

***

## Enable ECE

{% stepper %}
{% step %}
**In Verkada Command, go to All Products > Admin.**
{% endstep %}

{% step %}
**In the left navigation, select Login & Access > Enterprise Controlled Encryption.**
{% endstep %}

{% step %}
**Click Get Started.**
{% endstep %}

{% step %}
**Under Generate Key:**

a. Click **Generate Key**\
b. Download the encryption key\
c. [Add the encryption key to your identity provider](#add-encryption-key-to-identity-provider)\
d. Click **Continue**
{% endstep %}

{% step %}
**Under Verify:**

a. Click **Logout and Test**\
b. If successful, you will be redirected to this page\
c. Click **Continue**
{% endstep %}

{% step %}
**Under Enroll Devices:**

a. Click **Select Devices** and choose the devices to enroll in ECE\
b. Click **Enroll Devices**

{% hint style="info" %}
We recommend choosing **Select All Devices** to ensure additional security and data protection for your entire fleet.
{% endhint %}
{% endstep %}
{% endstepper %}

{% hint style="danger" %}
The encryption key should only be generated once. Use this key to create the mapping in the OIDC provider. After verification, avoid regenerating the encryption key.
{% endhint %}

{% hint style="success" %}
Example encryption key file format:

```
File name: <command-org-name>_org_secret.txt

Format:
<display-name / variable-name>

<encryption-key>
```

{% endhint %}

***

## Add Encryption Key to Identity Provider

ECE is supported on Okta, Microsoft Entra ID (Azure AD), and Google Workspace.

<details>

<summary>Okta</summary>

1. Log in to your Okta admin account.
2. On the left, click **Directory > Profile Editor**.
3. Open **Verkada SSO OIDC User**.
4. Select **Add Attribute**:
   1. Add the Display name and Variable name (both values are the same) from the `org_secret.txt` file. It starts with "vkdae2ee…"
   2. Click **Save**
5. Select **Mappings**:
   1. Click **Okta User to Verkada SSO OIDC**
   2. Copy the encryption key value (the second value in the .txt file, including quotation marks)
   3. At the bottom of the Mappings page, paste into the text box for the new variable
   4. Click the icon in the middle and select **Apply mapping on user create and update**
   5. Click **Save Mappings**, then **Apply updates now**

{% hint style="danger" %}
Completing the mapping steps correctly is crucial for a seamless ECE camera enrollment process.
{% endhint %}

{% hint style="info" %}
Refer to [Add Custom Profile Attributes](https://support.okta.com/help/s/article/How-To-Add-Custom-Profile-Attributes-As-Claims-In-a-ID-Token-or-userinfo?language=en_US) if you encounter issues.
{% endhint %}

</details>

<details>

<summary>Microsoft Entra ID (Azure AD)</summary>

1. Log in to your Azure portal.
2. Search for and select **App registrations**.
3. Select **Verkada SSO OIDC** (check All applications if not visible).
4. On the left, click **Manage > App roles**:
   1. Click **Create app role**
   2. Add the **Display Name** and **Description** using the same first value from the `org_secret.txt` file
   3. Under **Allowed member types**, select **Users/Groups**
   4. Under **Value**, enter the encryption key in the format `first_value:second_value` (without quotes)
   5. Click **Apply**
5. On the left, click **Manage > Token Configuration**:
   1. Click **Add groups claim**
   2. Select **Security groups** as the group type
   3. For the **ID** token type, select **Emit groups as role claims**
   4. Click **Add**
6. On the left, click **Manage > Authentication > Settings**:
   1. Under **Implicit grant and hybrid flows**, select both **ID tokens** and **Access tokens**
   2. Click **Save**
7. On the left, click **Manage > Manifest**:
   1. Verify `idToken.additionalProperties.emit_as_roles` is present
8. Assign users to the new role:
   1. Search for and select **Microsoft Entra ID**
   2. On the left, click **Manage > Enterprise applications**
   3. Click **Verkada SSO OIDC**
   4. On the left, click **Manage > Users and groups**
   5. Click **Add user/group**
   6. Assign users the newly created role
   7. Click **Assign**

</details>

<details>

<summary>Google Workspace</summary>

1. Open your Google Admin console.
2. Navigate to **Directory > Users**.
3. Select **More Options > Manage custom attributes**.
4. Click **Add Custom Attribute** with:
   1. Category: **ECEInfo**
   2. Custom field: Name: **keys**, Info Type: **Text**, Visibility: **Visible to User and Admin**, No. of Values: **Multi-Value**
   3. Click **Add**
5. For each user needing access to your Verkada organization:
   1. Go to **Directory > Users** and select a user
   2. Expand **User Information > ECEInfo**
   3. Click **Edit**
   4. Add the display name and encryption key separated by a colon: `<display name>:<encryption key>`
   5. Click **Save**
   6. Repeat for all users

**For automation**, create a Google Group and use the Apps Script provided in the [Verkada ECE documentation](https://docs.verkada.com/docs/enterprise-controlled-encryption-overview.pdf).

</details>
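The mapping steps above are copy-and-paste sensitive (Okta wants the key with its quotation marks, Entra ID wants `first_value:second_value` without them). As an added helper that is not part of Verkada's documentation, the following Python parses an `org_secret.txt` file in the format shown in the Enable ECE section and derives the exact values each identity provider step asks for. The sample file contents are constructed placeholders, and treating the Google Workspace value like the Entra ID one (key without quotes) is an assumption.

```python
from dataclasses import dataclass

# Constructed sample mirroring the org_secret.txt layout shown on this page.
# The key is a made-up placeholder, not a real ECE encryption key.
SAMPLE_ORG_SECRET = '''vkdae2ee_example_attribute

"EXAMPLE-ENCRYPTION-KEY-PLACEHOLDER"
'''

ATTRIBUTE_PREFIX = "vkdae2ee"  # the display/variable name starts with "vkdae2ee..."


@dataclass(frozen=True)
class EceSecret:
    name: str        # display name / variable name (first value in the file)
    key_quoted: str  # encryption key exactly as stored, including quotation marks

    @property
    def key_bare(self) -> str:
        return self.key_quoted.strip('"')


def parse_org_secret(text: str) -> EceSecret:
    """Read the two non-empty lines of org_secret.txt and sanity-check them."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) != 2:
        raise ValueError(f"expected exactly 2 non-empty lines, found {len(lines)}")
    name, key = lines
    if not name.startswith(ATTRIBUTE_PREFIX):
        raise ValueError(f"attribute name should start with {ATTRIBUTE_PREFIX!r}: {name!r}")
    if not (key.startswith('"') and key.endswith('"') and len(key) > 2):
        raise ValueError("encryption key line must be wrapped in double quotation marks")
    return EceSecret(name=name, key_quoted=key)


def okta_values(s: EceSecret) -> dict:
    # Okta: attribute Display name and Variable name are the first value;
    # the mapping value is the second value including its quotation marks.
    return {"display_name": s.name, "variable_name": s.name, "mapping_value": s.key_quoted}


def entra_role_value(s: EceSecret) -> str:
    # Entra ID app role Value: first_value:second_value, without quotes.
    return f"{s.name}:{s.key_bare}"


def google_attribute_value(s: EceSecret) -> str:
    # Google custom attribute ECEInfo.keys: <display name>:<encryption key>.
    # Assumption: the key is entered without its quotation marks, as for Entra ID.
    return f"{s.name}:{s.key_bare}"
```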
