Enable Enterprise Controlled Encryption

Enable customer-managed encryption keys for maximum data security


Prerequisites

Configure Single Sign-On OIDC

Verkada currently only supports Okta, Microsoft Entra ID (Azure AD), and Google Workspace as identity providers for Single Sign-On with OIDC. For setup guides, see:

Update Command mobile app

Ask all users in your organization to update their Verkada Command mobile app. The app updates automatically unless auto-update is disabled.

There is no need to update the Verkada Pass app.


Enable ECE

  1. In Verkada Command, go to All Products > Admin.

  2. In the left navigation, select Login & Access > Enterprise Controlled Encryption.

  3. Click Get Started.

  4. Under Generate Key:

    a. Click Generate Key

    b. Download the encryption key

    c. Add the encryption key to your identity provider

    d. Click Continue

  5. Under Verify:

    a. Click Logout and Test

    b. If successful, you will be redirected to this page

    c. Click Continue

  6. Under Enroll Devices:

    a. Click Select Devices and choose the devices to enroll in ECE

    b. Click Enroll Devices

We recommend choosing Select All Devices to ensure additional security and data protection for your entire fleet.


Add Encryption Key to Identity Provider

ECE is supported on Okta, Microsoft Entra ID (Azure AD), and Google Workspace.

Okta
  1. Log in to your Okta admin account.

  2. On the left, click Directory > Profile Editor.

  3. Open Verkada SSO OIDC User.

  4. Select Add Attribute:

    • Add the Display name and Variable name (both values are the same) from the org_secret.txt file. It starts with "vkdae2ee…"

    • Click Save

  5. Select Mappings:

    • Click Okta User to Verkada SSO OIDC

    • Copy the encryption key value (the second value in the .txt file, including quotation marks)

    • At the bottom of the Mappings page, paste into the text box for the new variable

    • Click the icon in the middle and select Apply mapping on user create and update

    • Click Save Mappings, then Apply updates now

Refer to Add Custom Profile Attributes if you encounter issues.

Microsoft Entra ID (Azure AD)
  1. Log in to your Azure portal.

  2. Search for and select App registrations.

  3. Select Verkada SSO OIDC (check All applications if not visible).

  4. On the left, click Manage > App roles:

    • Click Create app role

    • Add the Display name and Description (both values are the same) from the org_secret.txt file

    • Under Allowed member types, select Users/Groups

    • Under Value, enter the encryption key (second value, without quotes)

    • Click Apply

  5. On the left, click Manage > Token Configuration:

    • Click Add groups claim

    • Select Security groups as the group type

    • Select Emit groups as role claims as the ID

    • Click Add

  6. On the left, click Manage > Authentication:

    • Under Implicit grant and hybrid flows, select both ID tokens and Access tokens

    • Click Save

  7. On the left, click Manage > Manifest:

    • Verify idToken.additionalProperties.emit_as_roles is present

  8. Assign users to the new role:

    • Search for and select Microsoft Entra ID

    • On the left, click Manage > Enterprise applications

    • Click Verkada SSO OIDC

    • On the left, click Manage > Users and groups

    • Click Add user/group

    • Assign users the newly created role

    • Click Assign
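
One way to check steps 4 through 7 against an exported app manifest, as an added example that is not part of Verkada's documentation. It assumes the Microsoft Graph manifest format (appRoles, optionalClaims, groupMembershipClaims, web.implicitGrantSettings); check_ece_manifest is a hypothetical helper, and the role name and key in the sample are constructed placeholders.

```python
import copy

# Constructed sample in Microsoft Graph manifest format; name and key are placeholders.
ROLE_NAME = "vkdae2ee-PLACEHOLDER"
SAMPLE_MANIFEST = {
    "appRoles": [{"displayName": ROLE_NAME, "description": ROLE_NAME,
                  "allowedMemberTypes": ["User"], "value": "PLACEHOLDER_KEY",
                  "isEnabled": True}],
    "groupMembershipClaims": "SecurityGroup",
    "optionalClaims": {"idToken": [{"name": "groups",
                                    "additionalProperties": ["emit_as_roles"]}]},
    "web": {"implicitGrantSettings": {"enableIdTokenIssuance": True,
                                      "enableAccessTokenIssuance": True}},
}

def check_ece_manifest(manifest, role_name):
    """Return the problems found for steps 4-7; an empty list means all passed."""
    problems = []
    # Step 4: app role named after the ECE display name, carrying the key as its value.
    role = next((r for r in manifest.get("appRoles") or []
                 if r.get("displayName") == role_name), None)
    if role is None:
        problems.append("step 4: app role not found")
    else:
        if role.get("description") != role_name:
            problems.append("step 4: description differs from display name")
        if "User" not in (role.get("allowedMemberTypes") or []):
            problems.append("step 4: Users/Groups not an allowed member type")
        if not role.get("value") or not role.get("isEnabled"):
            problems.append("step 4: role has no value or is disabled")
    # Step 5: groups claim present on ID tokens and limited to security groups.
    id_claims = (manifest.get("optionalClaims") or {}).get("idToken") or []
    groups = next((c for c in id_claims if c.get("name") == "groups"), None)
    if groups is None or "SecurityGroup" not in (manifest.get("groupMembershipClaims") or ""):
        problems.append("step 5: security-groups claim not configured for ID tokens")
    # Step 6: ID tokens and access tokens enabled under implicit grant and hybrid flows.
    grant = (manifest.get("web") or {}).get("implicitGrantSettings") or {}
    if not (grant.get("enableIdTokenIssuance") and grant.get("enableAccessTokenIssuance")):
        problems.append("step 6: ID and access token issuance not both enabled")
    # Step 7: the groups claim must be emitted as role claims.
    if groups is None or "emit_as_roles" not in (groups.get("additionalProperties") or []):
        problems.append("step 7: emit_as_roles missing from idToken claim")
    return problems

if __name__ == "__main__":
    broken = copy.deepcopy(SAMPLE_MANIFEST)
    broken["optionalClaims"]["idToken"][0]["additionalProperties"] = []
    print(check_ece_manifest(SAMPLE_MANIFEST, ROLE_NAME))
    print(check_ece_manifest(broken, ROLE_NAME))
```

The checker reports only which step failed and never prints the role value, so its output can be shared without exposing the encryption key.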

Google Workspace
  1. Open your Google Admin console.

  2. Navigate to Directory > Users.

  3. Select More Options > Manage custom attributes.

  4. Click Add Custom Attribute with:

    • Category: ECEInfo

    • Custom field: Name: keys, Info Type: Text, Visibility: Visible to User and Admin, No. of Values: Multi-Value

    • Click Add

  5. For each user needing access to your Verkada organization:

    • Go to Directory > Users and select a user

    • Expand User Information > ECEInfo

    • Click Edit

    • Add the display name and encryption key separated by a colon: <display name>:<encryption key>

    • Click Save

    • Repeat for all users

For automation, create a Google Group and use the Apps Script provided in the Verkada ECE documentation.
