Enable Enterprise Controlled Encryption (ECE)

Log in your Okta admin account.On the left, click Directory.Click Profile Editor.Open Verkada SSO OIDC User.Select Add Attribute.a. Add the Display name and Variable name (both values are the same) from the "<org_name>_org_secret.txt" file. It starts with "vkdae2ee…". b. Click Save.Select Mappings.a. Click Okta User to Verkada SSO OIDC. b. Copy the value (the second value) in the downloaded "<org_name>_org_secret.txt" file (including the quotation marks). c. At the bottom of the Mappings page, paste the into the text box corresponding to the new variable just added above. d. Click on the icon in the middle between the and , and select Apply mapping on user create and update.e. Click Save Mappings, then Apply updates now.

Log in to your Azure portal.Search for and select App registrations.Select Verkada SSO OIDC.Note: If you do not see this app, go to All applications.On the left, click Manage > App roles.a. Click Create app role. b. Add the Display name and Description (both values are the same) from the "<org_name>_org_secret.txt" file. It starts with "vkdae2ee…". c. Under Allowed member types select Users/Groups. d. Under Value enter : (second value) in the downloaded "<org_name>_org_secret.txt" file. Do not copy the quotes for the encryption key. e. Click Apply.On the left, click on Manage > Token Configuration.a. Click Add groups claim. b. Select Security groups as the group type. c. Select Emit groups as role claims as the ID. d. Click Add.On the left side, click on Manage > Authentication.a. Under Implicit grant and hybrid flows, select both ID tokens and Access tokens. b. Click Save.On the left, click on Manage > Manifest.a. Verify Manifest for Optional Claims looks like this:Note: You must see idToken.additionalProperties.emit_as_roles.Assign the users to the new role that was created in step 4. Only these users will be able to access Verkada Command.a. Search for and select Microsoft Entra ID. b. On the left side, click Manage > Enterprise applications.Click Verkada SSO OIDC.On the left side, click on Manage > Users and groups.Assign users the newly created role. Note: you must be an owner of the Verkada SSO OIDC application.Click Add user/group.Assign the users to the new role that was created in step 4.Click Assign.(Optional) If the email used for their Command account is not the same as the user principal name on Azure, make sure to do the following:Click Edit properties.Click Contact information.In the email field, enter the email used for their Verkada Command account.Click Save.

Open your Google Admin console.In the left navigation, select Directory > Users.Select the More Options dropdown and click Manage custom attributes.Click on Add Custom Attribute.Create a new custom attribute with the following fields (these fields are case sensitive)a. Category: ECEInfo b. Custom fields:Name: keysInfo Type: TextVisibility: Visible to User and AdminNo. of Values: Multi-Valueg. Click AddFor each user account that will need access to your Verkada organization, you will need to do the following steps:a. Go to Directory > Users and select a user. b. Expand the User Information tab and select ECEInfo. c. Click Edit. d. In the downloaded "<org_name>_org_secret.txt" file, you will find two strings. The first is the Display Name (it starts with "vkdae2ee…"), and the second is the encryption key. Add these values to the keys field in your user’s ECEInfo attribute, separated by a colon (do not include the quotation marks around the encryption key).<display name>:<encryption key>e. Click Save. f. Repeat this for all users in the Verkada organization and continue to Step 9.Note: You can automate the process by skipping this step and following Steps 7-8 instead.Go to Directory > Groups and click Create Group.a. Give the group an identifiable name (e.g., the same name as your Verkada Command organization). Note that if you have multiple Verkada organizations, you will need a corresponding Group for each. b. Click Next. c. In Group Settings, select only invited users for who can join the group. d. Click Create. e. In the newly created group, click Add Members. Add all the users of your Verkada organization here.Go to Apps Script for Google Developers. Click Start Scripting.a. Create a New Project. b. Under Services on the left panel, select Admin SDK API and click Add. c. Paste the following codefunction bulkUpdate() { const groupEmail = "<YOUR GROUP EMAIL>"; const schemaName = "ECEInfo"; const displayName = "<DISPLAY NAME FROM YOUR ORG SECRET TXT FILE>"; const encryptionKey = "<ENCRYPTION KEY FROM YOUR ORG SECRET TXT FILE>"; const groupMembers = AdminDirectory.Members.list(groupEmail).members || []; groupMembers.forEach((member) => { try { var userEmail = member.email; var user = AdminDirectory.Users.get(member.email, { projection: 'full'}); var customSchemas = user.customSchemas || {}; if (!customSchemas[schemaName]) { customSchemas[schemaName] = {}; } if (!customSchemas[schemaName]["keys"]) { customSchemas[schemaName]["keys"] = []; } var newEntry = `${displayName}:${encryptionKey}`; var userHasOrgSecret = customSchemas.ECEInfo.keys.some(function(entry) { return entry.value === newEntry; }); if (userHasOrgSecret) { console.log(`no update on user ${userEmail}`) } else { customSchemas[schemaName]["keys"].push({ type: "work", value: newEntry, }); // Update the user with the modified custom schema AdminDirectory.Users.update({ customSchemas: customSchemas }, userEmail); } } catch (e) { // Log errors if the updating process fails. console.log("Error updating " + userEmail + ": " + e.message); } });};d. Click Save, then Run.There are three options on how to handle new users after this initial setup.a. Follow Step 6 for each new user added to your Verkada organization. b. Have the above script run on a regular basis (e.g., daily) and simply add new users to the Google Group associated with your Verkada organization (Step 7).To do this, select Triggers from the left navigation panel on your Apps Script project.Click Add TriggerSelect the bulkUpdate function on the Head deployment.Select the Time-driven event source and set a schedule that makes sense for your organization. Keep in mind that new users to your Verkada organization will not have access to ECE footage until this script runs after they are added as members of the Google Group.f. Run the script on an as-needed basis.