Skip to main content
All CollectionsVideo SecurityConfiguration and Setup
Enable Enterprise Controlled Encryption (ECE)
Enable Enterprise Controlled Encryption (ECE)
Updated over a month ago

Before you begin

Configure Single Sign-On OIDC

Verkada currently only supports Okta and Microsoft Entra ID (Azure AD) identity providers for Single Sign-On with OIDC. For a detailed setup guide, refer to OIDC based SSO for Okta.

OIDC SSO must be enabled in your organization to enable ECE.

Update Command mobile app

To ensure a smooth user experience, ask all users in your organization to update their Verkada Command mobile app. The app updates automatically unless auto-update is disabled. This step is required only for users of the Command mobile app.

There is no need to update the Verkada Pass app.


Enable ECE

  1. In Verkada Command, go to All Products > Admin.

  2. In the left navigation, select Privacy & Security > Enterprise Controlled Encryption.

  3. Click Get Started.

  4. Under Generate Key:

    1. Click Generate Key

    2. Download the encryption key.

    3. Click Continue.

  5. Under Verify:

    1. Click Logout and Test.

    2. If the test is successful, you will be redirected to this page.

    3. Click Continue.

  6. Under Enroll Devices:

    1. Click Select Devices and choose the devices to enroll in ECE.

      Note: We recommend choosing Select All Devices to ensure you have the additional security and data protection for your entire fleet.

    2. Click Enroll Devices.

Example template of the encryption key file:

File name: <command-org-name>_org_secret.txt 

Format:
<display-name / variable-name>

<encryption-key>

Add Encryption Key to Identity Provider

ECE is currently only supported on Okta and Microsoft Entra ID (Azure AD). Follow the steps below based on your identity provider.

Okta

  1. Log in your Okta admin account.

  2. On the left, click Directory.

  3. Click Profile Editor.

  4. Open Verkada SSO OIDC User.

  5. Select Add Attribute.

    1. Add the Display name and Variable name (both values are the same) from the “<org_name>_org_secret.txt” file. It starts with “vkdae2ee…”.

    2. Click Save.

  6. Select Mappings.

    1. Click Okta User to Verkada SSO OIDC.

    2. Copy the <encryption-key> value (the second value) in the downloaded “<org_name>_org_secret.txt” file (including the quotation marks).

    3. At the bottom of the Mappings page, paste the <encryption-key> into the text box corresponding to the new variable just added above.

    4. Click on the icon in the middle between the <encryption-key> and <variable-name>, and select Apply mapping on user create and update.

    5. Click Save Mappings then Apply updates now.

Refer to Add Custom Profile Attributes if you run into issues editing the profile.

Microsoft Entra ID (Azure AD)

  1. Log in to your Azure portal.

  2. Search for and select App registrations.

  3. Select Verkada SSO OIDC.

    Note: If you do not see this app, go to All applications.

  4. On the left, click Manage > App roles.

    1. Click Create app role.

    2. Add the Display name and Description (both values are the same) from the “<org_name>_org_secret.txt” file. It starts with “vkdae2ee…”.

    3. Under Allowed member types select Users/Groups.

    4. Under Value enter <display-name>:<encryption-key> (second value) in the downloaded “<org_name>_org_secret.txt” file. Do not copy the quotes for the encryption key.

    5. Click Apply.

  5. On the left, click on Manage > Token Configuration.

    1. Click Add groups claim.

    2. Select Security groups as the group type.

    3. Select Emit groups as role claims as the ID.

    4. Click Add.

  6. On the left side, click on Manage > Authentication.

    1. Under Implicit grant and hybrid flows, select both ID tokens and Access tokens.

    2. Click Save.

  7. On the left, click on Manage > Manifest.

    1. Verify Manifest for Optional Claims looks like this:

      Note: You must see idToken.additionalProperties.emit_as_roles.

  8. Assign the users to the new role that was created in step 4. Only these users will be able to access Verkada Command.

    1. Search for and select Microsoft Entra ID.

    2. On the left side, click Manage > Enterprise applications.

      1. Click Verkada SSO OIDC.

      2. On the left side, click on Manage > Users and groups.

      3. Assign users the newly created role.

        Note: you must be an owner of the Verkada SSO OIDC application.

        1. Click Add user/group.

        2. Assign the users to the new role that was created in step 4.

        3. Click Assign.

      4. (Optional) If the email used for their Command account is not the same as the user principal name on Azure, make sure to do the following:

        1. Click Edit properties.

        2. Click Contact information.

        3. In the email field, enter the email used for their Verkada Command account.

        4. Click Save.


Need more help? Contact Verkada Support.

Did this answer your question?