Before you begin
Configure Single Sign-On OIDC
Verkada currently only supports Okta and Microsoft Entra ID (Azure AD) identity providers for Single Sign-On with OIDC. For a detailed setup guide, refer to OIDC based SSO for Okta.
OIDC SSO must be enabled in your organization to enable ECE.
Update Command mobile app
To ensure a smooth user experience, ask all users in your organization to update their Verkada Command mobile app. The app updates automatically unless auto-update is disabled. This step is required only for users of the Command mobile app.
iOS: Verkada Command
Android: Verkada Command
There is no need to update the Verkada Pass app.
Enable ECE
In Verkada Command, go to All Products > Admin.
In the left navigation, select Privacy & Security > Enterprise Controlled Encryption.
Click Get Started.
Under Generate Key:
Click Generate Key.
Download the encryption key.
Click Continue.
Under Verify:
Click Logout and Test.
If the test is successful, you will be redirected to this page.
Click Continue.
Under Enroll Devices:
Click Select Devices and choose the devices to enroll in ECE.
Note: We recommend choosing Select All Devices to ensure you have the additional security and data protection for your entire fleet.
Click Enroll Devices.
Example template of the encryption key file:
File name: <command-org-name>_org_secret.txt
Format:
<display-name / variable-name>
<encryption-key>
Add Encryption Key to Identity Provider
ECE is currently only supported on Okta and Microsoft Entra ID (Azure AD). Follow the steps below based on your identity provider.
Okta
Log in to your Okta admin account.
On the left, click Directory.
Click Profile Editor.
Open Verkada SSO OIDC User.
Select Add Attribute.
Add the Display name and Variable name (both values are the same) from the “<org_name>_org_secret.txt” file. It starts with “vkdae2ee…”.
Click Save.
Select Mappings.
Click Okta User to Verkada SSO OIDC.
Copy the <encryption-key> value (the second value) in the downloaded “<org_name>_org_secret.txt” file (including the quotation marks).
At the bottom of the Mappings page, paste the <encryption-key> into the text box corresponding to the new variable just added above.
Click on the icon in the middle between the <encryption-key> and <variable-name>, and select Apply mapping on user create and update.
Click Save Mappings then Apply updates now.
Refer to Add Custom Profile Attributes if you run into issues editing the profile.
Microsoft Entra ID (Azure AD)
Log in to your Azure portal.
Search for and select App registrations.
Select Verkada SSO OIDC.
Note: If you do not see this app, go to All applications.
On the left, click Manage > App roles.
Click Create app role.
Add the Display name and Description (both values are the same) from the “<org_name>_org_secret.txt” file. It starts with “vkdae2ee…”.
Under Allowed member types select Users/Groups.
Under Value, enter <display-name>:<encryption-key>, where <encryption-key> is the second value in the downloaded “<org_name>_org_secret.txt” file. Do not copy the quotes for the encryption key.
Click Apply.
On the left, click on Manage > Token Configuration.
On the left side, click on Manage > Authentication.
Under Implicit grant and hybrid flows, select both ID tokens and Access tokens.
Click Save.
On the left, click on Manage > Manifest.
Assign the users to the new role that was created in step 4. Only these users will be able to access Verkada Command.
Search for and select Microsoft Entra ID.
On the left side, click Manage > Enterprise applications.
Click Verkada SSO OIDC.
On the left side, click on Manage > Users and groups.
Assign users the newly created role.
Note: you must be an owner of the Verkada SSO OIDC application.
(Optional) If the email used for their Command account is not the same as the user principal name on Azure, make sure to do the following:
Click Edit properties.
Click Contact information.
In the email field, enter the email used for their Verkada Command account.
Click Save.
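Added example (not Verkada's code): a small Python helper that reads the downloaded key file and builds the values pasted into Okta (key with the quotation marks) and Microsoft Entra ID (<display-name>:<encryption-key> without quotes), rejecting a file that was damaged while copying. It assumes the key line in the file is wrapped in double quotes; the function names and the sample name and key are constructed for illustration.

```python
import pathlib
import tempfile

PREFIX = "vkdae2ee"  # the page says the display/variable name starts with this


def parse_org_secret(text):
    """Return (name, key) from the two-line key file; key has no surrounding quotes."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) != 2:
        raise ValueError(f"expected 2 non-empty lines, found {len(lines)}")
    name, raw_key = lines
    if not name.startswith(PREFIX):
        raise ValueError(f"name does not start with {PREFIX!r}")
    # Assumption: the key line is wrapped in double quotes in the file.
    quoted = len(raw_key) >= 2 and raw_key[0] == raw_key[-1] == '"'
    key = raw_key[1:-1] if quoted else raw_key
    # Guard against copy/paste damage: stray quotes or whitespace inside a value.
    if not key or '"' in key or any(c.isspace() for c in name + key):
        raise ValueError("name or key is empty or contains quotes/whitespace")
    return name, key


def idp_values(name, key):
    """Build the strings each identity provider expects."""
    return {
        "okta_attribute_name": name,          # Display name and Variable name
        "okta_mapping_value": f'"{key}"',     # pasted with the quotation marks
        "entra_role_name": name,              # Display name and Description
        "entra_role_value": f"{name}:{key}",  # no quotes around the key
    }


def load(path):
    text = pathlib.Path(path).read_text(encoding="utf-8")
    return idp_values(*parse_org_secret(text))


if __name__ == "__main__":
    # Constructed sample file; the name suffix and the key are made up.
    sample = 'vkdae2ee_example\n"EXAMPLE-KEY-0000"\n'
    with tempfile.TemporaryDirectory() as d:
        p = pathlib.Path(d) / "example-org_org_secret.txt"
        p.write_text(sample, encoding="utf-8")
        for field, value in load(p).items():
            # Mask key-bearing values so the secret does not end up in logs.
            print(field, "=", value if field.endswith("name") else value[:6] + "...")
```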