Skip to main content
All CollectionsVideo SecurityConfiguration and Setup
Enable Enterprise Controlled Encryption (ECE)
Enable Enterprise Controlled Encryption (ECE)
Updated this week

Before you begin

Configure Single Sign-On OIDC

Verkada currently only supports Okta, Microsoft Entra ID (Azure AD), and Google Workspace as identity providers for Single Sign-On with OIDC. For a detailed setup guide, refer to the following:

OIDC SSO must be enabled in your organization to enable ECE.

Update Command mobile app

To ensure a smooth user experience, ask all users in your organization to update their Verkada Command mobile app. The app updates automatically unless auto-update is disabled. This step is required only for users of the Command mobile app.

There is no need to update the Verkada Pass app.

Enable ECE

  1. In Verkada Command, go to All Products > Admin.

  2. In the left navigation, select Privacy & Security > Enterprise Controlled Encryption.

  3. Click Get Started.

  4. Under Generate Key:

    1. Click Generate Key

    2. Download the encryption key.

    3. Add the encryption key to your identity provider.

    4. Click Continue.

  5. Under Verify:

    1. Click Logout and Test.

    2. If the test is successful, you will be redirected to this page.

    3. Click Continue.

  6. Under Enroll Devices:

    1. Click Select Devices and choose the devices to enroll in ECE.

      Note: We recommend choosing Select All Devices to ensure you have the additional security and data protection for your entire fleet.

    2. Click Enroll Devices.

Example template of the encryption key file:

File name: <command-org-name>_org_secret.txt 

Format:
<display-name / variable-name>

<encryption-key>

Add Encryption Key to Identity Provider

ECE is currently only supported on Okta and Microsoft Entra ID (Azure AD). Follow the steps below based on your identity provider.

Okta

  1. Log in your Okta admin account.

  2. On the left, click Directory.

  3. Click Profile Editor.

  4. Open Verkada SSO OIDC User.

  5. Select Add Attribute.

    1. Add the Display name and Variable name (both values are the same) from the “<org_name>_org_secret.txt” file. It starts with “vkdae2ee…”.

    2. Click Save.

  6. Select Mappings.

    1. Click Okta User to Verkada SSO OIDC.

    2. Copy the <encryption-key> value (the second value) in the downloaded “<org_name>_org_secret.txt” file (including the quotation marks).

    3. At the bottom of the Mappings page, paste the <encryption-key> into the text box corresponding to the new variable just added above.

    4. Click on the icon in the middle between the <encryption-key> and <variable-name>, and select Apply mapping on user create and update.

    5. Click Save Mappings then Apply updates now.

Refer to Add Custom Profile Attributes if you run into issues editing the profile.

Microsoft Entra ID (Azure AD)

  1. Log in to your Azure portal.

  2. Search for and select App registrations.

  3. Select Verkada SSO OIDC.

    Note: If you do not see this app, go to All applications.

  4. On the left, click Manage > App roles.

    1. Click Create app role.

    2. Add the Display name and Description (both values are the same) from the “<org_name>_org_secret.txt” file. It starts with “vkdae2ee…”.

    3. Under Allowed member types select Users/Groups.

    4. Under Value enter <display-name>:<encryption-key> (second value) in the downloaded “<org_name>_org_secret.txt” file. Do not copy the quotes for the encryption key.

    5. Click Apply.

  5. On the left, click on Manage > Token Configuration.

    1. Click Add groups claim.

    2. Select Security groups as the group type.

    3. Select Emit groups as role claims as the ID.

    4. Click Add.

  6. On the left side, click on Manage > Authentication.

    1. Under Implicit grant and hybrid flows, select both ID tokens and Access tokens.

    2. Click Save.

  7. On the left, click on Manage > Manifest.

    1. Verify Manifest for Optional Claims looks like this:

      Note: You must see idToken.additionalProperties.emit_as_roles.

  8. Assign the users to the new role that was created in step 4. Only these users will be able to access Verkada Command.

    1. Search for and select Microsoft Entra ID.

    2. On the left side, click Manage > Enterprise applications.

      1. Click Verkada SSO OIDC.

      2. On the left side, click on Manage > Users and groups.

      3. Assign users the newly created role.

        Note: you must be an owner of the Verkada SSO OIDC application.

        1. Click Add user/group.

        2. Assign the users to the new role that was created in step 4.

        3. Click Assign.

      4. (Optional) If the email used for their Command account is not the same as the user principal name on Azure, make sure to do the following:

        1. Click Edit properties.

        2. Click Contact information.

        3. In the email field, enter the email used for their Verkada Command account.

        4. Click Save.

Google

  1. Open your Google Admin console.

  2. In the left navigation, select Directory > Users.

  3. Select the More Options dropdown and click Manage custom attributes.

  4. Click on Add Custom Attribute.

  5. Create a new custom attribute with the following fields (these fields are case sensitive)

    1. Category: ECEInfo

    2. Custom fields:

      1. Name: keys

      2. Info Type: Text

      3. Visibility: Visible to User and Admin

      4. No. of Values: Multi-Value

    3. Click Add

  6. For each user account that will need access to your Verkada organization, you will need to do the following steps:

    1. Go to Directory > Users and select a user.

    2. Expand the User Information tab and select ECEInfo.

    3. Click Edit.

    4. In the downloaded “<org_name>_org_secret.txt” file, you will find two strings. The first is the Display Name (it starts with “vkdae2ee…”), and the second is the encryption key. Add these values to the keys field in your user’s ECEInfo attribute, separated by a colon (do not include the quotation marks around the encryption key).

      <display name>:<encryption key>

    5. Click Save.

    6. Repeat this for all users in the Verkada organization and continue to Step 9.

    Note: You can automate the process by skipping this step and following Steps 7-8 instead.

  7. Go to Directory > Groups and click Create Group.

    1. Give the group an identifiable name (e.g., the same name as your Verkada Command organization). Note that if you have multiple Verkada organizations, you will need a corresponding Group for each.

    2. Click Next.

    3. In Group Settings, select only invited users for who can join the group.

    4. Click Create.

    5. In the newly created group, click Add Members. Add all the users of your Verkada organization here.

  8. Go to Apps Script for Google Developers. Click Start Scripting.

    1. Create a New Project.

    2. Under Services on the left panel, select Admin SDK API and click Add.

    3. Paste the following code

      function bulkUpdate() { 
        const groupEmail = "<YOUR GROUP EMAIL>";
        const schemaName = "ECEInfo";
        const displayName = "<DISPLAY NAME FROM YOUR ORG SECRET TXT FILE>";
        const encryptionKey = "<ENCRYPTION KEY FROM YOUR ORG SECRET TXT FILE>";

        const groupMembers = AdminDirectory.Members.list(groupEmail).members || [];
        groupMembers.forEach((member) => {
          try {
            var userEmail = member.email;
            var user = AdminDirectory.Users.get(member.email, { projection: 'full'});
            var customSchemas = user.customSchemas || {};
            if (!customSchemas[schemaName]) {
              customSchemas[schemaName] = {};
            }
            if (!customSchemas[schemaName]["keys"]) {
              customSchemas[schemaName]["keys"] = [];
            }
            var newEntry = `${displayName}:${encryptionKey}`;
            var userHasOrgSecret = customSchemas.ECEInfo.keys.some(function(entry) {
              return entry.value === newEntry;  
            });
            if (userHasOrgSecret) {
              console.log(`no update on user ${userEmail}`)
            } else {
              customSchemas[schemaName]["keys"].push({
                type: "work", 
                value: newEntry,  
              });
              // Update the user with the modified custom schema
              AdminDirectory.Users.update({
                customSchemas: customSchemas
              }, userEmail);
            }      
          } catch (e) {
            // Log errors if the updating process fails.
            console.log("Error updating " + userEmail + ": " + e.message);
          }
        });
      };

    4. Click Save, then Run.

  9. There are three options on how to handle new users after this initial setup.

    1. Follow Step 6 for each new user added to your Verkada organization.

    2. Have the above script run on a regular basis (e.g., daily) and simply add new users to the Google Group associated with your Verkada organization (Step 7).

      To do this, select Triggers from the left navigation panel on your Apps Script project.

      1. Click Add Trigger

      2. Select the bulkUpdate function on the Head deployment.

      3. Select the Time-driven event source and set a schedule that makes sense for your organization. Keep in mind that new users to your Verkada organization will not have access to ECE footage until this script runs after they are added as members of the Google Group.

    3. Run the script on an as-needed basis.

Need more help? Contact Verkada Support.

Related Articles
Okta SAML Integration
Okta SCIM Integration
OIDC based SSO for Okta
Remove Enterprise Controlled Encryption
OIDC based SSO for Azure Entra
Did this answer your question?