Configure device location reporting and tracking

The location reporting functionality allows end users to see their device location on the Devices page in the user portal. Location tracking additionally allows systems administrators to see device locations.

Users can turn location tracking on/off in the Settings menu in the user portal. However, if you select Force in the Enable Device Location Tracking by Administrator drop-down list, location reporting is enabled for the user and location tracking is enabled for systems administrators regardless of the user selection.

Important: The laws of jurisdiction(s) where your company conducts business or your company policy may require that users have the ability to opt out of device location sharing. In such a case, you should not select the Force option.

To configure location reporting and tracking:

  1. Log in to the Identity Administration portal.
  2. Go to Core Services > Policies and select the policy you want to edit or click Add Policy Set to create a new one.
  3. Go to Endpoint Policies > Common Settings > Mobile Settings > Restrictions Settings.
  4. Use the Report mobile device location drop-down list to enable location reporting for the user.

    When you select Yes, the device owner can see the device location on the Devices page in the user portal and you can see the location tracking options.

  5. Use the Permit administrator to see device location drop-down list to configure device location tracking by the administrator, then click Save.

    | Setting | Description |
    | --- | --- |
    | Disable | Systems administrators will not be able to track the device location. |
    | Opt-In | The device owner has the option to allow systems administrators to track the device location. |
    | Force | The device owner is notified but cannot opt out of sharing the device location with systems administrators. The laws of jurisdiction(s) where your company conducts business or your company policy may require that users have the ability to opt out of device location sharing. In such a case, you should not select the Force option. |

You can see device locations from the Endpoints page in the Identity Administration portal. Select a device, then go to the Location page. When location tracking by the administrator is available, you have the map view option on the Endpoints page.

To configure location reporting and tracking using Active Directory:

You can use Active Directory Users and Computers to configure device location reporting. To enable that setting, go to the Group Policy in your Active Directory that applies to the devices: Computer Configuration > Policies > CyberArk Identity Cloud Management Settings > Common Settings > Mobile Settings > Restrictions Settings > Report mobile device location.

The option for location tracking by administrators is available only in the Identity Administration portal.

On iOS devices, the CyberArk Identity mobile app does not use GPS location tracking, because using GPS hardware is very battery-intensive. Instead, it uses the device’s significant-change location service, which produces updates only when there has been a significant change in the device location, for example 500 meters or more. In addition, significant-change location tracking is event-based: the application sleeps until there is a significant location change. Consequently, location tracking does not have any significant impact on battery consumption.

The Apple Location icon shown on the top status bar or in Privacy > Location Settings does not differentiate between GPS and significant-change location tracking.

On Android devices, the CyberArk Identity mobile app is configured for low power consumption. To confirm, tap the device Settings > Location. The CyberArk Identity mobile app listing shows “Low battery use.”