We didn’t think mobile could become a more popular or valuable topic, and then the unthinkable happened. Suddenly, our mobile devices became the only way many of us could see the faces of our friends and family or hear their voices. Professionally, mobile devices also continue to keep people connected who are working away from the work site, whether that be working from home, a cafe near home, or hey — even the beach or the Appalachian Trail.

Side note: I actually do know of someone who worked while hiking part of the Appalachian Trail. It’s amazing what’s possible with a good hot spot. 

The need and the desire over the past couple of years to make it possible for people to work beyond the office means that mobile devices are an even more prevalent and attractive technology. Whether your employees are soon returning to the office or are still working remotely, you can use the Workforce Mobile app to create a positive experience for your people.

Worker on Phone

Giving the right people access to the UKG Workforce Central mobile app

So, how does it work? How do you make sure that someone randomly poking around the app store trying out different apps can’t make their way into the app? Well, users must have their organization’s unique IP address to set up the app, for one — but there are even more security measures in place. To use the mobile app, users must validate themselves as authenticated users. 

  • Local authentication describes the process a user takes to identify themselves on the mobile device and log in to the UKG Workforce Central® solution. Examples of this include Face ID for Apple iPhones or Fingerprint for Android devices. Users are also prompted to authenticate themselves again when using the app to punch in. 
  • Extended authentication is what allows a mobile user to stay logged in on a device for a set time period. The host server registers the device upon login and creates a temporary logon token. The token is valid for a set amount of time, which is sent to (and stored on) the device. This token along with a one-time password algorithm ensures a secure user login. 

Extended authentication saves users from having to log in multiple times during the day, which is super convenient. But it also presents the possibility that anyone with an “authenticated” device could access the system by simply tapping the icon. What if an employee dropped their phone in the airport and it got into the wrong hands? Ah! That’s why both levels of authentication are important. Layering local authentication on top of extended authentication provides an addition tier of security for authenticated devices. If the airport phone swiper gets into the phone, they might be able to snoop through the employee’s photos and text messages, but they won’t get into the UKG Workforce Central mobile app with local authentication enabled. 

Customizing the employee experience with access method profiles

Access method profiles do just what the name implies — they allow or deny entry to the system. And if they allow entry, they then control the content that is available to the person using the app. That means administrators can use access method profiles to create custom experiences for different devices depending on what the device owner (the employee) needs to see. If you have UKG Workforce Central 8.0, you can take advantage of access method profiles today.

There are three types of access method profiles: function access profiles, display profiles, and role profiles. System administrators assign every employee a function access profile and a display profile. The role profile is what associates the function access and display profiles with one another and ultimately determines what the user can see. As you can imagine, the manager role profile would allow access to much more than the employee end-user role profile. 

Administrators can also tie a role profile to an IP address, which would control what users can see and do in the app depending on which device the address is coming from. For example, maybe you only want people to be able to punch in and out while they are on their corporate work device and not on their personal device. If the IP address signifies a personal device instead of a corporate device, you can adjust the settings so that the user can only use certain functions — like seeing their schedules and requesting time off, for example, but not punching in or out. 

For more detailed information about access method profiles, such as how to set them up, please check out UKG Workforce Central Online Help or the Documentation for UKG Workforce Mobile & UKG Workforce Tablet in UKG Kronos Community. Please note that you must be logged in to Community to view the article.

Geosensing and Geofencing

Then there are the top-voted and powerful geosensing and geofencing features. Only a couple of letters separate the spelling of these terms, but they do have a fundamental difference. 

When we talk about geosensing, we are describing the ability to filter which data is presented to a user via the mobile app by sensing where the person is located. Now, since we just talked about access method profiles, you might be wondering how one affects the other. Does geosensing work in conjunction with access method profiles? While they both provide access to what is seen, they do it in different ways. Access method profiles are tied to the employee’s role or position, not the location. Geosensing is helpful for presenting relevant data at the right time. Managers who are responsible for multiple departments or geographic areas can use geosensing to show data specific to whichever store location they are in. For example, if I am a district manager responsible for seven different stores, but I am currently located in store seven, my mobile information will be organized around store seven and show me the most relevant information. There is also an employee version of geosensing. If I am a geosensed employee and I go into the punch widget and select a transfer, the transfers will be filtered based on my physical location.

On the other hand, when we describe geofencing, we are talking about restricting punches from outside the radius of a known place. A known place is a specific geographic location-point based on latitude and longitude coordinates. You can use known places in combination with function access control points to set up rules for transactions. For example, you can configure the system to restrict a punch performed outside a set punch radius. Or, you can set it up so the employee is allowed to punch outside the radius and record the punch information indicating that the transaction was performed outside the punch radius. As you might infer, GPS location services must be turned on for geofencing to work. 

Find more information and get up and running quickly

I talked in more detail about these topics at my UKG Huddle session in June 2021, and participants asked TONS of great questions. You can check them out in the Bright Ideas About Accommodating Remote Employees with Mobile FAQ in UKG Kronos Community. Also, the Huddle is available on demand until June 2022! Check out the Get the UKG Huddle On Demand and Feed Your Genius Again blog post for all the information you need to access the session replays.

Lastly, I encourage you to visit the Mobile Resource Center in the UKG Kronos Community to find a number of supporting resources for employee users, managers, and new mobile administrators including video tutorials, user adoption tools, and quick links to documentation. 

The moral of this blog post? Authentication and access method profiles allow you to give the right employees access to what they need on their mobile devices. Also, use local authentication on top of extended authentication so you don’t have to worry about Bob who left his phone in the seat pocket on the airplane or Betty who left her phone on the counter at the coffee shop. 

Published: Tuesday, August 24, 2021