Security settings

The Security Settings section allows administrators to:

  1. Control access to their agency's Axon Evidence account by limiting IP addresses and applying exceptions for Axon applications
  2. Configure password requirements for their agency
  3. Choose Multi-Factor Authentication (MFA) settings
  4. Configure API access clients.

Watch this video to learn to configure security administrative settings.

IP Address

By enabling the IP Address security, agency administrators can define who is allowed or not allowed to access their agency’s Axon Evidence accounts based on the IP address. By default, when your Axon Evidence agency is created, IP security is disabled and your agency’s sign-in page can be accessed from anywhere within your country. These settings can be accessed by selecting the Admin tab, and then under Security Settings, choosing IP Address.

If you enable IP security, you can authorize specific IP addresses and ranges of IP addresses, such as the IP addresses used at your agency headquarters or at specific districts. Only devices assigned one of the authorized IP addresses can access your Axon Evidence agency. This IP Security setting supports both IPv4 and IPv6 addresses. You can use both full and compressed formats for IPv6.

Warning
  1. Before you enable IP security, work with your IT staff and your Internet provider to acquire static (non-changing) IP addresses. If you do not use static IP addresses, your agency could be denied access from its own Axon Evidence agency. Consumer-grade Internet lines, such as DSL or cable modems, typically have a 200-hour lease. This means that every 200 hours the IP address is refreshed with a new one.
  2. Your current IP address is displayed on the page. Make sure this address is included in the Allowed IP addresses, or you will be locked out. If you are locked out, contact support.

  1. On the IP address configuration page, select Add New IP Address.

  2. Choose if you are adding a Single IP Address or Range of IP Addresses.

  3. Choose an option below, and then follow the steps to enter an IP Address or range of addresses:

    1. Add a new single IPv4 address: To allow access from a specific IPv4 address (e.g. IP address is 115.77.110.124), enter the IP address (using this example, 115.77.110.124) in the IP Address box.

    2. Add new ranges of IPv4 addresses: To allow access from a range of IPv4 addresses (e.g. the CIDR notation is 115.77.110.0/24), enter the Starting IP Address(in this example, 115.77.110.0) and the Ending IP Address (in this example, 115.77.110.255).

    3. Add new single IPv6 addresses: To allow access from a specific IPv6 address (e.g. IP address is 2001:0db8:85a3:0000:0000:8a2e:0370:7334), enter the IP Address (in this example, 2001:0db8:85a3:0000:0000:8a2e:0370:7334).

    4. Add new ranges of IPv6 addresses: To allow access from a range of IPv6 addresses (e.g. the CIDR notation is 2401:d800::/36), enter the Starting IP Address (using this example, 2401:d800:0000:0000:0000:0000:0000:0000) and Ending IP Address (2401:d800:0fff:ffff:ffff:ffff:ffff:ffff in this example).

  4. Enter a useful description of this address in the Label field. The Label field is optional, but descriptive labels help make managing your Evidence account easier. For example: John Doe’s Workstation for a single address or Agency 8th Floor to specify a range of IP addresses.

  5. Select Add.

  6. The newly added IP Address shows in the table.

  7. You can continue adding additional IP Addresses as needed.

  8. Select Restrict User Access to the Trusted IP Addresses Below located at the top of the page.

    1. Note: You cannot select this option unless at least one IP address or range of IP addresses has been added.

  9. If at any time you want to prevent access from any IP addresses, choose the corresponding Delete icon. However, to prevent being locked out of your account, ensure that you do not delete your current IP address.

IP Allowed Lists for Multi-Homed Networks

Axon Evidence supports IP security allowed lists for agencies where web traffic can originate from multiple IPs during the same user session. The standard IP allowed list security detects if an active user changes source IP address in the middle of a session and logs the user out. The setting restricts site usage to the IP allowed list ranges but does not terminate a user session if there is an IP change mid-session. This IP Security setting supports both IPv4 and IPv6 addresses. You can use both full and compressed formats for IPv6.

This setting is designed for agencies using network designs where web traffic is sourced from multiple IPs. For example, networks with multiple firewalls or proxy servers can exhibit this behavior. Agencies that load balance outbound traffic across multiple network links also fall into this category. These designs are perfectly valid but cause a false positive for our “Man in the Middle” protection. Until now, these agencies have not been able to use our IP allowed list security.

If your agency is not using this type of design, it is recommended that you employ the standard IP session security for the highest levels of protection.

If you are using this kind of network and want to enable this feature, set your allowed IP addresses or ranges using the same steps shown above, then enable Allow IP address to change during an active session to the trusted IP addresses below.

Axon Application Exceptions

The IP restrictions feature provides additional access security to Axon Evidence. However, implementing this feature can block access for Axon mobile apps, which makes it difficult for officers to effectively use them.

The Axon Application Exceptions settings allow administrators to easily add exceptions to IP restrictions for specific Axon applications.

For the following Axon mobile applications, this feature is only supported for these versions:

  • Axon Device Manager for iOS v2.0.5 or later

  • Axon Device Manager for Android v3.0.4 or later

  • Axon View for iOS v5.0.1 or later

  • Axon View for Android v5.0.3 or later

  • Axon Capture for iOS v5.0 or later

  • Axon Capture for Android v5.0 or later

Earlier versions of these application will continue to function, but will be subject to the IP restrictions. See Keep your Axon apps updated to learn more about current app versions.

Set the applications exemptions:

  1. On the IP Address page, scroll to the Application exceptions section.

  2. Select the Axon Applications you want to exempt from IP Restrictions.

  3. Return to the main System Administration page.

Sign In Configuration

This feature enables administrators to define password settings for all users in the agency. These settings can be accessed by selecting the Admin tab, then under Security Settings, choosing Sign In Configuration.

When you have finished changing settings in any of these sections, choose Submit at the bottom of the page so your changes go into effect.

Deactivate inactive users after not signing in

This setting automatically deactivates a user account if they have been inactive for a pre-set number of days. If you select Enable Automatic Deactivation, the following options appear:

  1. Number of days inactive before account deactivation - can be set to a number of days between 5 and 730.

  2. Email warning schedule before account deactivation - set the number of days before deactivation, between 1 and 89, that the user will get an email reminder to sign in.

    1. You can add up to 3 additional reminders using Add Email Reminder.

Expire passwords for all users

This action will sign all users out of all Axon applications and force them to set a new password, including you. It will interrupt any current work. Make sure all users are in a safe situation to prevent signing them out of a critical application.

Configure password settings

You can set the following password settings:

  • Session Timeout – the number of minutes a user can be inactive before the user is automatically signed out of Axon Evidence. [default 10, min 10, max 720]

  • Failed Login Limit — the number of failed login attempts before the account is locked out. [default 5, min 1, max 25]

  • Lockout Duration — the number of minutes a user is locked out of their account due to failed login attempts. [default 60, min 1, max 720]

  • Password History — the number of unique new passwords a user must use before an old password can be reused. [default 10, min 1, max 25]

  • Maximum Password Age — how many days a password can be used before the user is required to change it. [default 90, min 7, max 365]

  • Minimum Password Age – the number of days a user must wait between manually changing their password. This setting does not affect administrative password resets. [default 1, min 0, max 7]

  • Minimum Password Length — how short passwords can be. [default 8, min 6]

  • Password Character Requirements – the types of characters required in a user’s password. Only the Special Characters option is editable. When enabled, users must include at least one special character in their password.

Note

There are no configuration settings for user security questions. Users have 15 attempts to enter their correct security question responses. Users who fail to enter the correct security question responses are locked out of the system for 1 hour.

Configure password settings using these steps:

  1. On the Sign In Configuration page, scroll to Configure password settings.

  2. Set the options based on your agency’s requirements.

    1. Note: To start over with customizing the password configuration settings, select Restore Defaults.

API Settings

The API Settings section is only available to al Axon Evidence agencies who request access to the Evidence.com Partner API. The Axon Evidence Partner API provides a programmatic means to access the data in your Axon Evidence agency. By developing API-compliant client software or using third-party client software, you can use the Partner API to integrate your Axon Evidence agency with other systems.

The API Settings page provides administrators with the ability to ensure that only authenticated and authorized clients can use the Partner API feature to programmatically configure your Axon Evidence agency. An API client can request, create, read, update and delete operations on a variety of data resources supported by the API, which include the following object types:

  • Users

  • Groups

  • Cases

  • Evidence

  • Devices

  • Reports

  • Category Management

The Partner API is available to all Axon Evidence agencies. To request access to the Partner API, contact your Axon representative. If you need assistance developing API client software, Axon Professional Services are available for billable work.