0% found this document useful (0 votes)

726 views80 pages

Hid Biometric Manager Administration Guide

Uploaded by

Scott0975

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

726 views80 pages

Hid Biometric Manager Administration Guide

Uploaded by

Scott0975

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 80

HID®

Biometric Manager™
Administration Guide

Software Version 1.0.1103.59811, Service Pack 2.2

PLT-04029, A.4
June 2020
HID® Biometric Manager™ Administration Guide

Powering
Trusted Identities
Powering HID® Biometric Manager™
Trusted Identities Administration Guide

Copyright
© 2019-2020 HID Global Corporation/ASSA ABLOY AB. All rights reserved.
This document may not be reproduced, disseminated or republished in any form without the prior written
permission of HID Global Corporation.

Trademarks
HID GLOBAL, HID, the HID Brick logo, the Chain Design, iCLASS SE, Seos, HID Mobile Access, HID Reader
Manager, HID Elite, HID Origo and HID Biometric Manager are trademarks or registered trademarks of HID
Global, ASSA ABLOY AB, or its affiliate(s) in the US and other countries and may not be used without
permission. All other trademarks, service marks, and product or service names are trademarks or
registered trademarks of their respective owners.

Contacts
For additional offices around the world, see www.hidglobal.com/contact/corporate-offices.
Americas and Corporate Asia Pacific
611 Center Ridge Drive 19/F 625 King’s Road
Austin, TX 78753 North Point, Island East
USA Hong Kong
Phone: +1 866 607 7339 Phone: +852 3160 9833
Europe, Middle East and Africa (EMEA) Brazil
3 Cae Gwyrdd Condomínio Business Center
Green Meadow Springs Av. Ermano Marchetti, 1435
Cardiff CF15 7AB Galpão A2 - CEP 05038-001
United Kingdom Lapa - São Paulo / SP Brazil
Phone: +44 (0) 2920 528 500 Phone: +55 11 5514-7100

HID Global Technical Support: www.hidglobal.com/support.

What's new
Date Description Revision
June 2020 Updates to support HID Biometric Manager Service Pack 2.2 (RB25F Reader Firmware A.4
Version 1.5.1.22 and HID Biometric Manager Software Version 1.0.1103.59811)

A complete list of revisions is available in Revision history

PLT-04029, A.4 2 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

HID® Bio me t r ic Ma n a ge r ™Admin is t r a t io n Gu id e

Introduction 5
1.1 Document purpose 6
1.2 Intended audience 6
1.3 Related material 6
1.4 Physical Access Control System overview 7
1.5 HID Biometric Manager 8
1.5.1 Credential Database 8
1.5.2 Data Import 8
1.5.3 Reader Service 8
1.6 Browser compatible device 8
1.7 RB25F 8
1.8 Panels and Door Controllers 9
1.9 Network setups examples 10
HID Biometric Manager overview 11
2.1 System requirements 12
2.2 TCP Port usage 12
2.3 HID Biometric Manager initial setup 13
2.3.1 HID Biometric Manager software install 13
2.3.2 HID Biometric Manager initial login 15
2.4 Resetting administration password 18
2.4.1 Configure time zone setting 19
2.5 Device installation and configuration 21
2.5.1 Configure device settings 23
2.5.2 Device firmware update 26
2.5.3 Reset a device 29
2.5.4 Uninstall a device 30
2.6 Enrollment 31
2.6.1 Enroll people 31
2.6.2 Enroll Cards 33
2.6.3 Enroll Biometrics 36
2.7 Load HID Elite keys 39
2.7.1 Create Biometric Manager operators 41
2.7.2 Configure software/firmware update settings 43
2.7.3 Setting static IP for HBM network 45
2.7.4 Setting static IP for a specific device 46
2.8 Enforce Seos read 47
2.9 Device profiles 48
2.9.1 Create a device profile 48

PLT-04029, A.4 3 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

2.9.2 Edit a device profile 50

2.9.3 Delete a device profile 54
2.10 Device health indication 55
2.11 Device debug page 56
2.12 Tamper settings 58
2.13 Write fingerprint templates to a card 59
2.14 Backup and recovery 61
2.14.1 Generate recovery key 61
2.14.2 Backup procedure 62
2.14.3 Restore procedure 63
2.15 System monitoring and Reports 65
2.15.1 View Biometric Manager events 65
2.15.2 Transaction Reports 67
Biometric Manager Mobile Access setup 69
A.1 Setup prerequisites 70
A.1.1 HID Mobile Identities setup 70
A.1.2 HID Reader Manager setup 70
A.1.3 Mobile Access user setup 70
A.2 Validate a Reader Manager account in HID Biometric Manager 71
A.3 Test MOB keys are working correctly 73
Fingerprint template encryption 74
Acronyms and terminology 76

PLT-04029, A.4 4 June 2020

Section 01
Introduction

Powering
Trusted Identities
Powering HID® Biometric Manager™
Trusted Identities Administration Guide

1.1 Document purpose

The document provides procedures for administrations to install and setup HID® Biometric Manager™ and
procedures for HID Biometric Manager operators to carry out tasks associated with iCLASS SE® RB25F
installation, people enrollment, and credential/biometric data management.
For more information on the RB25F device, refer to HID iCLASS SE® RB25F User Guide (PLT-04900).

1.2 Intended audience

This document is intended for personnel performing the following roles:
n HID Biometric Manager administrator: The document provides procedural information for the default
administrator to initially setup and configure the HID Biometric Manager application.
n HID Biometric Manager operators: The document provides procedural information for HID Biometric
Manager operators to install and configure network detected RB25F devices, enroll people in the
system, add credentials and biometric data.

1.3 Related material

Refer to this document: For information on:
HID Mobile Access® Solution Overview The HID Mobile Access solution, how system components interact with
(PLT-02078) each other, and how to get the best out of the solution.
HID Mobile Access Frequently Asked The Mobile Access solution, Mobile Access Portals, Mobile IDs, Mobile
Questions (PLT-02085) Access Apps, Mobile-enabled readers, onboarding process, and security.

HID Reader Manager™ Solution User Guide The HID Reader Manager solution, HID Reader Manager App for iOS
(iOS) (PLT-03683) devices, and the HID Reader Manager Portal.
HID Reader Manager Solution User Guide The HID Reader Manager solution, HID Reader Manager App for Android
(Android) (PLT-03858) devices, and the HID Reader Manager Portal.
HID Mobile Access SIS Portal User Guide Procedures for Mobile Access Administrators to manage mobile users and
(PLT-03613) credentials through the HID Mobile Access SIS Portal.
HID Mobile Access App User Guide Installation, configuration, and use of the HID Mobile Access App for iOS
(PLT-02077) and Android devices.

PLT-04029, A.4 6 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

1.4 Physical Access Control System overview

A Physical Access Control System (PACS) provides services for enrolling card holders, assigning access
rights, configuring access points and their associated access criteria, monitoring, and reporting. These
components are focused on access authorization. The HID Biometric Manager and RB25F solution
components are designed to be integrated into the PACS to provide strong authentication at access
points.
When a card holder presents their credential to a RB25F access point reader, it performs authentication
functions to establish whether the user is who they claim to be. If the authentication is successful the PACS
panel or controller is notified of the request for access. The panel then checks the access rights for the
presented credential to see if the card holder is authorized for access. If authorization is successful it opens
the door.
The diagram below provides a high level view of the various system solution components as deployed
within a PACS. The function of each component is described in the following sub sections. The
components with HID Biometric Manager service box are typically deployed on the same server as the
PACS headend software.
Note: Multiple RB25F devices and PACS Panel/Door Controllers can be added. HID Biometric Manager
can control up to 2,000 RB25F devices.

PLT-04029, A.4 7 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

1.5 HID Biometric Manager

The HID Biometric Manager is an application that acts as both a web server and a container for
background tasks and jobs.
The web server allows you to configure RB25F device settings via a web browser, register credential
holders, and to distribute this information to the devices. It also collects and stores logged events from the
RB25F.

1.5.1 Credential Database

The Credential Database is a SQL database that the PACS Service uses to store the credential data that has
been gathered through manual registration or Data Import. It also stores configuration data and transaction
logs for all installed RB25F devices.

1.5.2 Data Import

The HID Biometric Manager Data Import component allows credential and credential holder information to
be imported into the HID Biometric Manager database from a third party PACS headend. This ensures that
the output of the RB25F matches expected input of the third party controller.

1.5.3 Reader Service

This runs as a background service and automatically synchronizes data between the HID Biometric
Manager and the RB25F devices.

1.6 Browser compatible device

The HID Biometric Manager provides a web server which supplies content to any device which supports a
compatible browser and is accessible on the network.
This interface is used to install and configure RB25F readers. It is also used to perform user registration
including fingerprint enrollment. Any one of the RB25F devices can be selected as the enrollments device
from the browser.
Other functions include the ability to view transactions on the device in real time, and to download and
trigger updates for both the HID Biometric Manager software and the RB25F device firmware.

1.7 RB25F
The RB25F is a biometric card and fingerprint reader. It authenticates users according to one of five
modes, see Acronyms and terminology as configured by the HID Biometric Manager. These are fingerprint
only, card only, and two variations of card with finger. One stores the fingerprint data on the card, the other
stores the fingerprint data on the RB25F device.
When the credential holder is authenticated, the data is output to a third party controller.

PLT-04029, A.4 8 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

1.8 Panels and Door Controllers

These components are standard PACS hardware panels that are wired to door sensors and controls, card
readers, and general digital input and output to control and monitor other security devices. They make
access decisions based on credential IDs and are designed to continue functioning when communication
with the PACS headend is interrupted. A PACS panel makes an authorization decision about whether the
credential has access rights to a particular area. The authorization decision is made after the authentication
is successfully completed by the RB25F which ensures the credential is authentic.
The following diagram shows an example of the system.
Note:
n The entire system is located inside the firewall.
n Multiple RB25F devices and PACS Panel/Door Controllers can be added. HID Biometric Manager can
control up to 2,000 RB25F devices.

PLT-04029, A.4 9 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

1.9 Network setups examples

The HID Biometric Manager installation wizard is expected to cope with the vast majority of network
configurations. When using Biometric Manager during discovery and installation of RB25F devices, it
defaults to hostname RB25F Server.

Scenario 1 - DHCP network, RB25F devices have dynamic IP, Server has a static IP
In this system setup the server has a static IP or the DHCP server assigns an IP with a permanent lease.
RB25F devices have an Ethernet connection on the same LAN as the server running Biometric Manager.
The network is configured so that the DCHP server dynamically assigns IPs (which may have a limited
lease time) to RB25F.

Scenario 2 - DHCP network, RB25F devices have dynamic IP, Server has a dynamic IP
In this system setup the server has a DHCP assigned IP.
RB25F devices have an Ethernet connection on the same LAN as the server running Biometric Manager.
The network is configured so that the DCHP server dynamically assigns IPs (which may or may not have
limited lease time).
HID Biometric Manager is installed on the server using the setup install wizard. During installation of RB25F
devices in Biometric Manager, you must select and use the default server hostname. In the event where the
server IP address changes, the hostname will reflect back to the server hostname.
Note: Setting HID Biometric Manager to a static IP will cause issues on this network.

Scenario 3 - Biometric manager installed on a PC and connects to DHCP network

This is the same as Scenario 2 except HID Biometric Manager is running on a PC. This means that it is likely
that Biometric Manager will not be running all the time. When Biometric Manager is not running, RB25F
devices will be in an off-line mode. In off-line mode they will run as configured and log events, however
enrollment will not be possible.

Scenario 4 - Network without DHCP

The HID Biometric Manager install wizard carries out setup and assigns a hostname.

PLT-04029, A.4 10 June 2020

Section 02
HID Biometric Manager overview

Powering
Trusted Identities
Powering HID® Biometric Manager™
Trusted Identities Administration Guide

HID® Biometric Manager™ is a web application® that streamlines the management and configuration of
RB25F devices and allows application operators to manage people enrollment, credentials and fingerprint
templates. HID Biometric Manager uses the following operator roles to control access to management
tasks:
n Super Administrator: The super administrator is the initial default user account (cannot be deleted).
This operator installs and initially configures Biometric Manager software, and creates/administers
operator roles within the application see HID Biometric Manager initial setup.
n Administrator: This operator role has full access to Biometric Manager web application with
functions to install and manage RB25F devices see Device installation and configuration and enroll
people in the system, add credentials, collect and store associated biometric data see Enrollment.
n Device Administrator: This operator role is intended for HID partner technicians involved in the setup
and maintenance of the Biometric Management environment as well as configuration and update of
the RB25F. This operator role has limited access to user information.
n Enrollment: This operator role has full access to Biometric Manager web application. however is
limited to the day-to-day activities of enrolling people in the system, adding credentials, collecting
and storing associated biometric data see Enrollment.

2.1 System requirements

HID Biometric Manager system requirements:
n Intel® i5 2.3 GHz
n RAM 8 GB
n Available Disk Space 20 GB
n Windows® 7 SP2 (Minimum), Windows® 10 (Preferred)

2.2 TCP Port usage

HID Biometric Manager TCP port usage:
n 883 Communication (MQTT Broker)
n 8883 Communication (MQTT Broker)
n 80 REST (Initial MQTT Configuration)
n 10500 Device discovery
n 22 (SSH) Firmware upgrade

PLT-04029, A.4 12 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

2.3 HID Biometric Manager initial setup

2.3.1 HID Biometric Manager software install
It is recommended that HID Biometric Manager is installed on a DHCP network server that automatically
provides and assigns IP addresses, default gateways and other network parameters to client devices.
1. Download the HID Biometric Manager.exe file from the download site to your server:
https://www.hidglobal.com/rb25f
2. Double click on the HID Biometric Manager.exe file to launch the installation wizard.
Note: If the server system language is configured to one of the supported languages then the install
wizard instructions and Biometric Manager will automatically default to the server system
language. Supported languages:
n English n Portuguese
n German n Russian
n Spanish n Simplified Chinese
n French n Japanese
n Italian n Korean

3. Select the HID Biometric language and click OK.

4. On the initial installation wizard screen, click Next.

5. Read the License Agreement. Select I accept the agreement, and click Next.
Note: If you do not accept the License Agreement, click Cancel to end the installation setup process.

PLT-04029, A.4 13 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

6. Follow the installation wizard prompts until the setup has finished installing HID Biometric Manager
on your machine.

PLT-04029, A.4 14 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

2.3.2 HID Biometric Manager initial login

On the server where HID Biometric Manager has been installed:
1. Double-click on the HID Biometric Manager desktop shortcut or navigate to the installation folder
(usually, C:\Program Files (x86)\HID Global\Biometric Manager\bin) and double-click on the HID
Biometric Manager.exe file.
Note: The size of the database may impact how long it takes the Biometric Manager application to
launch. Start up feedback is indicated with an on screen progress bar.
2. On the HID Biometric Manager Server application screen, click on the Open Client Connection link to
access the HID Biometric Manager application login screen. Record the Client Connection link url as
this can be distributed and used to access the HID Biometric Manager application from a client PC
on the same network.
Note: If the Open Client Connection link url fails to connect to HID Biometric Manager due to a port
issue, change the default port number (443) in the link url to:
http://hostname:82/HIDBiometric/HIDBiometricManager.html

PLT-04029, A.4 15 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

3. Enter the initial default admin User Name (admin) and Password (password) and click LOGIN.

4. For security reasons it is recommended that the default admin login credentials are immediately
changed. Click on the System option and select Operators.

PLT-04029, A.4 16 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

5. Click on the Edit icon [ ] associated with the displayed system admin user.

6. Select the Security option under Change Password:

n Enter the default Old Password.
n Enter a New Password, then re-enter the new password to confirm.
Note: There are currently no password format rules. Clicking on the eye icon when entering the new
password will display the password.
7. Click the Save icon to save this new password.

8. Exit HID Biometric Manager and login again using the default username (admin) and new password.

PLT-04029, A.4 17 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

2.4 Resetting administration password

Resetting the administrator password can be achieved in the HID Biometric Manager Server under
Security>Account before log in.

This method is used when the user cannot log in to change the administrator password as shown in HID
Biometric Manager initial login

PLT-04029, A.4 18 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

2.4.1 Configure time zone setting

Setting the time zone will configure the time zone for the instance of Biometric Manager running on the
server.
1. Click on the System option.
2. Select the Date/Time option to access system time zone settings.

3. Select the Time Zone arrow icon to access a list of selectable time zones.

PLT-04029, A.4 19 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

4. Select the desired Time Zone from the displayed list.

Note: Use the Search field to narrow your search criteria for a listed time zone.

5. On the Date/Time screen click the Save icon to save your time zone setting.

PLT-04029, A.4 20 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

2.5 Device installation and configuration

Device installation and configuration with HID Biometric Manager can only be carried out by the
Administrator or Device Administrator role. For initial configuration or when no devices are installed,
Biometric Manager opens on the Devices screen with the option to install a device. If devices are already
installed Biometric Manager opens on the People screen, see Enrollment.
1. Launch HID Biometric Manager and login as an Administrator or Device Administrator operator.
2. To initially install a device, on the Devices screen, click INSTALL DEVICE.
Note: If devices are already installed, to add additional devices click the Install icon [ ].

3. In the Install dialog, click SCAN NETWORK to ensure the complete list of available devices are
shown.
Note: If no devices are found check the ports listed in TCP Port usage are open. The Search function
can be used to search the list of displayed devices.

PLT-04029, A.4 21 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

4. Select a device from the displayed list and click FINISH.

5. When the installation has completed the Devices screen displays the installed device.
Note: Installed devices are automatically added to the default device profile named Devices. The
default device profile can be edited or new profiles can be added to the system.

Note: To uninstall a device, see Uninstall a device.

PLT-04029, A.4 22 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

2.5.1 Configure device settings

To access and configure settings associated with an installed device:
1. On the Devices screen, highlight a device entry from the displayed list. The Edit/Delete icons appear
on the screen for the highlighted device.
2. Click on the Edit icon [ ] associated with the device to access the device settings screen.

3. On the Devices screen, if not already displayed, select Details.

4. Under Device Information you can edit the following:
n Name/Description: Enter a logical name for the device. As an option enter a description for the
device.
n Profile: Click on the arrow icon to select a device profile. Click EDIT PROFILE SETTINGS to
configure the settings for the displayed device profile, see Edit a device profile.

PLT-04029, A.4 23 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

5. On the Devices screen, select Communication.

6. On the Communication screen you can configure:
n Network Settings: To use a static IP address select the Static option. Enter a static IP address
(IPv4) and also the Subnet Mask and Gateway.
n Host Connections Mode: Set as Wiegand (default).
Note: OSDP is currently not supported.
n BLE Settings: Enable/disable BLE Mobile Access.
n Operation Modes: Select the desired operation mode to enable/disable the Tap or Twist and
Go gesture operation.
n Range and Power Settings: Set the read range for Tap and Twist and Go and the setting for
Transmit Power.
Note: The default range settings for Tap, Twist and Go and Transmit Power are displayed in HID
Biometric Manager. It is recommended that the default Transmit Power setting (-4 dBm) is not
exceeded unless absolutely necessary as range and transmit power settings work in tandem to
increase/decrease effective read range.
7. When the Communication settings have been selected click the Save icon [ ].

PLT-04029, A.4 24 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

8. On the Devices screen select Advanced. On the Advanced screen you have options to:
n SYNC: Syncs all device settings in HID Biometric Manager to the device.
n FACTORY DEFAULT: Restores all device settings to the original factory defaults, see Reset a
device.
n REBOOT DEVICE: Reboots the device.
n UPDATE FIRMWARE: Updates device firmware.
n CHANGE PASSWORD: Change the device password. The device password provides device
security on the LAN if secure mode is not enabled.
n ENABLE SECURE MODE/DISABLE SECURE MODE: This turns on encryption in the
communication channel.
n READ: Read mobile keys from the device.
n CLEAR: Remove mobile keys read from the device.
n WRITE: Write mobile keys to the device. Before Mobile keys can written to the device, keys
have to loaded onto HID Biometric Manager, see Biometric Manager Mobile Access setup.
9. Click SYNC option. For the selected device all settings are copied from HID Biometric Manager to
the RB25F.

PLT-04029, A.4 25 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

2.5.2 Device firmware update

An indication that a firmware update is available for a device is provided on the Devices screen. If the
displayed version number for a device is not green then this indicates that a firmware update is available
for that device.

Device firmware updates can take up to approximately eight minutes per device, including updates of the
reader board. Updates may complete faster depending on the HID Mobile Access Portal connection and
the number of uninterrupted updates.
Important: It is recommended that device firmware updates should be carefully scheduled as all devices
are updated and will be unavailable for use during the firmware update period.
To update device firmware:
1. Select the System option and click Update.

PLT-04029, A.4 26 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

2. Click CHECK FOR UPDATES. Review the displayed firmware update information and click Install to
trigger the firmware update process.

An indication of the firmware update progress is displayed.

Note: The Progress Report bar indicates firmware update progress against total devices. For example, if
two devices are being updated then 50% progress indicates one device updated out of two devices.
Devices are updated in series with information displayed on the current device being updated.

3. When the firmware update is indicated as complete, click OK.

Note: Any partial or failed firmware updates are indicated in the Upgrade Summary table.

PLT-04029, A.4 27 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

A partial update means that the system was not able to complete the secondary step of applying
advanced updates, for example, as a result of the connection to the HID Mobile Access Portal not being
setup (see Biometric Manager Mobile Access setup) or being interrupted.
A partially updated device will run the installed level of firmware however features, such as mobile access,
and firmware fixes will not be available.

4. Check the Devices screen to verify device firmware versions.

PLT-04029, A.4 28 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

2.5.3 Reset a device

To clear all device settings, including IP address and port:
1. On the Devices screen, highlight a device entry from the displayed list. The Edit/Delete icons appear
on the screen for the highlighted device.
2. Click on the Edit icon [ ] associated with the device to access the device settings screen.

3. On the Devices screen select Advanced and the FACTORY DEFAULT option.
4. Select FACTORY DEFAULT to confirm the action.

Note: Where communication between HID Biometric Manager and the RB25F is not possible, factory
default reset can be carried out at the reader, see HID iCLASS SE RB25F User Guide (PLT-04900).

PLT-04029, A.4 29 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

2.5.4 Uninstall a device

To uninstall a device (possibly as a means to resolving issues by removing the device from the database,
power cycling, then re-installing the device):
1. On the Devices screen, highlight a device entry from the displayed list. The Edit/Delete icons appear
on the screen for the highlighted device.
2. Click on the Delete icon [ ] associated with the device.

3. Click UNINSTALL to confirm the uninstall action.

4. You will be notified of a successful device uninstall, click OK.

Note: If all devices have been uninstalled in Biometric Manager, you will have to option to install a
devices on the Devices screen, see Device installation and configuration.

PLT-04029, A.4 30 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

2.6 Enrollment
Enrolling people in the system, adding credentials and collecting associated biometric data can be carried
out by an Administrator operator or a Enrollment operator.

2.6.1 Enroll people

1. Launch HID Biometric Manager and login as either Administrator operator or Enrollment operator.
2. Click on the People option. If no people are enrolled in Biometric Manager the People screen is
empty and you have the option to enroll a person. Click ENROLL PERSON.
Note: If people are already enrolled, click the Add icon [ ] to enroll additional people.

PLT-04029, A.4 31 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

3. Enter the persons details (First Name/Last Name) and an ID number.

4. Select the Active option to make this enrolled person active in the system.
Note: If the Active option is not selected the enrolled person will have an inactive status in the
system and the person's record is not displayed on the People screen.
5. Click the Save icon [ ].

The enrolled person record is displayed on the People screen. To add additional people, click on the New
icon [ ] and enter the new persons details.
Note: To display people that have an inactive status, click the filter icon [ ] and select the Show Inactive
People option.

PLT-04029, A.4 32 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

2.6.2 Enroll Cards

1. On the People screen select a displayed person record.
2. On the Cards screen click ADD CARD.
3. At this point on the Details screen you can either scan a card to obtain the card details or, if no card
is available, manually enter card details.

Scan card for card details

1. On the Details screen, click READ CARD. If more than one reader is installed, select a device from the
displayed list.
2. Within five seconds, present a card to the RB25F device.
Note: The card type supported by the device is configured in the device profile settings, see Edit a
device profile.

3. Click the Save icon [ ] to save this Credential Identifier.

Note: The credential recorded in HID Biometric Manager must also be present in the third party PACS
software running on the PACS Server.

PLT-04029, A.4 33 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

The operator can now collect and add biometric data associated with this enrolled person, see Enroll
Biometrics.

Manually enter card details

If no card is available to scan, card details can be entered manually:
1. On the Details screen, select the arrow icon [ ] associated with the Format field.

2. Select the Credential Format appropriate for the card in use.

PLT-04029, A.4 34 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

3. Enter a Credential Number (decimal) and Facility Code.

4. Click the Save icon [ ] to save these card details.

The manually entered card details are displayed with the decimal Credential Number converted to
hexadecimal in the Credential Identifier field.
Note: The credential recorded in HID Biometric Manager must also be present in the third party PACS
software running on the PACS Server.

PLT-04029, A.4 35 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

2.6.3 Enroll Biometrics

1. On the People screen select a displayed person record.
2. Click the Biometrics option.
3. Click ENROLL to start the biometric enrollment process.

4. In the Enroll Biometric dialog select the fingers you wish to enroll and click Next.
Note: If you intend to make use of the Template on Card option as the authentication mode you will
only be able to copy two of these templates to the card. However the system can store all ten
fingers, if needed.

5. Select a device from the displayed list and click Next.

Note: Device names can be changed to a logical name for easier identification, see Configure device
settings.

PLT-04029, A.4 36 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

6. For the highlighted finger you will be prompted to <Place finger on sensor> followed by <Lift
finger>. It is recommended that you follow the on-screen prompts, in the correct sequence, to ensure
a successful finger scan.
Note: For information regarding the correct method of presenting fingers to the scanner during the
biometric enrollment process, see HID iCLASS SE® RB25F User Guide (PLT-04900).

7. Continue to follow the on-screen prompts until you have successfully scanned the first finger three
times. Click Next.
Note: A score of at least one star per scan is needed. A poor score will require that you scan the
finger another three times.

PLT-04029, A.4 37 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

8. You will be prompted to proceed onto the next finger scan. Follow the on-screen instructions until
you have successfully scanned the next finger three times.
9. When all of the selected fingers have been successfully scanned, click Done. The enrolled
fingerprints are associated with the top credential in the credential list.
Note: If the top credential in the credential list is deleted then enrolled fingerprints are associated
with the next credential in the list. If all credentials are deleted then the biometrics are also
deleted.

PLT-04029, A.4 38 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

2.7 Load HID Elite keys

This feature allows HID to push HID Elite™ keys to the customer via the web. Currently, only Seos® cards are
supported by the HID Elite keys.
Note: Standard keys will not work on the RB25F once Elite keys have been loaded to the device.
Note: After a factory reset, the device cannot be checked for standard or Elite key configurations.
The reader technician account needs to be setup in order to perform this operation. See Validate a Reader
Manager account in HID Biometric Manager
Note: You need to be fully enrolled in HID Elite with an ICE Key reference for RB25F to load your ICE Key
in the field. This may require contacting HID Credential Programs for confirmation of enrolment.
To load Elite keys:
1. Select a device.
2. Open the Key Management tab.
3. Click the arrow to select Elite keys.

PLT-04029, A.4 39 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

4. Select a key set to load.

5. With the key set selected, click Write.

PLT-04029, A.4 40 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

2.7.1 Create Biometric Manager operators

HID Biometric Manager uses the following operator roles to control access to management tasks:
n Administrator: This operator role has full access to Biometric Manager web application with
functions to install and manage RB25F devices, enroll people in the system, add credentials, and
collect and store associated biometric data.
n Device Administrator: This operator role is intended for HID partner technicians involved in the setup
and maintenance of the Biometric Management environment as well as configuration and update of
the RB25F. This operator role has limited access to user information.
n Enrollment: This operator role has full access to Biometric Manager web application, however is
limited to the day-to day activities of enrolling people in the system, adding credentials, collecting
and storing associated biometric data.
To create Biometric Manager operator roles:
1. Click on the System option.
2. Select the Operators option to access software and firmware update settings.

PLT-04029, A.4 41 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

3. To add and operator, click the New icon [ ].

4. On the Operators Details screen enter the following:

n Login: Enter a login name for this operator.
n Profile: Select the operator profile, Administrator, Device Administrator, or Enrollment.
n Link to: Link this operator profile to a person.
n Password/Confirm Password: Enter a password (re-enter to confirm) for this operator.
5. Click the Save icon [ ] to save the operator profile.

PLT-04029, A.4 42 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

2.7.2 Configure software/firmware update settings

To configure how HID Biometric Manager software and device firmware are updated:
1. Click on the System Option.
2. Select the Update option to access software and firmware update setings.

3. Select the arrow icon associated with:

n HID Biometric Manager: To access options to configure how Biometric Manager software
updates are installed.
n Device Firmware: To access options to configure how device firmware updates are installed.

4. Select the desired update option and click Apply.

PLT-04029, A.4 43 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

5. Click CHECK FOR UPDATES to check if software/firmware updates are available. Update Status
information is displayed on the screen.
n If new HID Biometric Manager software is available and selected, the installation progress is
displayed in your browser. Once the installation is complete the HID Biometric Manager Server
application will automatically shut down and re-start. You will be prompted to log back into
the HID Biometric Manager.
n If new device firmware is available, see Device firmware update.

PLT-04029, A.4 44 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

2.7.3 Setting static IP for HBM network

HID Biometric Manager has a feature that allows each device and the HBM network to have a static IP
address. When all connected devices and the HBM network are configured with the correct static IP
settings, the system continues to operate if the DHCP server is turned off.
To set the static IP for the HBM network:
1. Select Network Settings from the System menu.
2. Select IP Addressand click the arrow to select a Host IP from the list.
Note: Tick the Manual Entry box to manually enter the IP Address.

3. Click Save to finish.

PLT-04029, A.4 45 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

2.7.4 Setting static IP for a specific device

To set the static IP for an individual device:
1. Open the Devices page.
2. Select a device to configure.

3. On the Devices page, select the Communications tab.

4. Tick the Static box to set the static IP address.

5. Click Save to finish.

PLT-04029, A.4 46 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

2.8 Enforce Seos read

The reader will only read PACS data of a Seos card with this feature enabled. If only using credentials that
are multi technology HID cards with Seos or Seos cards with static UID, this feature is recommended.
The Enforce Seos PACS option can be toggled on or off in Device Profiles under the Advanced tab.

Click the Save icon to finish.

Note: If using Seos credentials without this option enabled, the PACS data read will not be consistent.

PLT-04029, A.4 47 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

2.9 Device profiles

A device profile contains a set of attributes that you can associate with a device, or group of devices, and
is the primary means by which you can manage devices. HID Biometric Manager comes with a default
device profile named Devices and installed devices are automatically placed in this default device profile.

2.9.1 Create a device profile

To create a new device profile:
1. Click on System and select the Device Profiles option.

PLT-04029, A.4 48 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

2. Click the Add icon [ ].

3. Enter a Name and optional Description for the new device profile, then click the Save icon [ ].
Note: Select the arrow icon associated with Authentication Mode to select an Authentication Mode.
Device Profile attributes can now be edited. See Edit a device profile.

4. The created device profile is listed on the Device Profiles screen. To edit a profile, highlight a device
profile from the displayed list. The Edit/Delete icons appear on the screen for the highlighted device
profile.

PLT-04029, A.4 49 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

5. Click on the Edit icon [ ] associated with the device profile to access the profile attributes. See
Edit a device profile.

2.9.2 Edit a device profile

To edit the attributes of device profile:
1. On the System screen, highlight a device profile from the displayed list. The Edit/Delete icons
appear on the screen for the highlighted device profile.
2. Click on the Edit icon [ ] associated with the device profile.

PLT-04029, A.4 50 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

3. On the Device screen, if not already displayed, select Details. On the Details screen you can edit the
device profile Name and Description and select the Authentication Mode (for a definition of the
Authentication Modes, see Acronyms and terminology.
Note: The authentication mode set here is the default when no authentication mode schedule has
been configured.

4. On the Device screen, select Audio/Visual.

5. Click on an Event type from the displayed list to edit the attributes for the selected event.
6. Click SAVE to save the selected setings.
Note: Click USE DEFAULTS to revert back to the default settings for the selected event.

PLT-04029, A.4 51 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

7. On the Device screen, select Authentication.

8. Click ADD SCHEDULE to schedule when a device will operate in a special Authentication Mode.
Select a schedule from the list and click Next.
Note: Click CREATE SCHEDULE to create a new authentication schedule.

9. On the Device screen, select Devices to view the list of devices that belong to this device profile. Any
changes made to this device profile will be applied to these listed devices.
10. Click the Add icon [ ] to add a device to this device profile.

11. On the Device screen, select Advanced.

12. Select the card types which the device should support and the fingerprint sensor settings.
13. Click SAVE to save the selected settings.

PLT-04029, A.4 52 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

PLT-04029, A.4 53 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

2.9.3 Delete a device profile

To delete a device profile:
1. On the System screen, highlight a device profile from the displayed list. The Edit/Delete icons
appear on the screen for the highlighted device profile.
2. Click on the Delete icon [ ] associated with the device profile.

3. Click CONFIRM to proceed with the device profile delete action.

PLT-04029, A.4 54 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

2.10 Device health indication

HID Biometric Manager displays the health status of connected devices in a live view on the Device page.
There are four icons that indicate the device health.
Icon Status Definition
High level communications in The device is ready to be used and there are no issues.
place and device ready.

Low level communications only The device has power and can be found through LAN or Ethernet but there
and the device can't be used. is an operating error.

No communications with device. Communication has been lost between the device and HID Biometric
Manager.
The device has lost power or a tamper event has taken place.

High level communications in Communication between the connected devices and HID Biometric
place but device is busy. Manager is stable but the device is experiencing a high level of usage.

The Devices page displays the real-time status for all connected devices.

PLT-04029, A.4 55 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

2.11 Device debug page

The device debug page provides a live view of the status of each input for the device and serves as a
diagnostic tool during installation and operation.
To access the device debug page, search http://<Device IP>:8888 in a Web browser.
The Miscellaneous window gives device information such as the running time, serial number and firmware
version.
The Digital Inputs reading of High indicates that the input is in use or has been triggered. A short across
the terminals on the rear of the device will result in the Factory Default input reading High.

When the DHCP option under the Network window is toggled off, the Network window will expand. The
details can be manually entered to suit the user.

PLT-04029, A.4 56 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

Under the Control tab, a relay can be selected and activated to determine a connection through the device
debug page. This is useful during the installation of the device. If the door strike is wired to the internal
relay, it can be activated to confirm connection.

Note: The internal relay will toggle for 5 seconds.

PLT-04029, A.4 57 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

2.12 Tamper settings

When any of the connected devices are removed from the casing or power is cut to the any of the
connected devices, the Factory Default feature will trigger, resetting and rebooting to factory settings,
clearing the connected devices of any stored Biometric templates and any connected devices
configuration settings. The devices will not communicate with the HID Biometric Manager until it has been
re-installed.
Note: The Factory Default feature is switched off by default.
In the case of an accidental tamper, where the device keeps power, a Tamper event will appear in the Live!
view. The Device health will now be red.
To restore communications between the Device and HID Biometric Manager, the Device must be
uninstalled from HID Biometric Manager and then re-installed.
To toggle the Factory Default setting on or off, on the Device Profile page and select the Advanced tab.
Click Save to save the changes.

PLT-04029, A.4 58 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

2.13 Write fingerprint templates to a card

If you intend to make use of the Template on Card option as the authentication mode you will only be able
to copy two fingerprint templates to the card.
1. On the People screen select a displayed person record.
2. On the Cards screen select a displayed Credential Identifier.
3. Click WRITE TO CARD to copy the templates to the card.

4. Select the fingers (maximum of two) you wish to be written to the card and click WRITE TO CARD.

5. You will have approximately five seconds to present the supported card to the RB25F device in
order to write the profiles to the card. The LED bar will flash while writing to the card. Keep the card
in the reader field until the LED bar returns to it’s default color.

PLT-04029, A.4 59 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

6. You will be notified when the card has been successfully written to.

For a Template on Card authentication mode, the enrolled person can now enter the door by presenting
this card, immediately followed by the correct finger scan on the RB25F.

PLT-04029, A.4 60 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

2.14 Backup and recovery

This section explains how to backup the Microsoft SQL local Data Base (DB) used by HID Biometric
Manager.

2.14.1 Generate recovery key

This section shows how to generate a recovery key on the original server.
A new key is only required if:
n Clean install is performed
n After updating to SP2.2 and restarting the HBM server
Note: A recovery key only needs to be generated once per database instance.
Before commencing with the first database backup, a recovery key has to be generated as a single use
key. To generate a recovery key from the HID Biometric Manager server and copy this to a safe location.
1. Open the Security tab and select + Generate Recovery Key.

2. The Recovery Key Generator window is displayed. Click Generate Key.

3. Click OK once the Recovery Key message appears then close that window.
4. Copy and save the generated recovery key to a text document and save to multiple secure machines
or locations other than the HBM server.

PLT-04029, A.4 61 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

2.14.2 Backup procedure

The following shows the backup procedure on the original server.
1. Stop the SQL local database by opening a command prompt and typing SQLLOCALDB STOP HID_
BIOMANAGER.

2. Stop HBM in the Windows system tray.

3. Copy the HID_BIOMANAGER.mdf and HIDBIOMANAGER_log.ldf files from C:\Program Files

(x86)\HID Global\Biometric Manager\database to a secure location.
n Backup daily or weekly.
n Store backups on a secure machine separate to the HBM server.
4. The backup is now complete. It is now safe to start up HBM if no recovery procedure is needed.

PLT-04029, A.4 62 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

2.14.3 Restore procedure

The restore procedure takes place on the recovery server.
1. Ensure that the original server is not on the network, or that HBM has been uninstalled and is no
longer used on the original server.
2. Ensure the SQL server version on the recovery machine is the same or a higher version than the
original server. The SQL local database version installed by HBM is based on the current version of
SQL server installed.
3. Install HID Biometric Manager but do not start it.
4. Copy and paste the previously back up .mdf and .ldf files to C:\Program Files (x86)\HID
Global\Biometric Manager\database.

5. Launch HBM. The recovery key will need to be entered:

a. Paste the recovery key in the field
b. Click Recover
c. On successful recovery, click OK

PLT-04029, A.4 63 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

6. Once started, check that the recovery process has created a new certificate with the recovery server
information and not the original server information. This can be verified through the HID Biometric
Manager Server window.

a. Open the Security tab.

b. Under the Key Store tab and select certificateauthority and in the Details window, verify the
following:
n Subject CN and Issuer CN must be the host name of the recovery server.
n Check the Validity field and make sure the date and time reflects the date and time around the
current install of HBM on the recovery server .
n Under section Subject Alternative Name, make sure the IP addresses belong to the recovery
server.

8. Log into HBM and uninstall all connected devices. Do not Factory Default.
9. Factory default all devices using the pins on the reverse of the unit, see HID iCLASS SE RB25F User
Guide (PLT-04900).
10. Wait one minute for devices to reboot after factory default.
11. Re-install all devices within HBM.
12. Test the communication between devices and HBM.

PLT-04029, A.4 64 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

2.15 System monitoring and Reports

2.15.1 View Biometric Manager events
Actions carried out in Biometric Manager are logged as events. To view a HID Biometric Manager events,
click the Live! option. To examine individual entries when the network is busy click the pause icon [ ] to
pause real-time network monitoring.
Note: Event information is only displayed after a device has been added.

To filter displayed events select the Filters option. Any current filters in use are displayed. Click ADD
FILTER to create a new filter based on a Name, Event, or Device. Click the Save icon [ ] to save any
added filters.
Note: If no filters are used then the default filter is applied. This displays events only for the calendar day.

PLT-04029, A.4 65 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

PLT-04029, A.4 66 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

2.15.2 Transaction Reports

To create a report of HID Biometric Manager transactions click System and select Transaction option.

Click RUN REPORT to create a report of HID Biometric Manager transactions. Once the report is created
click the save report icon [ ] to save the report to a PDF or CSV file.

PLT-04029, A.4 67 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

To filter report content select the Filters option. Any current filters in use are displayed. Click ADD FILTER
to create a new filter based on a Controller, Date/Time, Event, or Person/Asset. Click the Save icon [ ] to
save any added filters.
Note: If no filters are used then the default filter is applied. This displays events only for the calendar day.

PLT-04029, A.4 68 June 2020

Appendix A
Biometric Manager Mobile
Access setup

Powering
Trusted Identities
Powering HID® Biometric Manager™
Trusted Identities Administration Guide

This section provides details on the prerequisites that must be in place in order to setup a connection
between HID Biometric Manager™ and the HID Mobile Access® Portal. The section also details how to verify
HID Reader Manager™ Technician account details in Biometric Manager and how to load HID Mobile
Access (MOB) keys onto the RB25F.

A.1 Setup prerequisites

In order to setup a connection between HID Biometric Manager and HID Mobile Access for updates and to
facilitate loading MOB keys onto the RB25F the following prerequisites must be in place.

A.1.1 HID Mobile Identities setup

The Organization must register for HID Mobile Identities via the onboarding process. The onboarding
process will setup an Organizational account in the HID Origo® Portal HID Mobile Access Portal and creates
a primary account administrator. For detailed information on the onboarding process visit the onboarding
site at:
https://managedservices.hidglobal.com/faces/maUserOnBoardingStart
For information relating to the HID Mobile Access solution, including the HID Mobile Access Portal, refer to
the following:
n HID Mobile Access Solution Overview (PLT-02078).
n HID Mobile Access Frequently Asked Questions (PLT-02085).

A.1.2 HID Reader Manager setup

At the customers request, the Mobile Access Portal administrator creates a Reader Manager administrator
in the Mobile Access Portal. A designated Reader Technician downloads, registers, and authenticates the
HID Reader Manager App on a mobile device. The Reader Manager Portal administrator enrolls the Reader
Technician and issues Authorization Keys to the Reader Technician. For information relating to setup
procedures for HID Reader Manager Portal Administrators and Reader Manager Technicians refer to:
n HID Reader Manager Solution User Guide (iOS) (PLT-03683).
n HID Reader Manager Solution User Guide (Android) (PLT-03858).

A.1.3 Mobile Access user setup

The Origo Port and Mobile Access Portal administrator enrolls mobile users in the system and issues
Mobile IDs. End users download and install the HID Mobile Access App on their mobile devices. For
detailed information refer to the following:
n HID Mobile Access Frequently Asked Questions (PLT-02085).
n HID Mobile Access App User Guide (PLT-02077).

PLT-04029, A.4 70 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

A.2 Validate a Reader Manager account in HID Biometric Manager

In order to validate a Reader Manager Technician account in HID Biometric Manager an active Reader
Manager Technician account must be present, see HID Reader Manager setup.
To validate a Reader Manager Technician account (this should be the Portal admin or a company
employee) in HID Biometric Manager:
1. Log into HID Biometric Manager.
2. Select System and under the General section click HID Update Account Settings.

3. On the HID Update Settings page enter the Reader Manager Technician (this should be the Portal
admin or a company employee) account details (User ID/Password) and click VERIFY ACCOUNT.

PLT-04029, A.4 71 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

If the Reader Technician account has not been authorized for any MOB keys then no keys are listed under
List of Mobile Identifiers. If MOB keys have been assigned to the account then these will be listed in.

PLT-04029, A.4 72 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

A.3 Test MOB keys are working correctly

As a prerequisite to test that a MOB key working correctly, the Origo Portal or Mobile Access Portal
administrator must have enrolled mobile users in the system and issued Mobile IDs to the mobile device
that has the HID Mobile Access App installed, see Mobile Access user setup.

To test a MOB key in Biometric Manager:

1. Log into HID Biometric Manager and click the Live! option to view HID Biometric Manager events.

2. Present the mobile device to the RB25F and check the Live! screen to see events showing the mobile
access read and the associated credential identifier.
Note: Mobile Access read will only work if the RB25F is in one of the authentication modes that
support card read, i.e. Card Only, Card or Finger, or Card + Finger. Mobile Access will not work
if the RB25F is in finger mode.

PLT-04029, A.4 73 June 2020

Appendix B
Fingerprint template encryption

Powering
Trusted Identities
Powering HID® Biometric Manager™
Trusted Identities Administration Guide

In-field update for existing installations

1. Update the HID Biometric Manager software to software version 1.0.1103.59811.
2. Update the firmware of each RB25F device connected to the HID Biometric Manager.
3. After updating the RB25F devices, each device must be reset to their factory default state. See Reset
a device
4. Uninstall each RB25F device from within HID Biometric Manager and re-install them.
Note: Steps 3 and 4 ensure a clean move to SP2.1.
Note: The device profile will sync to make sure all the reader configuration is downloaded to the RB25F
device after re-installation and once connection has been established with the HID Biometric
Manager.

New installations
1. Verify that the HID Biometric Manager software is at version 1.0.1103.59811, and RB25F is at firmware
version 1.5.1.22.
2. If required, update the devices firmware and software to the latest version.
Note: As this is a new install, the device configuration can be done after verification. If required, update
the device firmware.

Additional information on the RB25F template encryption

n All RB25F units have been shipped with Identrust x509 certificates which are used as part of the
Biometric template encryption feature.
n The HID Biometric Manager server application will generate an AES-256 encryption key to be used as
part of the template encryption feature.
n There is no need to enter any additional information or setup other than running the update.
After the RB25F has been updated with the new firmware level for SP2.1, and the RB25F has gone through a
re-install process, it must connect with the HID Biometric Manager in order for the encryption key to be
sent to the RB25F. There are two important points of note:
1. Once the update is complete, the device will only allow Template on Device Authentication until the
AES-256 encryption keys are sent from the HID Biometric Manager. If the authentication mode was
set to Finger Only or Finger + Card the device will need to make a connection with the HID Biometric
Manager to receive the MOB keys before it can become fully operational.
2. As part of SP2.1 the AES-256 encryption keys are not backed up. If the computer that the HID
Biometric Manager is running on is destroyed, it is not possible to recover them. This will be
addressed in a future update.

PLT-04029, A.4 75 June 2020

Appendix C
Acronyms and terminology

Powering
Trusted Identities
Powering HID® Biometric Manager™
Trusted Identities Administration Guide

Term Definition
Authentication Mode Template on Card: The RB25F is waiting for a Credential (Card) to be presented. It
(RB25F) retrieves all the biometric templates from the credential.
If the presented finger matches the biometric templates retrieved from the
credential a Grant Access is recommended. This is a 1:1 Verification match against
Template on Card (ToC). The sensor is not armed (blue light off) until the Credential
is presented.
Card + Finger: The RB25F is waiting for a Credential (Card) to be presented. It
looks up the user ID and all associated biometric templates in it’s local device
database. If the presented finger matches the biometric templates retreated from
the local database a Grant Access is recommended. This is a 1:1 Verification match
against Template on Device (ToD). The sensor is not armed (blue light off) until the
Credential is presented.
Finger Only: The RB25F is waiting for a finger to be presented that is stored in its
local device database. If the presented finger matches one stored in the database a
Grant Access is recommended. This is a 1:N Identification match against Template on
Device (ToD). The sensor is always armed (blue light on).
Card Only: The RB25F is waiting for a Credential (Card) to be presented. It reads
the PACS data only and always recommends a Grant Access. The sensor is never
armed (blue light off).
The RB25F is waiting for either a Credential (Card) to be presented or a finger,
stored in its local device database, to be presented. This authentication mode is
particularly useful during initial enrollment setup.
Biometric spoofing Biometric spoofing is a method of fooling a biometric identification management
system. An artificial object (for example, a fingerprint mold made of silicon) is
presented to the biometric scanner that imitates the unique biological properties of
a person which the system is designed to measure.
BLE Bluetooth Low Energy (formerly marketed as Bluetooth Smart) is a wireless
personal area network technology.
ERR The Equal Error Rate (EER) is the common value indicating that the proportion of
false acceptances (FAR) is equal to the proportion of false rejections (FRR). The
lower the EER value, the higher the accuracy of the biometric system.
False Accept Rate (FAR) The False Accept Rate (FAR) is the measure of the likelihood that the biometric
security system will incorrectly accept an access attempt by an unauthorized user.
False Reject Rate (FRR) The False Reject Rate (FRR) is the instance of a security system failing to verify or
identify an authorized person.
FTA Failure To Acquire. The biometric system failure to extract usable identification data
from a biometric sample.
Identification (of Identity) Typically finding a matching template in a large database of templates. 1:N matching.
LFD Live Finger Detection. This is used in some markets instead of Spoof. It is also used
to refer to insuring a severed finger is not being presented at the sensor.
MINEX Minutia Interoperability Exchange. The MINEX program is dedicated to the
evaluation and development of the capabilities of fingerprint minutia matchers
running on ISO/IEC 7816 smart cards.
M-Series Mercury Platform Series of Products.
MSI Multi-Spectral Imaging.
OSDP Open Supervised Device Protocol (OSDP) is an access control communications
standard developed by the Security Industry Association (SIA) to improve

PLT-04029, A.4 77 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

Term Definition
interoperability among access control and security products.
PAD Pressure Attack Detection.
PD Presence Detection.
ROC Receiver Operating Characteristic.
SDK Software Development Kit.
SIA Structure Image Acquisition.
Tap The Tap gesture with a mobile device for door opening.
The Tap operation is typically used when the mobile device is in close proximity to
the reader. Approximately 12 inches (30 cm).
Twist and Go The Twist gesture with mobile device for door opening.
The Twist operation is typically used when the mobile device is at a longer distance
from the reader. Approximately 6 feet (2 meters).
ToC Template on Card. The PACS data is read from the card.
ToD Template on Device. The PACS data is read from the device database.
vCOM V-Series Command Protocol.
Verification (of Identity) Typically a fingerprint template is stored on a card and checked against a finger
presented to the finger print sensor. 1:1 matching.

PLT-04029, A.4 78 June 2020

Powering HID® Biometric Manager™
Trusted Identities Administration Guide

Revision history
Date Description Revision
June 2020 Updates to support HID Biometric Manager Service Pack 2.2 (RB25F Reader Firmware A.4
Version 1.5.1.22 and HID Biometric Manager Software Version 1.0.1103.59811)
December 2019 Updates to support HID Biometric Manager Service Pack 2.1 (RB25F Reader Firmware A.3
Version 1.5.0.86 and HID Biometric Manager Software Version 1.0.886.57608)
September 2019 Updates to support RB25F Service Pack 1 (RB25F Reader Firmware Version 1.5.0.82 and A.2
HID Biometric Manager Software Version 1.0.774.56514)
June 2019 Minor update to Section 3.2.1 HID Biometric Manager software install. A.1
February 2019 Initial release. A.0

PLT-04029, A.4 79 June 2020

Powering
Trusted Identities PLT-04029, A.4
Americas & Corporate Asia Pacific 19/F Europe, Middle East & Africa Brazil
611 Center Ridge Drive 625 King's Road 3 Cae Gwyrdd, Condomínio Business Center
Austin, TX 78758 North Point Green Meadow Springs, Av. Ermano Marchetti, 1435
USA Island East Cardiff, Galpão A2 - CEP 05038-001
Hong Kong United Kingdom, Lapa - São Paulo / SP, Brazil
CF15 7AB
Support: 866-607-7339 Support: 852-3160-9833 Support: +44 (0) 2920 528 500 Phone: +55 11 5514-7100
Fax: 949-732-2120 Fax: 852-3160-4809

h idglobal.com An ASSA ABLOY Group brand

Magic Series English
100% (1)
Magic Series English
63 pages
MA5800 Security Hardening and Maintenance Guide 08
No ratings yet
MA5800 Security Hardening and Maintenance Guide 08
188 pages
Privileged Remote Access - 24.1.2 - Lab Guide - R2
No ratings yet
Privileged Remote Access - 24.1.2 - Lab Guide - R2
208 pages
Access and Identity Manegement PDF
No ratings yet
Access and Identity Manegement PDF
132 pages
IC3 Placement Test Sample 2 (1)
No ratings yet
IC3 Placement Test Sample 2 (1)
14 pages
HID Signo 25B User Guide
No ratings yet
HID Signo 25B User Guide
18 pages
Final Report
100% (1)
Final Report
40 pages
IDENTIKEY Appliance Administrator Guide
No ratings yet
IDENTIKEY Appliance Administrator Guide
189 pages
Eqqc 1 MST
No ratings yet
Eqqc 1 MST
446 pages
Symantec SGOS 6.5 Command Line Interface
No ratings yet
Symantec SGOS 6.5 Command Line Interface
460 pages
Hid Digitalpersona Ad Administrator Guide
No ratings yet
Hid Digitalpersona Ad Administrator Guide
377 pages
CP R81 MobileAccess AdminGuide
No ratings yet
CP R81 MobileAccess AdminGuide
293 pages
ReleaseNotes 2024.2.0
No ratings yet
ReleaseNotes 2024.2.0
97 pages
plt-03858_b.7_-_hid_reader_manager_app_user_guide_android
No ratings yet
plt-03858_b.7_-_hid_reader_manager_app_user_guide_android
79 pages
Cyber Security & Social Media Security
No ratings yet
Cyber Security & Social Media Security
4 pages
Who Wants To Be A Millionaire? CSS 11 Edition
No ratings yet
Who Wants To Be A Millionaire? CSS 11 Edition
65 pages
Module 6
No ratings yet
Module 6
48 pages
Morphomanager Idemia Brochure 202306 2
No ratings yet
Morphomanager Idemia Brochure 202306 2
2 pages
Security 6
No ratings yet
Security 6
43 pages
OT04 Access Control System Operation - HikCentral Access Control
No ratings yet
OT04 Access Control System Operation - HikCentral Access Control
57 pages
Formatos Lectoras y Credenciales
No ratings yet
Formatos Lectoras y Credenciales
107 pages
plt-04029 b.3 - Hid Biometric Manager Administration Guide
No ratings yet
plt-04029 b.3 - Hid Biometric Manager Administration Guide
124 pages
Cyber Security PDF
No ratings yet
Cyber Security PDF
25 pages
Pacs Three Reasons To Upgrade Eb en
No ratings yet
Pacs Three Reasons To Upgrade Eb en
16 pages
H8-SSR User Manual
No ratings yet
H8-SSR User Manual
74 pages
Hardware Manual Magic Series - English (Rev11)
100% (1)
Hardware Manual Magic Series - English (Rev11)
56 pages
Fingerprint-Attendance-System-with-Access-Control-iclock-990-User-Manual
No ratings yet
Fingerprint-Attendance-System-with-Access-Control-iclock-990-User-Manual
59 pages
3shape TRIOS Product Catalog EN 2019 - 19
No ratings yet
3shape TRIOS Product Catalog EN 2019 - 19
27 pages
Access Review
No ratings yet
Access Review
28 pages
E-Ledger 1 3 6
No ratings yet
E-Ledger 1 3 6
7 pages
Biometric Authentication
No ratings yet
Biometric Authentication
12 pages
Iclock 360 User Manual: About This Manual About This Manual A Ab Bo Ou Utt TTH Hiis SM Ma An Nu Ua All
100% (1)
Iclock 360 User Manual: About This Manual About This Manual A Ab Bo Ou Utt TTH Hiis SM Ma An Nu Ua All
59 pages
Module 1 Lesson 3-5 - GE 4 Living in The IT Era
No ratings yet
Module 1 Lesson 3-5 - GE 4 Living in The IT Era
20 pages
8biometric Systems Interaction Assessment The State of The Art PDF
No ratings yet
8biometric Systems Interaction Assessment The State of The Art PDF
14 pages
pacs-hid-mobile-access-br-en
No ratings yet
pacs-hid-mobile-access-br-en
8 pages
Desktop Engineering - 2012-03
No ratings yet
Desktop Engineering - 2012-03
52 pages
HP Authentication Manager
No ratings yet
HP Authentication Manager
6 pages
Accops HS5020 Datasheet
No ratings yet
Accops HS5020 Datasheet
6 pages
QG 8e Online
No ratings yet
QG 8e Online
8 pages
Layertech Qution Paper 1
No ratings yet
Layertech Qution Paper 1
8 pages
Mca Big Data PDF Sem 3
No ratings yet
Mca Big Data PDF Sem 3
193 pages
Symantec ISG-2 - x-Admin-and-Deployment-Guide
No ratings yet
Symantec ISG-2 - x-Admin-and-Deployment-Guide
15 pages
XSLT PDF
No ratings yet
XSLT PDF
10 pages
Big Data Notes
No ratings yet
Big Data Notes
18 pages
ARM Core Data Flow Model and 3 Stage Pipelining
No ratings yet
ARM Core Data Flow Model and 3 Stage Pipelining
42 pages
pacs-reader-mgr-app-br-en_0
No ratings yet
pacs-reader-mgr-app-br-en_0
4 pages
1 Hitachi ID Privileged Access Manager: Temporary, Secure and Accountable Privilege Elevation
No ratings yet
1 Hitachi ID Privileged Access Manager: Temporary, Secure and Accountable Privilege Elevation
14 pages
Mobile Devices 1265
No ratings yet
Mobile Devices 1265
10 pages
AM21Q1 Visitor Management As A Service Features Ss v2
No ratings yet
AM21Q1 Visitor Management As A Service Features Ss v2
3 pages
Secureadmin: Designed To Streamline Workflow and Simplify Device Management
No ratings yet
Secureadmin: Designed To Streamline Workflow and Simplify Device Management
4 pages
Unit 2 History of Computers
No ratings yet
Unit 2 History of Computers
4 pages
LVM Configuration - RHEL 8 (EX294)
No ratings yet
LVM Configuration - RHEL 8 (EX294)
28 pages
CN (5th) Dec2022
No ratings yet
CN (5th) Dec2022
2 pages
Prajwal 20 Ghadigoankar 20 Data 20 Analyst 20&20 ML20 Resume 1
No ratings yet
Prajwal 20 Ghadigoankar 20 Data 20 Analyst 20&20 ML20 Resume 1
2 pages
Accops HySecure Data Sheet
No ratings yet
Accops HySecure Data Sheet
9 pages
User Manual DS-K1A8503MF
No ratings yet
User Manual DS-K1A8503MF
111 pages
DWIN Software Dev Guide v3 2EN
No ratings yet
DWIN Software Dev Guide v3 2EN
53 pages
KT UserManual V1.0
No ratings yet
KT UserManual V1.0
16 pages
SecureAdmin Operator's Manual PDF
No ratings yet
SecureAdmin Operator's Manual PDF
784 pages
ISA-unit1
No ratings yet
ISA-unit1
6 pages
KurzinfoAkzent3000 en 15032013
No ratings yet
KurzinfoAkzent3000 en 15032013
3 pages
Pacs Hid Mobile Access Solutions Ds en 2
No ratings yet
Pacs Hid Mobile Access Solutions Ds en 2
2 pages
CCNA 200-301 Official Cert Guide, Volume 2-43
No ratings yet
CCNA 200-301 Official Cert Guide, Volume 2-43
3 pages
UD12587B-A Baseline DS-K1T8003 Fingerprint Access Control Terminal User Manual V1.0.1 20190315
No ratings yet
UD12587B-A Baseline DS-K1T8003 Fingerprint Access Control Terminal User Manual V1.0.1 20190315
120 pages
Google Classroom
No ratings yet
Google Classroom
42 pages
Bishal Paudyal 159202209: ICO155 Lab 2 - Virtualization Part 1
No ratings yet
Bishal Paudyal 159202209: ICO155 Lab 2 - Virtualization Part 1
7 pages
9 Access Control
No ratings yet
9 Access Control
12 pages
EPORDO BT-E4 Hardware Manual 201410
100% (1)
EPORDO BT-E4 Hardware Manual 201410
21 pages
Lab 5 - Using The Nmap Scripting Engine (NSE) and Metasploit To Exploit Windows XP
100% (1)
Lab 5 - Using The Nmap Scripting Engine (NSE) and Metasploit To Exploit Windows XP
9 pages
DataSheet - SSM Core Server - 180214
No ratings yet
DataSheet - SSM Core Server - 180214
1 page
VF100X User Manual
No ratings yet
VF100X User Manual
36 pages
Hacking Biometric Access Control Systems: Search This Site..
No ratings yet
Hacking Biometric Access Control Systems: Search This Site..
4 pages
Excel VBA Made Easy
No ratings yet
Excel VBA Made Easy
87 pages
Certified-Platform-App-Builder-demo
No ratings yet
Certified-Platform-App-Builder-demo
9 pages
Migration:: Verification On The Source System
No ratings yet
Migration:: Verification On The Source System
2 pages
Privileged Access Management
No ratings yet
Privileged Access Management
24 pages
FDX SDK Pro .NET Programming Manual (Windows) SG1-0030B-008
No ratings yet
FDX SDK Pro .NET Programming Manual (Windows) SG1-0030B-008
40 pages
ITS OD 103 Devices 1023
No ratings yet
ITS OD 103 Devices 1023
3 pages
Machine Manual
No ratings yet
Machine Manual
23 pages
PPT ch18
No ratings yet
PPT ch18
65 pages
AP RTA-UM To Plugin Marpho Device
No ratings yet
AP RTA-UM To Plugin Marpho Device
10 pages
BiometricAccessControl Training
No ratings yet
BiometricAccessControl Training
45 pages
User Manual For New Firmware of The 3/3.5-Inch Color Screen: Date: April 2013
No ratings yet
User Manual For New Firmware of The 3/3.5-Inch Color Screen: Date: April 2013
63 pages
ETE 332 Previous Exam Papers
No ratings yet
ETE 332 Previous Exam Papers
2 pages
IG 12 Win Desktop WinLogin Admin Iss2
No ratings yet
IG 12 Win Desktop WinLogin Admin Iss2
167 pages
BC-2028 Manual
No ratings yet
BC-2028 Manual
50 pages
Ilearn Smart World 8 Unit 5
No ratings yet
Ilearn Smart World 8 Unit 5
10 pages
Female Data Entry Engineer CV/Resume Sample
No ratings yet
Female Data Entry Engineer CV/Resume Sample
2 pages
Comprehensive Bitbucket Workflows and Integration: Definitive Reference for Developers and Engineers
From Everand
Comprehensive Bitbucket Workflows and Integration: Definitive Reference for Developers and Engineers
Richard Johnson
No ratings yet
Advanced GitLab CI/CD Pipelines: An In-Depth Guide for Continuous Integration and Deployment
From Everand
Advanced GitLab CI/CD Pipelines: An In-Depth Guide for Continuous Integration and Deployment
Adam Jones
No ratings yet
Information security - Edition 2022: Risk management. Management systems. The ISO/IEC 27001:2022 standard. The ISO/IEC 27002:2022 controls.
From Everand
Information security - Edition 2022: Risk management. Management systems. The ISO/IEC 27001:2022 standard. The ISO/IEC 27002:2022 controls.
Cesare Gallotti
No ratings yet
MCSA Windows 10 Study Guide: Exam 70-698
From Everand
MCSA Windows 10 Study Guide: Exam 70-698
William Panek
No ratings yet
ISO 27001 Controls – A guide to implementing and auditing
From Everand
ISO 27001 Controls – A guide to implementing and auditing
Bridget Kenyon
No ratings yet
Transit Quarters
From Everand
Transit Quarters
Shyamala Nemana
4/5 (8)