Build your system from the inside out using Openpath as your end-to-end access control solution. If you’re solving for spaces with both new and legacy systems, Openpath can be easily implemented to work with whatever you’ve got.

How does this app work?

The Envoy + Openpath app streamlines the process of logging and distributing access to visitors. With in-depth customization options, including issuing access on either invites or guest sign-in, Envoy will create temporary Cloud Credentials in Openpath, which automatically and temporarily grants access to specific parts of your building — including automatic expiration and configurable access. Cloud Credentials are shared with your guests by either e-mail or SMS when a phone number is provided and do not require the Openpath app to interact with.

Enabling Envoy + Openpath

Note: You will need administrative access on your Openpath ACU to complete this setup. Ensure you have administrative access or work with a local administrator before proceeding with the following steps:

  1. Begin by creating a role for the Envoy Bot.

    1. Under the “Role Management” page in Openpath (click “Home > Users > Role Management”), click “Create New Role.”

    2. Ensure at least “read” and “write” permissions are granted for View, and View & Edit users.

  2. Create a user for the Envoy Bot.

    1. Navigate to the “User Management” portal in Openpath “Home > Users > User Management” and click the “Create User” button.

    2. The new user will require an email — if you don't have an administrative alias email address, you could consider something like [email protected], where the addition of “+envoybot” will help differentiate the user in Openpath.

    3. The new user should have a recognizable “First” and “Last” name, we recommend “Envoy Bot”.

    4. The new user should have the “Status” defined as “Active” and the role created in the previous step is selected.

    5. Ensure “Portal Access” is toggled on for this new user, this will permit Envoy to access the API in order to generate cloud credentials for your visitors.

    6. Under the “Access” tab in the new user view, ensure the new user has access to all of the relevant doors. This access will later be used for mapping visitor types in Envoy to access permissions.

  3. After creating a user in Openpath for Envoy, go to Apps > All Apps in the Envoy dashboard.

  4. Under Access Control, find Openpath, then click “Install.”

  5. In the API step, enter administrative credentials created in the first steps and click “Save” to continue.

  6. On the Org step, select the desired Organization from the drop-down and click “Next Step” to continue.

    1. The drop-down menu on this step is automatically populated based on the Orgs the administrative account provided in Step 1 has access to. If you do not see your intended Organization than you must revisit your permissions within Openpath.

  7. On the Entries step, you can select which entries you want to permit visitor types to access.

    1. This step allows you to select multiple visitor types per entry.

    2. This step allows you to add additional entries with the “Add another” button.

  8. On the same step, you will find Employee access control automation via Envoy Protect. All you need to do is toggle on Envoy Protect feature and, employees will gain or lose access dependent on their pre-approval screening.

  9. Click “Next Step” after you have finalized your entry/visitor type privilege mapping.

  10. On the Customization step, you can select several options of customization, including:

    1. ONLY ALLOW INVITED GUESTS: Toggling this setting will switch to “Sign In” only Cloud Credential issuance when disabled, and “Invite” based Cloud Credentials when enabled. When this option is disabled the “ADVANCE ACCESS” and “ACCESS DURATION” fields can not be obeyed.

    2. ADVANCE ACCESS: This is the length of time the Cloud Credential will work before the invited date and time (e.g., An invite may be for 8 PM on April 13th, but 15 minutes or even 12 hours prior to the meeting can be added to enable to the Cloud Credentials early, allowing visitors to access the facilities for parking or lodgings).

    3. ACCESS DURATION: This is the length of time the Cloud Credential will work for. After the access duration expires automatically in Envoy the Cloud Credential will cease to work.

    4. FLOW BLOCK LIST (OPTIONAL): This is the list of visitor types that are blocked from receiving access.

    5. YOUR CUSTOM LOGO (OPTIONAL): This is the logo that is displayed to visitors when they unlock doors with their temporary Cloud Credentials.

    6. ADDITIONAL INSTRUCTIONS (OPTIONAL): This is the additional instructions / messaging which is displayed to visitors when they unlock doors with their temporary Cloud Credentials.

Envoy Protect + Openpath

If your company has Envoy Protect enabled they can edit their existing Openpath app, click on Step 3 Entries and click the checkbox to enable the "Envoy Protect" option. After they do that they go ahead and re-save the app.

Note: If you haven't yet set up Openpath, follow the steps from Enabling Envoy + Openpath first.

DISCLAIMER: Openpath users (employees) are not disabled by default, Envoy did not want to take on the liability to mass disable user accounts. In order to do this on your own, you will need to set the end date and time in order to disable your users' access.

How does it work?

  1. The employee has answered the preconfigured questions by the Envoy admins.

  2. They pass screening based on the set of rules

    1. (i.e. Have you been in contact with someone feeling ill over the past 14 days?)

  3. The employee will be approved for the next business day

  4. When they go to the office the next day, the employee will need to "check-in" in order for their credentials to reactivated to allow them to enter the building.

How Envoy Visitors entries look in Openpath

In the example below, individual visitors are listed. This list can be found in Openpath under the Home > Users > User Management > Edit User Credentials menu. Look for the user, “Envoy Bot”.

  • Visitor Stephen Arsenault signed in on May 10th, the associated visitor ID from Envoy is visible in the naming column as “49899119

  • The format for these messages is as follows: Envoy ${eventType} ID ${visitorId}, ${visitorName}

How cloud credentials are assigned to Envoy Visitors in Openpath

Once successfully configured, the Envoy + Openpath app will create Cloud Credentials with the user your configured (e.g., Envoy Bot). This user will display the automatically generated temporary Cloud Credentials created for each visitor and will also be reflected in the Openpath Reports > Activity Log menu, with additional visitor information available in the reports “Detail” column.

Below is an example of a Cloud Credential, issued over e-mail via Envoy and accessed on a mobile device:

Possible iterations of access

Uninvited visitor signs in

  • They receive access if entries are assigned to that visitor type.

  • They do not receive access if there are no entries assigned to that visitor type.

  • They do not receive access if the customer has selected “ONLY ALLOW INVITED GUESTS”.

Invite created without advance access

  • Credential link will be emailed and texted once the invitee has signed in.

Invite created with advance access

  • Credential link should be emailed x amount of time before scheduled arrival.

Invite is created with advance access and then the invitee signs in

  • The link will be emailed x amount of time before scheduled arrival.

  • The link will not be emailed on sign-in (no duplicate emails).

  • The link will be texted once the invitee signs in.

Invite created with advance access, but deleted > 24 hours of scheduled arrival

  • A credential will be created and removed, and no link will be emailed.

Invite created with advance access, but deleted on the day of scheduled arrival

  • A credential will be created and removed, but a link may still be emailed (though the access control page informs the user that they do not have access).

Invite is created with a visitor type that has access but updated to a visitor type without access

  • A credential will be created, but on an update, that credential will be removed.

Invite is created with a visitor type without access but updated to a visitor type with access

  • A credential will be created on the update.

Invite is created and then updated with a different arrival time

  • The existing credential will be updated with a new start and expiry time.

On any sign-out

  • If access was granted, access will be revoked during sign out.

Did this answer your question?