Articulate Mobile App --> Block Access for Inactive LMS Users

I'm using an LMS that does not support Tin Can API (if that matters for this) and have noticed this behaviour:

1. Active user launches course from LMS which loads in Articulate Mobile App.

2. User gets deactivated from LMS.

3. Deactivated user can still launch course on the App as long as he has a Wifi connection.  Publishing with "Allow downloading for offline viewing" naturally blocks access, but soon as they enable their wifi they can freely access the course, even if they should have no more permissions to the LMS.

Clearly the App is not authenticating with the LMS, it's like it's reading cached data.  It looks like that once the course is first accessed, they can freely access it again and again directly from the App, without any link to the LMS whatsoever.

Thoughts and suggestions to improve security?

7 Replies
Ashley Terwilliger

Hi Alexander, 

If you're not using the Tin Can API the browser isn't able to pass the security credentials to the iPad apps unless the LMS supports Tin Can API.

The way that it works for private courses with Tin Can API is that we get a content token when the user accesses their course through their LMS and we launch the course in AMP.

We continue to use that content token until the LMS invalidates it. So when the customer removes the learners access, it’s up to the LMS to invalidate the token.

If the customer is deleting the course completely, the LMS would need to remove the course from their server and/or remove the content token.

It basically comes down to the responsibility of the LMS to either invalidate the content token, or truly remove the content from the server.

Hope that helps clarify, and you may want to look at utilizing the mobile player output as then the user would likely need to log in each time no matter what.

Brian Allen

We deselect the mobile app option for any SCORM content we publish for our LMS because we are also using a LMS that is not Tin Can compliant, and the app only works with Tin Can.

By deselecting the mobile app option when publishing for SCORM it forces the mobile device to use the HTML5 published content which is SCORM compliant and we can track in our LMS.

Brian Allen

Alexander, it is fully correct - Please note that I never said your content would not load in the mobile player, but it will not track in your LMS if the LMS does not support Tin Can.  Take a look at this article for more info -

We've been requesting Tin Can support from our vendor for a couple of years as well, but until then we will continue publishing without mobile player support so that we can track our LMS content via SCORM.