Skip to main content


To have more control over how and when users can access places, Kisi offers configurable restrictions by:

  • Location: Geofence Restriction
  • Device: Kisi Reader Restriction, Primary Device Restriction, Allow App Access, Managed Device Restriction
  • Time: Access Schedules

Some restrictions can be applied to both groups and doors, some of them only to groups.


Users who are part of several groups will gain access if at least one group allows access. For example: Joe is a part of Group A and Group B. Group A allows access to Door A, but Group B doesn't. Since Joe is a part of Group A, he is allowed access to Door A.

Geofence Restrictions

The Geofence Restriction ensures that users must be in the vicinity of the building in order to open a door. Geofencing uses the GPS location of the user's mobile phone to determine proximity to a door based on the place's geographic location. With Kisi, the default allowed distance is within 300 meters (~0.2 miles) from the door.

Use cases

The Geofence restriction can be applied to groups and doors. Use the tabs below to understand the use cases.

If the Geofence Restriction is applied to a group, all users in this group must be within a distance of maximum 300 meters (~0.2 miles) from the building in order to unlock doors.

If you have remote employees, you can create a group for them and apply geofencing on that group. Thus, you can avoid that they accidentally unlock the door from their home.


While Bluetooth and NFC based unlocks by tapping the phone at the reader satisfy both geofence (300 meters ~ 0.2 miles radius) and reader restrictions, we recommend keeping location services turned on as they may in some cases significantly improve the performance of Tap to Unlock ("T2U"). For more information, please refer to our support article on how to enable location services.

Kisi Reader Restriction

The Kisi Reader Restriction ensures that users may only unlock when standing in front of a door. The accuracy is magnitudes higher than with a Geofence Restriction, but requires the door to be equipped with a Kisi Reader. Users will have to enable Kisi to access their device's location to ensure they gain proper access within the reader proximity. The allowed distance is within a few meters (10-20 feet) from the reader.

Every Kisi Reader is equipped with a BLE chip that periodically emits the lock ID, and a one time password (otp). The one time password is changing from time to time. If the user is able to provide the reader's current one time password to the unlock request, it means that they're standing close enough to the reader; otherwise they wouldn't be able to provide the one time password.

The Kisi Mobile SDK provides a BLE beacon scanner. When implemented, the user's device can scan the space for nearby Kisi readers and their one time passwords. Any time a reader is detected/lost, or any time a signal of a previously detected reader changes, the user gets a notification with a most recent one time password.

Use cases

The Kisi Reader Restriction can be applied to groups and doors.

If the Kisi Reader Restriction is applied to a specific group, all users in this group must use the Kisi Reader in order to unlock the door.

The use case is the same as for the Geofence Restriction, but it's even more accurate.


In case of an unlock error, please check if the user's location services are enabled, shared with Kisi, or that the user is within the allowed distance of 5 meters (or 16.4 ft) from the reader.

Primary Device Restriction

The Primary Device Restriction ensures that users in a group can unlock doors only from one specific mobile device. This makes audit trails easier by allowing organization admins to trace back all unlocks to one device for a particular user. Only one device can be promoted as primary.

Designate your phone as your primary device

  1. Sign in to your Kisi organization
  2. Tap the user icon to open the User settings
  3. Tap on Primary device
  4. Tap on Authorize

If the Primary Device Restriction is enabled for a group, but the user hasn't promoted any of their devices as primary, Kisi will set the currently active device that's used for unlock as primary.


To prevent misuse of the Primary Device Restriction, you can set up an alert policy to identify when the primary device restriction is being switched between multiple devices within the same Kisi account.

Allow App Access

With Allow App Access enabled, users may unlock using Kisi's mobile and web apps. User will be required to sign in before in order to unlock. If not allowed, they won't be able to use app access regardless of the settings.

The Allow App Access restriction can only be applied to groups.

Managed Device Restriction


This feature is available in Kisi upon request. Please contact Kisi Sales to enable it.

With Managed Device Restriction enabled, access will be permitted only for devices provided by the Mobile Device Management system. You can use the Managed Devices feature to list your company-provided devices in Kisi.

The Managed Device Restriction can only be applied to groups.

Access Schedules

Previously known as Time Restrictions, Access Schedules allow you to restrict users' access to defined time periods. If users attempt to unlock the door outside of that time period, they will be denied access.

Use cases

Access Schedules can be applied to groups, doors and elevators.

If the access schedule is applied to a specific group, users in this group will be allowed access only during the selected time periods.

Access schedule for the cleaning staff: You can enforce strict hours for the cleaning staff to clean the office only at a specific time (e.g. 6 AM to 8 AM). If they attempt to unlock the door outside of those allowed time frames, they will be denied access.


We recommend that your restrictions do not overlap or become redundant. For example, if you set an access schedule on a door, there is no need to also set the same restriction on a group using that door.