Guest Pass App Overview
Pre-register visitors, issue digital badges with QR codes, manage check-in/check-out workflows, screen against watchlists, and track every access event β all from a centralized visitor management platform built into MangoApps Workforce.
What is Guest Pass?
Guest Pass is the visitor management system inside MangoApps Workforce. It handles the full visitor lifecycle β from pre-registration and approval, through digital badge issuance and check-in, to departure tracking and compliance reporting. Hosts can pre-register guests, receive real-time arrival notifications, and manage visitor access permissions. Security teams get a watchlist screening system, access logs, and audit-ready reports. Administrators configure approval workflows, badge types, notification rules, and data retention policies.
The module integrates with the notification system (email, in-app, and SMS alerts), calendar (iCal export for scheduled visits), and the broader MangoApps platform for role-based access control.
Core Value Proposition:
- π« Visitor Pre-Registration β Register visitors ahead of time with host assignment, purpose of visit, party size, and custom access permissions
- πͺͺ Digital Badges & QR Codes β Auto-generate color-coded badges with QR codes, Apple Wallet passes, and printable PDFs upon approval
- β Check-In / Check-Out β Track actual arrival and departure times with host notifications and overdue checkout alerts
- π‘οΈ Watchlist Screening β Screen visitors against a risk-rated watchlist with automatic security alerts for matches
- π Analytics & Compliance β Monitor visitor trends, host activity, badge usage, security incidents, and compliance scores
At a Glance
| π« Pre-Registration | πͺͺ Digital Badges | β Check-In/Out | π‘οΈ Security |
|---|---|---|---|
| Host assignment, purpose tracking, party size, custom fields | 4 badge types, 10 access levels, QR codes, Apple Wallet | Actual arrival/departure tracking, overdue alerts | Watchlist with 4 risk levels, security dashboard, audit logs |
| π€ Host Preferences | π§ Notifications | π Analytics | βοΈ Settings |
|---|---|---|---|
| Auto-approve, working hours, default access, quiet hours | Email, in-app, SMS for registration, arrival, departure | Visitor trends, peak hours, host activity, compliance score | Approval workflows, badge expiry, data retention, role permissions |
Visitor Lifecycle
βββββββββββββββ ββββββββββββ ββββββββββββ βββββββββββββ ββββββββββββββ
β Pre-Register ββββββΈβ Pending ββββββΈβ Approved ββββββΈβ Checked InββββββΈβ Checked Outβ
β Visitor β β Approval β β + Badge β β On-Site β β Departed β
βββββββββββββββ ββββββββββββ ββββββββββββ βββββββββββββ ββββββββββββββ
β β
βΌ βΌ
ββββββββββββ ββββββββββββ
β Rejected β β Overdue β
ββββββββββββ β Checkout β
β ββββββββββββ
βΌ
ββββββββββββ
βCancelled β
ββββββββββββ
Statuses: pending β approved β checked_in β checked_out
β rejected
β cancelled (from pending or approved)
β expired (past departure without check-out)
Every status transition is recorded in the access log with the acting user, timestamp, IP address, and user agent.
π« Visitor Pre-Registration
Registering a New Visitor
Any user with visitor management permissions can pre-register a guest. The registration form captures:
| Field | Required | Description |
|---|---|---|
| First Name / Last Name | Yes | Visitorβs legal name |
| Yes | Validated email for notifications and badge delivery | |
| Phone | No | Normalized to E.164 international format |
| Company | No | Visitorβs organization |
| Purpose of Visit | Yes | Free-text description (up to 1,000 characters) |
| Host | Yes | Employee who will receive the visitor (defaults to current user) |
| Expected Arrival | Yes | Must be a future date/time |
| Expected Departure | Yes | Must be after expected arrival |
| Party Size | Yes | Number of visitors in the group (1β50) |
| Vehicle License Plate | No | For parking and security tracking |
| Special Instructions | No | Notes for reception or security staff |
| Requires Escort | No | Flag visitors who need staff escort throughout their visit |
| Access Permissions | No | JSON-configurable floor, parking, and conference room access |
| Restricted Areas | No | Areas the visitor cannot access |
| Custom Fields | No | Dietary restrictions, accessibility needs, emergency contact |
Upon creation the system:
- Sets the initial status based on configuration (auto-approve or pending)
- Logs a
visitor_registeredaccess event - Sends registration notifications to the host and a confirmation email to the visitor
- Auto-approves and generates a digital badge if the auto-approve setting is enabled
My Visitors
Every employee can view a My Visitors tab showing only visitors where they are the designated host. This view is available to all authenticated users regardless of role.
Searching Visitors
The search feature matches across first name, last name, email, and company with case-insensitive partial matching. Results are paginated at 25 per page.
π Approval Workflow
Host/Manager registers visitor
β
βΌ
ββββββββββββββββββββββ
β auto_approve = ON? β
ββββββββββ¬ββββββββββββ
Yes β No
βΌ βΌ
βββββββββββββ ββββββββββββ
β Approved β β Pending β
β + Badge β β Queue β
βββββββββββββ ββββββ¬ββββββ
β
Manager / Admin reviews
β β
βΌ βΌ
ββββββββββββ ββββββββββββ
β Approved β β Rejected β
β + Badge β β + Reason β
ββββββββββββ ββββββββββββ
Pending Approval Queue
Managers and admins access a dedicated Pending Approval view listing all visitors awaiting review, sorted by expected arrival time (soonest first). From this queue they can:
- Approve β sets status to
approved, records the approver and timestamp, generates a digital badge, and sends an approval notification to the visitor - Reject β sets status to
rejectedwith an optional rejection reason, and sends a rejection notification - Bulk Approve / Reject / Cancel β select multiple visitors for batch processing
Auto-Approve Rules
When auto-approve is enabled at the business level, visitors are immediately approved unless:
- The
require_host_approvalsetting is active and the registering user is not the host - The visitor matches a watchlist entry
Cancellation
Hosts, the registering user, and managers can cancel a visit from pending or approved status. Cancellation deactivates any active digital badges and logs the event.
πͺͺ Digital Badges & QR Codes
When a visitor is approved, the system automatically generates a digital badge containing a unique QR code.
Badge Types
| Type | Color | Default Access Level | Use Case |
|---|---|---|---|
| Standard Visitor | Blue (#007bff) |
1 β Basic | Regular guests and meetings |
| Contractor | Orange (#fd7e14) |
3 β Standard | Contractors and service providers |
| VIP Guest | Purple (#6f42c1) |
5 β VIP | Executive visitors and VIP guests |
| Escort Required | Red (#dc3545) |
1 β Basic | Visitors requiring staff escort at all times |
Access Levels
The system supports 10 access levels: Basic (1), Limited (2), Standard (3), Extended (4), VIP (5), Executive (6), Contractor (7), Maintenance (8), Security (9), and Emergency (10). Each badge type has a default access level that can be overridden per visitor.
Badge Identifiers
Each badge receives:
- Badge Number β unique per business, formatted as
GP-{business_id}{date}{random_hex}(e.g.,GP-12260307A1B2C3) - Security Token β 32-byte URL-safe random token for QR code verification
- QR Code Data β encodes a verification URL with the security token for contactless check-in
Badge Display Fields
Configurable per badge:
- Visitor photo (on by default)
- Company name (on by default)
- Host name
- Purpose of visit
- Expiry time (on by default)
Badge Output Formats
| Format | Description |
|---|---|
| QR Code (PNG/SVG) | Scannable code for contactless check-in |
| Digital Badge (HTML) | Browser-viewable badge with all visitor details |
| Printable PDF | Formatted for physical badge printing |
| Apple Wallet (.pkpass) | Add badge to iPhone Wallet for tap-to-show |
| iCal (.ics) | Calendar event for the scheduled visit |
Badge Lifecycle
Badges are created with a configurable validity period (default: 24 hours). They can be:
- Regenerated β creates a new security token, invalidating the old QR code
- Revoked β permanently deactivated (e.g., when a visit is cancelled)
- Activated β re-enabled if not expired
- Extended β validity period pushed forward
- Bulk Revoked β batch revocation from the badge management view
Badges record every scan with a scan_count counter and last_scanned_at timestamp.
Badge CSV Export
Admins can export badge data to CSV with columns for badge number, visitor name, email, company, badge type, status, access level, validity period, issued by, last scanned, scan count, and creation date.
β Check-In and Check-Out
Check-In
When a visitor arrives, staff confirm their identity and trigger check-in. The system:
- Verifies the visitorβs status is
approved - Sets status to
checked_inand records theactual_arrivaltimestamp - Sends an arrival notification to the host (if configured)
- Updates the digital badgeβs
last_scanned_attimestamp - Logs a
check_inaccess event with IP and user agent
Check-Out
When the visitor departs:
- Verifies the visitor is currently
checked_in - Sets status to
checked_outand records theactual_departuretimestamp - Sends a departure notification to the host (if configured)
- Deactivates all active digital badges
- Logs a
check_outaccess event
Overdue Checkout Detection
The system identifies visitors who are still checked in past their expected departure time. These appear in the dashboard and can trigger:
- Host Notification β urgent email/in-app alert to the visitorβs host
- Security Alert β escalation to security personnel when configured
Filtered Views
| View | Shows |
|---|---|
| Expected Today | Visitors with expected arrival today, sorted by arrival time |
| Checked In | Currently on-site visitors, sorted by arrival time |
| Pending Approval | Visitors awaiting manager/admin review |
| My Visitors | Visitors where current user is the host |
π€ Host Preferences
Every employee who hosts visitors can configure personal preferences that customize how their visits are managed.
Notification Settings
Hosts control which channels are active (email, SMS, push, in-app), which events trigger notifications (registration, arrival, departure, issues), the delivery frequency (immediate, hourly, or daily digest), and quiet hours (default 22:00β08:00) during which non-urgent notifications are held.
Availability Schedule
Hosts define their working hours per day (start/end times, available flag) with timezone support and optional lunch break windows. The system shows the hostβs next available time, determines real-time availability, and displays an out-of-office message when unavailable.
Default Visitor Settings
Hosts can configure: auto-approve for known visitors (off by default), default visit duration (8 hours), require escort by default, accept visitors when away, maximum daily visitors, and minimum advance booking hours. They also set default area access permissions for their visitors (floors, parking, conference rooms, cafeteria, gym, roof).
π‘οΈ Watchlist & Security
Watchlist Management
Admins maintain a watchlist of individuals who require additional screening. Each entry requires a name, reason, and risk level, with optional fields for email, phone, ID number, expiry date, notes, and additional info (physical description, known associates, previous incidents, alert contacts). Entries have four statuses: Active, Inactive, Expired, and Resolved.
Risk Levels
| Level | Priority | Use Case |
|---|---|---|
| Low | 1 | Flagged for awareness only |
| Medium | 2 | Requires additional verification |
| High | 3 | Requires security escort or senior approval |
| Critical | 4 | Deny entry; notify security immediately |
Automatic Matching
When a visitor registers, the system checks their name, email, and phone against active watchlist entries. A match sets the on_watchlist flag and can:
- Block auto-approval
- Trigger a security review requirement
- Alert security personnel via the
SecurityAlertService
Watchlist Audit Trail
Every watchlist action β addition, removal, status change, reason update, visitor linking β is logged to the access log with the acting user and timestamp.
π Security Dashboard
The security dashboard provides managers and admins with real-time visibility into facility security.
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β SECURITY DASHBOARD β
ββββββββββββββββ¬βββββββββββββββ¬βββββββββββββββ¬βββββββββββββββ€
β Total Access β Failed β Watchlist β Security β
β Attempts β Attempts β Matches β Alerts Today β
ββββββββββββββββ΄βββββββββββββββ΄βββββββββββββββ΄βββββββββββββββ€
β β
β Active Badges: βββ β Expired Badges: βββ β
β β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β RECENT SECURITY ALERTS β
β ββββββββββββββββββββββ β
β β’ Access denied - J. Smith at Main Entrance 2 min ago β
β β’ Badge revoked - Badge GP-12A3B4 15 min ago β
β β’ Failed scan - Unknown badge at Gate B 1 hr ago β
β β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β WATCHLIST SUMMARY β
β ββββββββββββββββββ β
β Total Entries: 12 β Active: 8 β High Risk: 3 β
β Recent Matches (7 days): 2 β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Security Alerts
The system automatically flags suspicious activity:
- Failed access attempts β badge scan denied or invalid token
- Multiple failures β 3+ failed attempts within 10 minutes from the same visitor
- Overdue checkouts β visitors past their expected departure
- Watchlist matches β visitor registration matching a watchlist entry
- Badge revocations β manual or automatic badge deactivation
Security alerts are delivered via the SecurityAlertService which sends emails with alert type, severity, description, and recommended actions.
π Access Logs
Every action in Guest Pass is recorded in a comprehensive audit trail.
Activity Types
The system tracks 22+ distinct activity types across five categories: Visitor Lifecycle (registered, approved, rejected, cancelled, updated, status changed), Check-In/Out (check_in, check_out), Badge Operations (issued, revoked, activated, deactivated, scanned, token regenerated), Notifications (host notification, sent, resent), and Security Events (access granted/denied, watchlist changes, emergency, compliance).
Log Entry Details
Each entry records the activity type and description, timestamp, success/failure status with failure reason, acting user, visitor and badge references, IP address and user agent, location and access point, and arbitrary JSON metadata.
Filtering & Real-Time Status
Logs can be filtered by visitor, location, date range, and success/failure status. The real-time status view provides a live snapshot of current facility activity.
π Analytics & Reports
Analytics Dashboard
The analytics dashboard (manager+ access) provides insights across five dimensions:
| Metric Group | Key Metrics |
|---|---|
| Visitor Trends | Daily/weekly/monthly counts, status breakdown, peak hours, average visit duration, repeat visitor count |
| Popular Times | Hourly and daily distribution, peak hour analysis, busiest/quietest day identification |
| Host Activity | Top hosts by visitor count, approval rates per host, average response times |
| Security Metrics | Total/failed access attempts, security incidents, watchlist matches, badge revocations |
| Badge Usage | Total issued, active count, scan frequency, type distribution, average badge lifetime |
Compliance Score
The system calculates a weighted compliance score (0β100) from five factors:
| Factor | Weight | What It Measures |
|---|---|---|
| Proper Approval Rate | 30% | Percentage of visitors that go through approval |
| Badge Issuance Rate | 20% | Approved visitors who receive digital badges |
| Check-In Rate | 20% | Expected visitors who actually check in |
| Check-Out Rate | 15% | Checked-in visitors who properly check out |
| Security Incident Rate | 15% | Inverse of failed access attempts |
Reports
| Report | Access | Formats | Description |
|---|---|---|---|
| Visitor Summary | Manager+ | HTML, CSV, PDF | Comprehensive visitor statistics and trends |
| Security Audit | Admin+ | HTML, CSV, PDF | Security events and compliance audit trail |
| Compliance Export | Manager+ | CSV, XLSX | Regulatory compliance data export |
| Security Report | Manager+ | HTML, JSON, PDF | Detailed security analysis with date range filtering |
π§ Notifications
Guest Pass sends multi-channel notifications at each stage of the visitor lifecycle.
Visitor Notifications (sent to the guestβs email)
| Event | Subject Line |
|---|---|
| Registration Confirmed | βRegistration confirmed for {Business}β |
| Visit Approved | βYour visitor request has been approved - {Business}β |
| Visit Rejected | βYour visitor request has been declined - {Business}β |
| Visit Reminder | βReminder: Your visit to {Business} tomorrowβ |
Host Notifications (sent to the employee hosting the visitor)
| Event | Subject Line | Urgency |
|---|---|---|
| Visitor Registered | βNew visitor registration: {Name}β | Normal |
| Visitor Arrived | βYour visitor {Name} has arrivedβ | Urgent |
| Visitor Departed | β{Name} has checked outβ | Normal |
| Overdue Checkout | βURGENT: {Name} is overdue for checkoutβ | Urgent |
Channels & Preferences
Notifications are sent via email (all types), in-app (all types for platform users), and SMS (urgent notifications only). Security alerts include alert type, severity, visitor details, and recommended actions.
All notifications respect the platform-wide notification settings service, categorized into arrivals, departures, status changes, security events, and general Guest Pass notifications.
πΌοΈ Visitor Photos
Guest Pass supports photo capture and storage via ActiveStorage. Each visitor can have multiple photos with one designated as primary (auto-set on first upload). Photos are available in four sizes β thumbnail (100x100), medium (300x300), large (600x600), and badge format (200x250). Supported formats are JPEG, PNG, GIF, and WebP with a 5 MB size limit. Automated cleanup removes orphaned photos and photos older than 365 days for completed visits.
βοΈ Admin Configuration
Administrators configure Guest Pass through the Settings page. Key settings by category:
| Category | Settings (defaults in parentheses) |
|---|---|
| Core | Require pre-registration (on), auto-approve visitors (off), self-registration (off) |
| Digital Badges | Enable QR codes (on), badge expiry hours (24), include photo (on) |
| Notifications | Notify on arrival (on), notify on departure (off), methods (email + in-app) |
| Security | Require host approval (on), data retention (365 days), enable watchlist (off) |
| Access Control | Enable access control (off), access system type (none), restricted areas (empty) |
| Permissions | Allowed roles, who can manage visitors, who can approve visitors (all default to manager+) |
Admins can reset all settings to default values from the Settings page.
π Roles & Permissions
| Capability | Employee | Manager | Admin | Super Admin |
|---|---|---|---|---|
| View own visitors (as host) | Yes | Yes | Yes | Yes |
| Pre-register visitors | Config | Yes | Yes | Yes |
| Edit pending visitors (own) | Yes | Yes | Yes | Yes |
| Approve / Reject visitors | β | Yes | Yes | Yes |
| Bulk actions | β | Yes | Yes | Yes |
| View all visitors | β | Yes | Yes | Yes |
| Security Dashboard | β | Yes | Yes | Yes |
| Analytics & Reports | β | Yes | Yes | Yes |
| Manage Watchlist | β | β | Yes | Yes |
| Configure Settings | β | β | Yes | Yes |
| Reset to Defaults | β | β | Yes | Yes |
| Access Compliance Export | β | Yes | Yes | Yes |
| Security Audit Report | β | β | Yes | Yes |
Frequently Asked Questions
How do I pre-register a visitor?
Navigate to Guest Pass and click Pre-Register Visitor. Fill in the visitorβs details, select a host, set arrival and departure times, and submit. If auto-approve is enabled, the visitor receives their digital badge immediately; otherwise they enter the approval queue.
How does QR code check-in work?
When a visitor is approved, a digital badge with a QR code is generated. The QR code encodes a verification URL containing the badgeβs security token. Reception staff scan the code, which validates the token and badge status, then triggers the check-in workflow.
What happens if a visitor is on the watchlist?
The system checks visitor details against the active watchlist during registration. If a match is found, the on_watchlist flag is set, auto-approval is blocked, and a security review may be triggered depending on the watchlist entryβs risk level.
Can visitors add their badge to Apple Wallet?
Yes. When viewing a digital badge, visitors can download a .pkpass file generated by the Apple Wallet integration. This adds the badge to their iPhone Wallet for convenient tap-to-show access at check-in.
How are overdue visitors handled?
The system detects visitors who are still checked in past their expected departure. It can send urgent notifications to the host and escalate to security personnel. Overdue visitors appear prominently on the dashboard.
What reports are available?
Guest Pass provides four report types: Visitor Summary (trends and statistics), Security Audit (compliance trail), Host Activity (engagement metrics), and Badge Usage (issuance and scanning data). Reports are available in HTML, CSV, and PDF formats.
How long is visitor data retained?
By default, visitor records are retained for 365 days. Administrators can change this via the visitor_data_retention_days setting. The photo cleanup utility removes photos for completed visits older than the configured threshold.
Related Apps
- Bookings β Reserve meeting rooms and desks for visitor meetings
- Safety Hub β Report safety incidents involving visitors
