How to disable Two-Factor Authentication (TFA) for users?

Description

In certain cases, you might need to disable Two-Factor Authentication for the users logging into the MDM console. You can do so as explained below:

Steps 

On specifying the code generated by Google Authenticator, you get an error stating 'Invalid Code'

You can refer to these troubleshooting steps and retry logging in.

Uninstalled Google Authenticator or issues with the Google Authenticator account

In this case, an Admin or technician with sufficient privilege can resend the QR code by navigating to Admin -> User Administration (under Global Settings) and clicking the ellipsis icon under Action against the user to whom the QR code is to be sent. Select Resend QR code from the dropdown. The QR code is mailed to the user, after which they can retry logging in.

If there are no administrators available or you are the only administrator, you can disable TFA as explained below:

 

  • On the machine running MDM, open Services.msc and stop ManageEngine Mobile Device Manager Plus.
  • Navigate to the <Install_Dir>\MDM_Server\bin directory and open Command Prompt there. Then run ExecuteQuery.bat disable2FA.xml to disable TFA.
  • Start ManageEngine Mobile Device Manager Plus from Services.msc.
  • Log in to the MDM server from a different browser to avoid caching issues.
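The steps above as a single script, given here as an added example and not a script supplied by ManageEngine. It waits for the service to stop before running the query, restarts the service even if the query fails, and records who made the change. The `-InstallDir` parameter, the log file name and the meaning of the batch file's exit code are assumptions.

```powershell
# Added example, not ManageEngine's own script.
# Run from an elevated PowerShell prompt on the machine running MDM.
param(
    # Placeholder: pass the real installation directory (<Install_Dir> in the steps above).
    [Parameter(Mandatory = $true)]
    [string]$InstallDir
)

$ErrorActionPreference = 'Stop'
$displayName = 'ManageEngine Mobile Device Manager Plus'   # name as shown in Services.msc
$binDir      = Join-Path $InstallDir 'MDM_Server\bin'
$queryTool   = Join-Path $binDir 'ExecuteQuery.bat'

if (-not (Test-Path -LiteralPath $queryTool)) {
    throw "ExecuteQuery.bat not found in $binDir; check the installation directory."
}

$service = Get-Service -DisplayName $displayName

# Step 1: stop the service and confirm it has actually stopped.
if ($service.Status -ne 'Stopped') {
    Stop-Service -InputObject $service
    $service.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5))
}

# Step 2: run the query from the bin directory, as in the manual procedure.
Push-Location $binDir
try {
    & cmd.exe /c 'ExecuteQuery.bat disable2FA.xml'
    # Assumption: the batch file returns a non-zero exit code on failure.
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "ExecuteQuery.bat exited with code $LASTEXITCODE; TFA may still be enabled."
    }
}
finally {
    Pop-Location
    # Step 3: start the service again even if the query failed.
    Start-Service -InputObject $service
    # Record who changed the authentication setting and when (hypothetical log file name).
    $who = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    Add-Content -Path (Join-Path $env:TEMP 'mdm-tfa-change.log') `
        -Value "$(Get-Date -Format o) disable2FA.xml run by $who, exit code $LASTEXITCODE"
}
```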

NOTE: You can enable Two-Factor Authentication on MDM server again as explained here.