GINA/macOS/Linux login agent installation
The ADSelfService Plus login agent secures machines with MFA and allows end users to reset their passwords and unlock their accounts directly from the Windows, macOS, or Linux login screen.
Supported platforms
| Windows Servers | Windows Clients | macOS Clients | Linux Clients |
|---|---|---|---|
| Windows Server 2025 | Windows 11 | macOS 26 Tahoe | SUSE Linux Enterprise Server/Desktop (SLES/SLED) 12.x to 15.x and openSUSE Leap 15.6 * |
| Windows Server 2022 | Windows 10 | macOS 15 Sequoia | Red Hat Enterprise Linux 8.x–9.x * |
| Windows Server 2019 | Windows 8.1 | macOS 14 Sonoma | Rocky Linux 8.x–9.x * |
| Windows Server 2016 | Windows 8 | macOS 13 Ventura | Ubuntu 16.x–20.04.4 |
| Windows Server 2012 R2 | Windows 7 | macOS 12 Monterey | Fedora 27.x–31.x |
| Windows Server 2012 | Windows Vista | macOS 11 Big Sur | CentOS 7.x - 8.x and CentOS Stream 9.x * |
| Windows Server 2008 R2 | | macOS 10.15 Catalina | |
| Windows Server 2008 | | macOS 10.14 Mojave | |
| | | macOS 10.13 High Sierra | |
| | | macOS 10.12 Sierra | |
| | | OS X 10.11 El Capitan | |
| | | OS X 10.10 Yosemite | |
* Machines running SLES/SLED, openSUSE Leap 15.6, Red Hat Enterprise Linux, and Rocky Linux can be secured with machine login MFA. Self-service password resets and unlocks from the login screen are currently not supported for these platforms.
| Note: For Entra ID-joined environments, login agent deployment is supported on Windows machines only. macOS and Linux are not supported. |
|---|
Prerequisites
- You must have administrative privileges in ADSelfService Plus.
- HTTPS must be enabled in the Access URL before the login agent can be installed on remote machines. For more details, see enabling HTTPS in ADSelfService Plus.
Limitations
- The login agent cannot be installed on Windows workgroup machines from the admin console. Use the manual installation or CLI method for workgroup machines.
- On Entra ID-joined Windows machines, authentication through the Windows Web Sign-in provider bypasses the login agent’s MFA flow. Disable the Web Sign-in provider to ensure MFA enforcement. See Disabling the Windows Web Sign-in provider using Microsoft Intune.
- The login agent has been tested on the Linux distributions listed in the Supported platforms table. It may support additional distributions. Contact support@adselfserviceplus.com to verify compatibility for your organization’s environment.
Configuration instructions
The steps below cover login agent installation through the admin console for AD-joined machines. For all other deployment methods, follow the links to the corresponding admin guide pages.
Installing the login agent from the admin console (AD-joined machines)
The admin console method installs the login agent on multiple domain-joined Windows, macOS, and Linux machines simultaneously from within ADSelfService Plus.
- In the ADSelfService Plus portal, navigate to Configuration > Administrative Tools > GINA/Mac/Linux (Ctrl+Alt+Del) > GINA/Mac/Linux installation.
- Click New Installation.
- Select a domain, then select the computers on which you want to install the login agent.
- Click Install.
| Note: ADSelfService Plus uses three methods for Windows login agent installation to improve the success rate: Remcom, PAExec, and WMI. If Remcom fails, PAExec is attempted; if PAExec fails, WMI is used. |
|---|
The login agent installation key
- The installation key is similar to a password. It is sensitive information and must not be shared. If the current key is compromised, regenerate it using the link in the admin portal.
- After regenerating the key, copy the updated command from the admin portal and update the Installation Command field for all new installations done via GPO, Microsoft Configuration Manager, Endpoint Central, or other third-party tools.
- Regenerating the key does not affect existing login agent installations.
Other deployment methods for AD-joined machines
Manual installation: Install the login agent on domain-joined or workgroup Windows, macOS, and Linux machines using the installer package or CLI. For more details, see installing the login agent manually.
Via GPO: Deploy the login agent on domain-joined Windows machines using Group Policy. For more details, see installing the login agent via GPO.
Via Microsoft Configuration Manager: Deploy the login agent on domain-joined Windows machines using Microsoft Configuration Manager. For more details, see installing the login agent via Microsoft Configuration Manager.
Via Endpoint Central: Deploy the login agent on domain-joined Windows, macOS, and Linux machines using Endpoint Central. For more details, see installing the login agent via Endpoint Central.
Deployment methods for Entra ID-joined machines
Login agent deployment for Entra ID-joined machines is supported on Windows only. Use one of the following methods to deploy the login agent:
Manual installation: Install the login agent on Entra ID-joined Windows machines using the installer package. For more details, see Installing the login agent manually on Entra ID-joined Windows machines.
Via scripts: Deploy the login agent on Entra ID-joined Windows machines using installation scripts. For more details, see Installing the login agent via scripts on Entra ID-joined Windows machines.
Via Microsoft Configuration Manager: Deploy the login agent on Entra ID-joined Windows machines using Microsoft Configuration Manager. For more details, see installing the login agent via Microsoft Configuration Manager.
Disabling the Windows Web Sign-in provider using Microsoft Intune (Entra ID-joined machines)
On Entra ID-joined Windows machines, authentication through the Windows Web Sign-in provider bypasses the login agent’s MFA flow. To ensure MFA is enforced through the login agent, disable the Web Sign-in provider using Microsoft Intune.
- Open the Microsoft Intune Admin Center.
- Go to Devices > Configuration profiles.
- Click Create profile.
- Set Platform to Windows 10 and later.
- Set Profile type to Settings catalog.
- Click Create.
- In the Settings catalog, search for Enable Web Sign In and add the setting.
- Set the value to Disabled.
- Assign the policy to the required Entra device groups.
- Sync the policy on the client machines, or wait for the next Intune policy sync cycle.
- After the policy applies:
  - The Web Sign-in option no longer appears on the Windows logon screen.
  - End users authenticate using the supported Windows login agent credential providers.
  - MFA enforcement through the login agent functions as expected.
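A client-side check for the outcome of this procedure, as an added example that is not part of the ADSelfService Plus documentation. It assumes the Intune setting is delivered as the Policy CSP `Authentication/EnableWebSignIn` policy and that its applied value is stored under the PolicyManager registry key shown; the function name `Get-WebSignInPolicyState` is hypothetical.

```powershell
# Added example: confirm on a client that "Enable Web Sign In" = Disabled has applied.
# Assumptions: the policy lands under the PolicyManager key below, with
# 0 = not configured, 1 = enabled, 2 = disabled (Policy CSP value mapping).
# Confirm the path on one known-good machine before relying on the result.
function Get-WebSignInPolicyState {
    [CmdletBinding()]
    param(
        [string]$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication'
    )

    $names = @{ 0 = 'NotConfigured'; 1 = 'Enabled'; 2 = 'Disabled' }
    $raw   = $null

    # The key or value is absent until the Intune profile has synced at least once.
    if (Test-Path -Path $PolicyPath) {
        $item = Get-ItemProperty -Path $PolicyPath -Name 'EnableWebSignIn' -ErrorAction SilentlyContinue
        if ($null -ne $item) { $raw = $item.EnableWebSignIn }
    }

    if ($null -eq $raw) {
        $state = 'PolicyNotApplied'
    } elseif ($names.ContainsKey([int]$raw)) {
        $state = $names[[int]$raw]
    } else {
        $state = "Unknown($raw)"
    }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        EnableWebSignIn = $raw
        State           = $state
        # Only an explicit "Disabled" removes the Web Sign-in path around the login agent.
        MfaBypassClosed = ($state -eq 'Disabled')
    }
}

$result = Get-WebSignInPolicyState
$result | Format-List
if (-not $result.MfaBypassClosed) {
    Write-Warning "Web Sign-in is not explicitly disabled on $($result.Computer) (state: $($result.State))."
}
```

Run it in an elevated PowerShell session on the client after the policy sync; a state of `PolicyNotApplied` or `NotConfigured` means the profile has not taken effect on that machine.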
Uninstalling or updating the login agent
For the steps to uninstall or update the login agent on Windows, macOS, and Linux computers, see uninstalling and updating the ADSelfService Plus login agent.