Previous Topic

Machine-based MFA

Machine-based MFA is a setting intended to protect business-critical machines in an organization by preventing them from being compromised.

Note: Machine-based MFA requires the Professional Edition of ADSelfService Plus with Endpoint MFA. If not, machine-based MFA will not be enforced.

• How does machine-based MFA work?
  • Steps to enforce machine-based MFA
  • Steps to exempt a machine from machine-based MFA
• Advanced Machine MFA Settings
  • MFA settings for Windows machines
  • MFA for GUI logins on Windows machines
  • MFA for User Account Control
  • MFA for Remote Desktop access
  • MFA for machine unlocking

How does Machine-based MFA work?

When Machine-based MFA is enforced for a particular machine, any user trying to access the machine has to prove their identity using MFA to successfully log in. The MFA authenticators in the prompt will be based on the authenticators configured for the user in the MFA for Machine Login section.

When this setting is enabled, users will not be allowed to log in to the machine on which Machine-based MFA is enforced if:

• The ADSelfService Plus server is not reachable.

Note: If Offline MFA is enabled, Machine-based MFA will still work on Windows machines when the ADSelfService Plus server is not reachable.

• The user account is restricted in ADSelfService Plus.
• The user does not belong to any policy that has MFA for Machine Login configured.
• The user has not enrolled for any of the authenticators configured in the MFA for Machine Login (both online and offline MFA) section, regardless of the Force enrollment option enabled for the user policy.
• The user license consumption limit has been exceeded or the Endpoint MFA has not been purchased. To purchase the Endpoint MFA,click here.

However, users who have selected the Trust this machine setting on the login screen will be allowed to log in to the machine without performing MFA for the specified duration after initial identity verification.

Note: Make sure to update the login agent to the following latest versions for proper enforcement of MFA: Windows 5.10, macOS 1.7, or Linux 2.4 and above. If an older version of the login agent is installed on the machine, and the ADSelfService Plus server is not reachable, the user will be allowed to access the machine if the Skip MFA when ADSelfService Plus server is down or unreachable option is enabled.

Steps to enforce Machine-based MFA

1. Navigate to Configuration > Administrative Tools > GINA/Mac/Linux (Ctrl+Alt+Del) > GINA/Mac/Linux Installation > Installed Machines.

   

2. Select the required domain from the drop-down list.
3. Select the machines on which you want to enforce machine-based MFA.

   

4. Click Manage MFA and select Enforce.

   

Steps to exempt a machine from Machine-based MFA

1. Navigate to Configuration > Administrative Tools > GINA/Mac/Linux (Ctrl+Alt+Del) > GINA/Mac/Linux Installation > Installed Machines.
2. Select the required domain from the drop-down list.
3. Select the machine that you want to exempt from machine-based MFA.
4. Click Manage MFA and select Exempt.

   

Advanced Machine MFA Settings

The authenticators in the prompts for the enabled scenarios will be based on the MFA factors configured in the MFA for Machine Login section. The settings enabled here will be applied to all Windows machines where the ADSelfService Plus login agent is installed.

Windows MFA settings

Enable MFA during interactive logins to machines running Windows, macOS and Linux via the GUI:

When this setting is enabled, MFA will be required during interactive or GUI-based logins on Windows, macOS, and Linux machines. Users will be able to perform subsequent actions only upon successful identity verification.

Note: MFA for interactive logins to Windows servers requires the Professional Edition of ADSelfService Plus with Endpoint MFA. If not, MFA will be bypassed on Windows servers.

To enable this setting:

• Navigate to Configuration > Administrative Tools > GINA/Mac/Linux (Ctrl+Alt+Del) > GINA/Mac/Linux Installation > Installed Machines > Advanced Machine MFA Settings.
• Select Enable MFA during interactive logins to machines running Windows, macOS and Linux via the GUI.

MFA for User Account Control on Windows machines

Note: MFA for UAC, RDP, and machine unlocking are currently supported only for Windows machines. To request these features for Mac or Linux, click here.

When this setting is enabled, MFA will be required for all User Account Control (UAC) credential prompts, and the user will be able to perform the desired action only upon successful identity verification. This setting is compatible with Windows 7 and above and Windows Server 2008 and above. This setting is supported by version 5.10 and above of the ADSelfService Plus Windows login agent.

Note: Actions performed by selecting the Run as a different user option will not require credentials as prompted for by other UAC actions.

To enable this setting:

1. Navigate to Configuration > Administrative Tools > GINA/Mac/Linux (Ctrl+Alt+Del) > GINA/Mac/Linux Installation > Installed Machines > Advanced Machine MFA Settings.
2. Select Enable MFA for User Account Control.

MFA for Remote Desktop Access

Note: MFA for RDP Access to Windows machines requires the Professional Edition of ADSelfService Plus with Endpoint MFA.

The admin can configure MFA to be required when establishing connections with machines through the RDP. This will ensure that RDP connections to machines are secured with an additional layer of authentication.

There are two ways in which MFA can be configured for Remote Desktop access:

• RDP server authentication

  When this setting is enabled, all incoming Remote Desktop connections to Windows machines where the ADSelfService Plus login agent is installed will be authenticated and protected using MFA.

• RDP client authentication

  This setting can be enabled to require MFA for all outgoing Remote Desktop connections via the Windows Remote Desktop application (mstsc.exe) on machines where the ADSelfService Plus login agent is installed. This setting is supported by version 5.10 and above of the ADSelfService Plus Windows login agent. This setting is applicable for Windows 7 and above and Windows Server 2008 and above.

  Note/Tip: With RDP client authentication, you can protect remote access using MFA only for users accessing the machine from the internet or other public IP addresses via Remote Desktop Gateway (RD Gateway) by configuring a conditional access rule with IP restrictions. Click here to learn more about conditional access.

  To enable MFA for RDP client authentication, the following prerequisites need to be satisfied:

  • Network-level authentication needs to be enabled. You can enable network-level authentication via Group Policy by navigating to Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security..
  • To require MFA for Remote Desktop connections in a multi-forest AD environment, there must be a trust relationship between the two domains. Domain trusts can be added between forests either through a forest trust (a trust relationship at the forest level) or through an external trust (a trust relationship at the domain level). For steps to configure a trust relationship, please refer to this document.

To enable MFA for RDP server and RDP client authentication:

1. Navigate to Configuration > Administrative Tools > GINA/Mac/Linux (Ctrl+Alt+Del) > GINA/Mac/Linux Installation > Installed Machines > Advanced Machine MFA Settings.
2. Select Enable MFA for Remote Desktop access during and check the RDP server authentication or RDP client authentication check boxes based on the scenario during which you want MFA to be required.

   

MFA for machine unlocking

Note: MFA for Windows machine unlocks requires the Professional Edition of ADSelfService Plus with Endpoint MFA.

Enabling this setting will enforce MFA during Windows machine unlocking..

To enable this setting:

1. Navigate to Configuration > Administrative Tools > GINA/Mac/Linux (Ctrl+Alt+Del) > GINA/Mac/Linux Installation > Installed Machines > Advanced Machine MFA Settings.
2. Select Enable MFA when unlocking Windows machines.

Next Topic