How to enable MFA for Windows, macOS, and Linux
To enable MFA for desktop or laptop logins, including remote desktop logons, follow the steps given below:
Prerequisites
- SSL must be enabled: Log in to the ADSelfService Plus web console with admin credentials. Navigate to the Admin tab → Product Settings → Connection. Select the ADSelfService Plus Port [https] option. Refer to this guide to learn how to apply an SSL certificate and enable HTTPS.
- Access URL must be set to HTTPS: Navigate to Admin → Product Settings → Connection → Connection Settings → Configure Access URL and set the Protocol option to HTTPS.
- Enable the required authentication methods. For steps on enabling the authentication methods, refer to the Authenticators section.
- Install ADSelfService Plus client software for Windows, macOS, and Linux on the machines where you want to enable MFA. Click here for steps to install the ADSelfService Plus client software.
Steps to enforce MFA for Windows, macOS, and Linux machines:
- Go to Configuration → Self-Service → Multi-factor Authentication → MFA for Endpoints.
- Select a policy from the Choose the Policy drop-down. This will determine which authentication methods are enabled for which sets of users.
Note: ADSelfService Plus allows you to create OU and group-based policies. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.
- In the MFA for Machine Login section, check the Enable the second authentication factor box and select the authentication method from the drop-down.
- Click Save Settings.
Note: If ADSelfService Plus is unreachable or down, users will be left stranded at the login screen, unable to complete MFA. You can enable users to bypass MFA in such situations. Refer to the Advanced Settings for more information.
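Because machine logins depend on the endpoint reaching the server over the HTTPS Access URL, it is worth checking that path from an endpoint before saving the MFA settings. The following pre-flight script is an added example, not part of ADSelfService Plus. It assumes the endpoint validates the server certificate against the system trust store; the 14-day expiry threshold and any host name you pass are your own values.

```python
import socket
import ssl
import sys
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

MIN_DAYS_LEFT = 14  # assumed renewal threshold, adjust to local policy


def check_access_url(url):
    """Return problems with the Access URL itself (no network needed)."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("access URL protocol is not HTTPS")
    if not parts.hostname:
        problems.append("access URL has no host name")
    return problems


def check_cert_expiry(cert, now):
    """cert is the dict returned by SSLSocket.getpeercert()."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    if expires - now < timedelta(days=MIN_DAYS_LEFT):
        return [f"certificate expires {expires:%Y-%m-%d}"]
    return []


def preflight(url, timeout=5.0):
    """Run on an endpoint that has the client software installed."""
    problems = check_access_url(url)
    if problems:
        return problems
    parts = urlsplit(url)
    ctx = ssl.create_default_context()  # verifies chain and host name
    try:
        with socket.create_connection((parts.hostname, parts.port or 443), timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=parts.hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return [f"certificate not trusted by this machine: {exc.verify_message}"]
    except OSError as exc:  # DNS failure, refused connection, timeout, TLS error
        return [f"server not reachable: {exc}"]
    return check_cert_expiry(cert, datetime.now(timezone.utc))


if __name__ == "__main__":
    issues = preflight(sys.argv[1])  # pass the configured Access URL
    print("\n".join(issues) or "OK")
    sys.exit(1 if issues else 0)
```

A non-zero exit on any endpoint means users on that machine could be stranded at the login screen once MFA is enforced, so resolve the reported problem or configure the bypass option first.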