Configure User Access and IdP User Settings

Keycard plugin provides capability to configure settings with which you can control users' access to devices where users can be Identity Providers or otherwise. This article explains the settings.

1. In Keycard configuration window, navigate to Keycard Settings on the left panel.
   

General Settings  

1. Allow Local User Login: Select an option to specify whether existing local users can log in, or if access should be restricted to local administrators or specific local users. Choose one from the following options in drop-down:
   
   1. Do not allow: Does not allow local user to login. This option will be visible if you are an IdP user.
   2. Enrolled User: Only the enrolled user can login to the device
   3. All Accounts (default): All the user accounts can login
   4. Administrator Accounts: The users belonging to Administrator are allowed to login. 
   5. Specify User Accounts: Specify the user accounts with which users can login. On selecting this option, a grid will be displayed where you need to enter Local user short names which have been previously configured, from the Device details > User Accounts section on Scalefusion Dashboard. You can search for a particular user which will populate list of users created. To add more than one user, click on New User link. If users are not configured (do not exist in UAM section), they can be configured from this section. Custom properties are also supported for configuring local users.
      
2. Compliance Check Frequency: Select a frequency to check whether the device is compliant with the conditions specified under Conditional Accessfor logged in user accounts. The frequency can be selected from one of the following:
   1. High: The compliance check is performed every 5 minutes. Selecting 'High' impacts the battery and device performance as the checks run very frequently. 
   2. Medium: The compliance check is performed every 30 minutes. 
   3. Low: The compliance check is performed every 60 minutes.
      
3. Automatic FileVault Login: If this setting is toggled on, it will bypass the Keycard login window. The users will get the FileVault login screen to login to the device. Important Points to note for this setting:
   1. FileVault should be enabled
   2. It is supported only on Apple Silicon devices
   3. If you have provided any conditional checks, those will be performed post login only
   4. Automatic FileVault login will automatically login a user only if the user is allowed to login based on local account settings of Keycard.
      
      
4. Save the account passwords locally: If this is enabled, the keycard will securely store the user's account password. As a result, during subsequent password sync operations, the system will validate whether the stored password matches the remote account password. If a password mismatch is detected, it will automatically get updated.
   On enabling this setting, for the first time, user will have to manually sync the password on the device by clicking on Sync Now inside Scalefusion MDM Client window > Settings or at the time logging in on the device.
   
   

How User settings work on device

Taking an example, if you have allowed local user login for All accounts, and pushed the configuration, then on the device you will get a list of all the local users. Select a user and enter password to login to the machine. This is also referred as offline login because you don't need internet access to login.

IdP User Settings

These settings are configurable if one of the following conditions are met:

• The account with which you have logged in on Scalefusion Dashboard, is an IdP account (Google Workspace / Microsoft Entra/ OneIdP / Okta / PingOne / OnPrem AD)  
  
  For OnPrem AD, the OPC setup should be done on Scalefusion Dashboard
• You have created a Directory in OneIdP (with custom and/or default domain) 
  Also, the users should be existing under User Enrollment section on Scalefusion Dashboard.
  
  Here are the settings:

1. New User Account Type: For a new user account created on the device, you can select the new user's account type whether it will be Standard or Administrator. The user should be existing in the User Enrollment section on Scalefusion Dashboard.
2. Password Sync: Synchronizes the remote account password with local account password after specified number of days to make sure that local account password and remote account password are the same. By default it is set to 3 days and can be selected anywhere between 1 to 30 days. 
3. Password Sync Reminder: This will notify user to complete sync password activity. Specify a time limit (in hours) and user will be notified to sync password within that timeframe. Reminder time can be set anywhere from 0 to 72 hours. Also, the users will not get logged off to perform the online login, the reminder window is shown to them to complete login.
   
   For example, if you have selected password sync frequency as 1 day, the following prompt will display on device when user tries to login with local user credentials.
   

How IdP user settings work on the device

When you push Keycard configuration on the device with IdP user settings configured, you need to enter IdP credentials to login. This is also referred as online login.

1. Taking an example of an account configured in google workspace, following will be the default screen in case of online login. Enter your email address on the login screen and click on the right arrow.
   
2. The next screen will be from google for authentication. Enter your credentials (email address and password) and click on Allow on the next screen
   
3. Once authenticated, a new user account will be created on the device with the user type (Standard or Administrator), as selected in the New User Account type in IdP User Settings, with which you can login on the device next time. The user will also be added in Device details > User accounts section.
   1. If a local user with the same username already exists on the device, then it will get linked to the existing user present on the device. Hence, it is up to the discretion of IT admins whether to have a new user created on the device or not. If they want a new user to be created then the username in User Enrollment section should be different from the users already existing on the device.
      
      
4. Local login: Local users can login to the device (offline) by entering their Username and password. On the default login screen, an additional link Local Login is there. Click on it and enter credentials.

Two Factor Authentication

Traditional offline login methods often rely solely on stored credentials, such as passwords or cached tokens, which can be vulnerable to misuse if a device is lost or compromised. To enhance user authentication and reduce the risk of unauthorized access, implementing a one-time password (OTP) requirement for offline login provides an added layer of verification. This approach not only strengthens security by requiring users to verify their identity through an additional factor but also ensures that only the legitimate user can access the system, even without an active internet connection.

With the "Enforce Two-Factor Authentication using an OTP" option, you can now enforce users to enter an OTP from the Scalefusion Authenticator app from a managed mobile device (Android or iOS) or a 3rd party authenticator app during offline login in the Keycard login screen.

Prerequsites

1. The user must have at least one managed device with the Scalefusion Authenticator app installed or access to a third-party authenticator app that can generate the required OTP. 
2.  The user(s) must be migrated to OneIdP.

Enabling Two-Factor Authentication

1. Navigate to OneIdP > Keycard > click on Edit.
2. Go to Keycard settings > scroll down to the Two-Factor Authentication section.
3. Toggle on the Enforce Two-Factor Authentication using an OTP option.
   
4. Click on Update.

User experience

A. User(s) have a managed mobile device with the Scalefusion Authenticator app installed

1. Once the setting is successfully applied to the device, the user(s) may see the following message when they try to log in locally on the device.
   
2. They will be asked to complete an online login to synchronize the settings with the device.
3. If the user(s) already have a managed mobile device (Android or iOS) with the Scalefusion Authenticator app installed, they can use the OTP from that device for their next local login.
   

B. User(s) do not have a managed mobile device with the Scalefusion Authenticator app installed

1. Once the setting is successfully applied to the device, the user(s) may see the message (as shown above in point 1)when they try to log in locally on the device.
2. They will be asked to complete an online login to synchronize the settings with the device.
3. In this case, where the user(s) don't have a managed device, they can set up a 3rd party authenticator app on their device.
4. However, for this to work, you will have to enable the option "Enable MFA using third-party authenticator app" in Directory Settings.
   1. Navigate to OneIdP > Directory.
   2. Click on the 3-dots for the concerned domain > Settings.
      
   3. Go to the Multi-factor Authentication tab and select the Enable MFA using third-party authenticator app option.
   4. Next, select the Use MFA for Keycard-based logins option.
      
   5. Click on Save.
5. Please note that the user must complete the online login using an OTP generated by a third-party authenticator app.
6. Once this is done, on the next local login, they can use the OTP from a 3rd-party authenticator app.