- 10 Sep 2024
- 5 Minutes to read
- Print
- PDF
Configure User Access and IdP User Settings
- Updated on 10 Sep 2024
- 5 Minutes to read
- Print
- PDF
Keycard plugin provides capability to configure settings with which you can control users' access to devices where users can be Identity Providers or otherwise. This article explains the settings.
- In Keycard configuration window, navigate to Keycard Settings on the left panel.
General Settings
- Allow Local User Login: Select an option to specify whether existing local users can log in, or if access should be restricted to local administrators or specific local users. Choose one from the following options in drop-down:
- Do not allow: Does not allow local user to login. This option will be visible if you are an IdP user.
- Enrolled User: Only the enrolled user can login to the device
- All Accounts (default): All the user accounts can login
- Administrator Accounts: The users belonging to Administrator are allowed to login.
- Specify User Accounts: Specify the user accounts with which users can login. On selecting this option, a grid will be displayed where you need to enter Local user short names which have been previously configured, from the Device details > User Accounts section on Scalefusion Dashboard. You can search for a particular user which will populate list of users created. To add more than one user, click on New User link. If users are not configured (do not exist in UAM section), they can be configured from this section. Custom properties are also supported for configuring local users.
- Compliance Check Frequency: Select a frequency to check whether the device is compliant with the conditions specified under Conditional Accessfor logged in user accounts. The frequency can be selected from one of the following:
- High: The compliance check is performed every 5 minutes. Selecting 'High' impacts the battery and device performance as the checks run very frequently.
- Medium: The compliance check is performed every 30 minutes.
- Low: The compliance check is performed every 60 minutes.
- Automatic FileVault Login: If this setting is toggled on, it will bypass the Keycard login window. The users will get the FileVault login screen to login to the device. Important Points to note for this setting:
- FileVault should be enabled
- It is supported only on Apple Silicon devices
- If you have provided any conditional checks, those will be performed post login only
- Automatic FileVault login will automatically login a user only if the user is allowed to login based on local account settings of Keycard.
- Save the account passwords locally: If this is enabled, the keycard will securely store the user's account password. As a result, during subsequent password sync operations, the system will validate whether the stored password matches the remote account password. If a password mismatch is detected, it will automatically get updated.On enabling this setting, for the first time, user will have to manually sync the password on the device by clicking on Sync Now inside Scalefusion MDM Client window > Settings or at the time logging in on the device.
How User settings work on device
Taking an example, if you have allowed local user login for All accounts, and pushed the configuration, then on the device you will get a list of all the local users. Select a user and enter password to login to the machine. This is also referred as offline login because you don't need internet access to login.
IdP User Settings
These settings are configurable if one of the following conditions are met:
- The account with which you have logged in on Scalefusion Dashboard, is an IdP account (Google Workspace / Microsoft Entra/ OneIdP / Okta / PingOne / OnPrem AD) For OnPrem AD, the OPC setup should be done on Scalefusion Dashboard
- You have created a Directory in OneIdP (with custom and/or default domain)
Also, the users should be existing under User Enrollment section on Scalefusion Dashboard.
Here are the settings:
- New User Account Type: For a new user account created on the device, you can select the new user's account type whether it will be Standard or Administrator. The user should be existing in the User Enrollment section on Scalefusion Dashboard.
- Password Sync: Synchronizes the remote account password with local account password after specified number of days to make sure that local account password and remote account password are the same. By default it is set to 3 days and can be selected anywhere between 1 to 30 days.
- Password Sync Reminder: This will notify user to complete sync password activity. Specify a time limit (in hours) and user will be notified to sync password within that timeframe. Reminder time can be set anywhere from 0 to 72 hours. Also, the users will not get logged off to perform the online login, the reminder window is shown to them to complete login.
For example, if you have selected password sync frequency as 1 day, the following prompt will display on device when user tries to login with local user credentials.
How IdP user settings work on the device
When you push Keycard configuration on the device with IdP user settings configured, you need to enter IdP credentials to login. This is also referred as online login.
- Taking an example of an account configured in google workspace, following will be the default screen in case of online login. Enter your email address on the login screen and click on the right arrow.
- The next screen will be from google for authentication. Enter your credentials (email address and password) and click on Allow on the next screen
- Once authenticated, a new user account will be created on the device with the user type (Standard or Administrator), as selected in the New User Account type in IdP User Settings, with which you can login on the device next time. The user will also be added in Device details > User accounts section.
- If a local user with the same username already exists on the device, then it will get linked to the existing user present on the device. Hence, it is up to the discretion of IT admins whether to have a new user created on the device or not. If they want a new user to be created then the username in User Enrollment section should be different from the users already existing on the device.
- If a local user with the same username already exists on the device, then it will get linked to the existing user present on the device. Hence, it is up to the discretion of IT admins whether to have a new user created on the device or not. If they want a new user to be created then the username in User Enrollment section should be different from the users already existing on the device.
- Local login: Local users can login to the device (offline) by entering their Username and password. On the default login screen, an additional link Local Login is there. Click on it and enter credentials.