Versions Compared

Old Version 1

changes.mady.by.user Paul Ruvin

Saved on

compared with

New Version Current

changes.mady.by.user Paul Ruvin

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Section
bordertrue


Column

On the Administration Console go to Shortcuts>Check Policies


Column
width60%


Panel
borderColor#9EBEE5
bgColor#f0f0f0
borderWidth1px




First, create a domain-held policy Logon Policy to ensure MFA is required for all users on the StandAlone machine

Section
bordertrue


Column

Click on  on the top right.

Set these Values in the Policy - New Window

OptionValue
Category:

Computer Logon Client

Holder:

Domain

Domain:Enter the virtual domain name
Name:Enter a user-friendly name
Enabled:True



Column
width60%


Panel
borderColor#9EBEE5
bgColor#f0f0f0
borderWidth1px

Image RemovedImage Added




Section
bordertrue


Column

Scroll down the Expand Authentication and select  MFA is required for all users from the drop down,


Column
width50%60%


Panel
borderColor#9EBEE5
bgColor#f0f0f0
borderWidth1px

Image Removed

Image Added




Save the new Logon policy.


It is also recommended to exempt at least one local account from MFA (usually the local administrator account)  just in case there is an issue that prevents the end user from being able to log on, the administrator will still have access without being challengedClick on Image Removed on the top right.

Section
bordertrue


Column

Click on Image Added on the top right.

Set these Values in the Policy - New Window

OptionValue
Category:

Logon

Holder:

User

Domain:Enter the virtual domain name
User:Enter the name of the account you wish to exempt (e.g Administrator) 
Name:Enter a user-friendly name
Enabled:True
Fill in the details as per screenshot on right and make sure you select SAML 2.0(Without Metadata) as Type.



Column
width50%60%


Panel
borderColor#9EBEE5
bgColor#f0f0f0
borderWidth1px

Image RemovedImage Added




Section
bordertrue


Column

Expand Authentication and select  MFA is not required for all users from the drop down,


Column
width60%


Panel
borderColor#9EBEE5
bgColor#f0f0f0
borderWidth1px

Image Added




Save the new Logon policy.

Now create the offline policies that will be needed once you remove the machine from the network.

Section
bordertrue


Column

Click on Image Added on the top right.

Set these Values in the Policy - New Window

OptionValue
Category:

Computer Logon Client

Holder:

Domain

Domain:Enter the virtual domain name
Name:Enter a user-friendly name
Enabled:True



Column
width60%


Panel
borderColor#9EBEE5
bgColor#f0f0f0
borderWidth1px

Image Added




Section
bordertrue


Column

Expand General and check Enable MFA on local computer logon


Now fill out Entity ID and ACS URL.

Column
width60%
OptionValue
Entity ID:

https://prefix.yourdomainname.com

ACS URL:

https://prefix.yourdomainname.com/ServicesPortal/saml

Column
width50%


Panel
borderColor#9EBEE5
bgColor#f0f0f0
borderWidth1px

Image RemovedImage Added




Section
bordertrue


Column

Scroll down the policy and expand Offline Logon

Check Enforce MFA on Local Computer Logon and Download Offline Tokens AutomaticallyThe completed Service Provider dialogue box will look like this:


Column
width50%60%


Panel
borderColor#9EBEE5
bgColor#f0f0f0
borderWidth1px

Image RemovedImage Added




Save the new Computer Logon Client policy

Create an additional Computer Client Logon Policy which will exempt the Administrator account from MFA logonClick Save.

Section
bordertrue

Download the IDP Metadata file.


Column

Click on Image Added on the top right.

Set these Values in the Policy - New Window

OptionValue
Category:

Computer Logon Client

Holder:

User

Domain:Enter the virtual domain name
User:Enter the name of the account you wish to exempt (e.g Administrator)
Name:Enter a user-friendly name
Enabled:True



Column
width60%


Panel
borderColor#9EBEE5
bgColor#f0f0f0
borderWidth1px

Image Added




Section
bordertrue


Column

Go to SSO>SSO ServersExpand General. Leave all checkboxes blank.


Column
width50%60%


Panel
borderColor#9EBEE5
bgColor#f0f0f0
borderWidth1px

Image Added

Image Removed




Section
bordertrue


Column

Scroll down the policy and expand Offline Logon

Leave all checkboxes blank.


Column
width60%


Panel
borderColor#9EBEE5
bgColor#f0f0f0
borderWidth1px

Image Added




Save the new Computer Logon Client policy

Section
bordertrue


Column

Click on Image Added on the top right.

Set these Values in the Policy - New Window

OptionValue
Category:

Windows Offline

Holder:

Domain

Domain:Enter the virtual domain name
Name:Enter a user-friendly name
Enabled:True

Check Enforce MFA on Local Computer Logon and Download Offline Tokens Automatically



Column
width60%


Panel
borderColor#9EBEE5
bgColor#f0f0f0
borderWidth1px

Image Added



Save the new Windows Offline policy

Create an additional Windows Offline Policy which will exempt the Administrator account from MFA logon.

Section
bordertrue


Column

Click on Image Added on the top right.

Set these Values in the Policy - New Window

OptionValue
Category:

Computer Logon Client

Holder:

User

Domain:Enter the virtual domain name
User:Enter the name of the account you wish to exempt (e.g Administrator)
Name:Enter a user-friendly name
Enabled:True

Leave all the enforce MFA checkboxes blank

Select the drop down menu corresponding to the SSO server you will be using and click on Download IDP Metadata

.


Column
width50%60%


Panel
borderColor#9EBEE5
bgColor#f0f0f0
borderWidth1px

Image RemovedImage Added