How to enable offline MFA in ADSelfService Plus

How to enable offline MFA in ADSelfService Plus

ManageEngine ADSelfService Plus supports offline multi-factor authentication (MFA) for Windows machine logins, User Account Control (UAC) prompt elevation, and Remote Desktop Protocol (RDP) server authentication when the product server is unreachable.

Windows machines can be secured by MFA in two ways:

  • Online MFA: The default or online MFA process in ADSelfService Plus uses a network connection between the ADSelfService Plus server and user machines to verify the identities of users based on the authenticator data registered in the ADSelfService Plus server.

  • Offline MFA: To ensure identity security even in the absence of a proper network connection or communication with the ADSelfService Plus server, offline MFA verifies a user's identity with authenticator data securely stored in the user's machine by the Windows or macOS login agent. Offline MFA can be used to secure interactive logins, RDP server authentication, and UAC prompts. Click here to learn more about the enrollment and verification process.

This page explains:

  • How offline MFA works

  • How to enable the feature

  • How to enroll end users in offline MFA

  • How to use Advanced settings

How does offline MFA work?  

  1. The user enters their credentials to log in to their machine.
  2. Upon successful primary authentication, the ADSelfService Plus login agent installed on the machine tries to access the ADSelfService Plus server to initiate MFA, but it fails due to connection issues.
  3. The login agent then initiates offline MFA. If the user has enrolled their device in offline MFA, they will be able to verify their identity when offline. Otherwise, their authentication flow may be blocked based on the organization's policy.
If the user completes the required authentication levels successfully, they are logged in to the machine.

How offline MFA for Windows logins works         


 How offline MFA for macOS logins works     

Offline MFA configuration

We'll outline the prerequisites, as well as the steps to enable offline MFA for Windows, enroll and disenroll users, address scenarios for offline MFA verification, and discuss advanced offline settings.

Prerequisites   

  • Offline MFA is supported only for Windows machines (except Windows 10 version 1803). For remote logins, offline MFA is not supported for RDP client authentication.

  • If the login agent is already installed, make sure it is version 6.3 and above or reinstall it to upgrade to this version. Otherwise, install the agent after configuring offline MFA to ensure that the changes are updated.

  • ADSelfService Plus with Endpoint MFA  is required to enable the MFA for machine logins feature. Visit the store to purchase Endpoint MFA.

  • SSL must be enabled. Log in to the ADSelfService Plus web console with admin credentials. Navigate to Admin > Product Settings > Connection. Select the ADSelfService Plus Port [https] option. Refer to this guide to learn how to apply for an SSL certificate and enable HTTPS.

  • The access URL must be set to HTTPS. Navigate to Admin > Product Settings > Connection > Configure Access URL and set the Protocol option to HTTPS.

  • Enable the required authentication methods. ADSelfService Plus supports the following methods for offline MFA:

    • Google Authenticator

    • Microsoft Authenticator

    • Custom time-based one-time password (TOTP) authenticators

    • Zoho OneAuth's TOTPs

  • For steps on enabling the authentication methods, refer to the authenticators guide.

  • Install the ADSelfService Plus login agent on the machines on which you want to enable offline MFA. Click here for the steps to install the ADSelfService Plus login agent. 

Steps to enable offline MFA

  1. Go to Configuration > Self-Service > Multi-factor Authentication > MFA for Endpoints.

  2. Select a policy from the Choose the Policy drop-down. This will determine which authentication methods are enabled for which sets of users.

Note: ADSelfService Plus enables you to create OU and group-based policies. To create a policy, go to Configuration Self-Service > Policy Configuration Add New Policy. Click Select OUs/Groups, and make the selections based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.

  1. In the MFA for Machine Login section, select the check box to enable online MFA for machine logins and select the number of authentication factors you want to prompt users for. Select the preferred authentication methods from the drop-down.

  2. Click Choose authenticators for Offline MFA and select the authentication method you prefer for offline MFA from the drop-down. 

  3. Click Save Settings.

Offline MFA is now successfully configured using the preferred authenticators for users belonging to the selected policy.

Enrolling end users for Offline MFA  

Enrollment for offline MFA takes place in two stages: authenticator enrollment and machine enrollment.

1. Authenticator enrollment   

There are three methods of authenticator enrollment:

 

A. Enrollment by users during identity verification

  1. When a user is enrolled for online MFA: Once offline MFA is configured, after a user completes online MFA via the login agent or in the ADSelfService Plus portal, they will be enforced to enroll for authenticators configured for offline MFA, if not yet enrolled. This flow can be altered by changing the Force enrollment/Deny access/Allow access if the user is not enrolled in MFA setting.
  2. When a user is not enrolled for online MFA: If online MFA and offline MFA are configured, but the user has not enrolled for any of the authenticators required, they will be enforced to enroll as soon as they complete the primary authentication on their machine. This flow can be altered by changing the Force enrollment/Deny access/Allow access if the user is not enrolled in MFA setting.

 

B. Enrollment by users from the user portal

A user can log in to the ADSelfService Plus user portal, navigate to the Enrollment tab and enroll for the authenticators configured for offline MFA.


C. Enrollment by admins

ADSelfService Plus also supports bulk user enrollment by admins via importing data from CSV files or external databases like Oracle, Microsoft SQL Server, MySQL, and PostgreSQL. Learn how to enroll users in bulk using these methods from the help document.

2. Machine enrollment  

If a user has enrolled for the authenticators needed for offline MFA, during their next successful online MFA, the user's machine will either be automatically enrolled for offline MFA, or they will have to choose between enrolling their machine and skipping enrollment based on the configured settings.

 

Once the machine is enrolled for offline MFA for the specific user, the user's authenticator enrollment data will be securely transmitted from the ADSelfService Plus server and stored as encrypted data in the specific machine for offline MFA. This process will repeat regularly, to keep the authenticator data up-to-date.



Disenrolling a machine from offline MFA  

Disenrolling a user's machine restricts their access to the offline MFA feature. A user's machine can be disenrolled from offline MFA in two ways:

A. From the Offline MFA Enrollment Report:  

This report generates the list of machines enrolled by users for offline MFA. The information listed in the report includes the user who is enrolled in the machine for offline MFA, the name of the machine, the operating system, the time of enrollment, and last synced time. It also allows admins to disenroll machines and users from offline MFA. Here's how to use the disenrollment capability in the report:

  1. Log in to the ADSelfService Plus admin portal.

  2. Go to Reports > Enrollment Reports > Offline MFA Enrolled Machines Report. The Offline MFA Enrolled Machines Report will open.

  3. From the listed usernames and their machines, select the machines you want to disenroll, and click the Disenroll option.

The machine is now disenrolled from offline MFA.

B. From the end user self-service portal:   

  1. Log in to the ADSelfService Plus portal.

  2. Go to the Enrollment tab. Click on Manage.

  1. Click on Offline MFA - Manage Enrolled Devices.

  2. Here, click on Disenroll for the machines you want to revoke your offline MFA enrollment from.

 


Note: Changes to the offline MFA configuration, advanced settings, enrollment data, and disenrollment of the machine from offline MFA will be reflected only after the next successful online MFA attempt in that machine.

Scenarios for offline MFA verification

Offline MFA enable status
User enrollment status for Offline MFA
Machine-based MFA status
Skip MFA when ADSelfService Plus server is down or unreachable setting
Machine login status
True
True
Enforced / exempted
Enabled/Disabled
User will be allowed to log in after MFA verification
True
False
Exempted
Enabled
MFA will be bypassed and users will be allowed to login
True
False
Enforced
Enabled/Disabled
Users will be denied access to login
False
-
Exempted
Enabled
MFA will be bypassed and users will be allowed to login
False
-
Enforced / exempted
Disabled
Users will be denied access to login

Advanced offline MFA settings  

The following advanced settings enhance offline MFA's functionality.

  • Automatically enroll the user's device for offline MFA after successful online authentication: This setting is enabled by default. When enabled, once a user completes online MFA in a machine, it is automatically enrolled for offline MFA without notifying the user. If not enabled, the user can choose to enroll their machine for offline MFA or skip it.

  • Restrict users from performing offline MFA after _ days/attempts: When this setting is enabled, offline MFA is restricted to a certain number of days or attempts and users are mandated to connect back to ADSelfService Plus once this limit is exhausted.

To access these settings, log in to the admin portal and navigate to Configuration > Multi-factor Authentication > Advanced Settings > Endpoint MFA > Machine Login MFA. Ensure your preferred policy is enabled in the Multi-factor Authentication page.

 


                    New to ADSelfService Plus?

                      • Related Articles

                      • How to enable Zoho OneAuth TOTP for MFA?

                        In enterprise networks, user identity verification is no longer carried out simply through usernames and passwords. This is because without additional authentication layers, i.e., multi-factor authentication, enterprise networks and resources become ...
                      • Sequential ADSelfService Plus Windows agent login installation process

                        This article highlights the process sequence for the ADSelfService Plus Windows login agent installation via the admin portal and the prerequisites to be addressed to successfully complete each step. Additionally, we're also discussing some common ...
                      • ADSelfService Plus product startup issues

                        What do you need to know before troubleshooting You need to have administrator access to ADSelfService Plus. When you experience an error with ADSelfService Plus, check if these prerequisites are satisfied: Install ADSelfService Plus as a service ...
                      • How to enable multi-factor authentication for RDP

                        Generally, remote employees use Microsoft Remote Desktop Protocol (RDP) to connect to their work devices from an external network, using only a password to authenticate their devices. This makes RDP-based access highly vulnerable to password-based ...
                      • How to migrate the ADSelfService Plus installation from one machine to another

                        Description This article will guide you through the process for migrating the ADSelfService Plus installation from one machine to another. Important: Before you start the migration process, please update your ADSelfService Plus installation to the ...