ManageEngine ADSelfService Plus supports offline multi-factor authentication (MFA) for Windows machine logins, User Account Control (UAC) prompt elevation, and Remote Desktop Protocol (RDP) server authentication when the product server is unreachable.
Windows machines can be secured by MFA in two ways:
Online MFA: The default or online MFA process in ADSelfService Plus uses a network connection between the ADSelfService Plus server and user machines to verify the identities of users based on the authenticator data registered in the ADSelfService Plus server.
Offline MFA: To ensure identity security even in the absence of a proper network connection or communication with the ADSelfService Plus server, offline MFA verifies a user's identity with authenticator data securely stored in the user's machine by the Windows or macOS login agent. Offline MFA can be used to secure interactive logins, RDP server authentication, and UAC prompts. Click here to learn more about the enrollment and verification process.
This page explains:
How offline MFA works
How to enable the feature
How to enroll end users in offline MFA
How to use Advanced settings
How offline MFA for macOS logins works
Offline MFA is supported only for Windows machines (except Windows 10 version 1803). For remote logins, offline MFA is not supported for RDP client authentication.
If the login agent is already installed, make sure it is version 6.3 or above, or reinstall it to upgrade to that version. Otherwise, install the agent after configuring offline MFA so that the configuration is applied to the machines.
ADSelfService Plus with Endpoint MFA is required to enable the MFA for machine logins feature. Visit the store to purchase Endpoint MFA.
SSL must be enabled. Log in to the ADSelfService Plus web console with admin credentials. Navigate to Admin > Product Settings > Connection. Select the ADSelfService Plus Port [https] option. Refer to this guide to learn how to apply for an SSL certificate and enable HTTPS.
The access URL must be set to HTTPS. Navigate to Admin > Product Settings > Connection > Configure Access URL and set the Protocol option to HTTPS.
Enable the required authentication methods. ADSelfService Plus supports the following methods for offline MFA:
Google Authenticator
Microsoft Authenticator
Custom time-based one-time password (TOTP) authenticators
Zoho OneAuth's TOTPs
For steps on enabling the authentication methods, refer to the authenticators guide.
Install the ADSelfService Plus login agent on the machines on which you want to enable offline MFA. Click here for the steps to install the ADSelfService Plus login agent.
Go to Configuration > Self-Service > Multi-factor Authentication > MFA for Endpoints.
Select a policy from the Choose the Policy drop-down. This will determine which authentication methods are enabled for which sets of users.
Note: ADSelfService Plus enables you to create OU and group-based policies. To create a policy, go to Configuration > Self-Service > Policy Configuration > Add New Policy. Click Select OUs/Groups, and make the selections based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.
In the MFA for Machine Login section, select the check box to enable online MFA for machine logins and select the number of authentication factors you want to prompt users for. Select the preferred authentication methods from the drop-down.
Click Choose authenticators for Offline MFA and select the authentication method you prefer for offline MFA from the drop-down.
Click Save Settings.
Offline MFA is now successfully configured using the preferred authenticators for users belonging to the selected policy.
Enrollment for offline MFA takes place in two stages: authenticator enrollment and machine enrollment.
There are three methods of authenticator enrollment:
A. Enrollment by users during identity verification
When a user is not enrolled for online MFA: If online MFA and offline MFA are configured, but the user has not enrolled for any of the required authenticators, they will be forced to enroll as soon as they complete primary authentication on their machine. This flow can be altered by changing the Force enrollment/Deny access/Allow access if the user is not enrolled in MFA setting.
B. Enrollment by users from the user portal
A user can log in to the ADSelfService Plus user portal, navigate to the Enrollment tab and enroll for the authenticators configured for offline MFA.
C. Enrollment by admins
ADSelfService Plus also supports bulk user enrollment by admins via importing data from CSV files or external databases like Oracle, Microsoft SQL Server, MySQL, and PostgreSQL. Learn how to enroll users in bulk using these methods from the help document.
If a user has enrolled for the authenticators needed for offline MFA, then during their next successful online MFA, depending on the configured settings, the user's machine will either be enrolled for offline MFA automatically, or the user will be asked to choose between enrolling the machine and skipping enrollment.
Once the machine is enrolled for offline MFA for the specific user, the user's authenticator enrollment data will be securely transmitted from the ADSelfService Plus server and stored as encrypted data on that machine for offline MFA. This process repeats regularly to keep the authenticator data up to date.
Disenrolling a user's machine removes that machine's access to the offline MFA feature. A user's machine can be disenrolled from offline MFA in two ways:
A. By admins from the Offline MFA Enrolled Machines Report
This report lists the machines that users have enrolled for offline MFA. For each entry it shows the user enrolled on the machine, the machine name, the operating system, the time of enrollment, and the last synced time. It also allows admins to disenroll machines and users from offline MFA. Here's how to use the disenrollment capability in the report:
Log in to the ADSelfService Plus admin portal.
Go to Reports > Enrollment Reports > Offline MFA Enrolled Machines Report. The Offline MFA Enrolled Machines Report will open.
From the listed usernames and their machines, select the machines you want to disenroll, and click the Disenroll option.
B. By users from the ADSelfService Plus user portal
Log in to the ADSelfService Plus user portal.
Go to the Enrollment tab. Click on Manage.
Click on Offline MFA - Manage Enrolled Devices.
Here, click on Disenroll for the machines you want to revoke your offline MFA enrollment from.
The following table summarizes whether a user can log in to a machine while the ADSelfService Plus server is unreachable, depending on the offline MFA configuration:
Offline MFA enable status | User enrollment status for offline MFA | Machine-based MFA status | Skip MFA when ADSelfService Plus server is down or unreachable setting | Machine login status
True | True | Enforced / exempted | Enabled / disabled | User will be allowed to log in after MFA verification
True | False | Exempted | Enabled | MFA will be bypassed and users will be allowed to log in
True | False | Enforced | Enabled / disabled | Users will be denied login
False | - | Exempted | Enabled | MFA will be bypassed and users will be allowed to log in
False | - | Enforced / exempted | Disabled | Users will be denied login
The following advanced settings enhance offline MFA's functionality.
Automatically enroll the user's device for offline MFA after successful online authentication: This setting is enabled by default. When enabled, once a user completes online MFA on a machine, that machine is enrolled for offline MFA automatically without notifying the user. If it is not enabled, the user can choose to enroll their machine for offline MFA or skip it.
Restrict users from performing offline MFA after _ days/attempts: When this setting is enabled, offline MFA is limited to the configured number of days or attempts, and users must reconnect to the ADSelfService Plus server once that limit is exhausted.
To access these settings, log in to the admin portal and navigate to Configuration > Multi-factor Authentication > Advanced Settings > Endpoint MFA > Machine Login MFA. Ensure your preferred policy is enabled in the Multi-factor Authentication page.
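The machine login status table above and the "Restrict users from performing offline MFA after _ days/attempts" setting together describe a decision the login agent makes while the server is unreachable. The following Python model is an added example written for this page, not ManageEngine's agent code: it verifies a standard RFC 6238 TOTP code against authenticator data cached on the machine, applies the days/attempts restriction, and falls back to the exempted/skip rules from the table when no offline enrollment exists. The class and field names, the sample seed (the RFC 6238 reference secret, constructed for testing), and the choice to count every offline verification attempt toward the limit are assumptions made for the example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

STEP = 30  # TOTP time step in seconds

# Constructed sample seed: the RFC 6238 reference secret, not a real user's authenticator data.
SAMPLE_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // STEP, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to tolerate clock drift on an
    offline machine; each comparison is constant-time."""
    return any(
        hmac.compare_digest(totp(secret, at + drift * STEP), code)
        for drift in range(-window, window + 1)
    )


@dataclass
class OfflineEnrollment:
    """Authenticator data cached on the machine (hypothetical model). The real agent
    stores it encrypted; this example keeps the seed in memory only."""
    seed: bytes
    last_synced: int       # Unix time of the last sync with the server
    offline_uses: int = 0  # offline verification attempts since that sync


@dataclass
class OfflinePolicy:
    """Settings from the page, modelled as fields (hypothetical names)."""
    offline_mfa_enabled: bool
    machine_mfa_enforced: bool      # "Enforced" vs. "Exempted" in the status table
    skip_when_server_down: bool     # "Skip MFA when ADSelfService Plus server is down or unreachable"
    max_offline_days: Optional[int] = None      # "Restrict ... after _ days" (None = no limit)
    max_offline_attempts: Optional[int] = None  # "Restrict ... after _ attempts" (None = no limit)


def offline_login_decision(policy: OfflinePolicy, enrollment: Optional[OfflineEnrollment],
                           code: str, now: int) -> Tuple[bool, str]:
    """Decide a machine login while the server is unreachable. Returns (allowed, reason)."""
    if not policy.offline_mfa_enabled or enrollment is None:
        # No offline verification is possible, so the outcome depends only on whether the
        # machine is exempted from MFA and on the skip-when-unreachable setting (table rows 2-5).
        if not policy.machine_mfa_enforced and policy.skip_when_server_down:
            return True, "MFA bypassed: machine exempted and skip-when-unreachable enabled"
        return False, "denied: MFA required but no offline enrollment available"

    # Advanced setting: restrict offline MFA after N days since the last sync ...
    if (policy.max_offline_days is not None
            and now - enrollment.last_synced > policy.max_offline_days * 86400):
        return False, "denied: offline period exhausted, reconnect to ADSelfService Plus"
    # ... or after N offline attempts. Assumption: every attempt counts, successful or not,
    # so an attacker with the cached data cannot guess codes indefinitely while offline.
    if (policy.max_offline_attempts is not None
            and enrollment.offline_uses >= policy.max_offline_attempts):
        return False, "denied: offline attempt limit exhausted, reconnect to ADSelfService Plus"
    enrollment.offline_uses += 1

    if not verify_totp(enrollment.seed, code, now):
        return False, "denied: TOTP verification failed"
    return True, "allowed after offline MFA verification"  # table row 1


if __name__ == "__main__":
    policy = OfflinePolicy(True, True, False, max_offline_days=7, max_offline_attempts=3)
    now = 1234567890  # RFC 6238 test time; the 6-digit code for this seed is 005924
    enrollment = OfflineEnrollment(SAMPLE_SEED, last_synced=now - 86400)
    print(offline_login_decision(policy, enrollment, totp(SAMPLE_SEED, now), now))
    print(offline_login_decision(policy, enrollment, "000000", now))
```

The days limit is checked against the last sync time rather than the enrollment time, which matches the page's description of enrollment data being refreshed regularly: a machine that keeps syncing never hits the limit, while one that stays disconnected eventually must reconnect before offline MFA works again.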