
Enterprise Single Sign-On 9.0.2 - QRentry Users Guide

Preface

Subject

This guide explains how to configure and use QRentry to control, from your mobile device, access to your:

  • Applications.
  • Computers with QR codes.
Audience

This guide is intended for:

  • QRentry end-users.
  • Authentication Manager and E-SSO administrators.
Required Software

EAM 9.0 evolution 2 and later versions. For more information about the versions of the required operating systems and software solutions quoted in this guide, please refer to One Identity EAM Release Notes.
Typographical Conventions

Bold - Indicates:

  • Interface objects, such as menu names, buttons, icons and labels.
  • File, folder and path names.
  • Keywords to which particular attention must be paid.

Italics - Indicates references to other guides.

Code - Indicates portions of program code, command lines or messages displayed in command windows.

CAPITALIZATION - Indicates specific objects within the application (in addition to standard capitalization rules).

< > - Identifies parameters to be supplied by the user.
 

Legend

Warning: A WARNING icon indicates a potential for property damage, personal injury, or death.

Caution: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.

IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.
   
Documentation support

The information contained in this document is subject to change without notice. As our products are continuously enhanced, certain pieces of information in this guide may be out of date. Send us your comments or suggestions regarding the documentation on the One Identity support website.

QRentry Overview

With the advent of mobile devices, our work habits have changed: more and more enterprise applications must be accessed from mobile platforms, and users want to access their computers easily without having to remember several different passwords.

To help them access their computer(s) and enterprise applications easily, with different security levels (PIN, biometrics), One Identity has created an application for mobile devices: QRentry.

QRentry makes access to your Web enterprise applications and to your computer(s) easier: it launches your applications without requiring you to sign in, and it lets you authenticate on your computer with your mobile device whenever you need to. By protecting local administrator accounts, QRentry also lets technical interventions on employees' computers be carried out securely, with the required traceability.

NOTE: In this guide, the term mobile device designates smartphones and/or tablets.

QRentry to access your Web enterprise applications with a mobile device

QRentry enables you to access your applications with your mobile device. Your applications are launched in an integrated web browser without your having to sign in.

You can also store personal notes containing Wi-Fi passwords, license keys or passwords for personal applications.

For more information, see Using Enterprise SSO for Mobile Devices.

NOTE: To use E-SSO on your mobile devices and all the associated features described in the section above, you must own the corresponding license. For more information, please contact your One Identity marketing representative.

QRentry as a solution for accessing your computer

  • No need to use an extra device: your own mobile device is enough.
  • Just install the QRentry application on your mobile device and complete the enrollment wizard. Your mobile device is then ready for computer access.
  • QRentry can be used for emergency access (without the network) or for normal access (with the network):
    • Emergency access (without the network): you cannot remember your Windows password; you forgot or lost your authentication token (smart card, contactless token); your authentication device (smart card reader, fingerprint scanner) is broken; and you need to log on to Windows on your own (no time to call the help desk and wait for an answer). One Identity QRentry lets you use your own mobile device to log on to Windows until normal access is restored. In this case, QRentry is an emergency access solution that is easy to deploy and efficient:
      • Nothing to memorize: QRentry provides you with a one-time code.
      • Your computer is disconnected from the network, or your mobile device has no signal? QRentry works anyway.
    • Normal access (with the network): no need to remember a Windows password, no need to carry an authentication token with you. One Identity QRentry lets you use your own mobile device to log on to Windows:
      • Nothing to memorize: just scan the QR code and QRentry authenticates you through the network.
      • You have several computers and do not want to enter a password for each of them: QRentry lets you control your computers and open their Windows sessions.

For more information, see Using QRentry Authentication Manager.

IMPORTANT: To use QRentry Authentication Manager on your mobile devices and all the associated features described in the section above, you must own the corresponding license. For more information, please contact your One Identity marketing representative.

QRentry to secure the local administrator account to a set of Windows computers

Every Windows computer has a local administrator account, created automatically when the operating system is installed. This all-powerful account deserves special attention in any corporate system, as it has full control over every file and application on that computer.

In many cases, multiple users can have access to the local administrator account. It is thus impossible to identify the actual person using this account.

QRentry helps you secure and improve the control of the local administrator account in your network:

  • Any user can log on temporarily with local administrative privileges without knowing the password of the local administrator. When these privileges are removed, the user can no longer authenticate as a local administrator.
  • The QRentry configuration that secures the local administrator account is based on the Access Point security profile (managed through the EAM Console), so the local administrative privileges are limited to a group of computers. This enhances the security of the corporate system.
  • Any user who logs on as a local administrator through QRentry is easy to identify with the reporting tool: the user's own audit ID is written in the audit event, instead of the audit ID of the generic local administrator.
  • You can log on as a local administrator even in case of network failure (computer disconnected from the network, no signal for your mobile device).

For more information, see Using QRentry Authentication Manager.

IMPORTANT: To use QRentry Authentication Manager on your mobile devices and all the associated features described in the section above, you must own the corresponding license. For more information, please contact your One Identity marketing representative.

QRentry, a secure application

The QRentry authentication process relies on a 2048-bit RSA key pair. Each key pair is associated with a user and/or a set of computers. The public key is stored in the directory. The private key is stored securely on the mobile device and optionally escrowed (sequestered) in the directory.
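The guide only states that a 2048-bit RSA key pair is involved, that the public key lives in the directory and that the private key stays on the device. The Go program below is an added illustration, not QRentry's own code, of how such a key pair supports the network ("normal access") flow described earlier: the workstation shows a random challenge as a QR code, the phone signs it with its private key, and a verifier with read access to the directory checks the signature and refuses reuse. The challenge format (nonce, computer name and issue time as JSON), the PSS padding, the two-minute validity window and the in-memory directory are all assumptions made for this example; the offline one-time-code mode is not modelled.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Challenge is the payload a workstation would show as a QR code at the logon
// screen; its fields and JSON layout are assumptions made for this example.
type Challenge struct {
	Nonce    string `json:"nonce"`    // random and single-use
	Computer string `json:"computer"` // binds the code to one workstation
	IssuedAt int64  `json:"iat"`      // Unix time, so stale codes can be refused
}

// Device stands for the enrolled phone: it holds the private key only.
type Device struct{ key *rsa.PrivateKey }

// Directory stands for the LDAP directory holding each user's public key, plus
// the nonces already redeemed (replay protection, also an assumption here).
type Directory struct {
	pubKeys map[string]*rsa.PublicKey
	used    map[string]bool
}

func NewDirectory() *Directory {
	return &Directory{pubKeys: map[string]*rsa.PublicKey{}, used: map[string]bool{}}
}

// Enroll generates the 2048-bit key pair on the device and publishes only the
// public half to the directory (the enrollment wizard, reduced to its essence).
func Enroll(dir *Directory, user string) (*Device, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	dir.pubKeys[user] = &key.PublicKey
	return &Device{key: key}, nil
}

// NewChallenge is issued by the workstation and rendered as the QR code.
func NewChallenge(computer string, now time.Time) (Challenge, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return Challenge{}, err
	}
	return Challenge{Nonce: base64.RawURLEncoding.EncodeToString(nonce), Computer: computer, IssuedAt: now.Unix()}, nil
}

// digest canonicalizes the challenge so signer and verifier hash identical bytes.
func digest(c Challenge) []byte {
	msg, _ := json.Marshal(c) // a struct of string/int fields cannot fail to marshal
	h := sha256.Sum256(msg)
	return h[:]
}

// Sign runs on the phone once the user has scanned the code (and, depending on
// the profile's protection level, unlocked QRentry with a PIN or fingerprint).
func (d *Device) Sign(c Challenge) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, d.key, crypto.SHA256, digest(c), nil)
}

// Verify is the server-side check: the code was issued by this computer, is
// fresh, has not been redeemed, and is signed by the key enrolled for user.
func (dir *Directory) Verify(user string, c Challenge, sig []byte, computer string, now time.Time, maxAge time.Duration) error {
	pub, ok := dir.pubKeys[user]
	if !ok {
		return errors.New("no enrolled device for user")
	}
	if c.Computer != computer {
		return errors.New("challenge was issued for another computer")
	}
	if age := now.Unix() - c.IssuedAt; age < 0 || age > int64(maxAge.Seconds()) {
		return errors.New("challenge expired or not yet valid")
	}
	if dir.used[c.Nonce] {
		return errors.New("challenge already redeemed")
	}
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest(c), sig, nil); err != nil {
		return errors.New("signature does not verify against the enrolled public key")
	}
	dir.used[c.Nonce] = true // burn the nonce only after a successful check
	return nil
}

func main() {
	dir := NewDirectory()
	phone, _ := Enroll(dir, "alice")
	qr, _ := NewChallenge("WS-0042", time.Now())
	sig, _ := phone.Sign(qr)
	fmt.Println(dir.Verify("alice", qr, sig, "WS-0042", time.Now(), 2*time.Minute)) // <nil>
}
```

Note what the verifier checks before it even looks at the signature: the code is bound to the computer that displayed it, it has a short lifetime, and each nonce is accepted once. The nonce is only burned on success, so a failed attempt does not lock the legitimate user out of the code still on the screen, while someone who photographs the QR code and relays it later cannot reuse it once the real user has logged on.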

Preparing the mobile device to use QRentry

Preparing a mobile device for QRentry takes three steps:

  1. Allowing users to enroll a mobile device.
  2. Installing QRentry on your mobile device.
  3. Enrolling your mobile device.

Allowing users to enroll a mobile device

Subject

This section is intended for EAM administrators. It explains how to configure a User Security Profile to allow users to use QRentry.

Before starting

You have the following administration role:

  • In classic administration mode: Security object administrator.
  • In advanced administration mode, your role must contain the following rights:
    • User Security Profile: creation/modification.
    • Mobile devices: Display mobile details.
    • Mobile devices: Management.
  • A User Security Profile is created and the Mobile Authentication method is selected (Authentication tab).

  • An Access Point Security profile is created and the Mobile Authentication method is selected (Security Services tab).

Procedure
  1. In the EAM console, click the User Security Profile that contains the users for whom you want to allow the use of QRentry for emergency access.
  2. Click the Mobile Device tab.
  3. Complete the Security tabbed panel and click Apply.

Example of the resulting behavior, for a typical configuration of the panel:

  1. The users associated with the selected User Security Profile can enroll their mobile device.
  2. The enrollment wizard is launched automatically upon their next authentication.
  3. Everybody can use QRentry (no protection level is required to start the application).
  4. The configuration of QRentry is updated every x days. For example, if a new application for QRentry has been created in E-SSO, it will be available at the next configuration update (for more information, see Updating the configuration).

NOTE: For a complete description of this tabbed panel, please refer to the Security tabbed panel (detailed description) sub-section hereunder.

 

Security tabbed panel (detailed description)

Users can enroll their mobile device

This check box enables the users associated with the user security profile to enroll their mobile device for QRentry.

Launch the enrollment wizard if necessary

This check box starts the enrollment wizard automatically on the user's computer, except if:

  • His/her mobile device is already enrolled.
  • He/she has deactivated the automatic start of the wizard.

Maximum number of devices per user

Maximum number of mobile devices a single user can enroll. If you enter 0, the user can enroll as many mobile devices as he or she wants.

Verify the Unique Identifier of the device during enrolment

When this option is selected, the Unique Identifier (the IMEI) of the user's mobile device is checked during the enrollment process. This allows you to restrict the set of mobile devices a user can enroll.

IMPORTANT:

  • This feature works only for Android mobile devices.
  • If you select this option, you must enter the Unique Identifiers of all the mobile devices of the users associated with this profile, as detailed in Forcing Unique Identifier verification (Optional) hereunder.

NOTE: This piece of data is stored as a plain-text attribute in the directory, so external applications can read and manage it. Because the attribute decides which device is allowed to enroll, restrict write access to it to the accounts that need it.

Required protection level

Protection method applied when QRentry starts on the user's mobile device:

  • None: anybody holding the device can open QRentry.
  • Requires a dedicated secret: the user must assign a PIN to QRentry and then enter it to open the application.
  • Biometrics: the user must authenticate with a fingerprint (enrolled in the mobile device beforehand) to open the application. If biometric authentication does not work, the user falls back to a PIN (at the first request, the user has to assign a PIN to QRentry).

Update configuration when application starts

The configuration is updated each time the application starts. For example, if an E-SSO application has been created for a user, it is available in QRentry the next time the application is started.

Update configuration every x days

The configuration is updated every x days.

NOTE: The update only takes place while QRentry is running; a device on which the application is never started keeps its previous configuration.

Upload Audit events immediately

Each time the Web server is reachable, the audit events are uploaded immediately.

List of Servers

List of the servers the mobile device can reach to download the Enterprise SSO configuration and to upload audit events.

Forcing Unique Identifier verification (Optional)

The following procedure:

  • Must be done if the Verify the Unique Identifier of the device during enrolment check box from the Security tab is selected.
  • Works only for Android mobile devices.

 

  1. Select a user associated with a User Security Profile enabled for mobile enrollment.
  2. Click the Mobile Devices tab.
  3. In the Unique Identifier field, enter the Unique Identifier of the mobile device owned by the user and click Add.

NOTE: On many devices, the Unique Identifier can be displayed by dialing *#06#.

The mobile device appears in the Unique Identifier list above. When the mobile device is enrolled, the Unique Identifier is replaced with the mobile device name entered by the user through the enrollment wizard. The Unique Identifier then appears in the Information tab of the mobile device access point.

IMPORTANT: You can add a Unique Identifier, even if the Verify the Unique Identifier of the device during enrolment option is not selected. This is useful if you want to restrict the set of mobile devices for a particular user only.
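An administrator who types Unique Identifiers into the field above gets no feedback until a user's enrollment fails. Assuming, as the text states, that the identifier is the 15-digit IMEI, the following Go snippet (added here; not part of the guide or of the product) validates the value the way the IMEI itself is built: the last digit is a Luhn check digit over the first fourteen, so a mistyped or transposed digit is caught before the value is added to the directory. The sample values are constructed for the example; 490154203237518 is a publicly documented example IMEI.

```go
package main

import (
	"fmt"
	"strings"
)

// luhnSum adds up the digits of s Luhn-style: every second digit counted from
// the right is doubled (and reduced by 9 if the result exceeds 9). With
// doubleRightmost=false the right-most digit is the check digit and is taken
// as is; with doubleRightmost=true s has no check digit yet.
func luhnSum(s string, doubleRightmost bool) int {
	sum, double := 0, doubleRightmost
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum
}

func allDigits(s string) bool {
	for _, r := range s {
		if r < '0' || r > '9' {
			return false
		}
	}
	return s != ""
}

// NormalizeIMEI strips the spaces and dashes phones often insert when
// displaying the IMEI (for example after dialing *#06#).
func NormalizeIMEI(s string) string {
	return strings.NewReplacer(" ", "", "-", "").Replace(strings.TrimSpace(s))
}

// ValidIMEI reports whether s is a well-formed 15-digit IMEI: all digits, and
// the Luhn sum over all 15 digits is a multiple of 10.
func ValidIMEI(s string) bool {
	s = NormalizeIMEI(s)
	return len(s) == 15 && allDigits(s) && luhnSum(s, false)%10 == 0
}

// IMEICheckDigit returns the 15th digit for a 14-digit TAC+serial prefix,
// which lets you cross-check a value a user has read out to you.
func IMEICheckDigit(first14 string) (int, error) {
	first14 = NormalizeIMEI(first14)
	if len(first14) != 14 || !allDigits(first14) {
		return 0, fmt.Errorf("expected 14 digits, got %q", first14)
	}
	return (10 - luhnSum(first14, true)%10) % 10, nil
}

func main() {
	// Constructed inputs: a publicly documented example IMEI with dashes as a
	// phone might display it, the same value with a wrong check digit, and a
	// value that is one digit short.
	for _, id := range []string{"49-015420-323751-8", "490154203237519", "49015420323751"} {
		fmt.Printf("%-20s valid=%v\n", id, ValidIMEI(id))
	}
}
```

A Luhn check only proves the value is well-formed, not that it belongs to the user's device; the enrollment-time verification described above is what ties the identifier to the phone actually being enrolled.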
