Preface_1

Preface

QRentry Overview

QRentry Overview

With the advent of mobile devices, our work habits have changed. Indeed, more and more enterprise applications must be accessed through mobile platforms. Users want to access their computers easily without having to remember several different passwords.

To help them access their computer(s) and enterprise applications easily with different security levels (PIN, biometrics), One Identity has created an application for mobile devices: QRentry.

QRentry makes access to your Web enterprise applications and to your computer(s) easier, allowing you to launch your applications without having to sign-in and to authenticate on your computer with your mobile device at all times. By protecting local administrator accounts, QRentry securely manages technical interventions on employees’ computers, with the required traceability.

QRentry to access your Web enterprise applications with a mobile device

QRentry enables you to access your applications with your mobile device. Your applications are launched in an integrated web browser without having to sign-in.

You can also store personal notes containing Wi-Fi, license keys or other application passwords to access personal applications.

For more information, see Using Enterprise SSO for Mobile Devices.

QRentry as a solution for accessing your computer

• No need to use an extra device: your own mobile device is enough.
• Just install the QRentry application on your mobile device and complete the enrollment wizard. Your mobile device is ready for computer access.
• QRentry can be used for emergency access (without the network) or normal access (with the network):
  • Emergency access (without the network): you cannot remember your Windows password; you forgot or you lost your authentication token (smart card, contactless token); your authentication device (smart card reader, fingerprint scanner) is broken. And you need to log on to Windows on your own (not enough time to call the help desk and wait for an answer).One Identity QRentry allows you to use your own mobile device to log on to Windows until normal access is restored. In this case, QRentry is an emergency access solution extremely easy to implement and very efficient:
  • Nothing to memorize. QRentry will provide you with a one-time code.
  • Your computer is disconnected from the network? Your mobile device does not get a signal? QRentry works anyway.
  • Normal access (with network): no need to remember a Windows password, no need to carry an authentication token with you.One Identity QRentry allows you to use your own mobile device to log on to Windows:
  • Nothing to memorize. Just scan the QR code and QRentry will authenticate you through the network.
  • You have several computers and do not want to enter a password for each of them. QRentry enables you to control your computers and open their Windows sessions.

For more information, see Using QRentry Authentication Manager.

QRentry to secure the local administrator account to a set of Windows computers

Every computer has a local administrator account: this account is automatically created upon the installation of the Windows operating system. This all-powerful account deserves special attention in any corporate systems, as it may have potentially access on every file and application on the network.

In many cases, multiple users can have access to the local administrator account. It is thus impossible to identify the actual person using this account.

QRentry helps you secure and improve the control of the local administrator account in your network:

• Any user can log on temporarily with the local administrative privileges without knowing the password of the local administrator. When these privileges are removed, the user can no longer authenticate as a local administrator.
• To secure the local administrator account, the QRentry configuration is based on the Access Point security profile (which is managed through the EAM Console). The local administrative privileges are limited to a group of computers. The security of the corporate system is enhanced.
• Using QRentry, any user who logs on as a local administrator is easy to identify by the reporting tool: his own audit ID is written in the audit event, and not the audit ID of the generic local administrator.
• You can log on as a local administrator even in case of network failure (computer disconnected from the network, no signal for your mobile device).

For more information, see Using QRentry Authentication Manager.

QRentry, a secure application

The QRentry authentication process relies on the use of 2048-bit RSA private/public key pair. Each key pair is associated with a user and/or a set of computers. The public key is stored in the directory. The private key is securely stored on the mobile device and optionally sequestered in the directory.

Preparing the mobile device to use

Preparing the mobile device to use QRentry

The following schema shows the different steps to prepare a mobile device for QRentry, which are:

1. Allowing users to enroll a mobile device.
2. Installing QRentry on your mobile device.
3. Enrolling your mobile device.

Allowing users to enroll a mobile device

Allowing users to enroll a mobile device

Subject

This section is intended to EAM administrators. It explains how to configure a User Security profile to allow users to use QRentry.

Before starting

You have the following administration role:

• In classic administration mode: Security object administrator.
• In advanced administration mode, your role must contain the following rights:
  • User Security Profile: creation/modification.
  • Mobile devices: Display mobile details.
  • Mobile devices: Management.
• A User Security Profile is created and the Mobile Authentication method is selected (Authentication tab).

• An Access Point Security profile is created and the Mobile Authentication method is selected (Security Services tab).

Procedure

1. In the EAM console, click the User Security Profile that contains the users for whom you want to allow the use of QRentry for emergency access.
2. Click the Mobile Device tab.
3. Complete the Security tabbed panel and click Apply.

Example:

1. The users associated with the selected User Security Profile can enroll their mobile device.
2. The enrollment wizard will be automatically launched upon their next authentication.
3. Everybody can use QRentry.
4. The configuration of QRentry is updated every x days. For example, if a new application for QRentry has been created in E-SSO, it will be available at the next configuration update (for more information, see Updating the configuration).

Security tabbed panel (detailed description)

Forcing Unique Identifier verification (Optional)

The following procedure:

• Must be done if the Verify the Unique Identifier of the device during enrolment check box from the Security tab is selected.
• Works only for Android mobile devices.

1. Select a user associated with a User Security Profile enabled for mobile enrollment.
2. Click the Mobile Devices tab.
3. In the Unique Identifier field, enter the Unique Identifier of the mobile device owned by the user and click Add.

• The mobile device appears in the Unique Identifier list above. When the mobile device is enrolled, the Unique Identifier is replaced with the mobile device name entered by the user through the enrollment wizard. The Unique Identifier appears in the Information tab of the mobile device access point.