
Enterprise Single Sign-On 9.0.2 - QRentry Users Guide


Using QRentry Authentication Manager

The following schema outlines all the different tasks that can be done either by the EAM administrator or the QRentry end-user with QRentry Authentication Manager. These tasks are:

IMPORTANT: To use QRentry Authentication Manager on your mobile devices and all the associated features described in the section above, you must own the corresponding license. For more information, please contact your One Identity marketing representative.

Enabling computer access with QRentry

The following schema shows the main steps to enable emergency or normal access with QRentry.

The EAM administrator allows a set of users to log on with their mobile device for emergency or normal access. Once the permission is effective, these users can use their mobile device to log on to Windows and/or open applications and, if necessary, reset their password. If the network is:

  • Unavailable: the user logs on with his emergency access and must enter the OTP displayed on his mobile device.
  • Available: the user logs on with his normal access without entering any type of password.

Allowing users to log on with a mobile device

Subject

This section is intended for EAM administrators. It explains how to configure a User Security profile to allow users to use QRentry for emergency and normal access to their computers.

Before starting
  • You have the following administration role:
    • In classic administration mode: Security object administrator.
    • In advanced administration mode, your role must contain the following rights:
      • User Security Profile: creation/modification.
      • Mobile devices: Display mobile details.
      • Mobile devices: Management.
  • You have allowed users to enroll a mobile device: see Allowing users to enroll a mobile device.
Procedure
  1. In the EAM console, select the Security Profile of the users for whom you want to allow the use of QRentry for computer access.
  2. Click the Mobile Device tab.
  3. Select and complete the Authentication Manager tabbed panel and click Apply.

Example:

  1. The users associated with the selected User Security Profile can authenticate only when they are connected to the network.
  2. The users associated with the selected User Security Profile can use the QRentry remote control to manage (open, lock and close) their Windows session.

IMPORTANT: For a complete description of this tabbed panel, please refer to the Authentication Manager tabbed panel (detailed description) sub-section hereunder.

Authentication Manager tabbed panel (detailed description)

Field

Description

Required protection level

Protection method of the authentication on the user’s mobile device:

  • None: everybody can authenticate.
  • Requires a dedicated secret: the user must assign a PIN to QRentry and then use it to authenticate.
  • Biometrics: the user must authenticate with his fingerprints (previously enrolled in his mobile device). If the biometric authentication does not work, he will have to enter a PIN (at first request, the user will have to assign a PIN to QRentry).

NOTE:

Users can authenticate using their device

  • Always: if the cache is:
    • Available: it is used to authenticate the user.
    • Unavailable: the E-SSO controller is used if the mobile device is connected to the network. If it is not, then the user cannot authenticate.
  • Only when off-line: the authentication process is done using the cache data stored on the user’s computer. To use the cache, the user must first authenticate at least once in connected mode.
  • Only when on-line: the user’s computer must be connected to the EAM controller.

Length of mobile device secret code

Length of the OTP displayed by QRentry on the mobile device.

User can reset the primary password and use it for x hours

When this option is selected, the user can reset his/her primary password after logging on using his/her mobile device (see Resetting your primary password).

When you select:

  • This password is only valid locally: the password is reset only on the current computer and is valid for the number of hours you enter.
  • This password is valid on all workstations (requires network): if the user is:
    • Authorized to authenticate with password, the primary password is reset and the new password has no limit of duration.
    • Not authorized to authenticate with password, a temporary password is created and is valid for the number of hours specified.

NOTE: If you enter 0 hours, the primary password is reset and the new password has no limit of duration.

Allow Workstation Remote Control on the device

Users can use the Enrolled Computers feature of QRentry to take control of their computer(s).

Local Administrator Access > Required protection level

Protection method of QRentry start on the local admin’s mobile device to access the user’s computer:

  • None: the admin can access QRentry.
  • Requires a dedicated secret: the admin must assign a PIN to QRentry and then use it to access the application.
  • Biometrics: the admin must authenticate with his fingerprints (previously enrolled in his mobile device) to access the application. If the biometric authentication does not work, he will have to enter a PIN (at first request, the administrator will have to assign a PIN to QRentry).

NOTE:
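
Added example, not part of the One Identity guide or product: a Python model of two rows of the table above (Users can authenticate using their device, and User can reset the primary password and use it for x hours), useful for checking which situations a given profile setting leaves with a denied logon or a password with no time limit. The function names, the single `connected` flag standing for network reachability, and the reading that the 0-hour NOTE applies to both reset options are assumptions.

```python
from itertools import product

# Added illustration only: the labels are copied from the Authentication
# Manager tabbed panel; every identifier below is hypothetical.
ALWAYS = "Always"
OFFLINE_ONLY = "Only when off-line"
ONLINE_ONLY = "Only when on-line"
LOCAL = "This password is only valid locally"
ALL_WORKSTATIONS = "This password is valid on all workstations"


def auth_path(mode, cache_available, connected):
    """Return 'cache', 'controller' or 'denied' for one logon attempt."""
    if mode == ALWAYS:
        if cache_available:
            return "cache"
        return "controller" if connected else "denied"
    if mode == OFFLINE_ONLY:
        # The cache exists only after one earlier logon in connected mode.
        return "cache" if cache_available else "denied"
    if mode == ONLINE_ONLY:
        return "controller" if connected else "denied"
    raise ValueError(f"unknown mode: {mode!r}")


def denied_cases(mode):
    """List the (cache_available, connected) situations where logon fails."""
    return [(cache, net) for cache, net in product((True, False), repeat=2)
            if auth_path(mode, cache, net) == "denied"]


def reset_outcome(scope, hours, password_auth_allowed, connected):
    """Return (kind, validity_hours); None means no limit of duration."""
    if hours < 0:
        raise ValueError("hours must be >= 0")
    if scope == LOCAL:
        # Assumption: the 0-hour NOTE also applies to the local option.
        return ("local reset", None if hours == 0 else hours)
    if scope == ALL_WORKSTATIONS:
        if not connected:
            return ("unavailable", None)  # option is marked "requires network"
        if password_auth_allowed or hours == 0:
            return ("primary password reset", None)
        return ("temporary password", hours)
    raise ValueError(f"unknown scope: {scope!r}")
```
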

Logging on with your mobile device

Subject

You can use QRentry to log on to Windows or to log on to an application, as detailed in the following procedures.

Depending on the configuration defined by the EAM administrator, you might have to enter a PIN or place your finger on the biometric device to start QRentry.

Before starting
  • QRentry is installed on your mobile device.
  • Your mobile device is enrolled.