Configure MFA for a Computer or Server
Applies To: AuthPoint Multi-Factor Authentication, AuthPoint Total Identity Security
The Logon app enables you to require authentication when users log in to a computer or server. This includes protection for RDP and RD Gateway.
There are two parts to the Logon app:
- The application you install on a computer or server
- The resource you configure in AuthPoint
To configure MFA for a computer or server, you must configure a resource for the Logon app in the AuthPoint management UI and then install the Logon app on each computer or server that you want to protect. For Remote Desktop and RDS connections, you install the Logon app on the hosts that users authenticate to. To protect the RD Gateway server itself, you install the Logon app on the server. To protect the hosts behind the RD Gateway, you install the Logon app on the hosts.
When you install the Logon app, authentication is required to log in. On the login screen, users must type their password and then select one of the allowed methods of authentication (push notification, one-time password, or QR code).
On Mac computers and Windows computers with User Account Control (UAC) enabled, MFA is also required when users try to perform an action that requires administrative privileges, such as when they allow an app to make changes to the device. For more information about Windows User Account Control, refer to the Microsoft documentation.
Users can log in with domain or local user accounts, but all users must have an active AuthPoint user account with an authentication policy for the Logon app. Users that do not have an AuthPoint user account with an authentication policy for the Logon app cannot authenticate and log in to a computer with the Logon app installed unless you enable the option to allow non-AuthPoint users to log in without MFA.
If your AuthPoint license expires or you delete your Logon app resource, users can log in to their computers with only their password.
You can download the Logon app from the Downloads page in the AuthPoint management UI.
Requirements
When you set up and deploy the Logon app, be aware of these requirements:
- All domain and local users must have an active AuthPoint user account and be part of an AuthPoint group with an authentication policy for the Logon app to authenticate and log in
You can enable the option to allow non-AuthPoint users to log in without MFA for users that do not have an AuthPoint user account.
- The user name for local and domain users must be the same as their AuthPoint user name
- Users synced from Active Directory can only log in with a user name in the domain\user name format if the computer is connected to the Internet
- To log in as a local user (not part of the domain), you must have an AuthPoint user account with an active token
- If your local user has the same user name as your domain user, you can use the same AuthPoint user to authenticate and log in to both accounts
- If your local user name is different from your domain user name, you must have a separate AuthPoint user for each user account (one for the domain user and one for the local user)
- When you install the Logon app, the computer must be connected to the Internet before you log in for the first time
Caution: We recommend that you do not use 802.1x authentication for Wi-Fi connections. If your computer automatically connects to an 802.1x Wi-Fi network after you install the agent for macOS, and you have not set up your computer to support 802.1x authentication, this prevents you from connecting to the Internet and you cannot log in to change your Wi-Fi connection because the agent requires an Internet connection.
- If you install the Logon app on a computer in an Active Directory domain, you must configure a group policy to allow domain users to authenticate (log on) locally
- To support user login with Windows Hello, you must install the agent for Windows v3.0 or higher
- To support user login with Touch ID, you must install the agent for macOS version 2.0 or higher
- To support MFA for Windows user account control, you must install the Logon app v3.1 or higher
- The Logon app supports up to 30 concurrent user logins without an Internet connection
- For information about which operating systems the Logon app supports, go to Operating System Compatibility for AuthPoint Components in the AuthPoint release notes.
WARNING: Do not install the Logon app on computers that run Windows 7 or older or on servers that run Windows 2008 R2 or older.
Add a Logon App Resource
To start, you must add a resource for the Logon app. You do not need a separate Logon app resource for each computer that the Logon app is installed on. You can use one Logon app resource for all of your authentication policies, regardless of the OS.
After you add a Logon app resource in AuthPoint, you must add the resource to your existing authentication policies, or add new authentication policies for the Logon app resource that include any user groups that must authenticate to log in to their computers.
To add a Logon app resource:
- From the AuthPoint navigation menu, select Resources.
- Click Add Resource.
The Add Resource page opens.
- From the Type drop-down list, select Logon App.
Additional fields appear.
- In the Name text box, type a name for this resource.
- (Optional) In the Support Message text box, type a message to show on the logon screen.
- From the Access for Non-AuthPoint Users drop-down list, select whether to allow users who do not have an AuthPoint user account to log in to protected computers without MFA. You can choose from three options:
- Do not allow non-AuthPoint users
- Allow specific non-AuthPoint users to log in without MFA
- Allow all non-AuthPoint users to log in without MFA
Non-AuthPoint users can only log in without MFA if an AuthPoint user account with the same user name does not exist.
- If you chose to allow specific non-AuthPoint users to log in without MFA, in the Add User Names text box, type the user name of each non-AuthPoint user that can log in without MFA. You can specify up to 50 non-AuthPoint users that can log in without MFA.
- Click Save.
- Add the Logon app resource to your existing authentication policies, or add new authentication policies for the Logon app resource (see About AuthPoint Authentication Policies). We recommend that the authentication policy for the Logon app includes the QR code or OTP authentication options so users can authenticate when they are not connected to the Internet.
Download and Install the Logon App
You can use a Windows command prompt to install the Logon app. You can also use the command line option for deployment through Active Directory Group Policy Objects (GPO). To install the Logon app from a Windows command prompt, you must download the Logon app .MSI installer file and configuration file.
When you install the Logon app, the computer you install the Logon app on must connect to the Internet before the user logs on for the first time. This is required so that the Logon app can communicate with AuthPoint to check the authentication policies.
The Logon app stores a copy of the authentication policies locally on the computer. The Logon app uses this local policy file when a user who is offline authenticates, and the local policy file updates when the computer next connects to the Internet. The local policy file stores policy information for only the last 30 user accounts to authenticate. If 30 or more other users authenticated since the last time a user logged in to a computer, an Internet connection is required to log in.
Download the Logon App Installer and Configuration File
To download the Logon app installer and configuration file:
- From the navigation menu, select Downloads.
The Downloads page appears.
- In the Logon App section, next to your operating system, click Download Installer.
- To download the configuration file for the Logon app, click Download Config. You can use the same configuration file for every installation of the Logon app, regardless of the operating system.
Manually Install the Logon App
To manually install the Logon app, on your computer, move the downloaded configuration file to the same directory as the Logon app installer (.MSI or .PKG file). Run the Logon app installer and install the Logon app on the computer or server that you want to protect.
Install the Logon App from a Windows Command Prompt
To install the Logon app from a Windows command prompt:
- In the Windows Start menu, right-click Command Prompt and select Run as Administrator.
A Windows Command Prompt window opens.
- Change directory to the location of the .MSI file.
- To run the Logon app installer, run one of these commands:
- To pass the path to the configuration file:
msiexec -i AuthPoint_Agent_for_Windows_x64-2.1.0.218.msi CONFIG_PATH="[path]\wlconfig.cfg"
- To pass the content of the configuration file:
msiexec -i AuthPoint_Agent_for_Windows_x64-2.1.0.218.msi CONFIG_CONTENT="config_file_content_without_spaces"
Make sure to update the command to match the version of the installer you want to run.
To install the Logon app silently, with no user interaction required, append /q or /qn to the command. To prevent a computer restart when the installation completes, append /norestart to the command. For more information, see the Microsoft documentation for the msiexec command.
Use an Active Directory GPO to Install the Logon App
You can use the commands described in the previous procedure to install the Logon app remotely on multiple computers through an Active Directory Group Policy Object (GPO). You must use an installation method that supports command line parameters.
You could configure your script to prevent the installation of the Logon app on computers that already have the agent installed.
There are two methods to configure a GPO to install from an .MSI file with command line parameters:
Configure a GPO for a startup script or logon script that runs a batch file that installs the Logon app. The batch file contains only one line, which specifies the network path to the .MSI file. The other parameters are the same as described in the previous procedure for installation from a Windows command prompt.
- To pass the path to the configuration file:
msiexec -i "[path]\AuthPoint_Agent_for_Windows_x64-2.1.0.218.msi" CONFIG_PATH="[path]\wlconfig.cfg"
- To pass the content of the configuration file:
msiexec -i "[path]\AuthPoint_Agent_for_Windows_x64-2.1.0.218.msi" CONFIG_CONTENT="config_file_content_without_spaces"
Make sure to update the command to match the version of the installer you want to run.
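The startup-script approach above, with the check suggested earlier that skips computers where the agent is already installed, as an added example that is not WatchGuard's own code. The share paths are placeholders, and the installer file name must match the version you deploy.

```powershell
# Constructed example for a GPO startup script (not WatchGuard's own code).
# Installs the Logon app silently and skips computers that already have the agent.
# The share paths and the installer version are placeholders; replace them.
$Msi = '\\fileserver\software\AuthPoint\AuthPoint_Agent_for_Windows_x64-2.1.0.218.msi'
$Cfg = '\\fileserver\software\AuthPoint\wlconfig.cfg'

# Look for an existing installation in the Windows uninstall registry keys
# (64-bit and 32-bit views), matching the product name shown in Apps & Features.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$existing = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'AuthPoint Agent for Windows*' } |
    Select-Object -First 1
if ($existing) {
    Write-Output "AuthPoint Agent for Windows $($existing.DisplayVersion) is already installed; nothing to do."
    exit 0
}

# Same command as the manual procedure, with the silent (/qn) and
# no-restart (/norestart) options appended.
$arguments = @('/i', "`"$Msi`"", "CONFIG_PATH=`"$Cfg`"", '/qn', '/norestart')
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $arguments -Wait -PassThru

# 0 = success, 3010 = success but a restart is required (expected with /norestart).
switch ($proc.ExitCode) {
    0       { Write-Output 'Logon app installed.' }
    3010    { Write-Output 'Logon app installed; a restart is required.' }
    default { Write-Error "msiexec failed with exit code $($proc.ExitCode)" }
}
exit $proc.ExitCode
```

Assign the script as a computer startup script so it runs as SYSTEM with access to the share before any user logs in.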
Create a transform file (.MST) that contains the required command line parameters. The Orca tool to create the .MST file is in the Windows SDK, which is available from Microsoft.
To create the .MST file in Orca:
- Open Orca.
- Select File > Open and select the .MSI file you downloaded.
- To start a new transform, select Transform > New Transform.
- In the Property list, add a property:
- To pass the path to the configuration file, add the CONFIG_PATH property with the path to the configuration file.
- To pass the content of the configuration file, add the CONFIG_CONTENT property with the content of the configuration file (without spaces).
- If the installer and the configuration file are in the same location, you do not have to add a property.
- To generate the transform file, select Transform > Generate Transform.
- To save the transform file, select File > Save Transformed As.
- Copy the original .MSI file to the directory that contains the .MST file.
- To manually test the installation, type this command:
msiexec -i AuthPoint_Agent_for_Windows_x64-2.1.0.218.msi -t TRANSFORMS=[Logon app mst file]
Make sure to update the command to match the version of the installer you want to run.
After you create the .MST file, create a Software Installation GPO that includes both the .MSI and .MST files.
To create the Software Installation GPO:
- Open the Group Policy Management Editor.
- Navigate to the software installation settings.
- Right-click and select New > Package.
- Specify the network path to the .MSI file.
- Select Advanced.
- Select the Modifications tab.
- Click Add.
- Specify the network path to the .MST file.
- Click OK.
- In the Windows Start menu, right-click Command Prompt and select Run as Administrator.
A Windows Command Prompt window opens.
- Run gpupdate to refresh the group policy settings.
- To test the GPO, reboot a computer in the domain.
Configure Windows to Require Credentials for UAC
The behavior of the Windows UAC elevation prompt can be configured to prompt users for credentials or to just prompt users to approve the action (no credentials required). In order for the AuthPoint agent for Windows to enforce MFA for UAC prompts, the computer must be configured to require credentials for UAC prompts.
You can configure this setting from the group policy editor.
- Open Group Policy Editor.
- Go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
- Edit these two group policy settings and change the security setting to Prompt for credentials:
- User Account Control: Behavior of the elevation prompt for standard users
- User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
For more information, go to Microsoft User Account Control settings and configuration.
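A check for the prerequisite described above, as an added example that is not WatchGuard's own code: it reads the registry values that back the two UAC policy settings and reports whether each one prompts for credentials.

```powershell
# Constructed example (not WatchGuard's own code): report whether the two UAC
# elevation-prompt policies are set to prompt for credentials, which the agent
# needs in order to enforce MFA on UAC prompts.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$system = Get-ItemProperty -Path $policyKey

# Registry values behind the two group policy settings named above.
# For both values, 1 = prompt for credentials on the secure desktop and
# 3 = prompt for credentials; every other value does not ask for a password.
$checks = @(
    @{ Policy = 'Behavior of the elevation prompt for standard users'
       Value  = 'ConsentPromptBehaviorUser' },
    @{ Policy = 'Behavior of the elevation prompt for administrators in Admin Approval Mode'
       Value  = 'ConsentPromptBehaviorAdmin' }
)

$allOk = $true
foreach ($c in $checks) {
    $current = $system.($c.Value)
    $ok = $current -in 1, 3
    if (-not $ok) { $allOk = $false }
    [pscustomobject]@{
        Policy                = $c.Policy
        RegistryValue         = $c.Value
        Current               = $current
        PromptsForCredentials = $ok
    }
}

# UAC itself must be on (EnableLUA = 1) for either prompt to appear at all.
if ($system.EnableLUA -ne 1) {
    $allOk = $false
    Write-Warning 'EnableLUA is not 1: UAC is disabled on this computer.'
}
if (-not $allOk) {
    Write-Warning 'At least one UAC prompt does not require credentials; MFA for UAC will not be enforced.'
}
```

Run it in an elevated PowerShell session on a computer where the policy has been applied (after gpupdate), and fix any row whose PromptsForCredentials column is False.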
Update the Logon App
The Logon app does not automatically upgrade to the latest version. To upgrade the Logon app, you must download and install the updated version of the agent for Windows or the agent for macOS. The most current version of the agent is available on the Downloads page.
You do not have to uninstall the Logon app or download a new configuration file when you install an updated version of the agent.
To update the agent for Windows:
- In the AuthPoint management UI, select Downloads.
- In the Logon App section, next to your operating system, click Download Installer. You do not have to download the configuration file.
- Run the downloaded Logon app installer on the computer or follow the steps in the previous sections to install the agent with the command line or a GPO.
Uninstall the Logon App
You might uninstall the Logon app when you no longer need to protect a computer or server with AuthPoint MFA.
If your AuthPoint license expires and the Logon app is installed, users can log in to their computers with only their password.
To uninstall the Logon app for Windows:
- Open the Windows Start menu and select Settings.
- Navigate to Apps & Features.
- Select AuthPoint Agent for Windows.
- Click Uninstall.
- After the Logon app is uninstalled, restart your computer.
To uninstall version 1.5.21 or higher of the Logon app for macOS, you must run the Logon_App_for_Mac_uninstall.pkg package file.
- Navigate to /Users/$USER/Applications/WatchGuard.
- Run the Logon_App_for_Mac_uninstall.pkg package file.
- Follow the steps in the wizard. When you finish, you must restart your computer.
To uninstall version 1.5.20 or lower of the Logon app for macOS, you must use the Terminal app to run the uninstall.sh script. You can find the uninstall.sh script in the Applications folder (/Users/$USER/Applications/WatchGuard/uninstall.sh).
- When the computer starts, press Command + S to enter Single User Mode.
- To set the disk to read/write, type the command mount -o update /.
- To run the uninstall script, type the command sudo sh /Applications/WatchGuard/Logon\ App\ for\ Mac/uninstall.sh.
- After the Logon app is uninstalled, restart your computer.
If your user login fails, you can still uninstall the Logon app with your computer in Safe Mode.
The Windows Installer (msiserver) does not work by default in Safe Mode. To enable Windows Installer in Safe Mode, you must modify a registry key.
- Start your computer in Safe Mode.
- After you have logged in, type cmd in the Cortana search box.
- Right-click the Command Prompt app and select Run as administrator.
The User Account Control dialog box appears.
- Click Yes.
- In the Command Prompt dialog box, type one of these commands and press Enter:
- If your computer is in Safe Mode, type reg add "hklm\system\currentcontrolset\control\safeboot\minimal\msiserver" /ve /t reg_sz /f /d "service".
- If your computer is in Safe Mode with Networking, type reg add "hklm\system\currentcontrolset\control\safeboot\network\msiserver" /ve /t reg_sz /f /d "service".
- To start the msiserver, in the Command Prompt dialog box, type net start msiserver. Press Enter.
- You can now uninstall the Logon app in Safe Mode:
- Open the Windows Start menu and select Settings.
- Navigate to Apps & Features.
- Select AuthPoint Agent for Windows.
- Click Uninstall.
- After the Logon app is uninstalled, restart your computer.
If your user login fails on a Mac, you can uninstall the Logon app from Recovery Mode:
- When the computer starts, immediately press and hold the Command (⌘)/ALT + R keys.
The Apple logo appears.
- Release the Command (⌘)/ALT + R keys when you see the recovery options.
- If FileVault is enabled, when you enter recovery mode you are prompted to specify an account that you know the password for. You must unmount and remount the disk before you uninstall the Logon app. If FileVault is not enabled, continue to Step 4.
- Select the user account and enter the password to unlock the drive.
- Launch the Disk Utility application.
- Select Macintosh HD.
- To unmount the disk, select File > Unmount.
- To mount the disk again, select File > Mount.
- Select Utilities > Terminal.
- In the Terminal window, type the command cd /Volumes/Macintosh\ HD/Applications/WatchGuard/Logon\ App\ for\ Mac/.
- Type the command sh .recovery.sh.
- Type reboot.
- Log in to the computer with your user name and password. After you log in, click and close the AuthPoint window that appears.
- To uninstall the Logon app, navigate to /Users/$USER/Applications/WatchGuard.
- Run the Logon_App_for_Mac_uninstall.pkg package file.
- Follow the steps in the wizard. When you finish, you must restart your computer.
Authentication with the Logon App
When the Logon app is installed on a computer, authentication is required to log in. On the login screen, users must type their password and then select one of the allowed methods of authentication. Which authentication methods are available is determined by the highest authentication policy that includes the Logon app resource and the user's group.
The Logon app for Windows does not validate user passwords until after MFA is complete. When a user enters their password, the Logon app proceeds to the MFA portion of the authentication flow, even if the password is incorrect. After MFA completes successfully, the Logon app validates the password. If the password is incorrect, authentication fails.
If push authentication is enabled, users can select the Automatically send a push notification when I log in check box to make the authentication process easier. When this option is selected, the Logon app automatically sends a push notification to the user after they enter their user name and password.
The Logon app does not support automatic logon for Windows.
To log in to a computer with the Logon app installed:
- In the User name text box, type the user name for your domain user. To log in as a local user, type your user name as host name\user name.
- In the Password text box, type your Windows or Mac password or authenticate with biometric ID (fingerprint or face). For Active Directory user accounts, type your AD password.
- Click Next.
If MFA is required, you see the authentication screen. If the authentication policy for your group only requires a password, you are logged in.
- If MFA is required, below Sign-in options, select an authentication option. Push is the default authentication method. If you select a different authentication option, that becomes the default authentication method.
If your computer does not have an Internet connection and MFA is required, you must select the one-time password or QR code authentication options to authenticate offline.
- Press Enter or Return and authenticate.
- Push — Approve the push notification that is sent to your mobile device.
- QR Code — Use the AuthPoint mobile app to scan the QR code, then type the verification code shown in the app.
- One-Time Password — Type the one-time password for your token.
If you do not have your token, you must use the Forgot Token feature to log in to a computer with the Logon app installed. For more information, see Authentication Without Your Mobile Device.
See the Version of the Installed Logon App
When you log in to a computer that has the Logon app installed, on the authentication screen you can click the ? icon to see information about the Logon app.