The following optional steps are for organizations that use Microsoft Intune® to manage employee mobile devices. The goal is for administrators to pre-populate the enrollment URL, so that end users do not have to enter it themselves when creating an account in the SecureAuth Authenticate app. After you configure Intune, end users only need to register their account to authenticate.

Prerequisites

  • SecureAuth Identity Platform v19.07 or later, with a SecureAuth IdP 9.3 or later realm configured for URL enrollment
  • SecureAuth Authenticate App v19.12 or later
  • Mobile device management (MDM) tool that supports the AppConfig Community standard, such as Intune, MobileIron, Meraki, or VMware Workspace ONE (formerly called AirWatch); ensure your MDM tool is installed
  • End user iOS mobile devices must be running an operating system of 11.0 or later
  • End user Android mobile devices must be running an operating system of 5.0 or later



Configure the enrollment URL 

Administrators can use the following information to add a policy associated with the correct SecureAuth URL enrollment realm and assign the policy to end users. Microsoft Intune is used here as an example of setting up the integration in one MDM tool. The policy redirects end users automatically to the correct realm, so all they need to do is register their account to authenticate. Registering an account is discussed at the end of this topic.

You might need to use the iOS integration steps, Android integration steps, or both depending on the types of devices your end users will use to authenticate.

In both sets of instructions, the steps start from the Intune main menu on the left side.

iOS integration
  1. Configure certificates and Apple credentials in Intune. This gives Microsoft permission to send user and device information and save changes.
  2. Set the enrollment target in Device enrollment.
  3. Add the Authenticate app in Client apps under the Manage section.

    You can set the Authenticate app to Required to automatically push the app to end user phones when they download the Intune Company Portal.
    1. Set the Minimum operating system to iOS 11.
    2. Select Display this as a featured app in the company portal so end users can find the Authenticate app easily.
  4. Add a policy in Client apps
    1. In Associated app, click Authenticate and confirm by clicking OK.
    2. In the Configuration settings format dropdown, select Use configuration designer and click the empty field under Configuration key in the new section. Enter enrollment_url and select String as the value type. Under Configuration value, add the enrollment realm. An example of an enrollment realm is https://portal.secureauth.com/secureauth39.
  5. You can set up your corporate Helpdesk email address to display the "Send Email to Helpdesk" link on the Settings screen in the Authenticate app. See Optional Helpdesk contact set up.
  6. Continue to End user setup.
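
The enrollment_url value from step 4 is pushed to every managed device and decides where end users register, so it is worth checking before the policy is saved. The following is an added example, not SecureAuth or Microsoft code: it validates the value and renders it as the plist dictionary used for iOS managed app configuration. The allowed-host list and the function names are assumptions; the page itself enters the key through the configuration designer.

```python
import plistlib
from urllib.parse import urlsplit

# Assumption: hostnames your organization's SecureAuth IdP realms live on.
# The single entry here is the host from the page's example URL.
ALLOWED_HOSTS = {"portal.secureauth.com"}


def check_enrollment_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of problems; an empty list means the value is acceptable."""
    problems = []
    if url != url.strip():
        # A pasted value with stray spaces is stored as-is in a String setting.
        problems.append("leading or trailing whitespace")
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if parts.username or parts.password:
        # Catches look-alikes such as https://portal.secureauth.com@other-host/
        problems.append("URL must not embed credentials")
    if (parts.hostname or "").lower() not in allowed_hosts:
        problems.append("host %r is not an approved IdP host" % parts.hostname)
    if not parts.path.strip("/"):
        problems.append("missing realm path")
    if parts.query or parts.fragment:
        problems.append("query string or fragment not expected")
    return problems


def managed_config_xml(url):
    """Render the <dict> that carries enrollment_url as a String value."""
    problems = check_enrollment_url(url)
    if problems:
        raise ValueError("; ".join(problems))
    plist = plistlib.dumps({"enrollment_url": url}).decode("utf-8")
    # Keep only the <dict>...</dict> element of the generated plist.
    start = plist.index("<dict>")
    end = plist.index("</dict>") + len("</dict>")
    return plist[start:end]


if __name__ == "__main__":
    print(managed_config_xml("https://portal.secureauth.com/secureauth39"))
```
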
Android integration
  1. Add your Google Play corporate account in Intune. This gives Microsoft permission to send user and device information and save changes.
  2. Set the work profile in Device enrollment.
  3. Add the Authenticate app in Client apps in Google Play.

    You can set the Authenticate app to Required to automatically push the app to end user phones when they download the Intune Company Portal.
    1. An application search bar opens and displays the Authenticate app. Occasionally the Authenticate app is not displayed; go to Managed Google Play and click Open the managed Google Play store to associate the app.
    2. Select OK to sync changes. If the sync does not occur, go to the Client apps menu, select Managed Google Play, and click Sync to force the sync.
  4. Add a policy in Client apps. An example of an enrollment realm is https://portal.secureauth.com/secureauth39.
    1. In the Configuration settings dropdown, select Use configuration designer.
    2. Click Add, select URL enrollment, then click OK.
    3. Select the new key. Under Configuration value, enter the enrollment realm and click OK. An example of an enrollment realm is https://portal.secureauth.com/secureauth39.
  5. Assign the policy to end users in Client apps. Under Include, select All Users + All Devices.
  6. You can set up your corporate Helpdesk email address to display the "Send Email to Helpdesk" link on the Settings screen in the Authenticate app. See Optional Helpdesk contact set up.
  7. Continue to End user setup.



End user setup 

End users can now use the Authenticate mobile app through the Intune Company Portal. Use the following steps to guide end users, customizing where needed.

To use personal mobile devices to access your company portal and resources, you will need to download and set up Intune Company Portal and the SecureAuth Authenticate mobile app. <Admins: If you set the Authenticate app to Required when you added the app during Intune configuration above, you can remove "and the SecureAuth Authenticate mobile app" from the previous sentence.>

The following steps show you how to do this.

  1. Download the Intune Company Portal from Google Play Store or iTunes. <Admins: Please send Android and iOS links to end users for their convenience.>
  2. Complete the Intune Company Portal setup. Follow your administrator's configuration instructions for details. <Admins: Please provide any configuration steps your end users need to complete.>
  3. Download and install the SecureAuth Authenticate app:

    <Admins: If you set the Authenticate app to Required when you added the app during Intune configuration above, you can remove step 3.>

    iOS – https://itunes.apple.com/us/app/secureauth-otp/id615536686
    Android – https://play.google.com/store/apps/details?id=secureauth.android.token&hl=en_US
  4. Select the Authenticate mobile app and log in. The following occurs:
    1. The time-based one-time passcode (TOTP) is displayed the first time you authenticate and then you are authenticated. The device you used to authenticate with is now a trusted device. 
    2. Each successive authentication on the trusted device occurs automatically, after you select the mobile app. A second factor is not required because SecureAuth IdP and Intune are integrated and take care of added security for the device and end user combination.

Note that you must accept push notifications from the mobile app.

Delete and reconnect an account

If you delete the Authenticate mobile app and then need to reconnect, do the following.

  1. Download the mobile app again.
  2. Select the mobile app to log in. If the device is the same one that the admin already configured through Intune, the device will still be configured. You will see the following screen, rather than automatically being authenticated:

Tap Continue to Login, and then authenticate with your password to reconnect your account. After reconnecting, subsequent authentication on the trusted device occurs automatically, after selecting the mobile app.

If you want to enroll your device with a different SecureAuth IdP realm or if you want to use the mobile app for third-party software, such as GitHub, you can Connect with a URL or Connect with a QR code (must have a working camera on the device).

If you want to enroll a different device, for example, a new phone or tablet, you must contact your administrator and ask for the new device to be added through Intune.