
Introduction

Login for Endpoints, introduced in SecureAuth IdP version 9.2 and available only with version 9.2 or later, adds SecureAuth Multi-Factor Authentication to the Windows desktop and remote server login experience and to the Mac desktop login experience. It supports these authentication methods:

  • Timed Passcode
  • Voice Call
  • Passcode sent via SMS / Text Message
  • Passcode sent via Email
  • One-time Passcode via Push Notification
  • Login Notification via Push Notification
  • YubiKey HOTP Device Passcode
  • Passcode from Help Desk

NOTE: Methods delivered via Push Notification require the SecureAuth Authenticate App on the user's mobile device.

In addition to the supported Multi-Factor Authentication methods, Login for Endpoints supports these setups / features for Windows and / or Mac:

Feature | Windows | Mac
Offline mode login | x | x
Multi-Factor Authentication for desktops and / or remote servers | x | N/A
Multi-Factor Authentication for single users only and / or multi-users | x | N/A
Users in bypass group can skip Multi-Factor Authentication | x | x
Bypass group lookup on a domain other than user's domain | x | x
Password expiration notification | x | x
Password Reset link to SecureAuth IdP realm or 3rd party service | x | N/A
Multiple login capability | x | x
Endpoint identified during login Multi-Factor Authentication request | x | x
Use Third-party Credential Providers | x | N/A
YubiKey HOTP support for 2-Factor Authentication | x | x
TOTP 2-Factor Authentication | x | x
Cached user credentials let users sign in with fewer clicks | x | N/A
Installation API validation | x | N/A
Adaptive Authentication | x | N/A
Non-domain server support | x | N/A
Validated with FIPS 140-2 compliant cryptographic libraries | x | x

DISCLAIMERS:

  • Login for Windows does not support non-domain-joined devices. Issues pertaining to account synchronization are the responsibility of the customer, not SecureAuth.
  • Login for Endpoints supports ONLY the sAMAccountName login name format as the profile lookup key; userPrincipalName (UPN) is not supported for that purpose.
    A UPN can be entered at login, but the Multi-Factor Authentication profile lookup is performed by sAMAccountName: if the profile store is a non-AD store that contains OATHSeed / OATHToken / PNToken but no sAMAccountName, the lookup fails and the user cannot use the other Multi-Factor Authentication methods.

NOTE: If you are currently using the SecureAuth Credential Provider, you do not need to uninstall before installing Login for Windows.

Refer to the Release Notes for more information about releases.

 

Prerequisites

1. Ensure SecureAuth IdP v9.2 or later is running and uses a certificate signed with SHA-2 (SHA-256 or stronger).

2. Create a new realm, or use an existing realm, on which Multi-Factor Authentication is required.

NOTE: This realm should not be configured for Single Sign-on.

3. Configure the following tabs on the Web Admin in preparation for configuring Login for Endpoints:

  • Overview – the description of the realm and SMTP connections must be defined
  • Data – an enterprise directory must be integrated with SecureAuth IdP
  • Workflow – the way in which users will access the target must be defined
  • Multi-Factor Methods – the Multi-Factor Authentication methods that will be used to access the target must be defined
  • Post Authentication – the target resource or post authentication action must be defined
  • Logs – the logs that will be enabled or disabled for this realm must be defined

4. Ensure target end-user machines are running any of the following supported OS versions:

Supported OS Versions
Windows OS versions:
  • Windows 7 (32/64-bit)
  • Windows 8.1 (32/64-bit)
  • Windows 10 (64-bit)

Windows Server OS versions:

  • Windows Server 2008 R2 (64-bit)
  • Windows Server 2012 (64-bit)
  • Windows Server 2012 R2 (64-bit)
  • Windows Server 2016 (64-bit)
Minimum macOS versions:
  • macOS High Sierra 10.13.2
  • macOS Sierra 10.12.6
 

NOTE: See SecureAuth Compatibility Guide for OS and SecureAuth IdP version support information.


NOTE: To use the proxy bypass feature with Windows, a proxy server and a proxy bypass list must be configured. See Login for Windows Installer Configuration for information about configuring them.

If you are using Login for Windows in a PCI environment and Login for Windows fails to install on a machine, see Login for Windows SSL configuration requirements.

Login for Windows

End-user: First-time Usage Requirements

SecureAuth strongly recommends using a timed passcode the first time you use Login for Windows to access the network.

To do so, you need an account provisioned on a SecureAuth IdP realm that lets your device generate timed passcodes for Multi-Factor Authentication. This first online login with a timed passcode is what caches the OATH seed on the machine.

Thereafter, you can use Login for Windows in the offline mode.
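The reason the first login must be an online, OATH-based one (restated by CP-400 and by the "Potential offline lockout for new users" entry in the 1.0.1 release notes) is that offline verification needs the OATH seed, and the endpoint only receives it from the IdP during a successful online login. The following model, an added example that is not SecureAuth's code, shows what an endpoint can and cannot verify with and without a cached seed: RFC 6238 TOTP with a small clock-skew window and replay protection, and RFC 4226 HOTP (the YubiKey case) with bounded look-ahead resynchronisation. The cache layout, window sizes and the sample seed are assumptions made for illustration; the seed is the RFC 4226 test-vector secret.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample seed (the RFC 4226 test-vector secret). A real seed is
# issued by SecureAuth IdP at enrollment; it is an assumption here.
SAMPLE_SEED = b"12345678901234567890"


def hotp(seed, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low-order decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed, at, step=30, digits=6):
    """RFC 6238 TOTP is HOTP with the counter taken from the time step."""
    return hotp(seed, at // step, digits)


class OfflineCache:
    """Assumed per-user cache. An entry exists only after the user has
    completed one online login with an OATH method, which is when the
    endpoint receives the seed from the IdP."""

    def __init__(self):
        self._entries = {}

    def cache_after_online_login(self, user, seed, hotp_counter=0):
        self._entries[user] = {"seed": seed, "hotp_counter": hotp_counter,
                               "last_step": -1}

    def has_seed(self, user):
        return user in self._entries

    def verify_totp(self, user, code, now=None, step=30, skew=1):
        """Accept the current time step plus or minus `skew` steps (clock
        drift on a machine that cannot sync time offline), but never a step
        at or before the last one already used, so a code cannot be replayed."""
        entry = self._entries.get(user)
        if entry is None:
            return False  # nothing cached: offline login is impossible
        now = int(time.time()) if now is None else now
        current = now // step
        for candidate in range(current - skew, current + skew + 1):
            if candidate <= entry["last_step"]:
                continue
            if hmac.compare_digest(hotp(entry["seed"], candidate), code):
                entry["last_step"] = candidate
                return True
        return False

    def verify_hotp(self, user, code, look_ahead=10):
        """Event-based HOTP (the YubiKey case): the device counter may run
        ahead of the cached one, so search a bounded window forward and
        resynchronise on success; the counter never moves backwards."""
        entry = self._entries.get(user)
        if entry is None:
            return False
        start = entry["hotp_counter"]
        for candidate in range(start, start + look_ahead):
            if hmac.compare_digest(hotp(entry["seed"], candidate), code):
                entry["hotp_counter"] = candidate + 1
                return True
        return False


if __name__ == "__main__":
    cache = OfflineCache()
    code = totp(SAMPLE_SEED, 59)
    print("before online login:", cache.verify_totp("alice", code, now=59))
    cache.cache_after_online_login("alice", SAMPLE_SEED)
    print("after online login: ", cache.verify_totp("alice", code, now=59))
```

The same code is rejected before the seed is cached and accepted afterwards, which is exactly the lockout a user walks into by going offline before their first OATH login. Two points worth noting for the bypass-group and HOTP features described later on this page: a cached HOTP counter that is allowed to move backwards would turn a recorded YubiKey press into a replayable credential, and a skew window wider than a step or two makes the offline TOTP check correspondingly weaker.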

Login for Mac

Admin: User Account and Mac Workstation Requirements

Active Directory Profile Configuration on the Mac

The end-user Active Directory profile must be accurately configured on the Mac so that the endpoint can retrieve the AD end-user profile during the login process.

Preconfigured Enterprise WiFi System Level Policy

In an enterprise WiFi environment, before setting up Login for Mac on end-user workstations, the system level policy must be configured to allow the Mac to connect to the enterprise WiFi. This setup lets Login for Mac fetch the OATH seed which is used to authenticate the end-user.

Prevention of YubiKey Device Usage Conflicts

If an end-user is already using a YubiKey device for YubiKey Multi-Factor Authentication on a SecureAuth IdP realm, the OATH seed and associated YubiKey device must be removed from the end-user's account in order to prevent a conflict when the end-user attempts to use a YubiKey device for HOTP authentication. (See the steps under End-user Multi-Factor Authentication in the YubiKey Multi-Factor Authentication Configuration Guide to remove the YubiKey device from the user account profile.)


Prevent and Troubleshoot End-user Lockouts

End-users can be locked out of their Mac workstations due to any of these factors:

  • Network Setup Issues
  • Login for Endpoints Installer Misconfiguration
  • End-user Mac Configuration Issues

Expand the section below for more information:


Network Setup Issues

Matching Active Directory Profiles Required

Active Directory must include an account profile for each end-user, and that profile must match the AD profile set up on the Mac in order for the Mac endpoint to retrieve the AD profile.

Login for Endpoints Installer Misconfiguration

Edits Made in config.json File

If the configured config.json file is edited, take care that the file remains UTF-8 encoded and that no characters in another encoding are entered and saved in it. This typically happens when text is copied from another source, such as a word processor, and pasted into the file; the result is a misconfigured endpoint that locks the end-user out of the Mac.
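A check an administrator can run on config.json before deploying it, as an added example that is not part of SecureAuth's installer: it reads the file as raw bytes, reports the offset of the first byte that is not valid UTF-8 (the usual signature of text pasted from a Windows-1252 source), flags typographic quotes that a word processor substitutes for the ASCII quotes JSON requires, and confirms the result still parses. It knows nothing about the file's schema; the keys in the constructed samples are assumptions and the check applies to any JSON configuration file.

```python
import codecs
import json

# Curly quotes are what a word processor substitutes for the ASCII " that
# JSON requires; they arrive the way the page describes, by paste.
TYPOGRAPHIC_QUOTES = {"\u201c", "\u201d", "\u2018", "\u2019"}


def check_config_bytes(raw):
    """Return a list of problems found in the raw file bytes; an empty list
    means the file is valid UTF-8 and valid JSON."""
    problems = []
    if raw.startswith(codecs.BOM_UTF8):
        problems.append("UTF-8 BOM at offset 0; save the file without a BOM")
        raw = raw[len(codecs.BOM_UTF8):]
    try:
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        problems.append(
            "byte 0x%02x at offset %d is not valid UTF-8 "
            "(text pasted from a Windows-1252 or other non-UTF-8 source?)"
            % (raw[exc.start], exc.start))
        return problems  # the text cannot be inspected any further
    for pos, ch in enumerate(text):
        if ch in TYPOGRAPHIC_QUOTES:
            problems.append("typographic quote U+%04X at character %d; "
                            "JSON requires ASCII double quotes" % (ord(ch), pos))
    try:
        json.loads(text)
    except json.JSONDecodeError as exc:
        problems.append("JSON parse error at line %d column %d: %s"
                        % (exc.lineno, exc.colno, exc.msg))
    return problems


def check_config_file(path):
    """Read the file as bytes, never as text, so the encoding check sees
    exactly the bytes the installer will read."""
    with open(path, "rb") as fh:
        return check_config_bytes(fh.read())


# Constructed samples with assumed keys: a clean file and the same file
# after cp1252 smart quotes (0x93 / 0x94) were pasted around a value.
CLEAN_SAMPLE = b'{"realm": "example", "timeout": 30}'
PASTED_SAMPLE = b'{"realm": "\x93example\x94", "timeout": 30}'

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("pasted", PASTED_SAMPLE)):
        print(name, check_config_bytes(sample) or "ok")
```

Run it against the edited file before it is pushed to a workstation; a non-empty result is cheaper to fix at the console than after an end-user is locked out of the Mac.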

End-user Mac Configuration Issues

Misconfigured Active Directory Profile on Mac

If the end-user's new Mac has a misconfigured Active Directory account profile, the endpoint will not be able to retrieve the end-user's AD profile to complete the login process.

Lockout with Secure, Automatic Enterprise WiFi Endpoint Connection

If the endpoint is set to automatically connect to a secure, enterprise WiFi, and has not yet been configured to connect to a SecureAuth IdP realm, then the end-user will be locked out of logging on the Mac.

In this scenario, the Mac may need to be reset by the administrative user who can bypass the login endpoint in order to reset the machine.

Lockout without OATH Seed for YubiKey HOTP Device or Network Connectivity

If a YubiKey HOTP device is used to log on the Mac but the machine has neither a stored OATH seed nor network connectivity, the endpoint must wait until a network connection is available.

If the end-user is attempting to log on for the first time, and the Mac does not have WiFi configured or is not using a wired connection, then the end-user will be locked out of logging on the Mac.

Users Disabled in Active Directory

If an end-user is disabled on Active Directory, the local account will not know the history of the AD account, and the user will not be able to log on the Mac.

End-user: Account and Mac Workstation Requirements

IMPORTANT: Before Installing Login for Mac

Your local username and password on the Mac must be the same as your Active Directory username and password. If you are using a different local username than your Active Directory username, then you will need to contact IT to synchronize the IDs.

If the IDs are synchronized, be sure you can log on the Mac before installing Login for Mac.

First-time Usage Requirements

The first time you use Login for Mac to log on the network:

A timed passcode is required. You must have an account provisioned with a SecureAuth IdP realm that enables your device to generate timed passcodes for Multi-Factor Authentication.

Your Mac must either be hardwired to the network, or you must have a preconfigured WiFi connection within range to which your Mac can be manually connected.

Thereafter, you can use Login for Mac in the offline mode.


End-user Experience

Login for Windows End-user Experience

Known Issues

  • On Windows 10 desktops, a Login Notification request that is cancelled on the desktop but then accepted in the SecureAuth Authenticate app on the mobile device still gives the user login access to the machine; that is, cancelling on the desktop does not invalidate the pending request. This issue has been raised with Microsoft but remains unaddressed by them.
  • On Windows Server 2008 R2 and 2012 R2, users may be unable to complete the self-service password reset process because of the default Internet Explorer settings in those operating systems.
  • If a configured proxy becomes unavailable, Login for Windows behaves as if it is offline. This may affect laptop users who connect to networks on which the proxy is unreachable.
  • The Self-Service Password Reset feature, which opens a browser to a Self-Service Password Reset page, does not function in environments that use a proxy to reach SecureAuth IdP. In these scenarios, contact SecureAuth Support and ask about workarounds. This feature differs from the inline password reset used when a user's password expires, which does function in proxy environments.
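The first known issue above is a request-state problem rather than a cryptographic one, and it is the pattern to look for in any push-approval login. The following model is an added example, not Login for Windows or SecureAuth IdP code, and it does not claim to reproduce where in the Windows credential-provider flow the defect sits. `PushLoginReported` behaves the way the issue describes: the machine grants access as soon as the mobile approval arrives, and the desktop cancel merely dismisses the dialog. `PushLoginIntended` shows the handling a reviewer would expect: cancellation and expiry retire the request, only a still-pending request can be approved, and an approval is consumed exactly once. Request ids, the time-to-live and the state names are assumptions.

```python
import secrets
import time

PENDING, APPROVED, CANCELLED, EXPIRED = "pending", "approved", "cancelled", "expired"


class PushLoginReported:
    """Models the behaviour the known issue describes: access is granted as
    soon as an approval arrives, and a desktop cancel only hides the dialog."""

    def __init__(self):
        self._approved = set()

    def start(self, user):
        return secrets.token_hex(8)  # request id carried by the push

    def cancel_on_desktop(self, rid):
        pass  # the request stays live on the IdP side

    def approve_on_mobile(self, rid):
        self._approved.add(rid)
        return True

    def login_allowed(self, rid):
        return rid in self._approved


class PushLoginIntended:
    """Cancellation and expiry retire the request; only a request that is
    still PENDING can be approved, and an approval is consumed exactly once."""

    def __init__(self, ttl_seconds=60):
        self._ttl = ttl_seconds
        self._requests = {}  # rid -> {"user", "state", "expires"}

    def start(self, user, now=None):
        now = time.time() if now is None else now
        rid = secrets.token_hex(8)
        self._requests[rid] = {"user": user, "state": PENDING,
                               "expires": now + self._ttl}
        return rid

    def cancel_on_desktop(self, rid):
        req = self._requests.get(rid)
        if req is not None and req["state"] == PENDING:
            req["state"] = CANCELLED  # a later approval can no longer apply

    def approve_on_mobile(self, rid, now=None):
        now = time.time() if now is None else now
        req = self._requests.get(rid)
        if req is None or req["state"] != PENDING:
            return False  # unknown, cancelled, expired or already approved
        if now > req["expires"]:
            req["state"] = EXPIRED
            return False
        req["state"] = APPROVED
        return True

    def login_allowed(self, rid, now=None):
        now = time.time() if now is None else now
        req = self._requests.pop(rid, None)  # single use, whatever the outcome
        return (req is not None and req["state"] == APPROVED
                and now <= req["expires"])

    def state(self, rid):
        req = self._requests.get(rid)
        return None if req is None else req["state"]


if __name__ == "__main__":
    for cls in (PushLoginReported, PushLoginIntended):
        login = cls()
        rid = login.start("alice")
        login.cancel_on_desktop(rid)   # user dismisses the prompt on the PC
        login.approve_on_mobile(rid)   # phone approves it anyway
        print(cls.__name__, "grants access after cancel:", login.login_allowed(rid))
```

Until the issue is addressed, the practical consequence for users is the one the model makes visible: dismissing a Login Notification on the desktop does not protect the machine if the same notification is then approved on the phone, so a notification the user did not initiate should be declined on the mobile device, not merely cancelled on the desktop.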

Windows 10: First-time Login Experience

1. Enter your username on the Windows login screen.

2. The first time you use Login for Windows, SecureAuth recommends selecting a timed passcode authentication option from the list of Multi-Factor Authentication methods for which you have enrolled. This could be the SecureAuth Authenticate App on your mobile device or another device provisioned with the SecureAuth IdP realm to supply timed passcodes, such as a YubiKey.

After selecting a timed authentication option and entering your password, the timed passcode option will be available for you to use when logging on this machine offline.

If you do not have an authentication method that provides a timed passcode, then select any other option available to you.

Timed passcode from app

For this option:

1. If there is more than one provisioned OATH OTP app, select the device.

2. Enter your Windows Password.

3. Click the arrow to log on Windows.


Passcode from voice call

For this option:

1. Select the phone number if more than one mobile phone is included in your user profile.

2. Enter your Windows Password.

3. Click the arrow to log on Windows.


Passcode from SMS / text

For this option:

1. Select the phone number if more than one mobile phone is included in your user profile.

2. Enter your Windows Password.

3. Click the arrow to log on Windows.


Passcode from email

For this option:

1. Select the email address if more than one address is included in your user profile.

2. Enter your Windows Password.

3. Click the arrow to log on Windows.


Passcode from notification

For this option:

1. Select the mobile device on which the provisioned SecureAuth Authenticate app is installed.

2. Enter your Windows Password.

3. Click the arrow to log on Windows.


Approve login notification on mobile

For this option:

1. Select the mobile device on which the provisioned SecureAuth Authenticate app is installed.

2. Enter your Windows Password.

3. Click the arrow to log on Windows.


Contact help desk for passcode

For this option:

1. Select the phone number to use for contacting the help desk.

2. Enter your Windows Password.

3. Click the arrow to log on Windows.


Passcode from token

For this option:

1. If there is more than one provisioned token, select the device on which the provisioned SecureAuth passcode app is stored.

2. Enter your Windows Password.

3. Click the arrow to log on Windows.

Windows 10: Subsequent Login Experience

When logging on the same machine in subsequent sessions, the Login for Windows page includes a selection of all Multi-Factor Authentication methods for which you enrolled.

The login screen defaults to the authentication method used in the last login session.


Timed passcode from app

1. In the Enter passcode field, enter the OATH OTP from your SecureAuth One-time Passcode app.

2. Click the arrow to log on Windows.


Contact help desk for passcode

1. Enter the passcode received by contacting the help desk.

2. Click the arrow to log on Windows.


Approve login notification on mobile

1. Accept the login notification sent to the SecureAuth Authenticate app on your mobile device.

2. Access Windows.


Passcode from notification

1. Enter the passcode sent to the SecureAuth Authenticate app on your mobile device.

2. Click the arrow to log on Windows.


Passcode from email

1. Enter the passcode sent to your email address.

2. Click the arrow to log on Windows.


Passcode from voice call

1. Enter the passcode received by a voice call to your mobile phone.

2. Click the arrow to log on Windows.


Passcode from SMS / text

1. Enter the passcode sent via SMS to your mobile phone.

2. Click the arrow to log on Windows.


Passcode from Token

1. Plug in the token to receive a passcode from the device.

2. Click the arrow to log on Windows.

Login for Mac End-user Experience

IMPORTANT:

  • The enterprise WiFi connection must be disabled on the Mac in order to log on to the domain. A public WiFi connection or a wired connection can be used for Internet access.
  • If you are in a bypass group, wait for the network connection to be fully established before logging on; bypass group membership can only be checked while the Mac is online.

1. Enter your domain username and password on the Mac login screen.


2. When using Login for Mac for the first time, you must supply a timed passcode from either the SecureAuth Authenticate App on your mobile device or another device provisioned with the SecureAuth IdP realm to supply timed passcodes, such as a YubiKey. This window appears only the first time you use Login for Mac.

Enter the passcode that appears on the device, and then click Submit.

NOTE: After successfully logging on the Mac using a timed passcode, timed passcodes from that device can be used for login access in the offline mode, i.e. when the Mac is not connected to the Internet.

3. Log Out of the Mac.


4. Log back on the Mac, and select an authentication option from the list of Multi-Factor Authentication methods for which you have previously enrolled.

NOTE: If your list of available authentication options is lengthy, you may need to scroll down the list if the option you wish to choose does not appear on the main page.

5. Optionally, check the Remember my selection box if you want to use this same authentication method the next time you log on the Mac.

6. Click Submit to access the Mac on the network.

NOTE: Authentication method workflows are described in the sub-sections below.

No matter which option you choose, you can return to this selection window by clicking the link: I want to choose a different two-factor authentication method.

SecureAuth Authenticate Mobile App Options

Receive passcode from notification

When selecting this option, the Enter Passcode window appears.

1. Enter the passcode that was sent to the SecureAuth Authenticate App on your mobile device.

2. Click Submit to log on the Mac.


Approve login notification

When selecting this option, the Waiting for Your Approval window appears.

1. Accept the login notification sent to the SecureAuth Authenticate App on your mobile device to log on the Mac.


Enter timed passcode from app

When selecting this option, the Enter Passcode window appears.

1. Enter the OATH OTP from your SecureAuth OTP App.

2. Click Submit to log on the Mac.

SMS / Text Message

Receive passcode

When selecting this option, the Enter Passcode window appears.

1. Enter the passcode sent via SMS to your mobile phone.

2. Click Submit to log on the Mac.

Email

Receive passcode

When selecting this option, the Enter Passcode window appears.

1. Enter the passcode sent to your email address.

2. Click Submit to log on the Mac.

Voice Call

Receive passcode

When selecting this option, the Enter Passcode window appears.

1. Enter the passcode received by a voice call to your mobile phone.

2. Click Submit to log on the Mac.

Additional Methods Options

Contact the help desk

When selecting this option, the Enter Passcode window appears.

1. Input the passcode supplied by the help desk.

2. Click Submit to log on the Mac.


Enter passcode - HOTP Device

When selecting this option, the Enter Passcode window appears.

1. With the YubiKey HOTP device inserted in the machine, tap / press the device to populate the passcode in the field.

2. Click Submit to log on the Mac.

Release Notes

Release Date: June 13, 2018

Version 1.0.2

Login for Windows

Resolved Issues and Enhancements

CP-187: RDP users utilizing NLA (Network Level Authentication) no longer receive a second prompt after providing credentials to the RDP client.
CP-267: The Multi-Factor Authentication device order now remains consistent on subsequent login attempts.
CP-320: Login for Windows now remembers the most recently entered login username on a non-server.
CP-340: An active hover link now appears when attempting to select another Multi-Factor Authentication method.
CP-339: The correct HOTP icon now appears on the passcode entry window.
CP-379: Log details have been added to help troubleshoot common installation errors.
CP-388: Users in offline mode now correctly receive Multi-Factor options that are usable offline.
CP-393: Re-installing Login for Windows now applies configuration file updates.
CP-398: The installer error message for a missing configuration file has been revised for clarification.
CP-400: First-time users must now use an OATH-based method (if enrolled in one) to ensure at least one OATH seed is cached for offline use.
CP-403: The most recently used Multi-Factor Authentication device now appears when logging on / off Windows 7 or Windows 10.
CP-408: SADiag.exe no longer returns an error when the 'set logging off' and 'test api' log level settings are used.
CP-410: The installer now accepts a relative path to the configuration file during a silent installation.
CP-411: The correct username now appears on the lock screen on Windows 7 / Windows Server 2008.

Known Issues

CP-386: SMS / Voice telephone numbers are not completely masked for registered Multi-Factor Authentication methods.
CP-414: User details are missing when choosing a registered user on the "Other user" login screen.
CP-416: Manual uninstallation from the "Programs and Features" menu on Windows 10 results in an error.

Login for Mac

Resolved Issues and Enhancements

CP-309: Login for Mac .pkg files have been renamed for consistency with Login for Windows .msi file names.
CP-317: Login for Mac now validates the configuration file correctly.
CP-327: The initial Multi-Factor Authentication method window now shows a selected option.
CP-359: The installation failure log (Command+L) now identifies a missing configuration file.
CP-379: Log details have been added to help troubleshoot common installation errors.
CP-398: The installer error message for a missing configuration file has been revised for clarification.
CP-390: Users are no longer locked out on Sierra 10.12.x machines with a FileVault encrypted drive.
CP-392: Device names receiving push requests now appear on Login for Mac waiting screens.

Known Issues

CP-346: Bypass groups are only enforced when the system is online and can check group membership; an offline user in a bypass group is prompted for Multi-Factor Authentication like any other user.
CP-386: SMS / Voice telephone numbers are not completely masked for registered Multi-Factor Authentication methods.

Release Date: May 14, 2018

Version 1.0.1

Login for Windows

Resolved Issues

  • Incorrect IP address used for Adaptive Authentication

When logging on locally, SecureAuth IdP now correctly uses the endpoint's public-facing IP address instead of a local adapter IP address.

In this issue, a private IP address was being used, which prevented IP-related Adaptive Authentication features from functioning properly. Remote / RDP logins were not affected.

  • AD bad password count incorrectly incremented 

When attempting to log on using a bad password, the bad password count now increments appropriately – i.e. one time for each login attempt.

In this issue, the Active Directory bad password count would increment multiple times for a single login attempt, causing the user to be locked out immediately or sooner than anticipated. In certain scenarios, the bad password count incremented once for each OATH seed-based Multi-Factor Authentication method – e.g. for each app-based OTP or hardware token.

  • Re-installation breaks login functionality

Login for Windows can now be re-installed on the same machine.

In this issue, the Login for Windows software could become corrupted if re-installed on a machine which already had the software installed. This issue prevented users from logging in and required the user to boot up the machine in safe mode to repair the software.

  • Non-proxy aware

Beta support is now available for proxies in Login for Windows – see Login for Windows Installer Configuration to configure Login for Windows 1.0.1 for use with a proxy. Note the known issues when using a proxy in the 1.0.1 release.

This issue affected environments in which direct access to the SecureAuth IdP appliance is blocked and users must use a proxy.

  • Login failure for users with a space in sAMAccountName 

The issue has been resolved for users who were unable to log in if a space exists in their sAMAccountName property. 

  • Users in a bypass group unable to use Self-Service Password Reset function

The Self-Service Password Reset link now appears for users who are in a bypass group. 

Known Issues

  • Installation requires an absolute path to the configuration file

The installer does not accept a relative path to the configuration file, which prevents deploying the installer from a directory that cannot be defined in advance (such as when using a Group Policy).

  • Potential offline lockout for new users

To use the offline mode, a user must first use an OATH-based authentication method – such as a one-time code (OTP) generated by the SecureAuth Authenticate App – at least once while online, so that the OATH seed used to authenticate the user is cached on the machine. SecureAuth recommends instructing users how to enable the offline mode before they attempt to go offline.

A future release of Login for Windows will address the potential new-user lockout by providing guidance to users during the login process.

  • Double prompting for RDP logins

Users utilizing NLA (Network Level Authentication) when logging on a system with RDP enabled may still be prompted for a username and password once the session is established.

  • Self-service Password Reset function is non-proxy aware

The Self-service Password Reset feature – which opens a browser to a Self-Service Password Reset page – does not function in environments using a proxy to access SecureAuth IdP.

In these scenarios, contact SecureAuth Support and inquire about workarounds.

Note this feature differs from the inline password reset feature that is used when a user’s password expires – this feature functions properly in proxy environments. 

  • Self-service Password Reset may not function correctly for certain Operating Systems

On Windows Server versions 2008 R2 and 2012 R2, users are unable to complete the self-service password reset process due to default Internet Explorer settings in the operating systems.

  • Offline endpoint when proxy is unavailable

Use of any proxy configured for Login for Windows becomes mandatory. If the proxy is unavailable, Login for Windows behaves as if it is offline.

This issue may impact laptop users who connect their laptops to networks in which the proxy is unavailable.

  • Re-installing Login for Windows does not apply configuration file updates

Re-running the installer with a new or updated configuration file does not result in configuration changes made to the current installation. Administrators must uninstall and then re-install Login for Windows to apply the new settings.

  • SMS and Voice numbers are not correctly masked

Users prompted for Multi-Factor Authentication can view the full telephone number for a registered Multi-Factor Authentication method.

  • Incorrect username shown on lock screen

Users in a bypass group are shown the wrong username on a Windows 7 workstation lock screen.

 

Login for Mac

Known Issues

  • Login failure for users with a space in sAMAccountName

The issue for users who are unable to log in if a space exists in their sAMAccountName property cannot be resolved because macOS does not support using spaces in login names.

  • Critical issue with FileVault on Sierra

Do not install Login for Mac 1.0 on MacOS 'Sierra' (10.12.x) in a domain-joined system that uses FileVault encryption on the boot volume; this may render the system unbootable and require recovery.

  • SMS and Voice numbers are not correctly masked

Users prompted for Multi-Factor Authentication can view the full telephone number for a registered Multi-Factor Authentication method.

  • Additional Authentication methods may be hidden

Since many MacOS configurations do not display a scrollbar, users who are prompted to select an authentication method may not know there are additional methods available to them if they do not see them on the screen currently displayed.

  • Multi-Factor Authentication only prompts users at login

Login for Mac does not currently support prompting users for additional factors when unlocking the screen of an already logged-in user.

  • Offline login may not complete

Users attempting to log in offline a second time using a TOTP code (after logging on and logging off) may find that the login does not complete after entering the code.

  • Login for Mac will install on unsupported MacOS versions

Login for Mac is only supported and tested on MacOS versions 10.12.x (Sierra) and 10.13.x (High Sierra), but currently the installer allows installation to proceed on versions 10.10.x and 10.11.x.

 

Release Date: February 1, 2018

Version 1.0

The new Login for Endpoints product gives end-users a secure login experience on a Mac or Windows workstation, or on a remote Windows server, using a SecureAuth Multi-Factor Authentication method. This product, with FIPS 140-2 compliant cryptographic libraries, is newly designed and engineered and replaces the Credential Provider application. After the initial setup and first-time usage, the end-user subsequently logs on without a password by just using a 2-Factor Authentication method. 
