How to enable MFA for Windows, macOS, and Linux

You can apply MFA for Windows, macOS, and Linux machines in two ways:

Note: The Professional Edition of ADSelfService Plus Endpoint MFA is required for machine MFA to work on Windows Server machines. Without it, MFA is bypassed on Windows servers.


Prerequisites

General

Prerequisites for offline MFA

Steps to enable MFA for Windows, macOS, and Linux machines

  1. Go to Configuration → Self-Service → Multi-factor Authentication → MFA for Endpoints.
  2. Select a policy from the Choose the Policy drop-down. This will determine which authentication methods are enabled for which sets of users.

     Note: ADSelfService Plus allows you to create OU and group-based policies. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.

  3. In the MFA for Machine Login section, select the check box to enable MFA for Machine Login and select the number of authentication factors to be prompted. Select the authentication method from the drop-down.
  4. Select the Choose Authenticators for Offline Machine Login MFA option and select the authentication methods you prefer for offline MFA from the drop-down. The following authenticators are supported:
    • Google Authenticator
    • Microsoft Authenticator
    • Custom time-based one-time password (TOTP) authenticator
    • Zoho OneAuth TOTP

    To force users to enroll for the authenticators selected here, select the Force enrollment option in this advanced setting.

  5. Click Save Settings.

Note:

    • If offline MFA isn't configured or a user's machine isn't enrolled for offline MFA, offline access is denied unless:
      • The Skip MFA when the ADSelfService Plus server is down or unreachable setting is enabled. This setting can be found under Configuration > Self-Service > Multi-factor Authentication > Advanced > Endpoint MFA > Machine Login MFA.
      • Machine-based MFA is not enforced for that machine. The Manage MFA setting under Configuration > Administrative Tools > GINA/Mac/Linux (Ctrl+Alt+Del) > GINA/Mac/Linux Installation > Installed Machines is set to Exempt.

      To avoid degrading security by bypassing MFA, or hampering productivity by denying access when offline, it is recommended to enable offline MFA.

    • Changes to the offline MFA configuration, advanced settings, enrollment data, and disenrollment of the machine from offline MFA take effect only after the next successful online MFA attempt on that machine.
    • To enable local language support for MFA for Windows, click here.

Appendix

Enrolling Windows machines for offline MFA


Authenticator enrollment by users

Once offline MFA is configured, after a user completes online MFA via the login agent or in the ADSelfService Plus portal, they will be prompted to enroll for authenticators configured for offline MFA, if not yet enrolled.

Machine enrollment for offline MFA

After online MFA is completed, depending on the advanced settings configuration, the user's machine will either be automatically enrolled for offline MFA, or the user will have to choose between enrolling the machine and skipping enrollment.

Once the machine is enrolled for offline MFA for a specific user, that user's authenticator enrollment data is securely transmitted from the ADSelfService Plus server and stored in encrypted form on that machine for offline MFA. This process repeats regularly to keep the authenticator data up to date.

The device enrolled for offline MFA can be disenrolled by the admins or the end-users if required.

How does offline MFA work?


  1. The user enters their credentials to log in to their machine.
  2. If primary authentication is successful, the ADSelfService Plus login agent installed on the machine tries to reach the ADSelfService Plus server to initiate MFA, but fails because the machine has no connectivity to the server.
  3. The login agent then initiates offline MFA.
  4. If the user completes the required authentication levels successfully, they are logged into the machine.

Copyright © 2024, ZOHO Corp. All Rights Reserved.