How to enable MFA for Windows, macOS, and Linux
You can apply MFA for Windows, macOS, and Linux machines in two ways:
- User-based MFA: Protects desktop and laptop logins, including remote desktop logons, with MFA for a specific group of users. Click here for the configuration steps.
- Machine-based MFA: Applies MFA to specific machines, irrespective of the users accessing them, their enrollment status, or their ADSelfService Plus connectivity. The authenticators configured under User-based MFA are the ones prompted during the Machine-based MFA process. Click here to know more about Machine-based MFA.
Prerequisites
- The Endpoint MFA add-on for ADSelfService Plus is required to enable the MFA for machine logins feature. Visit the store to purchase the add-on.
- SSL must be enabled: Log in to the ADSelfService Plus web console with admin credentials. Navigate to the Admin tab → Product Settings → Connection. Select the ADSelfService Plus Port [https] option. Refer to this guide to learn how to apply for an SSL certificate and enable HTTPS.
- Access URL must be set to HTTPS: Navigate to Admin → Product Settings → Connection → Connection Settings → Configure Access URL and set the Protocol option to HTTPS.
- Enable the required authentication methods. For steps on enabling the authentication methods, refer to the Authenticators section.
- Install the ADSelfService Plus login agent for Windows, macOS, and Linux on the machines where you want to enable MFA. Click here for steps to install the ADSelfService Plus login agent.
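Before pushing the login agent to machines, it is worth confirming from an endpoint's point of view that the two connection prerequisites above actually hold: the configured access URL is HTTPS, and the server presents a certificate that a client validates against the system trust store for that hostname. The following pre-flight script is an added example, not part of the ADSelfService Plus documentation or product; the hostname and port in it are placeholders (substitute your own access URL), and the hostname checks are general TLS name-matching cautions rather than product requirements.

```python
"""Pre-flight check for the HTTPS access URL that the login agent will contact.

Added example; not ManageEngine code. Run it from a machine that is about to
receive the login agent so the TLS validation reflects that machine's trust store.
"""
from __future__ import annotations

import ipaddress
import socket
import ssl
import sys
from urllib.parse import urlsplit


def validate_access_url(url: str) -> list[str]:
    """Return the problems found with an access URL; an empty list means it is usable.

    Mirrors the prerequisites: the scheme must be https, and the host part must be a
    name a certificate can be issued for and matched against by every endpoint.
    """
    problems: list[str] = []
    parts = urlsplit(url.strip())

    if parts.scheme.lower() != "https":
        problems.append(f"scheme is {parts.scheme or 'missing'!r}, expected https")

    host = parts.hostname
    if not host:
        problems.append("no hostname in URL")
    else:
        try:
            ipaddress.ip_address(host)
            # General TLS caution: agents validate the certificate against the name
            # they connect to, so use the DNS name the certificate was issued for.
            problems.append("host is an IP address; use the DNS name on the certificate")
        except ValueError:
            if "." not in host:
                problems.append(
                    f"host {host!r} is not fully qualified; agents on other DNS "
                    "suffixes may not resolve it"
                )

    try:
        parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        problems.append("port is not a valid number")

    if parts.username or parts.password:
        problems.append("URL embeds credentials; remove them")

    return problems


def check_tls_endpoint(url: str, timeout: float = 5.0) -> dict:
    """Open a TLS connection the way a client would and report the result.

    Uses the default context, so chain and hostname verification are enforced
    against the system trust store; a self-signed or mismatched certificate fails.
    """
    parts = urlsplit(url)
    host = parts.hostname
    port = parts.port or 443
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                subject = {k: v for rdn in cert["subject"] for k, v in rdn}
                return {
                    "ok": True,
                    "subject": subject,
                    "not_after": cert["notAfter"],
                    "protocol": tls.version(),
                }
    except (OSError, ssl.SSLError) as exc:  # socket errors and verification failures
        return {"ok": False, "error": f"{type(exc).__name__}: {exc}"}


if __name__ == "__main__":
    # Placeholder access URL; replace with the one configured under Configure Access URL.
    access_url = sys.argv[1] if len(sys.argv) > 1 else "https://adssp.example.internal:9251"
    issues = validate_access_url(access_url)
    for issue in issues:
        print(f"URL problem: {issue}")
    if not issues:
        print(check_tls_endpoint(access_url))
```

Run it with the access URL as the first argument. A clean URL followed by a `"ok": False` result with an `SSLCertVerificationError` means the endpoint will reach the server but will not trust its certificate, which is exactly the case to fix before agents are installed.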
Steps to enable MFA for Windows, macOS, and Linux machines:
- Go to Configuration → Self-Service → Multi-factor Authentication → MFA for Endpoints.
- Select a policy from the Choose the Policy drop-down. This will determine which authentication methods are enabled for which sets of users.
Note: ADSelfService Plus allows you to create OU and group-based policies. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.
- In the MFA for Machine Login section, select the check box to enable MFA for Machine Login and select the number of authentication factors to be prompted. Select the authentication method from the drop-down.
- Click Save Settings.
Note:
- Advanced MFA Settings: If ADSelfService Plus is unreachable or down, users will be stuck at the login screen, unable to complete MFA. You can allow users to bypass MFA in such situations. Refer to the Advanced Settings for more information.
- Windows MFA settings: You can also configure settings to prompt MFA during specific scenarios for Windows machines. Click here to learn more about Advanced Machine MFA settings.