
Windows Logon Agent Advanced Policies

The Passly Windows Logon Agent has some unique policies that can be enabled. This article contains some working examples that will help you with your agents.
Note: For help deploying a Windows Logon agent please see this article

2FA Base Logon Policy

This policy requires the user to provide second-factor authentication. The supported second-factor authentication types are listed in the ‘Require 2FA’ section of the policy.
Note: The ‘Set Allowed Methods’ section with all options unchecked MUST be included.

1.png

"Internal IP" versus "Sign In IP"

  • “Internal IP”: Use the Internal IP option to create a policy that grants or denies permissions based on the local IP address of the Remote Desktop Connection (RDC) client that connects to the machine with WLA installed. In other words, it is the LOCAL IP of the machine from which the RDC session is established.
  • “Sign In IP”: Use the Sign In IP option to create a policy that grants or denies permissions based on the external IP address of the machine. For the WLA agent, “Sign In IP” is the external IP of the machine where WLA is installed.

Policy With Internal IP Restrictions

This policy adds an Internal IP restriction. In this case, if the Internal IP is 10.1.1.1 then the Authentication request will be rejected.
NOTE: The ‘Set Allowed Methods’ section with all options unchecked MUST be included.

2.png

Policy With IP Restrictions

This policy adds a ‘Sign In IP’ (IP address of the device) restriction. In this case, any IP address that is within the range 4.34.208.146/31 will be rejected. (This is CIDR notation; the range covers anything between 4.34.208.146 and 4.34.208.147.)
Note: The ‘Set Allowed Methods’ section with all options unchecked MUST be included.
3.png
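
As an added example (not part of the original article and not Passly's own code), this Python script uses the standard `ipaddress` module to show exactly which addresses a restriction entry covers before it is entered into a policy. The function names and sample addresses are constructed for illustration; this is an offline check and does not model how Passly evaluates policies.

```python
import ipaddress


def covered_range(entry):
    """Return (first, last, count) for a single IP or a CIDR entry.

    strict=False accepts entries whose host bits are set
    (e.g. 4.34.208.147/31) and normalises them to the enclosing network,
    which makes it obvious what the notation really covers.
    """
    net = ipaddress.ip_network(entry, strict=False)
    return str(net[0]), str(net[-1]), net.num_addresses


def matches(entry, address):
    """True if address falls inside the range described by entry.

    Raises ValueError on malformed input so a typo is never silently
    treated as "no match".
    """
    net = ipaddress.ip_network(entry, strict=False)
    return ipaddress.ip_address(address) in net


def rejected(entry, addresses):
    """Addresses from the list that a reject rule on entry would hit."""
    return [a for a in addresses if matches(entry, a)]


if __name__ == "__main__":
    # Entries taken from the article's two examples, plus one widened
    # prefix (constructed) to show the effect of a one-bit mistake.
    for entry in ("10.1.1.1", "4.34.208.146/31", "4.34.208.146/30"):
        first, last, count = covered_range(entry)
        print(f"{entry:18} -> {first} .. {last} ({count} address(es))")

    # Constructed sample sign-in addresses around the /31 boundary.
    samples = ["4.34.208.145", "4.34.208.146",
               "4.34.208.147", "4.34.208.148"]
    print("rejected by /31:", rejected("4.34.208.146/31", samples))
```

Note the third entry: writing /30 instead of /31 widens the range to 4.34.208.144 through 4.34.208.147, so two extra addresses would match the rule.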

Policy With Trusted Devices

This policy will trust the device where the Windows Logon Agent is deployed once the user has successfully signed in using 2FA. The trust will remain in place based on the Time criteria set in the ‘Device Behaviors’. This means that the next time the user signs in to this device, there will be no 2FA prompt, assuming the login attempt falls within the given time criteria range.
NOTE: The ‘Set Allowed Methods’ section with all options unchecked MUST be included.

4.png

 

 
