2FA Base Logon Policy
This policy requires the user to provide second-factor authentication. The supported second-factor authentication types are listed in the ‘Require 2FA’ section of the policy.
Note: The ‘Set Allowed Methods’ section with all options unchecked MUST be included.
Policy With Internal IP Restrictions
If you would like to create a policy that grants or denies permissions based on the private (local) IP address of the machine that is connected via Remote Desktop Connection to the machine with WLA installed, you can do this using the ‘Internal IP‘ option. It works only for WLA and only while a Remote Desktop Connection is established.
This policy adds an ‘Internal IP‘ restriction. In this case, if the Internal IP is 10.1.1.1 the user is not prompted for 2FA; otherwise 2FA is required.
NOTE: The ‘Set Allowed Methods’ section with all options unchecked MUST be included.
Policy With Sign In IP Restrictions
Sign In IP: If you would like to create a policy that grants or denies permissions based on the external IP address of the machine authenticating to Passly, you can do this using the “Sign In IP” option.
For Windows Logon agents, “Sign In IP” is the external IP of the machine where the agent is installed.
To find a machine’s Sign In IP address you can use https://www.myexternalip.com/ or any similar service. (Passly takes the “Sign in IP” from the IP address of the incoming TCP packet.)
This policy adds a ‘Sign In IP’ restriction. In this case, if the IP address is within the range 4.34.208.146/31 the user is not prompted for 2FA; otherwise 2FA is required.
Note: The ‘Set Allowed Methods’ section with all options unchecked MUST be included.
Policy With Group Restrictions
If you would like to create a policy that grants or denies permissions based on group membership, you can do this using the ‘Is member of group‘ option.
This policy adds an ‘Is member of group’ restriction. If you log in to the machine with WLA installed using RDP and want to require 2FA for admins, or whenever a user logs in from outside your private network, you can use the following policy. In this case, if the user belongs to the DomainAdmin group, or if the Internal IP is not 10.1.1.1, the user is prompted for 2FA; otherwise no 2FA is required. If 2FA should not be required when no RDP session is established to the machine with WLA installed, this can be set with the WLA configuration option ‘Enforce 2FA on RDP Only‘.
Note: The ‘Set Allowed Methods’ section with all options unchecked MUST be included.
Policy With Trusted Devices
This policy trusts the device where the Windows Logon Agent is deployed once the user has successfully signed in using 2FA. The trust remains in place for the time criteria set in ‘Device Behaviors’. This means that the next time the user logs in to that device, they are not prompted for 2FA if the device is still trusted; otherwise 2FA is required.
NOTE: The ‘Set Allowed Methods’ section with all options unchecked MUST be included.
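To make the decision logic of the four policies above concrete, here is an added example (not Passly's or the Windows Logon Agent's own code) that evaluates a logon against each restriction: the Internal IP rule, the Sign In IP range 4.34.208.146/31, the DomainAdmin group rule, and the timed device trust. The LogonAttempt and TrustStore types, their field names, and the sample values are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Set

@dataclass
class LogonAttempt:
    # Hypothetical model of one logon; field names are assumptions, not Passly's API.
    groups: Set[str]            # directory groups the user belongs to
    sign_in_ip: str             # external IP Passly sees on the incoming TCP packet
    internal_ip: Optional[str]  # RDP client's private IP; None when no RDP session
    device_id: str              # machine where the Windows Logon Agent runs

@dataclass
class TrustStore:
    """Device trust granted after a successful 2FA sign-in; expires after `ttl`."""
    ttl: timedelta
    trusted: Dict[str, datetime] = field(default_factory=dict)

    def grant(self, device_id: str, now: datetime) -> None:
        self.trusted[device_id] = now + self.ttl

    def is_trusted(self, device_id: str, now: datetime) -> bool:
        until = self.trusted.get(device_id)
        return until is not None and now < until

# Each policy returns True when the user must complete 2FA.
def internal_ip_policy(a: LogonAttempt) -> bool:
    return a.internal_ip != "10.1.1.1"  # skipped only for RDP client 10.1.1.1

def sign_in_ip_policy(a: LogonAttempt) -> bool:
    return ip_address(a.sign_in_ip) not in ip_network("4.34.208.146/31")

def group_policy(a: LogonAttempt) -> bool:
    return "DomainAdmin" in a.groups or a.internal_ip != "10.1.1.1"

def trusted_device_policy(a: LogonAttempt, store: TrustStore, now: datetime) -> bool:
    return not store.is_trusted(a.device_id, now)

def demo() -> Dict[str, bool]:
    # Constructed sample: trust granted on ws01 at 09:00 with an 8-hour window.
    t0 = datetime(2024, 1, 1, 9, 0)
    store = TrustStore(ttl=timedelta(hours=8))
    store.grant("ws01", t0)
    lan = LogonAttempt({"Users"}, "4.34.208.147", "10.1.1.1", "ws01")
    admin = LogonAttempt({"DomainAdmin"}, "203.0.113.9", "10.1.1.1", "ws01")
    return {
        "lan_no_2fa": not (internal_ip_policy(lan) or sign_in_ip_policy(lan)),
        "admin_group": group_policy(admin),
        "trusted_at_10": trusted_device_policy(lan, store, t0.replace(hour=10)),
        "expired_at_18": trusted_device_policy(lan, store, t0.replace(hour=18)),
    }
```

Note that a logon with no RDP session has no Internal IP, so the Internal IP rule never matches and 2FA stays required unless ‘Enforce 2FA on RDP Only‘ is configured on the agent.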