Background
Our innovative solution eliminates the need for passwords when logging into Windows machines. Instead, we provide a secure and efficient method for technicians using a mobile application (QTech) to access machines without relying on shared admin accounts commonly used by MSPs.
This solution enables technicians to securely log in from anywhere and allows MSPs to assign Just-In-Time (JIT) accounts tailored to each technician.
This guide outlines the steps for administrators to enable passwordless authentication within CyberQP, enabling its use for technicians and administrators in the QTech mobile app.
Benefits include:
- Enhanced Security: Individual user accounts, JIT access, and MFA mitigate security risks associated with shared credentials.
- Productivity Gains: Streamlined login processes save up to 30-45 seconds per login, boosting technician productivity.
- Simplified Centralized Compliance: Adherence to compliance standards with clean audit logs and fine-grained admin controls ensures regulatory confidence.
This article will go in-depth with configuring Passwordless Authentication inside of CyberQP and the sign-in scenario using the QTech mobile app.
Prerequisites
- Your tenant has QGuard, QGuard Pro, or the Bundle plan
- Either the Primary or Super login role
- Enablement of Just-in-Time Accounts Access (this will be explained in this article)
- Mobile App requires:
  - iOS 12.4 or Higher
  - Android 10 or Higher
Default Behaviour
- The feature is not enabled by default, even if Just-in-Time accounts are enabled
Steps
CyberQP Dashboard
- Log in to CyberQP
- Navigate to Settings and ensure Just-in-Time Accounts Access is enabled. See Enabling Just-in-time privileged accounts feature for QGuard.
- Ensure that you have enabled the Directory Source Just in Time Policy that you might want to use. If the JIT Policy is not configured, your Technicians will not be able to use Passwordless for that Directory Source type.
WARNING: As of Agent version 5.2.1.0, RDS, AVD, and Citrix environments that force the Login Credential Screen to not display previously logged-in users are not supported. Our team is still working on isolating how Microsoft alters the Login Credential screen. We will update this KB as development progresses.
- Click the toggle for "Enable Passwordless sign-ins". By default, it is enabled for all customers in your Tenant. You can then click "Manage Access" to select the customers you want this feature enabled or disabled for.
  - Warning: All customers that have this enabled will see all agent-equipped devices display a new "Technician Sign-in" option. Your tenant's MSP logo will also be displayed on the system's sign-in screen.
  - When you click Manage Access, you need to uncheck "All current and future customers" before you can select which customers to turn on this feature for.
  - For any new customers created going forward, you will have to manually check their name here to enable this feature for them.
QTech Mobile Application (Technician configuration)
- Navigate to your mobile device's app store and search for "CyberQP - QTech".
  - Apple: App Store Listing, Android: Play Store Listing
  NOTE: These links are for the US-based mobile app stores. You may need to adjust them for your country's app store. You can also navigate to the general sites for the Apple App Store or Google Play Store and search for "CyberQP - QTech".
- Download, install, and launch the QTech mobile app.
- Sign in with your CyberQP username, password, and MFA. If your tenant has an SSO provider integrated, tap "Continue with SSO" and proceed to enter your credentials from your SSO provider.
- You may also set your "Region" from North America to Europe if your Tenant resides in our EU environment.
- The QTech app will ask for your consent to access app-related data for tracking purposes. This is necessary because we use your device’s ID to uniquely link you, the technician (via a Dashboard Login), to the mobile device configured with QTech. This helps restrict your dashboard user to a maximum of two mobile apps, reducing access points for approving Just-in-time accounts and passwordless sign-in requests, thereby enhancing security.
- An app sign-in email will be sent to the email address specified for your dashboard login (See CyberQP Dashboard > "Login Management" > "Email" column).
- Open the "New Technician App Registration" email and approve the binding of the QTech app to your dashboard user.
  - Note: For security purposes, CyberQP lets you bind a maximum of two instances of the QTech app to a dashboard user. On the third QTech registration, you will be asked to remove one of your previously configured devices.
- You may now enroll your device's biometrics with the QTech app. Approve and verify your biometrics within the app if you don't want to enter your Username/Password/MFA or SSO credentials every time you open the app.
  - Click the "Hamburger" menu in the top right corner.
  - Click the toggle for Biometrics.
  - Use your biometric to confirm.
You are now ready to sign into a CyberQP agented system.
Technician Sign-in for a system
CyberQP relies heavily on its Just-In-Time (JIT) accounts system to facilitate on-demand access for Technicians. Essentially, if there are no existing JIT accounts that can be used to sign into a system, the QTech app will guide users through the process of provisioning a JIT account on the spot. This enables technicians to quickly and conveniently gain access to the system whenever needed.
- Remote to or interact with the agented system you wish to sign into.
- On the left-hand side of the sign-in screen, click the option for "Technician Sign-in".
- Enter the email address that you use to log into the Quickpass Dashboard or the PSA Insight/POD you use.
- A random two-digit number will appear on the screen.
- On your mobile device, tap the QTech Sign-in Request or launch the QTech app directly from your app list.
- Notification Pop Up: You will now be presented with information about your sign-in request. You will be prompted to create a new JIT account, enable a JIT account that was previously created (its timer had expired), or use an existing active JIT account.

Use Existing JIT Account - Active
- In this case, a previously created JIT account is still active for the Technician.
- Simply provide the 2-digit code from the system login screen and tap Approve.
- A new JIT expiration duration can be selected during this process, by clicking the Pencil icon, if you wish to extend beyond the displayed expiration.

Use Existing JIT Account - Disabled
- In this case, a previously created JIT account expired (the timer ran out) and it will be re-used for logging on.
- Specify the Reason, Duration, and the 2-digit code displayed on the system.
- Click Approve.

Create a new JIT Account
- In this case, no existing JIT account exists for the technician, so a new one must be created.
- Click Create JIT Account.
- Depending on the system role, you will be prompted to create either a Local Account or an Active Directory JIT Account (screenshots: Non-AD Joined Machine, AD Joined Machine).
- Select the appropriate Source that you want the JIT account created in and click Next.
- If you are creating a Local JIT account, you will next select the System Name from the list of all systems with an Agent installed. Search for or scroll through the list, select the system you wish to create the JIT on, and click Next.
- For either Local JIT or AD JIT accounts, you will then be presented with the Built-In Security groups, which were previously configured on the JIT accounts policy screen (see step 1). CyberQP suggests using the least privileged security group for the task you wish to accomplish.
- Click Next.
- You will then provide the JIT Account name (we suggest you keep the default), the Duration the JIT will be active for, and the reason you are creating the JIT account.
- You will then be prompted to enter the 2-digit code shown on the system login screen.
- Tap the "Approve" button. If the number provided is correct, you will automatically be signed into the system.
Next Steps:
- Using QTech Mobile to manually manage Just in Time Accounts.
- Using Passwordless with other Credential Providers
Comments
4.30.2024 - Noted Agent update fix for RDS/AVD environments. Supported after version 4.1.4.0 of the Agent.