
Installing ADSelfService Plus client software using System ...


a small element of dependency involved: an end-user needs to borrow someone else's computer to access the self-service portal. ADSelfService Plus client software overcomes such dependencies by allowing end-users access to the self-service portal through a button labeled 'Reset Password/Unlock Account'.


Installing ADSelfService Plus client software using System Center Configuration Manager

Table of Contents

Document summary
The ADSelfService Plus login agent
ADSelfService Plus login agent installation using SCCM
Step 1 Create a network share
Step 2 Create an MSI package
Step 3 Deploy an MSI package

Document summary

This document briefly describes the ADSelfService Plus login agent (GINA/Credential Provider agent) and its uses. It also guides you through the steps involved in installing the agent on a set of computers in a domain using System Center Configuration Manager (SCCM).

The ADSelfService Plus login agent

The ADSelfService Plus login agent is an extension of the standard Credential Provider from Microsoft. When installed, it can enable multi-factor authentication (MFA) for local Windows logins, RDP logins, and User Access Control actions to protect machines from credential-based attacks. It also adds a button labeled "Reset Password/Unlock Account" to the native Windows login screen, allowing users to reset their passwords and unlock their accounts directly from that screen.

System Center Configuration Manager (SCCM) is a systems management software product developed by Microsoft for managing large groups of computers running Windows NT, Windows Embedded, macOS (OS X), Linux, or UNIX, as well as many other operating systems. Using its software distribution capability, you can deploy ADSelfService Plus client software to the desired computers in a domain.

ADSelfService Plus login agent installation using SCCM

License prerequisites

- The Endpoint MFA add-on for ADSelfService Plus is required to enable MFA for Windows logins. Visit the store to purchase the add-on.
- The ADSelfService Plus Professional Edition is required to enable self-service password reset and account unlock on the Windows login screen.

Step 1 Create a network share

1. Go to [install_dir] > ManageEngine > ADSelfService Plus > bin. Copy the file located in the bin folder, and paste it in a network share.

Note: Make sure that the SCCM administrator has read access to the network share in which the file is located.

Step 2 Create an MSI package

1. Go to the System Center Configuration Manager
2. Navigate to Software Library > Application Management drop-down > Packages > Create
3. In the Package tab of the Create Package and Program Wizard, enter an appropriate Name for the package.
4. Provide a Description, the Manufacturer name, Language, and Version based on the
5. Click Browse next to the Source folder
6. Enter the location of the Source folder (the network share which contains the required file).
7. Click OK and click
8. Select Standard program from the Program Type tab and click
9. Enter the Name of the program.
10. In the Command field, enter the MSI command to be used for installation via SCCM:

msiexec /i "\\ " SERVERNAME= " PORTNO="443" PROTOCOL="https" INSTALLATION_KEY="19d82629b4e540fc873df8775d3630cb" BUTTONTEXT="Reset Password / Unlock Account" BYPASS="true" FRAMETEXT="Can't log on? Please click on the Reset Password/Unlock Account button to reset your password or unlock your account" GINAHOSTEXCLUDE="okta,onelogin" MFAENROLLMENTWINDOWTITLE="Multi-Factor Authentication - Enrollment" MFAWINDOWTITLE="Multi-Factor Authentication" PPE_POPUP="true" PROD_TITLE="ADSelfService Plus" RESTRICTBADCERT="false" SERVERUNREACH="This action requires you to be verified with MFA. Please make sure the ADSelfService Plus server is reachable, has a proper SSL certificate, and is connected to the domain controller." SHOWADSSPLINK="true" SHOWADSSPTILE="true" WINDOWSLOGONTFA="true" MACHINEMFAUSAGESCENARIO="31"

To find the command, log into the ADSelfService Plus admin portal and go to Configuration > Administrative Tools > GINA/Mac/Linux (Ctrl+Alt+Del) > Installation Help Guide > GINA Login using SCCM (System Center Configuration Manager) > View Parameters. Click View Parameters to view the command, then copy

The full list of all the parameters that can be used during installation of the Login Agent is given below. If you want your client software to have the default layout, only enter the default command shown above; otherwise, you can customize it with any of the other parameters.

Note 1: The starred (*) parameters are applicable only in cases where the server is offline or unreachable. Otherwise, the enforced status will be decided in real time based on the policy configuration settings in the server on which ADSelfService Plus is running (based on the Access URL configured).

- Specifies the ADSelfService Plus DNS hostname to be contacted, after GINA login agent startup during machine login or self-service password reset and account unlock
- PORTNO | PortNumber | The port number of the ADSelfService Plus server (based on the Access URL configured). | Defines the port number used by the ADSelfService Plus server
- or HTTPS based on the Access URL configured | Specifies the protocol used by the ADSelfService Plus server to send or receive
- installation key that links the ADSelfService Plus server and
- Password / Unlock Account | Specifies the button text visible on the Windows login to launch the Reset Password/Account Unlock
- whether MFA should be bypassed when the ADSelfService Plus server is unreachable during machine
- 't logon? Please click Reset Password/ Unlock Account button to reset your password or unlock your | the text to be displayed as the description. (Applicable only for Windows XP.)
- GINAHOSTEXCLUDE | GinaHostExclude | okta, onelogin | Specifies the hosts to which a connection can be established from the login default, all hosts except the ADSelfService Plus server will be restricted. But this parameter must be used if SAML authentication is enabled for MFA and third-party IdPs
- - Enrollment | Defines the text that will be used as the title in the MFA enrollment only when enrollment is enforced for MFA for machine
- the title of the MFA window displayed when MFA gets prompted by the login
- whether password policy requirements must be displayed in the Ctrl+Alt+Del change password screen or not
- Plus | Specifies the title to be displayed when the login agent window opens during self-service actions or
- whether the usage of expired, self-signed, or invalid SSL certificates during self-service actions and MFA is restricted or not
- the ADSelfService Plus link in the Ctrl-Alt-Del
- unreachable due to intermittent network connectivity or improper SSL certification, or as the Domain Controller configured in ADSelfService Plus is down. Please contact | the error message to be displayed if the server is unreachable during password reset, account unlock, or
- whether the Reset Password/Account Unlock button is displayed as a credential tile on the login screen or not
- *MFAUsageScenarioMask | 5 | Determines whether the MFA for Machine Logins feature will be enabled for specific scenarios or not based on the value provided. Learn
- whether MFA for Machine Login has been enabled or not

Scenario where MFA is required | Corresponding parameter value
For machine login | 1
For locked machines | 2
For UAC | 4
For RDP server | 8
For RDP client | 16

Note 2: If you wish to enable MFA for multiple scenarios, you will have to mention the value of the sum of those scenarios in the MACHINEMFAUSAGESCENARIO parameter. For instance, if you want to enable MFA for both logging in to a machine and unlocking a machine, add their respective values (1 + 2) and pass the result (3) as the parameter value.

- *isMFAEnforced | FALSE | If set to true, MFA will be enforced for all users accessing the machines irrespective of their enrollment status, self-service policy membership, or ADSelfService Plus connectivity
- whether the cached credentials update feature is enabled or not
- ENABLEDISTPVPNEnabled | None | Specifies whether a third-party VPN (VPN providers other than Windows Native VPN) is enabled or not
- the VPN server's
- the ADSelfService Plus server's port number used to connect to the
- the value of the pre-shared key configured while setting up Windows Native VPN for the cached credentials update
- the VPN group name used when configuring Updating Cached Credentials over VPN feature. Required only when a Cisco AnyConnect VPN is used
- VPN_DOMAIN_NAME | VpnDomainName | None | Defines the domain name to which the VPN should be connected during cached credentials update. Applicable only when SonicWall NetExtender or a custom VPN provider is
- the VPN connection behavior for cached credentials update based on the provider used. This pre-set number key is used to denote the VPN

VPN provider | Number value
VPN | 0
Fortinet and Cisco IPSec | 1
Windows Native VPN | 2
Cisco AnyConnect | 3
SonicWall NetExtender | 4
Checkpoint RemoteAccess VPN and SonicWall Global VPN | 5
Open VPN | 7

- VPN_CLIENT_LOCATION | VpnClientLocation | None | Specifies the VPN client location. (Example: C:\Program Files (x86)\Fortinet\FortiClient\ )
- VPN_CONNECT_CMD | VpnConnectCmd | None | VPN provider-specific command that is used to connect to the VPN during cache credentials
- _CMD | VpnDisconnectCmd | None | VPN provider-specific command that is used to disconnect from the VPN during cache credentials of your third-party
- whether a custom icon is uploaded for the GINA browser title or if the default icon should be used. Before setting the parameter as true, ensure that the custom title icon is uploaded at C:\\Windows\\ System32\\ If the parameter is set as false, the default title icon will be

Note 3: If a new Installation Key is generated, the admin will need to copy the command with the new Installation Key from the product admin portal as described in step 10 and update the Command field with the new command for all new

11. Select Hidden from the Run
12. Select Only when a user is logged on option from the Program can run
13. Select Run with administrative rights option from the Run mode drop-down. Click
14. In the Requirements tab, select This Program can run on any platform option and then click
15. Click Close to
16. In the Summary tab, confirm the selected settings by clicking

Step 3 Deploy an MSI package

1. Select the package you have created in the Packages tab, then click
2. In the Deploy Software Wizard, click Browse next to the Collection
3. In the Select Collection window, select the machines in which the client software should be deployed, click OK, then click
4. In the Content tab, select Distribution Point from the Add
5. Select the required Distribution Points from the list provided, then click
6. Make sure that the distribution points that you selected are shown in the list. Click
7. In the Deployment Settings tab, select Required to configure a custom schedule for installation of the client software. Click
8. In the Scheduling tab, specify the schedule for the deployment. Click
9. Make the necessary changes in the User Experience tab.
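An added example, not part of the ManageEngine document: a short Python check that can be run over the text of the SCCM Command field before the program is created, flagging the settings in the default command that weaken the MFA deployment. Reading BYPASS and RESTRICTBADCERT as the bypass and certificate settings described in the parameter list, and the scenario bit values 4, 8 and 16, are assumptions; the sample command uses a placeholder package path, server name and installation key.

```python
import re

# Bit values for MACHINEMFAUSAGESCENARIO. 1 and 2 come from the page's note
# (login + unlock = 3); 4, 8 and 16 are read in order from its damaged
# scenario table and are an assumption.
SCENARIOS = {1: "machine login", 2: "locked machines", 4: "UAC",
             8: "RDP server", 16: "RDP client"}
PAIR = re.compile(r'\b([A-Z_]+)\s*=\s*"([^"]*)"')

def parse_properties(command):
    """Return the PROPERTY="value" pairs of an msiexec command as a dict."""
    return {name: value.strip() for name, value in PAIR.findall(command)}

def uncovered_scenarios(mask):
    """List the scenarios whose bit is not set in the usage-scenario mask."""
    return [label for bit, label in SCENARIOS.items() if not mask & bit]

def review(command):
    """Return findings for settings that weaken the MFA deployment."""
    props = parse_properties(command)
    findings = []
    if props.get("PROTOCOL", "").lower() != "https":
        findings.append("PROTOCOL is not https")
    if props.get("RESTRICTBADCERT", "").lower() != "true":
        findings.append("RESTRICTBADCERT is not true: expired, self-signed "
                        "or invalid certificates are not restricted")
    if props.get("BYPASS", "").lower() == "true":
        findings.append("BYPASS is true: MFA is bypassed when the server "
                        "is unreachable")
    raw = props.get("MACHINEMFAUSAGESCENARIO", "")
    missing = uncovered_scenarios(int(raw) if raw.isdigit() else 0)
    if missing:
        findings.append("no MFA for: " + ", ".join(missing))
    return findings

# Constructed sample: settings as in the page's default command, scenario
# value 3 from its note, placeholder package path, server name and key.
SAMPLE = ('msiexec /i "\\\\fileserver.example\\share\\agent-placeholder.msi" '
          'SERVERNAME="adssp.example" PORTNO="443" PROTOCOL="https" '
          'INSTALLATION_KEY="PLACEHOLDER" BYPASS="true" '
          'RESTRICTBADCERT="false" WINDOWSLOGONTFA="true" '
          'MACHINEMFAUSAGESCENARIO="3"')

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print("-", finding)
```

With the sample command the check reports the certificate setting, the bypass setting, and the three scenarios that a mask of 3 leaves without MFA.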

