User Management - Provisioning

All user management takes place in the Users section of the Web Console.

Provisioning is the process of providing users with the ability to authenticate with a second factor when accessing devices/services protected by ESET Secure Authentication.

Since ESA version 3.0, phone number is not essential to use the ESA mobile application unless SMS provisioning is used. The phone number for each user is typed either manually when creating/editing the user in the Web Console, or imported automatically along with the user information if synchronizing with LDAP, or typed by the user if self-enrollment is enabled.

Each user belongs to a realm (domain, computer name, etc.). Realms and users are created automatically when a user logs on a machine with an ESA component installed, logs in to a service protected by ESA, or if ESA is synchronized with LDAP. You can also create custom realms manually.

The image below shows a custom realm and an automatic realm. The custom realm was created manually (Custom Realm), and Test User user was added to it. The automatic realm and its two users were created automatically (admin, Test). The realm name was derived from the computer where the Windows Login protection is installed, and the two users logged on. The status column indicates if the user has 2FA enabled (and used 2FA at least once) or 2FA setup is pending. The Display Name column shows the value of the Display Name field. It can either be defined manually per user or automatically synchronized from Active Directory (or LDAP) based on the configuration at Settings > Default Fields > select Default display name field as the Field type.

users

 

Create a custom realm manually

1.Click the icon_add-or-create icon next to Realms and click Create custom Realm.

2.Type the desired string for both Realm ID and Realm Name, select Category,and click Save.

To create a realm corresponding to an Active Directory domain manually, you must find the GUID.

Obtain domain GUID from ADUC

1.Open Active Directory Users and Computers.

2.Right-click the domain name, select Properties.

3.Click the Attribute Editor tab, look up ObjectGUID.

4.Use the ObjectGUID value in the Realm ID field when creating the realm manually.

Obtain domain GUID via PowerShell

1.Open Windows PowerShell.

2.Run one of the following commands:

Get-ADDomain | select -Property ObjectGUID

or

wmic ntdomain list full

To manually create a realm that corresponds to a local computer (non-domain users), you need the SID.

1.Download PsGetSid.

2.Run PsGetsid.EXE or PsGetsid64.EXE (depending on your Windows bit version) from Windows Command Prompt or Windows PowerShell.

Add user to a realm manually

1.Select the realm where you want to add the user.

2.Click Add user.

3.Type the name, phone number, and optionally e-mail address of the user.

4.Click Create user.


important

Phone number format

Mobile numbers must be in the international format "+421987654321", where +421 is the country code. For example, a Slovak phone number 0987654321 would be typed as +421987654321, replacing the leading zero "0" with the country code "+421". A US phone number "201-321-4567" would be typed as "+12013214567", where "+1" is the country code.

You can also import users to a custom realm from a file.

Send the mobile application to users

The default provisioning method is ESET servers, meaning SMS delivery, which requires a valid phone to send the installation link.

1.Select the check box next to users who will receive the mobile application.

2.Click Send application.

3.Close the confirmation window.


note

The validity of the provisioning link

The time validity of the provisioning link is 24 hours or until first use.

Enabling 2FA per user

Click a user and select the desired authentication options. OTP and Push authentication are the most convenient ones. If Hard Token OTPs have been enabled and imported, then Hard Tokens will be available in the drop-down menu under the Hard Token slider bar. Click Save to save the changes.

users_enable-2fa_per-user

 

If an authentication method requires any information, a notification is displayed. You can still save the user's profile, and if self-enrollment is enabled, the user can fill in the missing information after they sign up for 2FA.

If Mobile Application OTP or Mobile Application Push has been turned on, a notification will display to remind you to send the enrollment/provisioning message to the user to activate the mobile application.

users_2fa_per-user_enabled_send-provisioning-message

 

If you click Do not send or Cancel, you can use the Actions button to send the enrollment/provisioning message later. If you click Send, an information window will show you the unique application URL sent to the user.

Enabling 2FA for multiple users at one time

1.Select the check box next to the users you are enabling 2FA for.

2.Click 2FA, select Enable and select the desired authentication option.

3.Close the confirmation window.

 

For instructions on installing and using the mobile application, click the desired mobile OS to be redirected to the corresponding article:

Android

iPhone

See a list of IP addresses and ports used for communication with ESET Secure Authentication Provisioning Server.