Password-less login from unmanaged devices

The following describes the configuration in Ivanti Access for Zero Sign-on.

Before you begin 

• Ensure that you have an Ivanti Access deployment with UEM.
  See Overview of configuration with Ivanti Neurons for MDM.
  OR
  See Overview of configuration with Ivanti EPMM

• Ensure that mobile app single sign-on (SSO) is configured for the service provider (SP).
  For a federated pair, see Configuring Mobile App Single Sign-on (SSO).
  For delegated IdP, see Configuring Ivanti Access as the delegated IdP .

Procedure: Overview of steps

• Enabling Password-less Authentication on Go and Mobile@Work

• Adding a Zero Sign-on Rule in the Policies

A green tick displays when these steps are configured correctly. This shows that the authentication is configured correctly.

Enabling Password-less Authentication on Go and Mobile@Work

Before you begin 

• Configure the user information for Zero Sign-on.

  • To configure the user information, map the fields in the certificate from which Ivanti Access gets user identifying information. This is the identity certificate used for setting up the configuration. Configuring the user information enables password-less authentication.

Procedure 

1. In Ivanti Access, go to Profile > Zero Sign-on.
2. Under Steps to deploy, expand Enable Password-less Authentication on Go and Mobile@Work.
   
3. Click See Details to view the existing configuration details for the devices.
   
   
   
4. To enable more devices follow the steps i) and ii) as shown above.
   1. Deploy SaaS Sign-On on managed mobile devices.
   2. Sync UEM.

Adding a Zero Sign-on Rule in the Policies

In the policy associated with the SAML pair for which Zero Sign-on is required, add a Zero Sign-on Rule conditional rule. If the rule is added, users accessing the cloud service from an unmanaged device see an interaction page. The interaction page contains a QR code, which device users can scan from a managed device to authenticate to the cloud service. Alternately, the interaction page also contains a link to authenticate with username and password.

Before you begin 

• Ensure that mobile app single sign-on is configured for the federated pair or delegated IdP to which you want to assign the Zero Sign-on Rule. If mobile app single sign-on is not configured, you will see errors when creating or assigning the Zero Sign-on Rule.

Procedure 

1. In Ivanti Access, go to Profile > Zero Sign-on.
2. Under Steps to deploy, expand Add Zero Sign-On Rule in the Policies.
   

3. Click See Details to view the existing UEMs with SaaS on configuration created and synced with Ivanti Access.

4. Verify that the rule is configured.
   Else add a rule in Profile > Conditional Policies.
   
5. In Ivanti Access, go to Profile > Conditional Access.
6. Expand Default Policy.
   If you want Zero Sign-on only for some federated pairs or delegated IdP, create a new policy.
   The Zero Sign-on rule can be added to any policy. Adding the Zero Sign-on rule to the default policy makes it available to all pairs to which the default policy is applied. Add the Zero Sign-on rule to another policy if you want to apply the rule to only some federated pairs or delegated IdP.

7. Click +Add Rule > Zero Sign-on Rule to add the conditional rule for Zero Sign-on.
   

8. Enter a name and description for the rule.
   
   
9. Configure the rule for one of the following devices.
   1. For unmanaged devices: Enable the toggle switch to allow access on unmanaged devices. Users are authenticated with one of the following methods: QR code, Push notification, One Time Password (OTP), FIDO Authenticator.
      
      
   2. Step-Up Authentication: Enable the toggle switch to step-up authentication such as Push notifications or biometric for managed desktops.
10. For Rule Action, select Allow.
11. Click Done to save the policy and rule.

The order of the conditional rules matters. When you create a Zero Sign-on Rule, Ivanti Access automatically orders the rules such that the Zero Sign-on Rule follows the Trusted App and Device rule. The order of rules, if they are configured, is as follows: Trusted App and Device rule, Zero Sign-on Rule, Multi-Factor Authentication rule. However, the rules can be manually reordered. Ensure that the order of the rules matches the order stated in this note.

Configuring portal for FIDO security

The Configure Portal section is required for users without MobileIron Go or Mobile@Work to sign-in to service providers using registered FIDO hardware key, macOS TouchID or Windows Hello.

The section provides information if the portal is configured. Else it provides a link to configure the portal.

Configuring branding for Zero Sign-on

Customize the user experience for your enterprise users by uploading your company logo to Ivanti Access. The user notification screen as well as the interaction page with the QR code are customized to display your company logo.

Ensure that your company logo is no more than 260 pixels wide by 30 pixels high. Supported file types are: PNG, JPG, JPEG, and SVG.

Procedure 

1. In Ivanti Access, go to Profile > Branding.
2. In the Company Logo section, drag and drop your company logo or click Choose to navigate to the location of the file and add.

Next steps 

Publish the updates. See Publishing the changes.

Publishing the changes

Publish the changes to make the updates available. In the Ivanti Access administrative portal, a publish banner appears in any of the Profile tabs when there are configuration changes.

Procedure 

1. In the Ivanti Access, go to Profile > Overview.
2. Click Publish.
3. Click OK.