What users see for multi-factor authentication in UEM client

If multi-factor authentication is configured, device users can authenticate and access enterprise cloud services from an unmanaged device. Users see the Authenticate option in the UEM client on their managed device.

Figure 1. Authenticate option in Go

The following topics provide information about multi-factor authentication on the UEM client:

Ivanti Access cloud services

When users attempt to access an enterprise cloud service from an unmanaged device, they are prompted to enter their user name and then prompted to confirm the request on the managed device that has the UEM client.

The configured IdP challenges users for their credentials. Access does not ask users for their credentials.

A prompt appears on the managed device alerting the user to the access request. If users accept the prompt, they are allowed access from the unmanaged device. If users decline the prompt, they see an authentication failed message on the device and the authentication request from the device is blocked.

Figure 2. prompt to allow Ivanti access from unmanaged device

Custom service provider

The interaction pages and push notification for two-factor authentication display the service provider (SP) name and logo. For a custom service provider, if a name is not configured, the interaction pages and push notifications display Custom Service Provider for the SP name. If a logo is not configured for the custom SP, the name of SP is seen where the logo would have been displayed.

Generating one-time passcode (OTP)

Device users can generate a one-time passcode in the UEM client. Users may want to generate an OTP if the managed device does not have access to the Internet.


  1. Launch the UEM client.
  2. Tap Authenticate > One-Time PIN.

    Figure 3. One-time pin