What users see for FIDO2
FIDO2 is a feature available with the MobileIron UEM clients: MobileIron Go or Mobile@Work, and MobileIron Authenticate.
If the FIDO2 solution is configured, users can authenticate to and access enterprise cloud services from third-party managed devices that have MobileIron Authenticate installed.
When a user tries to log in, a push notification is sent to all of the user's active devices. When the user approves the push notification on any one of those devices, access is granted for that session, and the corresponding sessions on all other devices become invalid. Deactivating password-less sign-in on one device does not deactivate it on the user's other devices.
The following sections describe the user experience with FIDO2:
Workflow for registered browsers
A browser that launches after a successful MobileIron Authenticate registration is a registered browser.
For a registered browser, when the user tries to open a service provider, Access automatically invokes MobileIron Authenticate and authenticates the user using FIDO2.
If step-up authentication is configured, the user is prompted either to present biometrics or to approve a push notification sent to the MobileIron-registered mobile device.
The following screenshots show the authentication workflow with a registered browser:
[Screenshots]
Workflow for non-registered browsers
Non-registered browsers are browsers that are not the default browser, and any other browsers that are not registered with MobileIron Authenticate.
In a non-registered browser, the user must authenticate using MobileIron Authenticate, a QR code, or a password.
The following screenshots show how to log in using MobileIron Authenticate:
[Screenshots]
The following screenshots show how to log in using a QR code:
[Screenshots]
The following screenshots show how to log in using username and password credentials:
[Screenshots]
Workflow on Android devices
This section describes the end-user interactions on Android devices.
Unlocking a desktop on Android devices
To unlock a FIDO2-enabled Windows or Mac desktop, you must authenticate from your Android device.
Unlocking a Windows desktop
The following screenshots show how to authenticate on the Android device with MobileIron Go when a user tries to unlock a FIDO2-enabled Windows desktop:
[Screenshots]
Unlocking a Mac desktop
The following screenshots show how to authenticate on the Android device with MobileIron Go when a user tries to unlock a FIDO2-enabled Mac desktop:
[Screenshots]
Activating a password-less sign-in on Android device
To activate a FIDO2 Android device (if this was not already done during enrollment), go to MobileIron Go > Menu > Settings > Authenticate and turn on the toggle button, then complete the authentication as shown below:
[Screenshots]
Deactivating a password-less sign-in on Android device
To deactivate an Android FIDO2 device, turn off the toggle button in MobileIron Go > Menu > Settings > Authenticate.
[Screenshots]
Ending a browser session
You can end a browser session from MobileIron Go > Menu > Settings > Authenticate > End Browser Session. Ending a browser session automatically signs you out of the company websites in those browsers.
NOTE: This option is available only if the user has active browser sessions running.
[Screenshots]
Workflow on iOS devices
This section describes the end-user interactions on iOS devices.
Unlocking a desktop on iOS devices
To unlock a desktop from an unlocked iOS device, go to MobileIron Go > Menu > Settings > Authenticate.
[Screenshots]
To unlock a desktop from a locked iOS device, go to MobileIron Go > Menu > Settings > Authenticate.
[Screenshots]
Activating password-less sign-in on iOS device
To activate a FIDO2 iOS device, go to MobileIron Go > Menu > Settings > Authenticate and turn on the toggle button, then complete the authentication as shown below:
[Screenshots]
Deactivating password-less sign-in on iOS device
To deactivate an iOS FIDO2 device, turn off the toggle button in MobileIron Go > Menu > Settings > Authenticate.
[Screenshots]
Ending a browser session on an iOS device
You can end a browser session from MobileIron Go > Menu > Settings > Authenticate > End Browser Session. Ending a browser session automatically signs you out of the company websites in those browsers.
[Screenshots]
Workflow for Desktop login
You must log in to the desktop and then approve the push notification on your mobile device.
[Screenshots]