What users see for Authenticator Only

Authenticator Only is a feature available with the UEM client. If Authenticator Only is configured, users can register their unmanaged device in Authenticator Only mode. The device can now serve as the user's identity and authentication factor, allowing users to authenticate and access enterprise cloud services from an unmanaged device without having to use their user name and password.

The following sections describe the user experience with Authenticator Only:

Registration workflow for Authenticator Only devices

To register their devices with UEM in Authenticator Only mode, users can download the UEM client (Go or Mobile@Work) from the Apple App Store or from Google Play Store.

Only in-app registration is supported.

Authenticator Only registration workflow on Android devices

To register their unmanaged device in Authenticator Only mode, users download the UEM client from the Google Play Store. The following picture illustrates the Authenticator Only registration workflow using Go on Android devices.

Users are prompted to grant permission for Go to access the camera. Access to the camera is needed to scan the QR code for passwordless authentication. If biometrics is configured on the UEM, device users are prompted to set up biometrics after they have registered.

Authenticator Only registration workflow on iOS devices

To register their unmanaged device in Authenticator Only mode, users download the UEM client from the Apple App Store. The following picture illustrates the Authenticator Only registration workflow using Go on iOS devices.

If biometrics is configured on the UEM, device users are prompted to set up biometrics after they have registered.

Log in to cloud services

When users attempt to access an enterprise cloud service on an unmanaged device, such as their desktop, they are presented with an interaction page.

Figure 1. QR code presented on an unmanaged device

The interaction page contains a QR code and the following options, which are provided for additional security and ease of use:

  • Yes, this is my personal computer

    By selecting this option, users indicate that the device is trusted.

  • No, this is a shared computer

    By selecting this option, users indicate that the device is publicly available.

Users scan the QR code with the UEM client, Go or Mobile@Work, on their mobile device to sign on to the enterprise cloud service. To scan the QR code, device users:

  1. Tap the UEM client on their mobile device.
  2. Tap Authenticate.
  3. Authenticate with passcode or biometrics.
    The authentication method depends on the setup of the device and the UEM client.

The Authenticator Only device used to scan the QR code automatically becomes the primary device for passwordless authentication. Push notifications are sent to the primary device.

Subsequent login attempts

If users select the Yes, this is my personal computer option on the interaction page when scanning the QR code, the user ID is remembered on the browser for 30 days. For subsequent login attempts to the enterprise cloud services set up on Ivanti Access:

  • Login is seamless. Users are not prompted to sign in for the session timeout duration set by the administrator in Profile > SaaS Sign on.
  • For login attempts after the session timeout duration, a push notification is automatically sent to the primary Authenticator Only device. Users have the option to either enter an OTP or scan a QR code.
  • At the end of 30 days, the user ID is no longer remembered in the browser, and users are once again prompted to scan a QR code.

If users select No, this is a shared computer, the session management settings in the cloud service are applied.

Zero Sign-on with QR code - Android Authenticator Only devices

The following figure provides an example of the workflow on an Android Authenticator Only device when using passwordless authentication.

Figure 2. Scanning the QR code - workflow on Android Authenticator Only device

Zero Sign-on with QR code - iOS Authenticator Only devices

The following figure provides an example of the workflow on an iOS Authenticator Only device when using passwordless authentication.

Figure 3. Scanning the QR code - workflow on iOS Authenticator Only device

Zero Sign-on with push notifications or OTP

Push notifications are sent to the Authenticator Only device that was used to scan the QR code. Accepting the push notification on the Authenticator Only device completes the sign-on to the enterprise cloud service.

Users also have the option to generate and use a one-time passcode (OTP) instead of a push notification. Users generate the OTP on the Authenticator Only device, then select the OTP option on the unmanaged device and enter the passcode.

Figure 4. Login message if a push notification is sent

The following illustrates an example of the OTP workflow on an Android device using Go.

Figure 5. OTP option on an Android Authenticator Only device

The following illustrates an example of the OTP workflow on an iOS device using Go.

Figure 6. OTP option on an iOS Authenticator Only device

Device out of compliance

In an Authenticator Only deployment, if users scan the QR code with an Authenticator Only device that is out of compliance, an out of compliance message is presented. Access to the enterprise cloud service is not granted, and a new QR code is presented to the user. Users can switch to a compliant Authenticator Only device to authenticate.

Users see the non-compliance message in the following cases:

  • Initial login, when the Authenticator Only device used to scan the QR code is out of compliance.
  • Subsequent login, when the Authenticator Only device that receives the push notification is out of compliance.
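As an added illustration (not Ivanti code), the following Python model encodes the subsequent-login rules and the compliance gate described above: the 30-day browser memory of the user ID, the SaaS Sign on session timeout, and the refusal of an out-of-compliance Authenticator Only device. The class and function names, the sample timestamps and the session timeout value are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

REMEMBER_DAYS = 30  # the user ID is remembered on the browser for 30 days


@dataclass
class AuthDevice:
    name: str
    compliant: bool  # UEM compliance state of the Authenticator Only device


@dataclass
class BrowserState:
    personal: bool                     # "Yes, this is my personal computer" was chosen
    remembered_at: Optional[datetime]  # when the user ID was stored after the QR scan
    last_sign_on: Optional[datetime]   # last completed sign-on from this browser
    primary: Optional[AuthDevice]      # device that scanned the QR code (receives pushes)


def scan_qr(browser: BrowserState, device: AuthDevice, now: datetime) -> str:
    """Model of the QR-scan step: an out-of-compliance device is refused and a new
    QR code is shown; a compliant device becomes the primary device for pushes."""
    if not device.compliant:
        return "denied_new_qr"
    browser.primary = device
    browser.last_sign_on = now
    # The user ID is only remembered when the user marked the computer as personal
    browser.remembered_at = now if browser.personal else None
    return "signed_on"


def next_login(browser: BrowserState, now: datetime, session_timeout: timedelta) -> str:
    """Model of what the user sees on a later visit from the same browser."""
    if not browser.personal or browser.remembered_at is None:
        # Shared computer: the cloud service's own session management applies
        return "cloud_service_session"
    if now - browser.remembered_at >= timedelta(days=REMEMBER_DAYS):
        return "scan_qr"  # user ID no longer remembered, QR code is shown again
    if browser.last_sign_on and now - browser.last_sign_on < session_timeout:
        return "seamless"  # still inside the SaaS Sign on session timeout
    # Past the session timeout: a push (or OTP) goes to the primary device,
    # but only a compliant device may complete the sign-on
    if browser.primary is None or not browser.primary.compliant:
        return "denied_new_qr"
    return "push_or_otp"
```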

Figure 7. Out of compliance message for devices

Deactivate Authenticator Only on the device

Users can deactivate Authenticator Only on their device. Users may want to deactivate Authenticator Only on a device if they want to use another Authenticator Only device to scan the QR code and receive push notifications on the new device. The device used to scan the QR code automatically becomes the primary device for Authenticator Only and receives push notifications if the user enabled the feature when scanning the QR code. Deactivating Authenticator Only on the device stops the device from receiving push notifications.

To deactivate Authenticator Only in the UEM client for Android, open the menu and tap Settings > Sign Out.

Figure 8. Deactivate Authenticator Only on Android devices

When users sign out, the device is unregistered from the UEM. However, the UEM client app remains on the device. To register once again, launch the UEM client app on the device and enter the username and password.

On iOS devices, users deactivate Authenticator Only by removing the UEM client from the device. To use the device again as the user's identity and authentication factor, device users can install and register the UEM client for iOS in Authenticator Only mode.