How Do I Set up a Mobile Device with an App for Multi-Factor Authentication?

Applies to: Nerdio for Azure (NFA) Professional and Enterprise RDS Accounts Only.

Refer to this KB article to determine if you are an NFA user.

How do I setup a Mobile Device with an App for Multi-Factor Authentications?

SMS PASSCODE is the multi-factor authentication service installed by default with Nerdio.  This application relays multi-factor authentication codes to a personal device via SMS text message and voice.
There may be situations where there is a more preferred method of providing multi-factor authentication.  Users do have the ability to install an app based token to login to their Nerdio desktop.  This guide will help detail the steps to get a device enrolled with an app to generate multi-factor tokens.

Enabling the Token Policy in the SMS Passcode Service
1. Login to your DC01 as an Administrator
2. Open the SMS Passcode service console by clicking the icon on the desktop or navigating to http://localhost:2000
3. Under the Settings Menu you'll find General settings.  Click on the Authentication Settings Tab.  Enable "Token" under General Authentication Settings.

4.  This will Enable Token policies as you can see below under policies.  The Mobile device policy settings can be added or edited here if desired.  Below is an example of a Mobile Device Policy we've added. 

5. Under User Group Policies, edit the 2FA License Assignment Policy, Setting the Token Policy to your new Token policy and setting Token Authentication to "Allow" as shown below.

6. Adjust the Self-Service Website Settings for your 2FA License Assignment Policy (This is the default policy name for 2FA Users).  Enable the Token assignment to enable Read/Write as shown below.2019-08-02_10_44_29-_1013__DC01_on_v2-demo-esx02.level2iaas.local.png
These steps have now prepped your environment's Self-Service password site to allow Tokens for users in the 2FA License Assignment Policy. 

Generating an Enrollment Token
Please follow these steps below to generate a token for device enrollment:
1.  Login to the Nerdio environment as the user intended to enroll
2. Navigate to http://dc01:3000  You'll be presented with a page that looks like this:
3.  Verify the information on this page looks correct and click the "Generate" button as highlighted above.  This should generate a QR code like the one shown here:
4. Keep this up on your screen as you follow the next steps.
Configuring Your Mobile Device
A mobile application will be needed to enroll your mobile device with a Multi-Factor Authentication token.  We recommend the Google Authenticator App and will be using this in these steps.  This app in the Google Play store an the Apple App store for iOS devices.  Other apps are available such as the Microsoft Authenticator as well if desired, but we'll stick with the Google Authenticator in this demonstration.

To Enroll the mobile device with a token follow these steps:
1. Download the Google Authenticator App from your platform's proper store (Google Play or Apple App Store)
2. After opening the app, you'll be presented with this screen, please tap "BEGIN"
2.  A Google sign in prompt will be the next screen, this can be skipped
3.  The next screen will prompt you to add an account.  The quickest way to add an account is choosing the "Scan a barcode" option.  Tapping this option may ask for permission to use your Camera, this is normal and will need to be allow to scan a barcode.
4.  After tapping the "Scan a barcode" option, your camera should now turn on and display on your device.  Point your camera at the barcode that you've created in the previous section in step 3.  You should now see a screen that looks like this:
5.  You can now click "Close" on the QR code screen on your computer and please ensure you've clicked SAVE on the SMS Passcode Self Service screen.
When signing into Nerdio, this user can now use their Google Authenticator app's authentication code to login to Nerdio as their Multi-Factor Authentication.  

Nerdio Tip

Depending on your scenario there maybe times when your Remote Desktop connection logon will close before you receive your authentication code.  You can extend the Remote Desktop login timeout to solve for this.

The login timeout is set in the registry, with the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
Add a new DWORD value for LogonTimeout, containing the timeout value in seconds.

After that, restart the Terminal Services service. (If you are connected via Remote Desktop, your session will be terminated.)

If you have any questions, feel free to contact us. 

Was this article helpful?

0 out of 0 found this helpful
Have more questions? Submit a request

Comments (0 comments)

Article is closed for comments.