Enroll Remote Users in MFA
This page explains how multi-factor authentication (MFA) registration is triggered for remote users, depending on the type of session they open.
Remote users can enroll in MFA through different UserLock components. The appropriate method depends on how users connect to your environment (via VPN, IIS web apps, Remote Desktop Gateway, or UserLock Anywhere).

| Session type | Enrollment trigger |
|---|---|
| Workstation from outside (UserLock Anywhere) | At Windows logon outside the corporate network |
| IIS | When accessing an IIS web app for the first time |
| Terminal from outside (RD Gateway) | When starting an RDP session through RD Gateway |
| Workstation with VPN connection | When unlocking the session during an active VPN connection |
| UserLock VPN Connect | When opening a VPN session via UserLock VPN Connect |

When the user logs on to Windows outside the corporate network, the Desktop Agent can reach the UserLock service directly via the public Anywhere URL. The MFA enrollment dialog appears if the account is not yet enrolled.

Steps:

1. Administrator enables MFA for the account.
2. User signs in to Windows from outside the network.
3. The MFA enrollment dialog appears and completes automatically.

Requirements:

- Desktop Agent installed on the workstation.
- UserLock Anywhere configured with a public URL.
- Internet connection available.

When the user accesses a web application protected by IIS MFA, the enrollment prompt appears during the first connection if the account is not yet enrolled.

Steps:

1. Administrator enables MFA for the account.
2. User opens the web application.
3. MFA enrollment is displayed and completed in the browser.

Requirements:

- IIS integration with UserLock.
- Browser access to the web application.

When the user connects to a Remote Desktop session through RD Gateway, the enrollment prompt appears if MFA enrollment is pending.

Steps:

1. Administrator enables MFA for the account.
2. User connects via RD Gateway.
3. MFA enrollment is displayed during session logon.

Requirements:

- UserLock integration with RD Gateway.
- RDP access through the gateway.

On a corporate laptop with the Desktop Agent installed, if MFA is not yet enrolled, the prompt appears when the user unlocks the workstation during an active VPN connection.

Steps:

1. The user takes the work laptop offsite.
2. User connects the VPN.
3. Administrator enables MFA for the account.
4. The user locks and unlocks the session; the unlock triggers MFA enrollment.

Requirements:

- Desktop Agent installed.
- VPN tunnel connected to the corporate network.
- Local desktop session (not RDP).

When users connect via UserLock VPN Connect, the system redirects them to a browser window to complete MFA enrollment if required.

Steps:

1. Administrator enables MFA for the account.
2. User initiates the VPN connection via UserLock VPN Connect.
3. A browser window opens and guides MFA enrollment.

Requirements:

- UserLock VPN Connect properly configured.
- Browser available during VPN connection setup.