UserLock Documentation
UserLock Documentation
You are here: Use cases > Multi-Factor Authentication > How to enroll remote users

How to enroll remote users with MFA

There are several possible ways depending on the situation:

1. UserLock Anywhere

If UserLock Anywhere is activated the desktop agent is able to contact the service through the Internet without the need to connect to a VPN connection.

Follow the steps in the link below to configure UserLock Anywhere:

2. UserLock IIS MFA*

If MFA for IIS is activated, the user will receive a prompt for MFA enrollment once he/she attempts to connect to their session via a web browser application.

Follow the steps in the link below to configure UserLock IIS MFA:

3. Terminal sessions from outside*

When the user connects to an RDP session via Remote Desktop Gateway this can prompt for MFA enrollment.

Please ensure the following procedure is already in place:

4. Unlock session to provoke MFA enrollment through VPN

Assuming that the Desktop agent is installed on a work laptop, MFA can be enrolled during a lock/unlock process during a VPN connection:

  • User takes work laptop offsite
  • VPN connection established to corporate network
  • User locks session/Asks UserLock Admin to activate MFA
  • User unlocks session which will provoke MFA enrollment

5. UserLock VPN Connect

The user will receive an invitation to enroll in MFA when they attempt to connect to their VPN session via UserLock VPN Connect which will redirect them to a web browser application.

Learn more about UserLock VPN Connect.


* Yubikey and Token2 HOTP not compatible for this method