UserLock Documentation
UserLock Documentation
You are here: Use cases > Multi-Factor Authentication > How to enroll remote users

How to enroll remote users with MFA

There are several possible ways depending on the situation:

1. UserLock Anywhere

If UserLock Anywhere is activated the desktop agent is able to contact the service through the Internet without the need to connect to a VPN connection.

Follow the steps in the link below to configure UserLock Anywhere: https://www.isdecisions.com/products/userlock/help/use-cases/advanced/userlock-anywhere.htm

2. UserLock IIS MFA*

If MFA for IIS is activated, the user will receive a prompt for MFA enrollment once he/she attempts to connect to their session via a web browser application.

Follow the steps in the link below to configure UserLock IIS MFA: https://www.isdecisions.com/products/userlock/help/use-cases/mfa-for-iis.htm

3. Terminal sessions from outside*

When the user connects to an RDP session via Remote Desktop Gateway this can prompt for MFA enrollment.

Please ensure the following procedure is already in place: https://www.isdecisions.com/products/userlock/help/use-cases/how-to-apply-mfa-to-remote-desktop-gateway-sessions.htm

4. Unlock session to provoke MFA enrollment through VPN

Assuming that the Desktop agent is installed on a work laptop, MFA can be enrolled during a lock/unlock process during a VPN connection:

  • User takes work laptop offsite
  • VPN connection established to corporate network
  • User locks session/Asks UserLock Admin to activate MFA
  • User unlocks session which will provoke MFA enrollment

5. UserLock VPN Connect*

The user will receive an invitation to enroll in MFA when they attempt to connect to their VPN session via UserLock VPN Connect which will redirect them to a web browser application.

Learn more about UserLock VPN Connect.



NOTE:

* Yubikey and Token2 HOTP not compatible for this method