How to enroll remote users with MFA
There are several possible ways depending on the situation:
1. UserLock Anywhere
If UserLock Anywhere is activated the desktop agent is able to contact the service through the Internet without the need to connect to a VPN connection.
Follow the steps in the link below to configure UserLock Anywhere: https://www.isdecisions.com/products/userlock/help/use-cases/advanced/userlock-anywhere.htm
2. UserLock IIS MFA*
If MFA for IIS is activated, the user will receive a prompt for MFA enrollment once he/she attempts to connect to their session via a web browser application.
Follow the steps in the link below to configure UserLock IIS MFA: https://www.isdecisions.com/products/userlock/help/use-cases/mfa-for-iis.htm
3. Terminal sessions from outside*
When the user connects to an RDP session via Remote Desktop Gateway this can prompt for MFA enrollment.
Please ensure the following procedure is already in place: https://www.isdecisions.com/products/userlock/help/use-cases/how-to-apply-mfa-to-remote-desktop-gateway-sessions.htm
4. Unlock session to provoke MFA enrollment through VPN
Assuming that the Desktop agent is installed on a work laptop, MFA can be enrolled during a lock/unlock process during a VPN connection:
- User takes work laptop offsite
- VPN connection established to corporate network
- User locks session/Asks UserLock Admin to activate MFA
- User unlocks session which will provoke MFA enrollment
* Yubikey and Token2 HOTP not compatible for this method