UserLock Documentation
UserLock Documentation
You are here: Use cases > Multi-Factor Authentication > How to enroll remote users

How to enroll remote users with MFA

There are several possible ways depending on the situation:

1. UserLock AnyWhere

If UserLock AnyWhere is activated the desktop agent is able to contact the service through the Internet without the need to connect to a VPN connection.

Follow the steps in the link below to configure UserLock AnyWhere: https://www.isdecisions.com/products/userlock/help/use-cases/advanced/userlock-anywhere.htm

2. UserLock IIS MFA*

If MFA for IIS is activated, the user will receive a prompt for MFA enrollment once he/she attempts to connect to their session via a web browser application.

Follow the steps in the link below to configure UserLock IIS MFA: https://www.isdecisions.com/products/userlock/help/use-cases/mfa-for-iis.htm

3. Terminal sessions from outside*

When the user connects to an RDP session via Remote Desktop Gateway this can prompt for MFA enrollment.

Please ensure the following procedure is already in place: https://www.isdecisions.com/products/userlock/help/use-cases/how-to-apply-mfa-to-remote-desktop-gateway-sessions.htm

4. Unlock session to provoke MFA enrollment through VPN

Assuming that the Desktop agent is installed on a work laptop, MFA can be enrolled during a lock/unlock process during a VPN connection:

  • User takes work laptop offsite
  • VPN connection established to corporate network
  • User locks session/Asks UserLock Admin to activate MFA
  • User unlocks session which will provoke MFA enrollment


NOTE:

* Yubikey and Token2 HOTP not compatible for this method