UserLock Documentation

What’s New for UserLock 11

UserLock SSO and MFA for Microsoft 365 and Cloud Applications

UserLock Single Sign-On (SSO) provides secure access to Microsoft 365 and cloud applications using on-premises Active Directory credentials. A user logs in once with their existing AD identity to access both the on-premises network and multiple cloud services.

Combined with UserLock’s Multi-Factor Authentication (MFA), organizations can retain Windows Server AD as their identity management solution while extending it to work with the cloud.

UserLock supports the Security Assertion Markup Language 2.0 (SAML) protocol for federated authentication to Microsoft 365 and other cloud applications; administrators configure each cloud application directly from the UserLock console.

By combining SSO and MFA, UserLock 11 offers seamless access and secure connections to Windows logons, RDP access, VPN sessions, IIS sessions and cloud applications for all users.


Access Management for Microsoft 365 and Cloud Applications

Restrictions based on login context and real-time session management further help verify the identity of an AD user and protect every attempt to access cloud resources.

  • Control access to cloud applications with geolocation and workstation restrictions.
  • Track and report on who logged in to which cloud application, from which IP address and when.
  • Alert on login events that may warrant further investigation, such as a denied login.

MFA for Microsoft IIS applications

Multi-factor authentication (MFA) can now be set up to protect user access to Internet Information Services (IIS) for Windows Server.

The UserLock “Agent Distribution” engine automatically detects servers on which Internet Information Services (IIS) is installed and running. Implemented as an IIS HTTP module and designed to work on IIS 7 and higher, MFA can protect a single web application such as Outlook Web Access or a whole intranet site.


MFA recovery codes

Unique MFA recovery (backup) codes act as one-time passwords that allow a user to pass MFA and regain access.

Administrators choose how many single-use recovery codes are generated; the codes are displayed to the user immediately after MFA is enabled.

Note that recovery codes can only be used while the user is connected to the network.
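As an added example that is not UserLock’s code, the following Python sketch shows the two properties described above: a fixed number of codes generated and shown once, and strictly single-use redemption against a hashed store. The code format, alphabet and class names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Alphabet without look-alike characters (0/O, 1/I/L) so printed codes are
# easy to type back; hypothetical choice, not UserLock's format.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def _normalize(code: str) -> str:
    # Accept the code however the user types it: any case, with or without dashes.
    return code.replace("-", "").replace(" ", "").lower()


def _digest(code: str) -> bytes:
    return hashlib.sha256(_normalize(code).encode()).digest()


def generate_recovery_codes(count: int = 8, length: int = 10):
    """Return (plaintext codes to show once, hashes to persist).

    Only the hashes are stored: a recovery code is a password equivalent,
    so a leaked store must not reveal usable codes.
    """
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        codes.append(f"{raw[:length // 2]}-{raw[length // 2:]}")
    return codes, [_digest(c) for c in codes]


class RecoveryCodeStore:
    """Hypothetical per-user store enforcing the single-use property."""

    def __init__(self, hashes):
        self._hashes = set(hashes)

    def remaining(self) -> int:
        return len(self._hashes)

    def redeem(self, code: str) -> bool:
        """Consume a code: True on first use, False on reuse or unknown code."""
        candidate = _digest(code)
        for stored in list(self._hashes):
            if hmac.compare_digest(stored, candidate):
                self._hashes.discard(stored)  # burn it: a one-time password
                return True
        return False
```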

Enforce MFA for logins from any machine without a network connection

UserLock offers a new option to ‘enforce MFA’ on machines without a network connection, i.e. machines that cannot contact the UserLock server.

“Force MFA”

This new option denies logins for users who have not yet enrolled in MFA and authenticated while connected to the network.

The existing option “Ask for MFA – if not configured, allow connection” continues to allow login for users who have not yet enrolled in MFA and authenticated while connected to the network.

Note: MFA enrollment is not possible outside the network.

MFA | Alternative methods for multi-factor authentication

With UserLock 11, users can configure an alternative authentication method so that they are not locked out of their account if the primary method is lost or forgotten.

Administrators can choose to require, or to disable, a second method. For example, a smartphone authenticator application such as Google Authenticator can be set up alongside a YubiKey hardware token.

MFA | HOTP for machines without network connection

Users can now authenticate with HOTP (HMAC-based one-time password) tokens such as YubiKey without a network connection. Previously, only TOTP (time-based one-time password) tokens could be used without a network connection.

Note: The user must have previously logged on to the machine while connected to the network.

MFA | Using Token2 ALU, AZ, NFC and Bio for multi-factor authentication

UserLock now supports Token2 security keys (second generation: ALU, AZ, NFC and Bio) as a second authentication factor. These Token2 T2F2 security keys are physical tokens that use HOTP (HMAC-based one-time password).


MFA | Using VPN with RADIUS Challenge for multi-factor authentication

UserLock’s multi-factor authentication for VPN sessions now supports the Remote Authentication Dial-In User Service (RADIUS) Challenge.

The RADIUS Challenge prompts for the one-time password in a separate second step, after the user has successfully entered their login credentials. VPN solutions that support RADIUS Challenge include OpenVPN, Palo Alto, Fortinet, Pulse Secure Connect SSL…

UserLock also continues to support MSCHAP-v2 and PAP authentication. With these methods, users must add a comma to the end of the username or password field.


UserLock ANYWHERE | New web application to better protect remote connections

A new on-premises web application for UserLock agent/service communication helps ensure UserLock can protect remote machines.

With more users working remotely, the VPN connection between users and the network is crucial. This new feature allows the UserLock Desktop Agent to communicate with the server over the internet via an IIS application, so UserLock restrictions continue to be enforced if the VPN connection fails.


UserLock ANYWHERE | Remotely log off and lock user sessions over the Internet

When enabled, this allows contextual restrictions such as logon hours or time quotas to be respected even if a computer is not connected to the corporate network.