Large-Scale implementation
Through this procedure, the administrator installs the software through kitting or Active Directory, etc. on each PC and enters the required information for the batch of users on the YubiOn Portal’s website.
Large-scale implementation is recommended for the scale of one to over a hundred PCs.
Please read the notes before proceeding with the implementation.
Table of Contents
1. Notes
- Be sure to check the system requirements before proceeding with the implementation.
- Check here for available YubiKeys.
- Windows administrative privileges are required for setting up the PC.
-
Do not change the configuration of YubiKey to Slot1.
YubiKey has two configurable Slots with features such as One Time Password (OTP) and Challenge Response (used in offline authentication).-
Slot1: The initial state is configured to Yubico OTP.
If you change your Slot1 information, you will not be able to use it on YubiOn Portal. -
Slot2: The initial state is unconfigured.
If the offline authentication is used, a challenge response setting is required in Slot2.
-
Slot1: The initial state is configured to Yubico OTP.
-
Prior preparation is required to enable offline authentication of the PC.
Before distributing YubiKey to users, please refer to YubiKey offline settings to configure YubiKey. -
About the PC identification ID
YubiOn Portal uses SID or UUID as a terminal identification ID.
The default identification ID in each OS is as follows
- Windows: SID
- macOS: UUID
2. Implementation flow
3. YubiOn Portal registration
Skip this step if you have already registered.
3-1. New registration
Note
The first person to register for the YubiOn Portal will be the representative of your organization.
Click on this link to confirm your registration.
3-2. First login
Enter the correct email address and password to login to YubiOn Portal.
About customer login
For the representatives of the organization (those who first registered for the YubiOn Portal), only the password will be required to log in if a YubiKey has not been assigned.
Once the YubiKey is set up, the user will be presented with a two-factor authentication login.
Notes: If all YubiKeys assigned to a user are removed, the customer login screen will appear.
4. Simple settings
4-1. YubiKey registration
4-2. Selection of settings
Info
Once you skip this step, the simple settings screen will no longer appear when you log in.
5. Switching to a paid plan
Purchase of paid plans
This function is for paid plans (Premium).
Please purchase a plan when using this service.
6. Setup
The following details the steps the administrator can follow to set up the PCs.
To set up two-factor authentication on a PC, one will need to install a Windows Logon Service application, henceforth referred to as Client Tools.
Before Use
Please be sure to check the System requirements before installing the software.
The installation requires Windows administrative privileges.
6-1. Software downloads
Download software to be installed on each PC.
-
From the menu on the left side of the screen, click the "PC" icon, then click "Download".
-
Click "Download" button.
The "WlsInstaller_x64.msi" or "WlsInstaller_x86.msi" will be downloaded.
Save it to any location.
Info
-
About downloading
The 32-bit or 64-bit download button will appear according to your device. -
When installing software for a different architecture
-
Click on "Download tools for different architecture".
-
Download software.
-
Click on "Download tools for different architecture".
6-2. Software installation
The YubiOn Portal currently does not support automatic software distribution. Instead, please distribute and install the “WlsInstaller_x64.msi” or “WlsInstaller_x86.msi” installer on each PC using one of the following methods.
- Distribution by PC kitting
- Distribution by Active Directory Group Policy
- Distribution by Other Services
How to obtain a PC identification ID
When registering PC information in YubiOn Portal, SID (Windows) or UUID (macOS) for PC identification is required. Refer to the following command and note the identification ID of the terminal.
-
Windows
Execute the following command at the command prompt
Change the name part ("administrator" in the example below) to any value and execute.Get-WmiObject -class win32_useraccount | select name, SID, LocalAccount | where { $_.name -match "administrator" } | where { $_.LocalAccount } name SID LocalAccount ---- --- ------------ Administrator S-0-0-00-000000000-000000000-000000001-1000 True -
macOS
Execute the following commands in a terminal.
system_profiler SPHardwareDataType Hardware: Hardware Overview: Model Name: XXXXXXX Model Identifier: XXXXXXX Chip: XXXXXXX Total XXXXXXX Memory: XXXXXXX System Firmware Version: XXXXXXX OS Loader Version: XXXXXXX Serial Number (system): XXXXXXX Hardware UUID: uuuuuuuu-uuuu-iiii-dddd-dddddddd Provisioning UDID: XXXXXXX Activation Lock Status: XXXXXXX
7. Batch registration
Register users and their information on the YubiOn Portal through a CSV.
7-1. Download the CSV
From the menu on the left side of the screen, click the “Users” icon.
Click the “Kitting CSV registration” button on the right side of the Member management screen.
Click the “Download CSV sample file” button.
Save the file in any location.
7-2. CSV input
Open the downloaded “member_machine_registration_sample.csv”.
Below is a preview of the Excel file.
View in Excel
Enter registration information referring to the CSV file format below.
When the registration is complete, please save the file.
About the CSV file format
If opened in a text editor, it will be separated by a comma.
1st (column A) to 5th (column E) is member (user) information, 6th (column F) is YubiKey information, 7th (column G) to 10th (column J) is PC information.
You can use YubiOn Portal’s two-factor authentication service by associating the member (user) with the required YubiKey and PC information.
1st (column A): Enter ID
The “ID” is an item to facilitate sorting and filtering. Please use this field by setting an employee number, etc. (Half-width alphanumeric characters and hyphen “-”, underscore “_“, optional)
2nd (column B): Enter member names [Required]
Enter the user’s name in Japanese or alphanumeric characters.
3rd (column C): Enter your email address [Required]
Enter the user’s email address is standard email address format.
4th (column D): Enter group name.
Enter the name of the group of which you want to be a member. (Japanese, alphanumeric symbols, optional)
The group function assigns users (members) to groups. It is used to divide and filter users into groups such as sales and development.
5th (column E): Enter numbers to specify the user’s role [Required]
0: General (will only be granted access to the management site)
1: Administrators (can access, register, delete, edit, etc., on the administration site)
6th (column F): Enter the YubiKey’s serial number [Required]
Enter the “Serial Number” on the back of the YubiKey. (a half-width number)
7th (column G): Enter the OS type of the PC [Required]
Enter “Windows” or “macOS”*.
*macOS is only available for the paid version. Please contact us for availability.
8th (column H): Enter PC identification ID [Required]
Enter the SID or UUID of the PC.
How to obtain a PC identification ID
-
Windows
Execute the following command at the command prompt
Change the name part ("administrator" in the example below) to any value and execute.Get-WmiObject -class win32_useraccount | select name, SID, LocalAccount | where { $_.name -match "administrator" } | where { $_.LocalAccount } name SID LocalAccount ---- --- ------------ Administrator S-0-0-00-000000000-000000000-000000001-1000 True -
macOS
Execute the following commands in a terminal.
system_profiler SPHardwareDataType Hardware: Hardware Overview: Model Name: XXXXXXX Model Identifier: XXXXXXX Chip: XXXXXXX Total XXXXXXX Memory: XXXXXXX System Firmware Version: XXXXXXX OS Loader Version: XXXXXXX Serial Number (system): XXXXXXX Hardware UUID: uuuuuuuu-uuuu-iiii-dddd-dddddddd Provisioning UDID: XXXXXXX Activation Lock Status: XXXXXXX
9th (column I): Enter a PC name [Required]
Enter a Windows or macOS PC name. (alphanumeric characters)
10th (column J): Enter an account name [Required]
Enter your Windows or macOS account name. (alphanumeric characters)
Regarding registering an AD account
Enter the “Short-domain name\account name”.
e.g. “demo.example.com” case
demo\accountName
If you have the same email address registered
If the same email address is input in the CSV more than once, or if you input a previously registered email address, the PC, account and YubiKey will be assigned to the same member.
7-3. CSV batch registration
Login to the YubiOn Portal site.
Click the “Users” icon from the menu on the left side of the screen.
Click the “kitting CSV registration” button on the right side of the member management screen.
Click on “Choose File”.
Click on the “member_machine_registration_sample.csv” file and click the “Open” button.
Confirm that the values displayed in the registration list are correct and click the “Register” button.
- Full-width character strings are not entered in half-width alphanumeric notation.
- No unnecessary spaces, character strings, etc. are entered.
- Email address format is correct.
- Admin column* is populated with numbers.
(*) If you are registered as an administrator, the administrator column will display a “check mark”.
If you are registered as a general, the administrator column will be marked with a “-”.
Click the “OK” button on the registration completion message.
When the members listed in the CSV file are displayed in the member list, the batch registration is complete.
In case of a registration error
If there is a mistake in the CSV, a warning icon will appear on the confirmation screen.
Hover over the warning icon to see the error content.
Please correct and re-register the CSV file as instructed.
Modifying content immediately after the completion of batch registration
Refer to the “Bulk deletion method” to perform batch deletion of incorrect data while registering only the correct data from the CSV file.
In the case you want to modify the data individually
Click here to correct the member information.
Click here for YubiKey assignments.
Click here to unassign a YubiKey.
Click here to add an account.
Click here to delete an account.
Click here for account and YubiKey assignment.
Click here to unassign an account and YubiKey.
Note: The PC name and PC ID cannot be modified later. Refer to “Bulk deletion method” to delete and register again via the CSV.
8. Distribute YubiKey to users
After the CSV registration is completed, YubiKey will be distributed to users.
Things to check before distributing YubiKey
Preparation is required to enable offline authentication of the device.
Before distributing YubiKey to users, please set up YubiKey with reference to YubiKey Offline Settings.
9. Service settings
9-1. General service settings
Click on "Service setting".
Configure the following settings to match your security policy
| Configuration items | Configuration Contents | Default |
|---|---|---|
| 1. Cache logon expiration date | The number of days available for offline authentication. | Disabled |
| 2. Screen lock | Lock the screen when the YubiKey is unplugged. | Disabled |
| 3. Forced YubiKey logon | Make logging onto the PC with YubiKey mandatory. | Disabled |
| 4. Authentication failure lock |
Locks the PC after a certain number of failed log on attempts. It can also be used to unlock the PC only after a certain amount of time has elapsed. |
Disabled |
| 5. Automatic email notification | Email notifications when there is a change in PC status or service settings. |
Enabled Representative |
In the initial view of the service settings, "Default Policy" is selected.
This step is based on the "Default Policy".
Info
-
About the Group policy
Group policy allows dividing of service settings for various groups. For more information, see Group Policy Settings. -
About the Master Key
Master Key enables users to set up a master YubiKey that can log on to all PCs and accounts. For more information, see Master Key Settings.
9-2. Cache logon settings
- Click the "Enable" radio button.
-
Enter the expiration date.
For free use, only one day can be set up.
- Click the "Update" button.
Info
-
About offline authentication
- To enable offline authentication, the PC must be successfully authenticated online once.
-
Each time the PC is successfully logged in, the offline authentication period is updated.
e.g. Consider an offline expiration of 3 days.
If the PC is successfully logged on on April 1st, offline authentication will be enabled from April 1st to April 3rd.
If the PC is successfully logged on during the above period, it is effective for an additional 3 days from the date of successful authentication.
-
Reflection of settings on the terminal
The settings are reflected when the user starts the terminal while it is connected to the network. -
How it works on the Mac version
The cache logon feature is always enabled in the Mac version. -
If you want the cash logon period to be indefinite
With the paid option "Cache logon indefinite setting", the number of days cache information is valid can be set indefinitely. Please contact us to inquire about purchasing the "Cash Logon Indefinitely" option.
9-3. Screen lock settings
-
Check the"Lock screen when unplugging YubiKey" checkbox.
- Click the "Update" button.
Info
-
Reflection of settings on PC
The settings are reflected when the user starts the PC while it is connected to the network.
9-4. Forced YubiKey logon settings
-
Check the "Force a logon using YubiKey" checkbox.
- Click the "Update" button.
Info
-
Reflection of settings on the PC
The settings are reflected when the user starts the PC while it is connected to the network. -
Forcing YubiKey on the Mac version
When changing system preferences, the YubiKey is required as well as the password.
9-5. Authentication failure lock settings
-
If the Authentication failure lock setting is enabled, it is possible to prohibit a terminal from logging on after a certain number of failed logon attempts.
- Click the "Update" button.
Info
-
Reflection of settings on PC
The settings are reflected when the user starts the PC while it is connected to the network. -
About PC lock
The inability to log on to a terminal is called "PC lock".
Click here to find out how to unlock the PC lock status.
-
For Mac version
To enable this feature, "Forced YubiKey Logon" must be enabled.
9-6. Unlock settings after an authentication failure lock
-
Check the "After authentication failure lock, unlock at a certain time"
- Enter the time (in minutes) after which the PC can be unlocked.
- Click the "Update" button.
Info
-
Reflection of settings on PC
The settings are reflected when the user starts the PC while it is connected to the network. -
Conditions for PC unlocking
PC lock status is released when a certain period of time elapses and when the user starts up the PC while it is connected to the network. If the setting to unlock after a certain period of time is disabled, the PC lock status will not be released after a certain period of time has elapsed.
9-7. Automatic email notification settings
-
Click the settings icon in the top right corner of the service settings screen, and then click "Email notification settings".
- Toggle the notification settings to enable/disable.
- Check the items to receive notifications for.
- Click the "Update" button.
About notification
-
When "When the PC locked or unlocked" is checked
Notify which terminals have been changed to which state. -
When "When changing service settings" is checked
Notification of changes made in service settings, such as cache logon settings. -
If you want to change the email recipient
Click here for instructions on how to change email recipients.
10. Automatic setup of each PC by the user
The end user completes the setup automatically by logging on to the PC while connected to the network.
Conditions for automatic setup
1. The software installation on the PC is already complete
2. CSV batch registration on YubiOn Portal site must be completed
3. Log on to the PC while it is connected to the network.
The first time you log on with your Windows password only, the automatic setup is complete.
If the automatic setup is done correctly, you can use two-factor authentication from the next logon.
For more information on user operations, see How to use Windows logon (for large scale implementation).
If you don’t want the user to uninstall it
The optional function “Uninstall Control” can be used to hide the software from the list of installed applications and prevent uninstallation.
Please contact us for more information on using the “Uninstall Control” option.
11. Operational confirmation
About Group policy
-
Group policy allows dividing of service settings for various groups.
For more information, see Group policy settings.
11-1. Group policy reflection confirmation
Group policy reflection status
- Reflected: The latest group policy is reflected on the PC.
- Unreflected: The group policy has not been reflected on the PC.
- Old policy is reflected: The old group policy is reflected on the PC.
-
Click on the group policy you wish to review.
-
Click on the "PC list" tab.
-
Click on the pull-down under "Status."
Next, click on "Unreflected.
-
A list of PCs to which the group policy has not yet been applied is displayed.
The "Unreflected" status is indicated by an "X" mark.
Info
-
To check "Old policy is reflected" status
Clicking "Old policy is reflected" in the "Status" pull-down displays a list of PCs that reflect the old group policy.
- If an old policy is reflected, it is indicated by a "warning mark".
- When a group policy is changed or another group policy is applied, the "old policy is reflected" status is set.
-
To check the "Reflected" status
Clicking "Reflected" in the "Status" pull-down displays a list of PCs with the latest group policy reflected.
- If the latest group policy is reflected, it is indicated by a "check" mark.
-
How to reflect the settings on your PC
The Group Policy setting is reflected when the target PC is connected to the network and logs on.
The installation procedure is described above.
12. Additional Information
12-1. Two-factor authentication method for YubiOn Portal site
Info
Only the representative (the first user to register for the YubiOn Portal) can be logged in with only a password if a YubiKey has not been assigned.
-
Access the login page.
Enter your email address in the email address field and click the Confirm button.
-
Enter the password in the password field.
-
Plug the YubiKey into the USB port.
-
Click the YubiKey input field and tap the YubiKey.
*The YubiKey's one-time password will be entered automatically and the user will be logged in.
-
After logging in, the "Dashboard" will be displayed.
12-2. Batch deletion method
Information registered in CSV format can be deleted from a member’s (user’s) e-mail address in a batch.
Scope of bulk member deletion
- Delete member information.
- Unassign members and groups.
- Unassign members and YubiKey. (YubiKey itself will not be deleted.)
- PC and account information will not be deleted.
-
Click on "Member management" from the menu on the left side of the screen.
-
Click on the "Batch delete members" icon.
-
Download the CSV file for batch deletion.
Click the "Download" icon to download the CSV file for bulk deletion.
Save the "member_deletion.csv" file to any location.
- Open the "member_deletion.csv" file and enter the e-mail address of the member you wish to delete.
-
Select a CSV file.
Click on the "Choose File" button.
-
Select the CSV file and click the "Open" button.
-
Selecting a file displays the CSV file name and the member information to be deleted.
If all is correct, click the "Delete" button.
If the member is successfully deleted
A list of members is displayed.
If there is a problem with the content of the CSV
If there is a problem with the content of the CSV, it cannot be deleted.
Correct the file and delete it again.
