In this procedure, the administrator installs the software on each PC through kitting, Active Directory, etc., and enters the required information for the batch of users on the YubiOn Portal website.
Large-scale implementation is recommended for deployments of one to over a hundred PCs.
Please read the notes before proceeding with the implementation.
1. Notes
Be sure to check the system requirements before proceeding with the implementation.
Windows administrative privileges are required for setting up the PC.
Do not change the configuration of YubiKey Slot1.
YubiKey has two configurable Slots with features such as One Time Password (OTP) and Challenge Response (used in offline authentication).
Slot1: The initial state is configured to Yubico OTP. If you change your Slot1 information, you will not be able to use it on YubiOn Portal.
Slot2: The initial state is unconfigured.
If the offline authentication is used, a challenge response setting is required in Slot2.
Prior preparation is required to enable offline authentication of the PC.
Before distributing YubiKey to users, please refer to YubiKey offline settings to configure YubiKey.
About the PC identification ID
YubiOn Portal uses SID or UUID as a terminal identification ID.
The default identification ID in each OS is as follows:
Windows: SID
macOS: UUID
*If you have a duplicate Windows SID due to PC kitting or other reasons, you will not be able to use YubiOn Portal.
If your SID is duplicated and unavailable, please contact us.
2. Implementation flow
Portal registration
[Administrator Action] Register for the YubiOn Portal. After registration, purchase a paid plan (Standard or higher).
Software distribution
[Administrator Action] Software is installed on each terminal through kitting, Active Directory, etc.
Batch registration
[Administrator Action] Batch registration of user information in CSV.
Service settings
[Administrator Action] Configure the service settings for two-factor authentication.
PC auto setup
[User Action] The automatic setup is completed when the user logs on to the PC.
The first person to register for the YubiOn Portal will be the representative of your organization.
You will receive a confirmation email upon newly registering.
Click on this link to confirm your registration.
3-2. First login
From the login screen, login with your registered email address and password.
Enter the correct email address and password to login to YubiOn Portal.
About customer login
For the representatives of the organization (those who first registered for the YubiOn Portal), only the password will be required to log in if a YubiKey has not been assigned.
Once the YubiKey is set up, the user will be presented with a two-factor authentication login.
Notes: If all YubiKeys assigned to a user are removed, the customer login screen will appear.
The first time you log in, the simple settings screen appears.
4. Simple settings
Skip this step if you've already done the simple settings.
4-1. YubiKey registration
Set your YubiKey up for login. Next time you log into the YubiOn Portal, you will require the YubiKey which you set up here.
4-2. Selection of settings
Click on "You do not configure your PC..." as this procedure does not configure the operator's own PC.
Info
Once you skip this step, the simple settings screen will no longer appear when you log in.
5. Switching to a paid plan
If you are already a paid plan customer, please skip this step.
Purchase of paid plans
This function is for paid plans (Premium).
Please purchase a plan when using this service.
The following explanation assumes the use of a paid plan.
6. Setup
The following details the steps the administrator can follow to set up the PCs.
To set up two-factor authentication on a PC, one will need to install a Windows Logon Service application, henceforth referred to as Client Tools.
Before Use
Please be sure to check the System requirements before installing the software.
The installation requires Windows administrative privileges.
6-1. Software downloads
Download software to be installed on each PC.
From the menu on the left side of the screen, click the "PC" icon, then click "Download".
Click "Download" button.
The "WlsInstaller_x64.msi" or "WlsInstaller_x86.msi" will be downloaded.
Save it to any location.
Info
About downloading
The 32-bit or 64-bit download button will appear according to your device.
When installing software for a different architecture
Click on "Download tools for different architecture".
Download software.
6-2. Software installation
The YubiOn Portal currently does not support automatic software distribution.
Instead, please distribute and install the “WlsInstaller_x64.msi” or “WlsInstaller_x86.msi” installer on each PC using one of the following methods.
Distribution by PC kitting
Distribution by Active Directory Group Policy
Distribution by Other Services
How to obtain a PC identification ID
When registering PC information in YubiOn Portal, SID (Windows) or UUID (macOS) for PC identification is required.
Refer to the following command and note the identification ID of the terminal.
Windows
Execute the following command at a PowerShell prompt.
Change the name part ("administrator" in the example below) to the account name you want to look up and execute.
Get-WmiObject -class win32_useraccount | select name, SID, LocalAccount | where { $_.name -match "administrator" } | where { $_.LocalAccount }
name          SID                                         LocalAccount
----          ---                                         ------------
Administrator S-0-0-00-000000000-000000000-000000001-1000 True
The terminal SID is the part up to "S-0-0-00-00000000000-00000000000-00000000001", that is, the account SID without its last segment ("-1000" in the example above).
macOS
Execute the following commands in a terminal.
system_profiler SPHardwareDataType
Hardware:
Hardware Overview:
Model Name: XXXXXXX
Model Identifier: XXXXXXX
Chip: XXXXXXX
Total XXXXXXX
Memory: XXXXXXX
System Firmware Version: XXXXXXX
OS Loader Version: XXXXXXX
Serial Number (system): XXXXXXX
Hardware UUID: uuuuuuuu-uuuu-iiii-dddd-dddddddd
Provisioning UDID: XXXXXXX
Activation Lock Status: XXXXXXX
The Hardware UUID field is the terminal UUID.
7. Batch registration
Register users and their information on the YubiOn Portal through a CSV.
7-1. Download the CSV
From the menu on the left side of the screen, click the “Users” icon.
Click the “Kitting CSV registration” button on the right side of the Member management screen.
Click the “Download CSV sample file” button.
Save the file in any location.
7-2. CSV input
Open the downloaded “member_machine_registration_sample.csv”.
Below is a preview of the Excel file.
Enter registration information referring to the CSV file format below.
When the registration is complete, please save the file.
About the CSV file format
If opened in a text editor, it will be separated by a comma.
1st (column A) to 5th (column E) is member (user) information, 6th (column F) is YubiKey information, 7th (column G) to 10th (column J) is PC information.
You can use YubiOn Portal’s two-factor authentication service by associating the member (user) with the required YubiKey and PC information.
1st (column A): Enter ID
The “ID” is an item to facilitate sorting and filtering. Please use this field by setting an employee number, etc. (Half-width alphanumeric characters, hyphen “-” and underscore “_”; optional)
2nd (column B): Enter member names[Required]
Enter the user’s name in Japanese or alphanumeric characters.
3rd (column C): Enter your email address[Required]
Enter the user’s email address in standard email address format.
4th (column D): Enter group name.
Enter the name of the group of which you want to be a member. (Japanese, alphanumeric symbols, optional)
The group function assigns users (members) to groups. It is used to divide and filter users into groups such as sales and development.
5th (column E): Enter numbers to specify the user’s role[Required]
0: General (will only be granted access to the management site)
1: Administrators (can access, register, delete, edit, etc., on the administration site)
6th (column F): Enter the YubiKey’s serial number[Required]
Enter the “Serial Number” on the back of the YubiKey. (a half-width number)
7th (column G): Enter the OS type of the PC[Required]
Enter “Windows” or “macOS”*.
*macOS is only available for the paid version. Please contact us for availability.
8th (column H): Enter PC identification ID[Required]
Enter the SID or UUID of the PC.
For how to obtain the SID or UUID, see "How to obtain a PC identification ID" in 6-2. Software installation.
9th (column I): Enter a PC name[Required]
Enter a Windows or macOS PC name. (alphanumeric characters)
10th (column J): Enter an account name[Required]
Enter your Windows or macOS account name. (alphanumeric characters)
Regarding registering an AD account
Enter the “Short-domain name\account name”.
e.g. For the domain “demo.example.com”, enter demo\accountName
If you have the same email address registered
If the same email address is input in the CSV more than once, or if you input a previously registered email address, the PC, account and YubiKey will be assigned to the same member.
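The column rules above can be checked before the file is uploaded. The following Python validator is an added example, not YubiOn code: it assumes data rows only (no header row), the default identification IDs (SID for Windows, UUID for macOS) and the usual S-1-5-21-... shape of a Windows machine SID, and all function and field names are made up for the example.

```python
import csv
import re

# Columns A..J in the order described above; "id" and "group" are optional.
COLUMNS = "id name email group role serial os pc_id pc_name account".split()
OPTIONAL = {"id", "group"}
# ASCII classes on purpose: \d and str.isdigit() also accept full-width digits.
PATTERNS = {
    "id": (r"[A-Za-z0-9_-]+", "half-width alphanumerics, '-' and '_' only"),
    "email": (r"[^@\s]+@[^@\s]+\.[^@\s]+", "not an email address"),
    "role": (r"[01]", "must be 0 (General) or 1 (Administrator)"),
    "serial": (r"[0-9]+", "half-width digits only"),
    "os": (r"Windows|macOS", "must be Windows or macOS"),
}
# Assumption: machine SID = S-1-5-21 + three sub-authorities; account SID adds a RID.
ACCOUNT_SID_RE = re.compile(r"(S-1-5-21(?:-[0-9]+){3})-[0-9]+")
PC_ID = {"Windows": r"S-1-5-21(?:-[0-9]+){3}",
         "macOS": r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}"}
# Constructed sample (data rows only, no header); every value is made up.
SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE = "\n".join([
    "E-001,Alice Example,alice@example.com,Sales,1,12345678,Windows,"
    + SID + r",PC-A,demo\alice",
    "E-002,Bob Example,bob@example.com,Sales,0,23456789,Windows,"
    + SID + r"-1000,PC-B,demo.example.com\bob",   # account SID, FQDN domain
    ",Alice Example,alice@example.com,,1,\uff11\uff12\uff13\uff14,Windows,"
    + SID + ",PC-C,alice",                        # cloned SID, full-width serial
])

def check_row(row):
    """Return the list of problems for one row (dict keyed by COLUMNS)."""
    problems = []
    for col, val in row.items():
        if val != val.strip():
            problems.append(f"{col}: leading or trailing whitespace")
        elif not val and col not in OPTIONAL:
            problems.append(f"{col}: required")
    for col, (pattern, msg) in PATTERNS.items():
        if row[col] and not re.fullmatch(pattern, row[col]):
            problems.append(f"{col}: {msg}")
    pc_id, pattern = row["pc_id"], PC_ID.get(row["os"])
    account_sid = ACCOUNT_SID_RE.fullmatch(pc_id)
    if row["os"] == "Windows" and account_sid:
        problems.append(f"pc_id: account SID given, use {account_sid.group(1)}")
    elif pc_id and pattern and not re.fullmatch(pattern, pc_id):
        problems.append(f"pc_id: not a valid {row['os']} identification ID")
    domain, sep, _ = row["account"].rpartition("\\")
    if sep and "." in domain:
        problems.append("account: use the short domain name (demo\\user)")
    return problems

def validate_kitting_csv(text):
    """Validate CSV text (data rows only); return (errors, warnings)."""
    errors, warnings, names_by_pc_id, rows_by_email = [], [], {}, {}
    for n, raw in enumerate(csv.reader(text.splitlines()), start=1):
        if len(raw) != len(COLUMNS):
            errors.append(f"row {n}: expected 10 columns, got {len(raw)}")
            continue
        row = dict(zip(COLUMNS, raw))
        errors += [f"row {n}: {p}" for p in check_row(row)]
        names_by_pc_id.setdefault(row["pc_id"].upper(), set()).add(row["pc_name"])
        rows_by_email.setdefault(row["email"].lower(), []).append(n)
    for pc_id, names in names_by_pc_id.items():
        if pc_id and len(names) > 1:  # page: a duplicated SID cannot be used
            errors.append(f"{pc_id}: shared by PCs {sorted(names)}")
    for email, rows in rows_by_email.items():
        if email and len(rows) > 1:  # page: repeats attach to one member
            warnings.append(f"{email}: rows {rows} merge into one member")
    return errors, warnings
```

Calling `validate_kitting_csv(SAMPLE)` reports the pasted account SID, the long domain name, the full-width serial number and the SID shared by two PC names as errors, and the repeated email address as a warning.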
7-3. CSV batch registration
Login to the YubiOn Portal site.
Click the “Users” icon from the menu on the left side of the screen.
Click the “kitting CSV registration” button on the right side of the member management screen.
Click on “Choose File”.
Click on the “member_machine_registration_sample.csv” file and click the “Open” button.
Confirm that the values displayed in the registration list are correct and click the “Register” button.
No full-width characters are entered in fields that require half-width alphanumeric characters.
No unnecessary spaces, character strings, etc. are entered.
Email address format is correct.
Admin column* is populated with numbers.
(*) If you are registered as an administrator, the administrator column will display a “check mark”.
If you are registered as a general member, the administrator column will be marked with a “-”.
Click the “OK” button on the registration completion message.
When the members listed in the CSV file are displayed in the member list, the batch registration is complete.
In case of a registration error
If there is a mistake in the CSV, a warning icon will appear on the confirmation screen.
Hover over the warning icon to see the error content.
Please correct and re-register the CSV file as instructed.
Modifying content immediately after the completion of batch registration
Refer to the “Bulk deletion method” to perform batch deletion of incorrect data while registering only the correct data from the CSV file.
In the case you want to modify the data individually
Click here to correct the member information.
Click here for YubiKey assignments.
Click here to unassign a YubiKey.
Click here to add an account.
Click here to delete an account.
Click here for account and YubiKey assignment.
Click here to unassign an account and YubiKey.
Note: The PC name and PC ID cannot be modified later. Refer to “Bulk deletion method” to delete and register again via the CSV.
8. Distribute YubiKey to users
After the CSV registration is completed, YubiKey will be distributed to users.
Things to check before distributing YubiKey
Preparation is required to enable offline authentication of the device.
Before distributing YubiKey to users, please set up YubiKey with reference to YubiKey Offline Settings.
9. Service settings
In the service configuration screen, configure the settings for the two-factor authentication service.
9-1. General service settings
Click the "PC" icon from the menu on the left side of the screen.
Click on "Service setting".
Configure the following settings to match your security policy
Configuration items, their contents and default values:
1. Cache logon expiration date: The number of days available for offline authentication. Default: Disabled
2. Screen lock: Lock the screen when the YubiKey is unplugged. Default: Disabled
3. Forced YubiKey logon: Make logging onto the PC with YubiKey mandatory. Default: Disabled
4. Authentication failure lock: Locks the PC after a certain number of failed logon attempts. It can also be used to unlock the PC only after a certain amount of time has elapsed. Default: Disabled
5. Automatic email notification: Email notifications when there is a change in PC status or service settings. Default: Enabled, Representative
In the initial view of the service settings, "Default Policy" is selected.
This step is based on the "Default Policy".
Info
About the Group policy
Group policy allows dividing of service settings for various groups.
For more information, see Group Policy Settings.
About the Master Key
Master Key enables users to set up a master YubiKey that can log on to all PCs and accounts.
For more information, see Master Key Settings.
9-2. Cache logon settings
Setting an expiration date for offline authentication allows you to log on offline for a specified number of days from the date of the last successful PC logon.
If disabled, you will not be able to log on in environments without a network connection.
Click the "Enable" radio button.
Enter the expiration date.
For free use, only one day can be set up.
To enable offline authentication, the PC must be successfully authenticated online once.
Each time the PC is successfully logged in, the offline authentication period is updated.
e.g. Consider an offline expiration of 3 days. If the PC is successfully logged on on April 1st, offline authentication will be enabled from April 1st to April 3rd. If the PC is successfully logged on during the above period, it is effective for an additional 3 days from the date of successful authentication.
Reflection of settings on the terminal
The settings are reflected when the user starts the terminal while it is connected to the network.
How it works on the Mac version
The cache logon feature is always enabled in the Mac version.
If you want the cache logon period to be indefinite
With the paid option "Cache logon indefinite setting", the number of days cache information is valid can be set indefinitely.
Please contact us to inquire about purchasing the "Cache Logon Indefinitely" option.
9-3. Screen lock settings
With screen lock enabled, you can lock the screen automatically when you unplug the YubiKey from the PC's USB port.
Check the "Lock screen when unplugging YubiKey" checkbox.
Click the "Update" button.
Info
Reflection of settings on PC
The settings are reflected when the user starts the PC while it is connected to the network.
9-4. Forced YubiKey logon settings
Set the PC to enforce logon using YubiKey when logging on.
Check the "Force a logon using YubiKey" checkbox.
Click the "Update" button.
Info
Reflection of settings on the PC
The settings are reflected when the user starts the PC while it is connected to the network.
Forcing YubiKey on the Mac version
When changing system preferences, the YubiKey is required as well as the password.
9-5. Authentication failure lock settings
Set up your PC to enforce logon using YubiKey when logging on.
If the Authentication failure lock setting is enabled, it is possible to prohibit a terminal from logging on after a certain number of failed logon attempts.
Click the "Update" button.
Info
Reflection of settings on PC
The settings are reflected when the user starts the PC while it is connected to the network.
About PC lock
The inability to log on to a terminal is called "PC lock".
Click here to find out how to unlock the PC lock status.
For Mac version
To enable this feature, "Forced YubiKey Logon" must be enabled.
9-6. Unlock settings after an authentication failure lock
Check the "After authentication failure lock, unlock at a certain time" checkbox.
Enter the time (in minutes) after which the PC can be unlocked.
Click the "Update" button.
Info
Reflection of settings on PC
The settings are reflected when the user starts the PC while it is connected to the network.
Conditions for PC unlocking
PC lock status is released when a certain period of time elapses and when the user starts up the PC while it is connected to the network.
If the setting to unlock after a certain period of time is disabled, the PC lock status will not be released after a certain period of time has elapsed.
9-7. Automatic email notification settings
When there is a change in the status of the PC or service settings, it will automatically notify the members registered in the notification settings.
By default, the representative is set as the recipient of the notification.
Click the settings icon in the top right corner of the service settings screen, and then click "Email notification settings".
Toggle the notification settings to enable/disable.
Check the items to receive notifications for.
Click the "Update" button.
About notification
When "When the PC locked or unlocked" is checked
Notify which terminals have been changed to which state.
When "When changing service settings" is checked
Notification of changes made in service settings, such as cache logon settings.
If you want to change the email recipient
Click here for instructions on how to change email recipients.
10. Automatic setup of each PC by the user
The end user completes the setup automatically by logging on to the PC while connected to the network.
Conditions for automatic setup
1. The software installation on the PC is already complete
2. CSV batch registration on YubiOn Portal site must be completed
3. Log on to the PC while it is connected to the network.
When the user logs on for the first time using only the Windows password, the automatic setup is completed.
If the automatic setup is done correctly, you can use two-factor authentication from the next logon.
If you don’t want the user to uninstall it
The optional function “Uninstall Control” can be used to hide the software from the list of installed applications and prevent uninstallation.
Please contact us for more information on using the “Uninstall Control” option.
11. Operational confirmation
Check whether the user's PC successfully reflects the settings of the group policy.
About Group policy
Group policy allows dividing of service settings for various groups.
For more information, see Group policy settings.
From the menu on the left side of the screen, click the "PC" icon and then click "Service setting".
11-1. Group policy reflection confirmation
There are three types of group policy status: "Reflected", "Unreflected", and "Old policy is reflected".
Group policy reflection status
Reflected: The latest group policy is reflected on the PC.
Unreflected: The group policy has not been reflected on the PC.
Old policy is reflected: The old group policy is reflected on the PC.
The following is the procedure to confirm the group policy.
Click on the group policy you wish to review.
Click on the "PC list" tab.
Click on the pull-down under "Status."
Next, click on "Unreflected".
A list of PCs to which the group policy has not yet been applied is displayed.
The "Unreflected" status is indicated by an "X" mark.
Info
To check "Old policy is reflected" status
Clicking "Old policy is reflected" in the "Status" pull-down displays a list of PCs that reflect the old group policy.
If an old policy is reflected, it is indicated by a "warning mark".
When a group policy is changed or another group policy is applied, the "old policy is reflected" status is set.
To check the "Reflected" status
Clicking "Reflected" in the "Status" pull-down displays a list of PCs with the latest group policy reflected.
If the latest group policy is reflected, it is indicated by a "check" mark.
How to reflect the settings on your PC
The Group Policy setting is reflected when the target PC is connected to the network and logs on.
The installation procedure is described above.
12. Additional Information
12-1. Two-factor authentication method for YubiOn Portal site
During login to the YubiOn Portal using two-factor authentication, the member's email address, password, and YubiKey are required.
Info
Only the representative (the first user to register for the YubiOn Portal) can be logged in with only a password if a YubiKey has not been assigned.
Access the login page.
Enter your email address in the email address field and click the Confirm button.
Enter the password in the password field.
Plug the YubiKey into the USB port.
Click the YubiKey input field and tap the YubiKey.
*The YubiKey's one-time password will be entered automatically and the user will be logged in.
After logging in, the "Dashboard" will be displayed.
12-2. Batch deletion method
Members registered via CSV can be deleted in a batch by specifying their e-mail addresses.
Scope of bulk member deletion
Delete member information.
Unassign members and groups.
Unassign members and YubiKey. (YubiKey itself will not be deleted.)
PC and account information will not be deleted.
Click on "Member management" from the menu on the left side of the screen.
Click on the "Batch delete members" icon.
Download the CSV file for batch deletion.
Click the "Download" icon to download the CSV file for bulk deletion.
Save the "member_deletion.csv" file to any location.
Open the "member_deletion.csv" file and enter the e-mail address of the member you wish to delete.
Select a CSV file.
Click on the "Choose File" button.
Select the CSV file and click the "Open" button.
Selecting a file displays the CSV file name and the member information to be deleted.
If all is correct, click the "Delete" button.
If the member is successfully deleted
A list of members is displayed.
If there is a problem with the content of the CSV
If there is a problem with the content of the CSV, it cannot be deleted.
Correct the file and run the deletion again.