07-15-2022 01:22 PM
I know the subject sounds strange, but we are wanting to set up some users that strictly use hard tokens, and we don’t want them to have the capability to enroll their personal phone if the opportunity got presented to them by someone.
If not, we thought about running a script: if users aren’t in certain groups, then delete the phone out of Duo, and have it check via the API on scheduled tasks.
07-20-2022 07:38 AM
@cedstrom A group policy applied to GroupB has no effect on GroupA members (who are not also members of GroupB).
Example where any user can use Push for an application unless they are in GroupB, in which case they must use YubiKeys:
Example where most users can use any authentication method, but GroupA can only use Duo Push and members of GroupB can only use Yubikeys:
@Gigawatt
Removing an authentication method via policy also prevents enrollment of that method during inline enrollment (as in, enrollment while authenticating to that particular application). Since group policies can only be applied to users who exist in Duo, an application or global policy that restricts Duo Push would also prevent new users (unknown to Duo) from enrolling a Push device during inline enrollment.
But, since users can’t self-enroll hardware tokens during Duo enrollment anyway, you would have had to create those users in Duo somehow to then assign them the hardware token. Since the users already exist, they would not see first-time enrollment (so no way to enroll a different method via that path).
If you allow self-service device management on that application and have applied a group policy that restricts GroupB members to hardware tokens, then those users aren’t able to enroll other methods not allowed by their effective policy in device management.
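The scheduled audit the original poster describes, as an added example (not code from this thread or from Duo): it runs over user records in the shape the Duo Admin API returns for users (the fields `username`, `groups[].name`, `phones[]` and `tokens[]` are an assumption for this example), flags anyone in the token-only group who still has a phone enrolled, and anyone in that group with no hardware token at all, so findings can be reviewed before any phone is removed. Fetching users and removing phones through the Admin API client is not shown.

```python
"""Audit Duo users against a hardware-token-only group policy.

Input records mirror the fields the Duo Admin API returns for users
(username, groups[].name, phones[], tokens[]); that shape is an assumption
for this example, and the sample data below is constructed.
"""
from dataclasses import dataclass, field

TOKEN_ONLY_GROUP = "GroupB"  # group whose policy allows only hardware tokens


@dataclass
class Finding:
    username: str
    issue: str                  # "phone_enrolled" or "no_token"
    phone_ids: list = field(default_factory=list)


def in_group(user: dict, group_name: str) -> bool:
    return any(g.get("name") == group_name for g in user.get("groups", []))


def audit_token_only(users: list, group_name: str = TOKEN_ONLY_GROUP) -> list:
    """Return findings for token-only users whose devices contradict the policy.

    A phone on a token-only user is a second factor the policy does not allow
    (enrolled before the policy, or via another application); a token-only
    user with no token would be locked out once the policy applies.
    """
    findings = []
    for user in users:
        if not in_group(user, group_name):
            continue  # a policy on GroupB has no effect on other users
        phone_ids = [p["phone_id"] for p in user.get("phones", [])]
        if phone_ids:
            findings.append(Finding(user["username"], "phone_enrolled", phone_ids))
        if not user.get("tokens"):
            findings.append(Finding(user["username"], "no_token"))
    return findings


# Constructed sample resembling Admin API user output (IDs are placeholders).
SAMPLE_USERS = [
    {"username": "alice", "groups": [{"name": "GroupB"}],
     "phones": [{"phone_id": "DPXXXXXXXXXXXXXXXXXX"}], "tokens": [{"token_id": "DHXXXXXXXXXXXXXXXXXX"}]},
    {"username": "bob", "groups": [{"name": "GroupB"}], "phones": [], "tokens": []},
    {"username": "carol", "groups": [{"name": "GroupA"}],
     "phones": [{"phone_id": "DPYYYYYYYYYYYYYYYYYY"}], "tokens": []},
    {"username": "dave", "groups": [{"name": "GroupB"}], "phones": [], "tokens": [{"token_id": "DHYYYYYYYYYYYYYYYYYY"}]},
]

if __name__ == "__main__":
    for f in audit_token_only(SAMPLE_USERS):
        print(f"{f.username}: {f.issue} {f.phone_ids or ''}")
```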
07-19-2022 05:45 AM
Hey @Gigawatt ! If you’re looking to restrict authentication methods available to certain groups of users, this is actually something you can do using the Authentication Methods policy in the Duo Admin Panel. You would need to create Group that contains these users and then a Group-level policy that targets the folks you only want to use hardware tokens.
The article Can I disable an authentication method? has a screenshot and some additional information about this as well.
Hope that helps!
Tab
07-19-2022 06:24 AM
If we have GroupA as users of mobile devices and GroupB as users of Yubikeys, and we set the group policy for GroupB to restrict authentication methods, how does that affect GroupA if at all?
07-19-2022 06:28 AM
This is great, nice articles. The only thing I don’t see…maybe I missed it, but it wouldn’t prevent them from enrolling though. I guess it wouldn’t really matter if we just only allow just hard tokens. Just trying to look at this from a least priv perspective.
09-30-2022 12:00 PM
Thanks for this and sorry for the super late reply.
We are applying a policy within the selected application (ADFS), then applying the group policy for TokenOnly and PhoneOnly (deskphone) for certain departments and having them point to a certain group in AD.
Thanks again for this clarity!