I am currently setting up DUO for Windows logon/RDP for all critical servers of a customer. Everything is working fine so far.
However, there is one "user-experience" issue that we are unsure about. The customer wants to use the Offline Access feature (https://duo.com/docs/rdp#offline-access) and we were able to successfully test this for one of the servers.
However, we just realized (while setting this up for a second server) that you have to create a new Offline Access User/Account within the DUO mobile app for every additional server/endpoint (you are being prompted to scan a QR code and in turn create a new Offline Access account within the DUO mobile app for every new server you want to use this on). Since we are setting this up for access to critical servers, it would mostly be the same few people needing access to multiple different servers (10+). That would obviously lead to a huge amount of Offline Access Accounts within those people's DUO mobile app. The more servers they add the more confusing it gets within the DUO mobile app, having to search for the correct Offline Access account for the correct passcode.
Hence the question: is there any way to use only a single offline access account within the user's DUO mobile app for ALL the different servers that have DUO for Windows logon/RDP deployed? (Is it possible to consolidate multiple DUO mobile offline accounts into one within the same DUO mobile app?)
I would really appreciate some input on this, thanks a lot for your help in advance!
The offline access feature wasn't designed as an admin fail-safe for multiple server access. Its primary use case is to ensure users have access to their Windows systems during temporary offline periods. Read more about the use case in the Duo Blog: