How to configure Keyless Workforce Access after installation.
Keyless Workforce Access can be configured at install time via the command line, or manually afterwards via the Keyless Login Manager.
Administrator privileges are required to configure Keyless Workforce Access.
Keyless Login Manager is installed as part of the product installation flow and can be accessed with administrator privileges by searching for the "Keyless Login Manager" application in Windows.
By default Keyless Login Manager is installed in the C:\Program Files\Keyless Technologies\Bin\ directory.
After MSI installation, unless you supplied command line configuration parameters, the following configuration is applied:
- Activate Keyless authentication: (Disabled by default) To enable Keyless Workforce Access, make sure this option is checked. To disable Keyless Workforce Access on this workstation at any time, uncheck this option. Note that activation has no effect unless the following three fields are defined.
- Service Host: (Undefined by default) The URL to the service host, provided to you by Keyless.
- Tenant Name: (Undefined by default) Your organization's tenant name, provided to you by Keyless.
- API Key: (Undefined by default) This is specific to your Keyless tenancy and will be provided to you by Keyless.
- Log File: The location in which you would like to save the logs produced by Keyless Workforce Access. By default this option will save logs to a sub-folder of the installation path.
- Log Level: (Default 4) The level of log detail that will be saved (1 = least detailed, 5 = most detailed).
- Enable Passwordless Login: (Enabled by default) Check this option to allow Windows authentication via Keyless only (no password input required) on this workstation. If the option is not checked, Windows authentication will require the user's password, with Keyless as an additional factor.
Click "Apply" to save your changes.
Example completed configuration
The Group Assignment tab allows optional assignment of specific groups to Keyless authentication.
By default, all local users and all Active Directory users who are not administrators are assigned to Keyless authentication.
Keyless Workforce Access is applied to all users except for Administrators by default.
To include admins for Keyless authentication, uncheck the "Exclude Admins from Keyless Authentication" checkbox. Note: excluding administrators is highly recommended as part of the initial deployment.
To apply Keyless Workforce Access only to specific Active Directory groups on this workstation, select the "Assign Keyless authentication on following group(s)" option in the dropdown under "Keyless Policy".
Next, click the "+" or "-" buttons on the right to add or remove Active Directory or local groups:
Select which AD groups you would like to enable Keyless on.
Use the dropdown labeled "From this location" to select between Active Directory and local groups.
Click the "Show All" button to display a list of all groups, then select the required groups from the list.
Click "OK" to complete the group selection.
The Keyless Login Manager will display the groups that Keyless Workforce Access will be enabled on.
Group Assignment with a single local group chosen for Keyless authentication
After you've configured Keyless Workforce Access and defined the set of users that will require Keyless authentication on this machine, you can test Keyless for specific users from the Test Authentication tab.
Testing your configuration on an enrolled user.
To validate your configuration, enter the User Principal Name of a user who has previously enrolled a trusted device for Keyless authentication and click "Test".
This should trigger an authentication request on the trusted device. Presenting the user's face and completing authentication will result in the message shown above.
Failure to authenticate will time out the test after 60 seconds.
Make sure that the user you are testing on has already enrolled with Keyless. The test will send a push notification to the Keyless app on the user's mobile device.