Keyless Workforce Access can be configured at install time via the command line at install time, or manually via the Keyless Login Manager.

Keyless Login Manager

Keyless Login Manager is installed as part of the product installation flow and can be accessed with administrator privileges by searching for "Keyless Login Manager" application in Windows.

Initial Configuration

After MSI installation, unless you supplied command line configuration parameters, the following configuration is applied:

• Activate Keyless authentication: (Disabled by default) To enable Keyless Workforce Access, make sure this option is checked. If at any time you wish to disable Keyless Workforce Access on this workstation you may simply uncheck this option. Note: that activation will have no effect unless the following three fields are defined.

• Service Host: (Undefined by default) The URL to the service host, provided to you by Keyless.

• Tenant Name: (Undefined by default) Your organization's tenant name, provided to you by Keyless.

• API Key: (Undefined by default) This is specific to your Keyless tenancy and will be provided to you by Keyless.

• Log File: the location in which you would like to save the logs produced by Keyless Workforce Access. By default this option will save logs to a sub-folder of the installation path.

• Log Level: (Default 4) The level of log detail that will be saved (1-least detailed, 5-most detailed).

• Enable Passwordless Login: (Enabled by default) Check this option to allow Windows authentication via Keyless only (no password input required) on this workstation. If the option is not checked, Windows authentication will require user's password and Keyless as an additional factor.

Click "Apply" to save your changes.

Group Assignment to Keyless authentication

The Group Assignment tab allows optional assignment of specific groups to Keyless authentication.

By default all local user and all Active Directory users who are not administrators are assigned to Keyless authentication.

To include admins for Keyless authentication, uncheck the "Exclude Admins from Keyless Authentication" checkbox. Note: excluding administrators is highly recommended as part of the initial deployment.

To apply Keyless Workforce Access only on specific Active Directory groups on this workstation, select "Assign Keyless authentication on following group(s)" option in the dropdown under "Keyless Policy".

Next, click the "+" or "-" buttons on the right to add or remove Active Directory or local groups:

Use the dropdown labeled "From this location" to select between Active Directory and local groups.

Click the "Show All" button to display a list of all groups. From here the groups required can be selected.

Click "OK" to complete the group selection.

The Keyless Login Manager will display the groups that Keyless Workforce Access will be enabled on.

Testing Your Configuration

After you've configured Keyless Workforce Access and defined the set of users that will require Keyless authentication on this machine, you can test Keyless for specific users from the Test Authentication tab.

To validate your configuration, enter the User Principal Name of a user who has previously enrolled a trusted device for Keyless authentication and click "Test".

This should trigger an authentication request on the trusted device. Presenting the user's face and completing authentication will result in the message shown above.

Failure to authenticate will time out the test after 60 seconds.

That's it, Keyless Workforce Access is deployed and configured for this workstation.