Large-Scale implementation

In this procedure the administrator installs the software on each PC through kitting, Active Directory, or a similar method, and registers the required information in a batch on the YubiOn Portal site. Large-scale implementations are intended for deployments of anywhere from one to a hundred or more PCs. Be sure to read the notes before proceeding with the implementation.

1. Note

  • Be sure to check the system requirements before proceeding with the implementation.

  • Check here for available YubiKeys.

  • The setup of the PC requires Windows administrative privileges.

  • Do not change the Slot 1 configuration of the YubiKey.
    A YubiKey has two configurable slots, used for features such as One-Time Password (OTP) and challenge-response (used for offline authentication).

    • Slot 1: shipped configured for Yubico OTP.
      If you change the Slot 1 configuration, the key can no longer be used with YubiOn Portal.

    • Slot 2: shipped unconfigured.
      Offline authentication requires a challenge-response configuration in Slot 2.

  • Prior preparation is required to enable offline authentication of the PC.
    Before distributing YubiKey to users, please refer to YubiKey offline settings to configure YubiKey.

2. Implementation flow

Portal registration [Administrator action]: Register on YubiOn Portal, then contact us to switch to the paid version.
Software distribution [Administrator action]: Install the software on each PC via kitting, Active Directory Group Policy, or a similar method.
Batch registration [Administrator action]: Register member, YubiKey and PC information in a batch from a CSV file.
Service settings [Administrator action]: Configure the service settings for two-factor authentication.
PC auto setup [User action]: Setup completes automatically when the user logs on to the PC while it is connected to the network.
Start of use

3. YubiOn Portal registration

Skip this step if you have already registered.

3-1. New registration

Register your customer information on the YubiOn Portal registration page.

The first person to register on YubiOn Portal becomes the representative of your organization.

A registration approval email is sent after you register.
Click the approval link in it.

Registration Approval Email


3-2. First login

From the login screen, login with your registered email address and password.

YubiOn Portal login screen

Password entry form

Enter the correct email address and password to login to YubiOn Portal.

About customer login
Only the organization’s representative (the person who registered first on YubiOn Portal) can log in with a password alone. Once a YubiKey has been registered for the representative, the two-factor authentication login form is shown instead.
Note: If every YubiKey is unassigned from the representative again, the password-only customer login form reappears.

The first time you log in, a simple settings screen appears.

First time login screen (Simple settings screen)


4. Simple settings

Skip this step if you’ve already done the simple settings.

Simple settings screen


4-1. YubiKey registration

Set your YubiKey for login. Next time you log in to YubiOn Portal, you will need the YubiKey you set here.

4-2. Selection of settings

Click “You do not configure your PC…”, because this procedure does not set up the operator’s own PC.

Once you skip this setting, the simple settings screen is not shown on subsequent logins.


5. Switching to the paid version

Customers who are already using the paid version should skip this step.

This implementation procedure depends on paid-version functionality.
If you would like to evaluate the paid version or switch to it, please contact us here.

Note: When you contact us, please tell us the following
1. That you want to switch to (or evaluate) the paid version
e.g. “I am considering a large-scale implementation and would like to switch to the paid version.” (or “I would like to evaluate it.”)
2. Which PC identification ID to use. YubiOn Portal identifies each PC by either its SID or its UUID; choose the one that will be unique across every PC you deploy (see the kitting note in section 6-2).
e.g. “Use the SID (or: the UUID) as the PC identification ID” (answer with one of the two)

If you have any other questions, please contact us.
We will propose the best settings for your operational situation.

The following description assumes a paid version.

6. Setup

These are the steps the administrator performs for each PC.
To set up two-factor authentication on a PC, the Windows Logon Service application (hereinafter “Client Tools”) must be installed.

Before Use
Please be sure to check the system requirements before installing the software.
The installation requires Windows administrative privileges.


6-1. Software downloads

Click the “PC” icon from the menu on the left side of the screen and click “Download”.

Click the “Download” button.

Save the installer to any location.
If the PC you downloaded on and the PC you want to configure are different, copy the installer to the target PC.

About downloading
A 32-bit or 64-bit download button is displayed according to the PC you are using.

If you want to download the tools for a different architecture
Click “Download tools for different architecture”; a download button for the other architecture is displayed.
Download the tools that match the architecture of the target PC.


6-2. Software Installation

YubiOn Portal has no automatic software distribution function. Distribute and install the “WlsInstaller_x64.msi” or “WlsInstaller_x86.msi” installer on each PC using one of the following methods:

  • Distribution by PC kitting
  • Distribution by Active Directory Group Policy
  • Distribution by Other Services

Note on kitting PCs
YubiOn Portal identifies each PC by its SID or UUID, so every PC you kit must have a unique one. In particular, PCs deployed from a disk image that was not generalized (sysprep) all share the image’s machine SID; generalize the image, or use the UUID instead.
You choose which PC identification ID to use when contacting us to switch to the paid version.


6-3. Distribute YubiKey to users

After the software installation on each PC is complete, distribute the YubiKey to the users.

Check before YubiKey distribution
Prior preparation is required to enable offline authentication of the PC.
Before distributing YubiKey to users, please refer to YubiKey offline settings to configure YubiKey.


7. Batch registration

Register user information of YubiOn Portal in CSV format.

7-1. Download the CSV

From the menu on the left side of the screen, click the “Users” icon.

Click the “Register Kitting CSV” button on the right side of the member management screen.

Click the “Download CSV Sample” button.

Save to any location.

7-2. CSV input

Open the downloaded “member_machine_registration_sample.csv”.
The explanation below assumes the file is opened in Excel.

View in Excel

Input the registration information with reference to the CSV file format below.
When the registration is complete, please save the file.

About the CSV file format
Opened in a text editor, the fields are separated by commas.
Columns 1 to 5 (A to E) hold member (user) information, column 6 (F) the YubiKey, and columns 7 to 10 (G to J) the PC. YubiOn Portal’s two-factor authentication service works by linking a member (user), a YubiKey, and a PC account through these rows.

Column A (1st): ID (optional)
An identifier you manage yourself, such as an employee number. (Alphanumeric characters, hyphen “-” and underscore “_”)

Column B (2nd): Member name [Required]
The user’s name. (Japanese, alphanumeric characters and symbols)

Column C (3rd): Email address [Required]
The member’s email address. (Email address format)

Column D (4th): Group name (optional)
The name of the group the member belongs to. (Japanese, alphanumeric characters and symbols)
Groups assign users (members) to a group and are used to divide and filter users, for example into sales and development.

Column E (5th): Administrator flag [Required]
Enter one of the following numbers.
0: General (access to the management site only)
1: Administrator (permission to access, register, edit and delete on the management site)

Column F (6th): YubiKey serial number [Required]
The “Serial Number” printed on the back of the YubiKey. (Half-width digits)

Column G (7th): OS type of the PC [Required]
Enter “Windows” or “macOS*”.
(*) macOS support is an option of the paid version. Please contact us for availability.

Column H (8th): PC identification ID [Required]
The SID or UUID of the PC, using the ID type you selected when enquiring about switching to the paid version.

How to check the PC identification ID
Windows
SID: run “whoami /user” at a command prompt and drop the last component (the RID) of the SID shown.
e.g. if the output is “S-1-5-21-000000000-000000000-000000001-100”,
the PC SID is “S-1-5-21-000000000-000000000-000000001”
Note: “whoami /user” shows the SID of the account you are logged on with. For a domain account the part before the RID is the domain’s SID, which is the same on every PC in the domain; run the command while logged on with a local account to get the PC’s own SID.

UUID: run “wmic csproduct get uuid” at a command prompt.
(“wmic” is deprecated in current Windows releases; in PowerShell, “Get-CimInstance Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID” returns the same value.)

macOS
UUID: run “system_profiler SPHardwareDataType” in a terminal and use the “Hardware UUID” line.
e.g. Hardware UUID: “uuuuuuuu-uuuu-iiii-dddd-dddddddd”

Column I (9th): PC name [Required]
The Windows or macOS device name. (Alphanumeric characters)

Column J (10th): Account name [Required]
The Windows or macOS account name. (Alphanumeric characters)
When registering an AD account
Enter “short-domain-name\account name”.
e.g. for the domain “demo.example.com”:
demo\accountName

If the same email address is registered more than once
If an email address appears on more than one row of the CSV, or is already registered, the PC, account and YubiKey on those rows are assigned to that one member.
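The column rules above, together with the problems the portal flags at registration time (full-width characters, stray spaces, malformed email addresses, a non-numeric administrator flag) and the kitting rule that PC identification IDs must not be duplicated, can all be checked before the file is uploaded. The following Python script is an added example written for this page; it is not part of YubiOn Portal or its Client Tools. The sample rows are constructed, the assumption that the sample file begins with a header row is mine, and the regular expressions (in particular the loose email check and the hyphen allowed in PC names) should be adjusted to the sample file you actually download. It also derives the PC SID from a “whoami /user” account SID as described under column H.

```python
import csv
import io
import re

# Column order of member_machine_registration_sample.csv as described in section 7-2 (A to J)
COLUMN_LETTERS = "ABCDEFGHIJ"
# Columns the page restricts to half-width characters; B (name) and D (group) may contain Japanese
HALF_WIDTH_COLUMNS = set("ACFGHIJ")

INPUT_ID_RE = re.compile(r"^[A-Za-z0-9_-]*$")             # optional: alphanumerics, "-" and "_"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")       # loose email-format check (assumption)
SERIAL_RE = re.compile(r"^[0-9]+$")                       # [0-9] on purpose: \d also matches full-width digits
SID_RE = re.compile(r"^S-1-5-21-[0-9]+-[0-9]+-[0-9]+$")   # PC SID = whoami /user SID without its trailing RID
UUID_RE = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")
PC_NAME_RE = re.compile(r"^[A-Za-z0-9-]+$")               # hyphen allowed (assumption)
# "account" or "SHORTDOMAIN\account"; the prefix admits "." so that an FQDN can be reported as its own error
ACCOUNT_RE = re.compile(r"^(?:[A-Za-z0-9._-]+\\)?[A-Za-z0-9._-]+$")

# Constructed sample (not from the page): a header plus four rows, the last two deliberately broken.
# Row 5's serial contains a full-width digit, the kind of mistake Excel input easily introduces.
SAMPLE_CSV = """\
ID,Name,Email,Group,Admin,Serial,OS,PC ID,PC Name,Account
EMP-001,Alice Example,alice@example.com,Sales,1,12345678,Windows,S-1-5-21-1000000001-2000000002-3000000003,SALES-PC01,demo\\alice
EMP-002,Bob Example,bob@example.com,Sales,0,23456789,Windows,S-1-5-21-1000000001-2000000002-3000000004,SALES-PC02,demo\\bob
EMP-003,Carol Example,carol@example.com,Dev,0,34567890,Windows,S-1-5-21-1000000001-2000000002-3000000004,DEV-PC01,demo.example.com\\carol
EMP-004,Dan Example,dan@example,Dev,admin,4567890１,Windows,S-1-5-21-1000000001-2000000002-3000000005-1001,DEV-PC02, dan
"""


def machine_sid_from_account_sid(account_sid: str) -> str:
    """S-1-5-21-<a>-<b>-<c>-<RID> (as printed by `whoami /user`) -> S-1-5-21-<a>-<b>-<c> (the PC SID)."""
    parts = account_sid.strip().split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError(f"not an S-1-5-21 account SID: {account_sid!r}")
    return "-".join(parts[:7])


def validate_kitting_csv(text: str, pc_id_kind: str = "SID", has_header: bool = True) -> list:
    """Return (line_number, column_letter, message) tuples for every problem found.
    pc_id_kind is "SID" or "UUID", whichever was agreed when switching to the paid version;
    has_header=True assumes the sample file starts with a header row (an assumption)."""
    id_re = SID_RE if pc_id_kind == "SID" else UUID_RE
    errors = []
    names_by_pc_id = {}   # pc_id -> {pc_name: first line}; one ID with two names suggests a cloned SID/UUID
    owner_by_serial = {}  # YubiKey serial -> email of the member it was first assigned to

    for line_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if (has_header and line_no == 1) or not row:
            continue
        if len(row) != 10:
            errors.append((line_no, "-", f"expected 10 columns, found {len(row)}"))
            continue
        for col, value in zip(COLUMN_LETTERS, row):
            if value != value.strip():
                errors.append((line_no, col, "unnecessary leading/trailing spaces"))
            if col in HALF_WIDTH_COLUMNS and not value.isascii():
                errors.append((line_no, col, "full-width or other non-ASCII characters"))
        input_id, name, email, _group, admin, serial, os_name, pc_id, pc_name, account = (v.strip() for v in row)

        if not INPUT_ID_RE.fullmatch(input_id):
            errors.append((line_no, "A", "ID may contain only alphanumerics, '-' and '_'"))
        if not name:
            errors.append((line_no, "B", "member name is required"))
        if not EMAIL_RE.fullmatch(email):
            errors.append((line_no, "C", "email address format is invalid"))
        if admin not in ("0", "1"):
            errors.append((line_no, "E", "administrator flag must be 0 or 1"))
        if not SERIAL_RE.fullmatch(serial):
            errors.append((line_no, "F", "YubiKey serial must be half-width digits"))
        if os_name not in ("Windows", "macOS"):
            errors.append((line_no, "G", "OS type must be Windows or macOS"))
        if not id_re.fullmatch(pc_id):
            if pc_id_kind == "SID" and pc_id.count("-") == 7 and SID_RE.fullmatch(pc_id.rsplit("-", 1)[0]):
                errors.append((line_no, "H", "this is an account SID; strip the trailing RID to get the PC SID"))
            else:
                errors.append((line_no, "H", f"not a valid {pc_id_kind}"))
        if not PC_NAME_RE.fullmatch(pc_name):
            errors.append((line_no, "I", "PC name must be alphanumeric"))
        if not ACCOUNT_RE.fullmatch(account):
            errors.append((line_no, "J", "account must be 'account' or 'SHORTDOMAIN\\account'"))
        elif "\\" in account and "." in account.split("\\", 1)[0]:
            errors.append((line_no, "J", "use the short domain name, not the FQDN, before the backslash"))

        # Cross-row checks: the portal keys PCs on the identification ID, so a duplicate breaks registration
        seen_names = names_by_pc_id.setdefault(pc_id, {})
        if seen_names and pc_name not in seen_names:
            errors.append((line_no, "H", f"{pc_id_kind} already used on line {min(seen_names.values())} "
                                         f"for {', '.join(seen_names)}: duplicate PC identification ID?"))
        seen_names.setdefault(pc_name, line_no)
        if serial in owner_by_serial and owner_by_serial[serial] != email:
            errors.append((line_no, "F", f"YubiKey serial already assigned to {owner_by_serial[serial]}"))
        owner_by_serial.setdefault(serial, email)
    return errors


if __name__ == "__main__":
    for line_no, col, msg in validate_kitting_csv(SAMPLE_CSV):
        print(f"line {line_no}, column {col}: {msg}")
```

Run against the constructed sample, rows 2 and 3 pass, row 4 is reported for reusing row 3’s SID under a different PC name and for an FQDN account prefix, and row 5 is reported for its email, administrator flag, full-width serial digit, unstripped RID and leading space. A row with the same email on two lines is deliberately not an error, since the page states such rows are assigned to the same member.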

7-3. CSV batch registration

Login to the YubiOn Portal site.

Click the “Users” icon from the menu on the left side of the screen.

Click the “Register kitting CSV” button on the right side of the member management screen.

Click on “Select File”.

Click on the “member_machine_registration_sample.csv” file and click the “Open” button.

Review the values shown in the registration list; if none of the following problems are present, click the “Register” button.

  • Full-width characters in fields that require half-width alphanumerics
  • Unnecessary spaces or stray strings
  • Email addresses in an invalid format
  • Administrator column* not given as a number
    (*) Members registered as administrators show a “check mark” in the administrator column; general members show a “-”.

Click the “OK” button on the registration completion message.
When the member listed in the CSV file is displayed in the member list, the batch registration is complete.

In case of a registration error
If the CSV contains a mistake, a warning icon appears on the confirmation screen. Hover over the icon to see the error.
Correct the CSV file as instructed and register it again.

If you want to correct the data immediately after batch registration completes
Refer to “Batch deletion method” to delete the incorrect data in a batch, then register only the corrected rows from a CSV file.

If you want to correct data individually
Click here to correct member information.
Click here to assign a YubiKey.
Click here to unassign a YubiKey.
Click here to add an account.
Click here to delete an account.
Click here to assign an account and YubiKey.
Click here to unassign an account and YubiKey.
Note: The device name and device ID cannot be modified later. Refer to “Batch deletion method” to delete them in a batch and register them again from a CSV.


8. Service settings

In the service configuration screen, configure the settings for the two-factor authentication service.

8-1. General service settings

Click the “PC” icon from the menu on the left side of the screen.
Click on “Service Settings”.

Default service settings screen (paid version)


Configure the following settings to match your security policy

Configuration item | Contents | Default
1. Cache logon expiration date | Number of days for which offline authentication remains available | Disabled
2. Screen lock | Lock the screen when the YubiKey is unplugged | Disabled
3. Forced YubiKey logon | Require the YubiKey at PC logon | Disabled
4. Authentication failure lock | Lock the PC after a set number of failed logon attempts; the PC can also be unlocked automatically after a set time | Disabled
5. Automatic email notification | Email notification when PC status or service settings change | Enabled (recipient: representative)


In the initial view of the service settings, “Default Policy” is selected, and this step is based on it.

The “Default Policy” is applied to a PC when it registers.
About group policy
Group policy divides the service settings into multiple groups.
For more information, see Group Policy Settings.
About the Master Key
The Master Key is a function that lets one YubiKey log on to every PC and every account. Because it does exactly that, treat a Master Key as a privileged credential and store and issue it accordingly.
For more information, see Master Key Settings.

Reflecting the group policy on the PC
Group policy settings will be reflected when you log on while the target PC is connected to the network.


8-2. Cache logon settings

Setting an expiration date for offline authentication allows a user to log on offline for the specified number of days after the last successful PC logon. If disabled, logon is not possible in an environment without a network connection.

YubiKey offline settings are required to use the cache logon function.

Click the radio button of “Enable” and input the expiration date.

Click the “Update” button.

About offline authentication
- To enable offline authentication, the PC must first authenticate online successfully once.
- Every successful logon renews the offline authentication period.
 e.g. with the offline expiration set to 3 days:
   a successful logon on April 1 enables offline authentication from April 1 to April 3;
   a successful logon within that period extends it for another 3 days from the date of that authentication.
- Users should ask their administrator for the configured offline expiration.

If you want to make the cache logon deadline indefinite
The paid option “Cache Logon Indefinitely” allows you to set the number of days of validity of cache information indefinitely.

To purchase the “Cache Logon Indefinitely” option, please contact us here.


8-3. Screen lock settings

With screen lock enabled, you can lock the screen automatically when you unplug the YubiKey from the PC’s USB port.

Check the “Lock screen when unplugging YubiKey.” checkbox.

It is set to disabled by default

Click the “Update” button.

8-4. Forced YubiKey logon settings

Set to force logon using YubiKey at PC logon.

Check the “Force a logon using YubiKey.” checkbox.

It is set to disabled by default

Click the “Update” button.

8-5. Authentication failure lock settings

When you enable the authentication failure lock setting, you can prevent the PC from logging on after a certain number of failed logon attempts.

Check the “Lock the PC…” checkbox.

It is set to disabled by default

Input the number of attempts to lock the PC.
Click the “Update” button.

About the PC lock
The state in which the PC can no longer be logged on to is called a “PC lock”.
See how to unlock the PC lock state.


8-6. Unlock settings after an authentication failure lock

Check the “Unlock in a certain amount of time after authentication failure lock” checkbox.

It is set to disabled by default

Input the time (in minutes) to unlock the PC.
Click the “Update” button.

About the timing of the PC unlock
Once the specified time has elapsed since the lock occurred, restart the PC while it is connected to the network to unlock it.


8-7. Automatic email notification settings

When the status of a PC or the service settings change, the members registered in the notification settings are notified automatically. By default, the representative is the recipient.

Click the settings icon in the top right corner of the service settings screen, then click “Email notification settings”.

Toggle the notification settings on or off.

Check the notification items you want to receive.

The default is set to notify the representative

Click the “Update” button.

About notification
If “When the PC is locked or unlocked” is checked
Notifies which PC has changed to which state.

If “When changing service settings” is checked
Notifies you of any changes in service settings, such as cache logon settings.
If you want to change the mail recipient
Click here for instructions on how to change email recipients.


9. Automatic setup of each PC by the user

The end user completes the setup automatically by logging on to the PC while connected to the network.

Conditions for automatic setup
1. The software installation on the PC is already complete
2. CSV batch registration on YubiOn Portal site must be completed
3. Logging on to a PC in the state of being connected to the network

The automatic setup is completed by the first logon, which uses the Windows password only.
If the automatic setup succeeds, two-factor authentication applies from the next logon.

For more information on user operations, see How to use Windows logon (for large scale implementation).

If you do not want users to uninstall the software
The paid option “Uninstallation Control” hides the software from the list of installed applications in order to discourage uninstallation.

To purchase the “Uninstallation Control” option, please contact us here.


10. Operational confirmation

Check if the user PC reflects the settings of the group policy.

About Group Policy
Group policy is the function of dividing service settings into multiple groups.
For more information, see Group policy settings.

From the menu on the left side of the screen, click the “PC” icon and then click “Service Settings”.


10-1. About group policy status

There are three group policy reflection states: “Reflected”, “Unreflected”, and “Old policy is reflected”.

Group policy reflection state

  • Reflected: The latest group policies are reflected in the PC.
  • Unreflected: The group policy is not reflected in the PC.
  • Old policy is reflected: The old group policy is reflected in the PC.

10-2. Group policy reflection confirmation

Click on the group policy to confirm.

Click the “PC list” tab.

Click the lower pull-down of the state.
Then click “Unreflected”.

The list of PCs on which the group policy is not reflected is displayed.

“Unreflected” is indicated by an “X” mark.

If you want to check the “Old policy is reflected” status
Click “Old policy is reflected” in the status pull-down to list the PCs on which an old group policy is reflected.
- An old policy being reflected is indicated by a “warning mark”.
- A PC enters the “Old policy is reflected” state when you “Change Group Policy” or “Apply Another Group Policy”.

If you want to check the “Reflected” status
Click “Reflected” in the status pull-down to list the PCs on which the latest group policy is reflected.
- The latest group policy being reflected is indicated by a “check” mark.

How to reflect the settings on the PC
When you log on while the target PC is connected to the network, the group policy settings will be reflected.

That’s all for the implementation procedure.

11. Supplement


11-1. Two-factor authentication method for YubiOn Portal site

Logging in to the YubiOn Portal site requires two-factor authentication with the member’s (user’s) “email address”, “password” and “YubiKey”.

Only the representative (the person who registered first on YubiOn Portal) logs in with a password alone, and only while no YubiKey is assigned to them.

Access the login page.
Input your email address in the email address field and click the Confirm button.

Input the “password” in the password field.

Plug the YubiKey into the USB port.

Click the YubiKey input field and tap YubiKey.

When the YubiKey has emitted its one-time password, the form is submitted automatically and you are logged in.

After logging in, the “Dashboard” will be displayed.


11-2. Batch removal method

Members (users) registered from a CSV can be deleted in a batch by listing their email addresses in a CSV file.

About the scope of batch deletion of members
- The member information is removed.
- The member is removed from its group.
- The YubiKey is unassigned from the member. (The YubiKey registration itself is not removed.)
- PC information and account information are not deleted.

Click the “Users” icon from the menu on the left side of the screen.

Click on the “Batch delete member CSV” button.

Click the “Download CSV Sample File” button.

Save the “member_deletion.csv” file to the desired location.

Open the “member_deletion.csv” file.

Opened in Excel

If opened in a text editor, it will be separated by a comma.

Delete the sample data in the first (column A) and input the email addresses of the members (users) you want to delete in column A.

Save the file when you’re done.
Click the “Select File” button.

Click on “member_deletion.csv” and click the Open button.

Check the email address of the member you want to delete and click the “Delete” button.

Click the “OK” button when a confirmation message is displayed.
Click the “OK” button when the deletion completion message is displayed.

If the file contains an email address that is not registered, an error is reported.
Review the CSV content and perform the batch deletion again.