Medium-Scale implementation

In this procedure the administrator only configures the settings on the YubiOn Portal site; each user sets up their own PC. Medium-Scale implementation is intended for deployments of one to a hundred PCs. Please be sure to read the notes before proceeding with the implementation.

1. Note

  • Be sure to check the system requirements before proceeding with the implementation.

  • Check here for available YubiKeys.

  • The setup of the PC requires Windows administrative privileges.

  • Do not change the configuration of YubiKey Slot1.
    A YubiKey has two configurable slots that hold features such as One Time Password (OTP) and Challenge Response (used for offline authentication).

    • Slot1: The initial state is configured to Yubico OTP.
      If you change your Slot1 information, you will not be able to use it on YubiOn Portal.

    • Slot2: The initial state is unconfigured.
      If the offline authentication is used, a challenge response setting is required in Slot2.

  • Prior preparation is required to enable offline authentication of the PC.
    Before distributing YubiKey to users, please refer to YubiKey offline settings to configure YubiKey.

2. Implementation flow

1. Portal registration [Administrator action]: Register on YubiOn Portal. After registration, contact us to switch to the paid version.
2. Member registration / email notifications [Administrator action]: Register the users on YubiOn Portal and send them the setup notification email.
3. Setup [User action]: Change the password, register the YubiKey, and install the software on the PC.
4. Service settings [Administrator action]: Configure the service settings for two-factor authentication.
5. Start of use

3. YubiOn Portal registration

Skip this step if you have already registered.

3-1. New registration

Register your customer information at the YubiOn Portal registration page.

The first person to register on YubiOn Portal will be the representative of your organization.

You will receive a registration approval email upon new registration.
Click on the approval link.

Registration Approval Email


3-2. First login

From the login screen, login with your registered email address and password.

YubiOn Portal login screen

Password entry form

Enter the correct email address and password to login to YubiOn Portal.

About customer login
A representative who has registered in YubiOn Portal for the first time logs in with a password only.
Once the representative has registered a YubiKey, the two-factor authentication login form is presented instead.
Note: Once all YubiKeys have been unassigned from a representative, the customer (password-only) login form appears again.

The first time you log in, a simple settings screen appears.

First time login screen (Simple settings screen)


4. Simple settings

Skip this step if you’ve already done the simple settings.

Simple settings screen


4-1. YubiKey registration

Set your YubiKey for login. Next time you log in to YubiOn Portal, you will need the YubiKey you set here.

4-2. Selection of settings

Click on “You do not configure your PC…” as this procedure does not configure the operator’s own PC.

Once you skip this setting, the simple setting will not appear from the next time you log in.


5. Switching to the paid version

Customers who are already using the paid version should skip this step.

The implementation procedure is based on the use of the paid version of the function.
If you would like to examine the paid version or switch to a paid version, please contact us here.

The following description assumes a paid version.

6. Member registration

Register members (users) in YubiOn Portal in a batch from a CSV file.

Click on “Member Management” from the menu on the left side of the screen.

Click on the “Register CSV” icon.

Download the CSV file for batch registration.
Click the “Download” icon and download the CSV file for batch registration.

Save the “member_registration_sample.csv” file to the desired location.
Open “member_registration_sample.csv” and input your member information according to the format below.

When opened in Excel

About the CSV file format
If the file is opened in a text editor, the values are separated by commas. The columns are as follows.

Column A: ID (optional)
You can manage members by employee ID and so on. (Alphanumeric characters, hyphen “-” and underscore “_”)

Column B: Member name [Required]
Input the user’s name. (Japanese characters, alphanumeric characters and symbols)

Column C: Email address [Required]
Input the member’s email address. (Email address format)

Column D: Group name (optional)
Input the name of the group the member belongs to. (Japanese characters, alphanumeric characters and symbols)
A group is a function that assigns users (members) to a group. It is used to divide and filter users into groups such as sales and development.

Column E: Administrator flag [Required]
Input one of the following numbers to specify whether the member is an administrator:
“0”: General (will only be granted access to the management site)
“1”: Administrator (grants the permissions needed to access, register, delete, edit, etc., on the administration site)

After completing the CSV file, return to the administration screen.
Click the “Select File” button and select the CSV file.

Click on the CSV file and click the Open button.

When you select a file, it will display the CSV file name and the member information to be registered.

Click the “Register” button.

If the CSV registration is successful
The member list is displayed.

If there is a problem with the contents of the CSV
The file cannot be registered. Hover over the flagged item to see the error message, modify the CSV file accordingly, and register it again.
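Before uploading, an administrator may want to check the file against the column rules above and review which rows would be granted administrator rights (flag “1”). The following validator is an added example for this guide, not part of YubiOn; the sample rows are constructed, and the email check is a simplified shape check rather than the portal’s own rule.

```python
import csv
import io
import re

# Column layout of member_registration_sample.csv as described on the page:
# A: ID (optional; alphanumerics, "-" and "_"), B: member name (required),
# C: email address (required), D: group name (optional), E: admin flag (0 or 1, required).
# The rows below are constructed for this example; they are not real members.
SAMPLE_CSV = """E001,Taro Yamada,taro@example.com,Sales,0
E-002,Hanako Sato,hanako@example.com,Development,1
bad id!,,not-an-email,,2
"""

ID_RE = re.compile(r"^[A-Za-z0-9_-]*$")               # empty string allowed (optional column)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # simplified email shape check (assumption)

def validate_row(row, line_no):
    """Return a list of error strings for one row (an empty list means the row is fine)."""
    if len(row) != 5:
        return [f"line {line_no}: expected 5 columns, got {len(row)}"]
    member_id, name, email, _group, admin = (c.strip() for c in row)
    errors = []
    if not ID_RE.match(member_id):
        errors.append(f"line {line_no}: ID may only contain alphanumerics, '-' and '_'")
    if not name:
        errors.append(f"line {line_no}: member name is required")
    if not EMAIL_RE.match(email):
        errors.append(f"line {line_no}: invalid or missing email address")
    if admin not in ("0", "1"):
        errors.append(f"line {line_no}: administrator flag must be 0 or 1")
    return errors

def validate_csv(text):
    """Validate every non-blank row of the CSV text; returns (valid_rows, errors)."""
    valid_rows, errors = [], []
    for line_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not any(c.strip() for c in row):
            continue  # skip blank lines
        row_errors = validate_row(row, line_no)
        if row_errors:
            errors.extend(row_errors)
        else:
            valid_rows.append([c.strip() for c in row])
    return valid_rows, errors

def administrators(valid_rows):
    """Emails of rows that would receive administrator rights (flag 1); review before upload."""
    return [row[2] for row in valid_rows if row[4] == "1"]
```

Running validate_csv(SAMPLE_CSV) accepts the first two rows and reports four problems for the third; administrators() then lists only hanako@example.com.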


7. Setup

In this procedure each user (member) performs their own setup. The administrator sends a registration email to each member. The registration email contains a link to the “Easy Setup” screen, and each member can follow the on-screen instructions to complete the setup themselves.

7-1. Distribute YubiKey to users

Distribute a YubiKey to each member before sending the registration email for setup.

Check before YubiKey distribution
Prior preparation is required to enable offline authentication of the PC.
Before distributing YubiKey to users, please refer to YubiKey offline settings to configure YubiKey.


7-2. Leave the setup to each member

Instructions for sending a registration email for each member to set up.

About the setup procedure
See also “6-1. How to use Windows logon” for the setup procedure for each member.

Click on “Member Management” from the menu on the left side of the screen.

Click on “Registration email notifications”.

A list of IDs, member names, and email addresses is displayed in the member list.

Check the checkboxes of the members to be notified by email. (Multiple checks are allowed.)
Click the “Send” button.

If the email is sent successfully
The status item in the member list will show “Sending mail” or “Sent mail”. Once a user completes the setup from the link in the email, the status item in the member list changes to “Use Windows Logon Service”.

If emailing fails
The status item in the member list will be “Failed to send email”.
Please make sure that your email address is correct and send the email again.

If you don’t want the user to uninstall it
The paid option “Uninstallation Control” can be used to hide the software from the list of installed applications and discourage uninstallation.

For purchasing the “Uninstall Control” option, please contact us here.


8. Service settings

In the service configuration screen, configure the settings for the two-factor authentication service.

8-1. General service settings

Click the “PC” icon from the menu on the left side of the screen.
Click on “Service Settings”.

Default service settings screen (paid version)


Configure the following settings to match your security policy

Configuration item: Configuration contents (Default)

1. Cache logon expiration date: The number of days available for offline authentication. (Default: Disabled)
2. Screen lock: Lock the screen when the YubiKey is unplugged. (Default: Disabled)
3. Forced YubiKey logon: Force logon with YubiKey at PC logon. (Default: Disabled)
4. Authentication failure lock: Locks the PC after a certain number of failed logon attempts. The PC can also be unlocked automatically after a certain amount of time has passed. (Default: Disabled)
5. Automatic email notification: Email notifications when there is a change in PC status or service settings. (Default: Enabled, recipient: representative)


In the initial view of the service settings, “Default Policy” is selected.
This step is based on the “Default Policy”.

The “Default Policy” will be applied during PC registration.
About the Group policy
Group policy is the function of dividing service settings into multiple groups.
For more information, see Group Policy Settings.
About the Master Key
Master Key is the function that allows you to log on to all PCs and any account with one YubiKey.
For more information, see Master Key Settings.

Reflecting the group policy on the PC
Group policy settings will be reflected when you log on while the target PC is connected to the network.


8-2. Cache logon settings

Setting an expiration date for offline authentication allows you to log on offline for a specified number of days from the date of the last successful PC logon. If disabled, you will not be able to log on in environments without a network connection.

YubiKey offline settings are required to use the cache logon function.

Click the radio button of “Enable” and input the expiration date.

Click the “Update” button.

About offline authentication
- To enable offline authentication, the PC must be successfully authenticated online once.
- Each time the PC is successfully logged on, the offline authentication period is renewed.
  e.g. If the offline expiration date is set to 3 days:
    If the PC is successfully logged on on April 1st, offline authentication will be enabled from April 1st to April 3rd.
    If the PC is successfully logged on during the above period, it is effective for an additional 3 days from the date of successful authentication.
- Please contact your administrator for the offline expiration date.

If you want to make the cache logon deadline indefinite
The paid option “Cache Logon Indefinitely” allows you to set the number of days of validity of cache information indefinitely.

To purchase the “Cache Logon Indefinitely” option, please contact us here.
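The renewal rule in 8-2 is easy to get wrong at the edges (the day count includes the logon day, nothing is allowed offline before the first online success, and “Disabled” never allows offline logon). The following model is an added illustration for this guide, not YubiOn’s implementation; dates are passed as ISO strings and the year 2024 is a constructed sample value.

```python
from datetime import date, timedelta

# Model of the cache logon rule described in 8-2: after a successful logon the
# PC may be logged on offline for `expiry_days` days counted from that date
# (3 days from April 1st means April 1st through April 3rd), and any further
# successful logon inside the window restarts the count from that day.
# Added illustration only; not the product's code.
class CacheLogonWindow:
    def __init__(self, expiry_days):
        self.expiry_days = expiry_days  # None models the "Disabled" default
        self.last_success = None        # no successful authentication yet

    def valid_until(self):
        """Last calendar day (ISO string) on which offline logon is accepted, or None."""
        if self.last_success is None or self.expiry_days is None:
            return None
        return (self.last_success + timedelta(days=self.expiry_days - 1)).isoformat()

    def offline_allowed(self, today):
        """True if an offline logon on `today` (ISO string) falls inside the current window."""
        until = self.valid_until()
        if until is None:
            return False
        return self.last_success <= date.fromisoformat(today) <= date.fromisoformat(until)

    def logon(self, today, online):
        """Attempt a logon on `today`; any success (online, or offline inside the window) renews the window."""
        ok = online or self.offline_allowed(today)
        if ok:
            self.last_success = date.fromisoformat(today)
        return ok

def walk_through_example():
    """Replays the page's example: 3-day expiry, successful online logon on April 1st."""
    w = CacheLogonWindow(3)
    w.logon("2024-04-01", online=True)
    return {
        "valid_until": w.valid_until(),                      # "2024-04-03"
        "april_3_offline": w.offline_allowed("2024-04-03"),  # True
        "april_4_offline": w.offline_allowed("2024-04-04"),  # False
    }
```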


8-3. Screen lock settings

With screen lock enabled, you can lock the screen automatically when you unplug the YubiKey from the PC’s USB port.

Check the “Lock screen when unplugging YubiKey.” checkbox.

It is set to disabled by default.

Click the “Update” button.

8-4. Forced YubiKey logon settings

Set to force logon using YubiKey at PC logon.

Check the “Force a logon using YubiKey.” checkbox.

It is set to disabled by default.

Click the “Update” button.

8-5. Authentication failure lock settings

When you enable the authentication failure lock setting, you can prevent the PC from logging on after a certain number of failed logon attempts.

Check the “Lock the PC…” checkbox.

It is set to disabled by default.

Input the number of attempts to lock the PC.
Click the “Update” button.

About the PC lock
The state in which a PC can no longer be logged on to is called a “PC lock”.
See how to unlock the PC lock state.


8-6. Unlock settings after an authentication failure lock

Check the “Unlock in a certain amount of time after authentication failure lock” checkbox.

It is set to disabled by default.

Input the time (in minutes) to unlock the PC.
Click the “Update” button.

About the timing of the PC unlock
After a specified time has passed since the PC lock occurred, reboot the PC connected to the network to unlock the PC.


8-7. Automatic email notification settings

When there is a change in the status of the PC or service settings, it will automatically notify the members registered in the notification settings. By default, the representative is set as the recipient of the notification.

Click the settings icon in the top right corner of the service settings screen, and then click “Email notification settings”.

Toggles the enable/disable of the notification settings.

Check the notification items you want to receive.

The default is set to notify the representative

Click the “Update” button.

About notification
If “When the PC is locked or unlocked” is checked
Notifies which PC has changed to which state.

If “When changing service settings” is checked
Notifies you of any changes in service settings, such as cache logon settings.
If you want to change the mail recipient
Click here for instructions on how to change email recipients.


9. Operational confirmation

Check if the user PC reflects the settings of the group policy.

About Group Policy
Group policy is the function of dividing service settings into multiple groups.
For more information, see Group policy settings.

From the menu on the left side of the screen, click the “PC” icon and then click “Service Settings”.


9-1. About group policy status

There are three types of group policy reflection status: “Reflected”, “Unreflected”, and “Old policy is reflected”.

Group policy reflection state

  • Reflected: The latest group policies are reflected in the PC.
  • Unreflected: The group policy is not reflected in the PC.
  • Old policy is reflected: The old group policy is reflected in the PC.

9-2. Group policy reflection confirmation

Click on the group policy to confirm.

Click the “PC list” tab.

Click on the lower status pull-down and select “Unreflected”.

The list of PCs on which the group policy is not reflected will be displayed.

An “Unreflected” PC is indicated by an “X” mark.

If you want to check the “Old policy is reflected” status
If you select “Old policy is reflected” in the status pull-down, a list of PCs on which an old group policy is reflected will be displayed.
- If an old policy is reflected, the PC is displayed with a “warning” mark.
- If you “Change Group Policy” or “Apply Another Group Policy”, the PC enters the “Old policy is reflected” state until it next logs on while connected to the network.

If you want to check the “Reflected” status
If you select “Reflected” in the status pull-down, a list of PCs on which the latest group policy is reflected will be displayed.
- If the latest group policy is reflected, the PC is indicated by a “check” mark.

How to reflect the settings on the PC
When you log on while the target PC is connected to the network, the group policy settings will be reflected.

That’s all for the implementation procedure.

10. Supplement


10-1. Two-factor authentication method for YubiOn Portal site

At the login of YubiOn Portal site, two-factor authentication by “email address”, “password” and “YubiKey” of the member (user) is required.

Only the representative (the one who first registered in YubiOn Portal) will be logged in with a password only, unless a YubiKey is assigned.

Access the login page.
Input your email address in the email address field and click the Confirm button.

Input the “password” in the password field.

Plug the YubiKey into the USB port.

Click the YubiKey input field and tap YubiKey.

After the YubiKey outputs its one-time password, it is entered automatically and you are logged in.

After logging in, the “Dashboard” will be displayed.