This document walks you through the nuances of the Duo rollout as you prepare to deploy it to your organization. Feel free to share it with your team, as they will start seeing MFA right away on their Atomus Aegis applications.
Duo's local device MFA feature is deeply integrated and included with your Atomus subscription, and it can be used on both macOS and Windows devices. It changes device behavior and user workflows in a few ways, which this document outlines:
Windows OS devices
Enabling Duo on Windows will disable the use of a PIN to unlock the computer. Users will instead sign in to the computer exclusively with their Microsoft 365 login email and password (Other User > Sign in).
They will also need to use the Duo app on their phones to either Approve or Deny the request each time they unlock, sign in to, or restart the computer. The implementation, setup, and expected workflows are described in our Windows Aegis MFA Setup and Troubleshooting Helpdesk guide.
macOS devices
Offline Duo setup should be done right away.
A macOS device must be logged in to while online (connected to the Internet) at least once per 10 logins.
However, macOS does not allow you to connect to a new Wi-Fi network without unlocking the device. If users are not near a familiar Wi-Fi network, or if the network is one that opens an approval window before connecting (similar to how Starbucks or other public Wi-Fi authenticates a wireless connection), the machine is considered 'offline' for that login. If the user is not able to authenticate via Online Duo after 10 logins, they will have to wait until they are near a network that the machine connects to automatically.
Alternatively, they can use an Ethernet cable connected to an Ethernet-to-USB dongle that was pre-approved in the past while the machine was unlocked. This is a macOS limitation: macOS does not accept new incoming USB connections unless the user has pre-approved the USB dongle.
Using a hardware token like YubiKey
The Duo setup allows the use of a YubiKey or another hardware token. Please work with the administrator to associate a YubiKey with your account when setting up Duo. After the admin has associated the YubiKey with your account, you can proceed with the setup.
The user has to procure their own YubiKey and work with the admin to associate it with the appropriate account.
The user can choose to set up a phone along with this hardware token, or choose not to set up a phone in this process. Review the articles below.
Duo Setup Scenarios with Hardware Tokens