Prepare for Duo MFA Rollout for control 3.5.3

This document walks you through the nuances of the Duo rollout as you prepare to deploy it to your organization. Feel free to share it with your team, as they will start seeing MFA right away on their Atomus Aegis applications.

Duo's local device MFA feature is deeply integrated and included with your Atomus subscription, and it can be used on both macOS and Windows devices. It changes some behavior and user workflows, which this document outlines:

Windows OS devices

Enabling Duo on Windows will disable the use of a PIN to unlock the computer.

This means users will sign in exclusively with their Microsoft 365 login email and password, and will need to use the Duo app on their phones to either Approve or Deny the request each time they unlock, sign in to, or restart the computer. The implementation, setup, and expected workflows are covered in our Windows Aegis MFA Setup and Troubleshooting Helpdesk guide.

macOS devices

Offline Duo setup should be done right away.

A macOS device must be logged in to while online (connected to the Internet) at least once per 10 logins.

However, macOS does not allow you to connect to a new Wi-Fi network without unlocking the device. If users are not near a familiar Wi-Fi network, or if the network is one that opens an approval window to connect (similar to how Starbucks or other public Wi-Fi authenticates a wireless connection when you connect), the machine is considered 'offline' for that login. If the user is not able to authenticate via Online Duo after 10 logins, they will have to wait until they are near a network that connects automatically.

Alternatively, they can use an Ethernet cable connected to an Ethernet-to-USB dongle that was pre-approved in the past while the machine was unlocked. This is a macOS limitation: macOS cannot accept new incoming USB connections unless the user has pre-approved the USB dongle.