General Information
Beyond Identity supports a passwordless login experience on Windows desktops for all of the following join types:
- On-premises AD Joined
- Hybrid Azure Joined
- Azure AD Joined
The pre-requisites vary slightly depending on the join type.
Beyond Identity Pre-requisites:
- The Beyond Identity Web SSO must be already configured and working.
- You must have super admin privileges to the Beyond Identity Admin Console.
Client-Side Pre-requisites:
- Physical access to the machine, or a console session on it, to enroll and use WDL.
- Device must be running Windows 10 (Build 1703 or later) or Windows 11 (Must be a Pro or Enterprise License).
- Trusted Platform Module (TPM) version 2.0 installed and running.
- Device may have a built-in or pluggable fingerprint reader (Optional).
- Device must have Beyond Identity Authenticator application installed.
- Device must be AD domain joined. (For On-prem AD Joined only)
- Device must be Hybrid Azure AD joined. (For Hybrid Joined only)
- Device must have Root & Intermediate certificates for Domain Controller deployed. (For Hybrid Joined or On-prem AD Joined)
- Device must be Azure AD joined. (For Azure AD Joined only)
Note:
- WDL setup over an RDP session is not supported.
- TPM 1.2 is not supported.
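A pre-flight check for the client-side pre-requisites above, as an added example that is not Beyond Identity's own tooling. It assumes an elevated PowerShell session on the device, reads the Pro/Enterprise requirement as applying to both Windows versions, and does not check for the Authenticator application, the fingerprint reader or the Domain Controller certificates.

```powershell
# Added example: checks OS build/edition, TPM 2.0, session type and join state.
# Run in an elevated PowerShell session on the device being enrolled.

function Get-JoinState {
    # Map the "Key : Value" lines of `dsregcmd /status` to the join types on this page.
    param([string[]]$DsregOutput)
    $state = @{}
    foreach ($line in $DsregOutput) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined)\s*:\s*(\w+)') {
            $state[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    if ($state.AzureAdJoined -and $state.DomainJoined) { 'Hybrid Azure AD joined' }
    elseif ($state.AzureAdJoined) { 'Azure AD joined' }
    elseif ($state.DomainJoined)  { 'On-premises AD joined' }
    else { 'Not joined' }
}

$os  = Get-CimInstance -ClassName Win32_OperatingSystem
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                       -ClassName Win32_Tpm -ErrorAction SilentlyContinue

# SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM family version.
$tpmVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }

$join = Get-JoinState -DsregOutput (dsregcmd.exe /status)

# Windows 10 release 1703 reports OS build number 15063; Windows 11 builds are higher.
$checks = [ordered]@{
    'Windows 10 1703+ or Windows 11 (build >= 15063)' = ([int]$os.BuildNumber -ge 15063)
    'Pro or Enterprise edition'  = ($os.Caption -match 'Pro|Enterprise')
    'TPM 2.0 present (1.2 is not supported)' = ($tpmVersion -eq '2.0')
    'TPM enabled and activated'  = [bool]($tpm -and $tpm.IsEnabled_InitialValue -and
                                          $tpm.IsActivated_InitialValue)
    'Not an RDP session'         = ($env:SESSIONNAME -notlike 'RDP-*')
    'Device is joined'           = ($join -ne 'Not joined')
}

$checks.GetEnumerator() | ForEach-Object {
    '{0,-50} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
"Join type: $join"
```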
Active Directory Pre-requisites for Hybrid and On-premise AD setup
Note: Customers using only Azure AD joined devices can skip the Active Directory requirements check and the BI AD connector requirements.
- Enterprise Admin privileges on your AD Domain Controller(s)
- AD Domain Controller(s) must be running on Windows Server 2016 or later. Schema Version: Windows Server 2016 or later schema.
- The domain functional and forest functional levels for deployment are Windows Server 2008 R2.
- AD Domain Controller must have the following components installed:
  - Active Directory Domain Services
  - Active Directory Certificate Services
- Kerberos Domain Controller (KDC) certificate must be deployed on the AD Domain Controller(s)
- DNS Services must be running.
- BI AD Connector should be installed.
Beyond Identity AD connector
Note: Customers using the Okta AD Agent / SSO Agent to sync users into Okta do not have to install the Beyond Identity AD connector. The service account running the Okta SSO agent should be a member of the following groups:
- Domain Users
- Key Admin
- Enterprise Key Admin
- Administrators
Beyond Identity AD connector Pre-requisites
- Beyond Identity AD connector installation requires a domain-joined server running Windows Server 2016 or later. (Alternatively, it can be installed on the domain controller.)
- The service account running the Beyond Identity service should be a member of the following groups:
  - Domain Users
  - Key Admin
  - Enterprise Key Admin
  - Administrators
Appendix
- Beyond Identity (byndid.com)
- https://downloads.byndid.com/msi/DesktopLogin-latest.msi
- https://downloads.byndid.com/msi/DomainConnector-latest.msi