General Information
Beyond Identity supports Windows Desktop Login (passwordless login to Windows) for the following join types. Prerequisites vary by join type. For more information on each integration, see the Next steps section.
- On premise AD Joined
- Hybrid Azure Joined
- Azure AD Joined
Beyond Identity prerequisites
- Beyond Identity Web SSO configured
- Super admin privileges in Beyond Identity Admin Console
Client-side prerequisites
- Physical access or a console session to the machine to enroll
- Device running Windows 10 (version 1703 or later) or Windows 11
- Pro or Enterprise edition
- Beyond Identity Platform Authenticator application installed on the device (a single AD instance per device)
- Device joined to the respective domain:
  - On-prem AD → AD domain
  - Hybrid → Hybrid Azure AD
  - Azure AD → Azure AD
- Hybrid or on-prem AD → Root and intermediate certificates for the Domain Controller deployed to the device
NOTE: A built-in or pluggable fingerprint reader is optional.
Limitations
The following restrictions apply to the integration.
- Windows Desktop Login (WDL) enrollment over an RDP session is not supported; enroll from a console session (physical access or a console session to the machine)
- RDP is supported for authentication once the feature is enrolled
- TPM 1.2 is not supported
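The client-side prerequisites and limitations above can be checked before attempting enrollment. The following PowerShell pre-flight script is an added example, not Beyond Identity's own tooling; run it in an elevated PowerShell session on the machine to be enrolled. It maps Windows 10 version 1703 to its build number (15063), reads the TPM spec version, derives the join type from `dsregcmd /status`, and refuses to pass if it is itself running inside an RDP session. The Platform Authenticator detection assumes the installed product registers an uninstall entry whose display name starts with "Beyond Identity"; adjust that pattern if your MSI registers a different name.

```powershell
# Added example (not Beyond Identity's own code): pre-flight check of the client-side
# prerequisites and limitations for Windows Desktop Login enrollment.
# Run in an elevated PowerShell session on the machine to be enrolled.
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# Windows 10 version 1703 is build 15063; every later Windows 10 and all Windows 11 builds are higher
$os = Get-CimInstance Win32_OperatingSystem
Add-Finding 'Windows 10 1703+ or Windows 11' ([int]$os.BuildNumber -ge 15063) "$($os.Caption) build $($os.BuildNumber)"

# Pro or Enterprise edition (Home and other editions are not supported)
$edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
Add-Finding 'Pro or Enterprise edition' ($edition -match '^(Professional|Enterprise)') $edition

# TPM 1.2 is not supported: require a present, ready TPM whose spec version reports 2.0
$tpm  = Get-Tpm
$spec = (Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm).SpecVersion
$specMajor = if ($spec) { ($spec -split ',')[0].Trim() } else { 'none' }
Add-Finding 'TPM 2.0 present and ready' ($tpm.TpmPresent -and $tpm.TpmReady -and $specMajor -eq '2.0') "SpecVersion=$spec"

# Join state from dsregcmd: on-prem AD joined, hybrid Azure AD joined, or Azure AD joined
$ds = dsregcmd /status
$azureJoined  = [bool]($ds -match '^\s*AzureAdJoined\s*:\s*YES')
$domainJoined = [bool]($ds -match '^\s*DomainJoined\s*:\s*YES')
$joinType = if ($domainJoined -and $azureJoined) { 'Hybrid Azure AD joined' }
            elseif ($domainJoined)               { 'On-prem AD joined' }
            elseif ($azureJoined)                { 'Azure AD joined' }
            else                                 { 'Not joined' }
Add-Finding 'Device joined to a supported domain type' ($domainJoined -or $azureJoined) $joinType

# Enrollment over RDP is not supported: an RDP session sets SESSIONNAME to RDP-Tcp#<n>
Add-Finding 'Console session (not RDP)' (-not ($env:SESSIONNAME -like 'RDP-*')) "SESSIONNAME=$($env:SESSIONNAME)"

# Platform Authenticator installed: assumed to register an uninstall entry named "Beyond Identity..."
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$bi = Get-ItemProperty $uninstall -ErrorAction SilentlyContinue |
      Where-Object { $_.DisplayName -like 'Beyond Identity*' }
Add-Finding 'Beyond Identity Platform Authenticator installed' ([bool]$bi) ($bi.DisplayName -join '; ')

$findings | Format-Table -AutoSize
if ($findings | Where-Object { -not $_.Pass }) { Write-Warning 'Fix the failed checks before enrolling.' }
```

The TPM and Win32_Tpm queries require administrator rights, which is why the script must be elevated; a TPM that is present but not "ready" (not owned or not initialised by Windows) is reported as a failure so that it is cleared before enrollment rather than discovered mid-way through.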
Active Directory prerequisites for Hybrid and On-premise AD setup
NOTE: Customers with Azure AD joined devices only can skip the Active Directory prerequisites and the Beyond Identity Domain Connector prerequisites.
- Enterprise Admin privileges on your AD domain controller(s)
- AD domain controller(s) running Windows Server 2016 or later
- Schema version: Windows Server 2016 or later schema
- Domain and forest functional levels: Windows Server 2008 R2 or later
- AD domain controller(s) with the following components installed:
  - Active Directory Domain Services
  - Active Directory Certificate Services
- Kerberos Key Distribution Center (KDC) certificate deployed on the AD domain controller(s)
- DNS services running
- Beyond Identity Domain Connector installed
Beyond Identity Domain connector prerequisites
- The Beyond Identity Domain Connector must be installed on a domain-joined server running Windows Server 2016 or later
- Alternatively, it can be installed on a domain controller
- The service account running the Beyond Identity Domain Connector service must be a member of the following groups:
  - Domain Users
  - Key Admins
  - Enterprise Key Admins
  - Administrators
Note: Customers using the Okta AD Agent / SSO Agent to sync users into Okta do not need to install the Beyond Identity Domain Connector. The service account running the Okta SSO Agent must instead be a member of the groups above.
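The Active Directory and Domain Connector prerequisites above can be verified from the server that will host the connector. The following PowerShell script is an added example, not Beyond Identity's own tooling; it assumes an elevated session on a domain-joined Windows Server with the RSAT ActiveDirectory and ServerManager modules and WinRM access to each domain controller. `svc-byndid-connector` is a hypothetical service account name; replace it with the account that will run the Domain Connector (or the Okta SSO Agent) service. The schema check uses the well-known objectVersion values (Windows Server 2016 schema is 87; 2019 and 2022 report 88), and the KDC certificate check looks for the KDC Authentication EKU (OID 1.3.6.1.5.2.3.5) in each domain controller's machine personal store.

```powershell
# Added example (not Beyond Identity's own code): verifies the AD and Domain Connector
# prerequisites for Windows Desktop Login. Run elevated on the intended connector host.
$ServiceAccount = 'svc-byndid-connector'   # hypothetical name; replace with your service account
Import-Module ActiveDirectory

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# Connector host: domain-joined, Windows Server 2016 (NT 10.0) or later, not a workstation SKU
$localOs = Get-CimInstance Win32_OperatingSystem
$cs      = Get-CimInstance Win32_ComputerSystem
Add-Finding 'Connector host is domain joined' $cs.PartOfDomain $cs.Domain
Add-Finding 'Connector host is Windows Server 2016+' (([version]$localOs.Version -ge [version]'10.0') -and $localOs.ProductType -ne 1) $localOs.Caption

# Schema version: Windows Server 2016 schema is objectVersion 87 (2019 and 2022 report 88)
$schema = Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion
Add-Finding 'Schema is WS2016 (87) or later' ($schema.objectVersion -ge 87) "objectVersion=$($schema.objectVersion)"

# Domain and forest functional levels: Windows Server 2008 R2 is enum value 4 in ADDomainMode/ADForestMode
$domain = Get-ADDomain
$forest = Get-ADForest
Add-Finding 'Domain functional level >= 2008 R2' ([int]$domain.DomainMode -ge 4) "$($domain.DomainMode)"
Add-Finding 'Forest functional level >= 2008 R2' ([int]$forest.ForestMode -ge 4) "$($forest.ForestMode)"

# Each domain controller: OS is Windows Server 2016 (10.0) or later, required roles installed,
# and an unexpired certificate with the KDC Authentication EKU in Cert:\LocalMachine\My
foreach ($dc in Get-ADDomainController -Filter *) {
    $ver = [version](($dc.OperatingSystemVersion -split ' ')[0])   # e.g. "10.0 (14393)" -> 10.0
    Add-Finding "$($dc.HostName): OS is WS2016+" ($ver -ge [version]'10.0') $dc.OperatingSystem

    $features = Get-WindowsFeature -ComputerName $dc.HostName -Name AD-Domain-Services, AD-Certificate, DNS
    foreach ($f in $features) { Add-Finding "$($dc.HostName): $($f.Name) installed" $f.Installed $f.DisplayName }

    $kdcCerts = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.2.3.5' -and $_.NotAfter -gt (Get-Date) } |
            Select-Object Subject, NotAfter
    }
    Add-Finding "$($dc.HostName): valid KDC Authentication certificate" ([bool]$kdcCerts) ($kdcCerts.Subject -join '; ')
}

# Service account group membership (Enterprise Key Admins exists only in the forest root domain)
$required = 'Domain Users', 'Key Admins', 'Enterprise Key Admins', 'Administrators'
$member   = (Get-ADPrincipalGroupMembership -Identity $ServiceAccount).Name
foreach ($g in $required) { Add-Finding "$ServiceAccount is a member of '$g'" ($member -contains $g) '' }

$findings | Format-Table -AutoSize
if ($findings | Where-Object { -not $_.Pass }) { Write-Warning 'One or more prerequisites are not met.' }
```

Key Admins and Enterprise Key Admins grant write access to the msDS-KeyCredentialLink attribute, which is what lets the connector publish a device's public key for Kerberos logon; because membership in Administrators and the two Key Admins groups is highly privileged, restrict that service account to the connector host and monitor its use.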
Next steps
View the following guides for more information on the integrations available.
- Integration Guide for Windows Desktop Login (On-prem AD)
- Integration Guide for Windows Desktop Login (Hybrid Join)
- Integration Guide for Windows Desktop Login (Azure AD Only Join)
Appendix
- Beyond Identity (byndid.com)
- https://downloads.byndid.com/msi/DesktopLogin-latest.msi
- https://downloads.byndid.com/msi/DomainConnector-latest.msi