Overview
This article describes the options and flags available for the Beyond Identity Windows installers and the differences between the installer packages. The installation configuration may vary depending on your organization's size and other variables.
Planning the deployment
For a successful deployment, decide how you want to manage the deployment and whether it needs to be managed at all. Most organizations use MDM to manage their fleet. Some organizations may want to go a completely unmanaged route, especially if their users have more control over their computers.
The best practice is to keep a smaller group of "power users" or "trusted users" for testing, and to manage these users separately from the entire population.
Managed environment
In a managed environment, the desire is to:
- Deploy automatically without user interaction
- Control the application version
- Test the updates internally
- Control the update rollout
Unmanaged environment
In an unmanaged environment, the desire is to:
- Allow users to install the software on their own
- Let the user decide when to update
- Require a minimum version of specific software
Beyond Identity Windows installers
This section describes different types of installer options.
Beyond Identity platform authenticator
The user authenticator application is available in three different formats.
Installer Type | Description | Primary use case |
---|---|---|
EXE | The EXE installer is a wrapper around the User MSI package. | User self-service. Users can download and install on their own. |
User MSI | The MSI installer installs to %LocalAppData% and is run in the user's context. | Managed deployment for single-user computers. |
System MSI | The MSI installer installs to %ProgramFiles% and is run in the system's context. | Intended for multi-user computers, terminal servers, etc. Only managed updates via MDM. |
Downloads are located at: https://app.byndid.com/downloads.
Note: The system MSI installer cannot update automatically, as the user interface is executed in the user's context, and the application is installed in the system context where the updating would need to be executed. For more information about updates, see Manage Authenticator updates.
Installer Parameters
The MSI installer has several parameters that can be used. The following table has the details:
Parameter | Options | Description |
---|---|---|
VERSIONCONTROLID | String value | Sets the version control policy ID. |
VERSIONCONTROLURL | String value | Not in use. |
DISABLEUPDATES | 0 = Enables the Check for Updates menu (default); 1 = Disables the Check for Updates menu | Determines whether users can download and install newer versions of the platform authenticator. |
NOLAUNCH | 0 = Launches the authenticator (default); 1 = Doesn't launch the authenticator | Defines whether the platform authenticator is launched after installation is complete. |
Note: The installer must be run from an elevated command prompt with administrator privileges to set the version control policy registry values.
The registry key for the version control policy is: HKEY_LOCAL_MACHINE\Software\Policies\BeyondIdentity\Authenticator
For more information, see Manage Authenticator Updates.
Silent install
To run a silent install, use the standard MSIEXEC (msiexec | Microsoft Learn) option /qn, which installs without user interaction.
For example: msiexec /i BeyondIdentityUser.msi /qn
- This installs the authenticator in the background.
- The app will not launch after installation on its own.
Example of a managed installation
An administrator has defined a company-wide Beyond Identity Version Control Policy. They want to deploy the updates silently and not prompt users for the new updates. They configure an MDM push install to do the initial load, and they maintain that by updating the installer every quarter. The Beyond Identity Platform Authenticator is kept up to date by push installing via MDM or by updating the version control policy to have a minimum version greater than what is installed.
Installer parameters
To achieve the desired deployment, the install command is: msiexec.exe /i BeyondIdentity.msi DISABLEUPDATES=1 VERSIONCONTROLID=6090000d-c256-47c5-9d70-5e9e10000f1f /qn
- This will install in the background.
- The app will not launch after installation on its own.
- The Check for Updates menu option is disabled.
- The version control policy ID is set to 6090000d-c256-47c5-9d70-5e9e10000f1f.
- Updating the installation can be done via MDM.
- Updating can also be done by changing the version control policy.
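The managed install above, wrapped in a script that an MDM could push, as an added example (not Beyond Identity's own code). It checks for elevation, handles the msiexec exit code, and lists whatever values the installer wrote under the version control policy key. The MSI path and log path are assumed placeholders, and the value names under the key are not documented on this page, so the script enumerates them rather than naming one.

```powershell
# Added example (not vendor code): silent managed install, then confirm the policy key.
# Assumed placeholders: the MSI location and the log path. $PolicyId is the ID used on this page.
$MsiPath   = (Resolve-Path '.\BeyondIdentity.msi' -ErrorAction Stop).Path
$PolicyId  = '6090000d-c256-47c5-9d70-5e9e10000f1f'
$LogPath   = Join-Path $env:TEMP 'BeyondIdentity-install.log'
$PolicyKey = 'HKLM:\Software\Policies\BeyondIdentity\Authenticator'

# The version control policy registry values are only set from an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]::new($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Not elevated: the installer cannot write the version control policy key.'
}

# Same command line as above, plus /l*v so a failed push leaves a verbose log behind.
$msiArgs = @(
    '/i', ('"{0}"' -f $MsiPath),
    'DISABLEUPDATES=1',
    "VERSIONCONTROLID=$PolicyId",
    '/qn',
    '/l*v', ('"{0}"' -f $LogPath)
)
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

switch ($proc.ExitCode) {
    0       { Write-Output 'Install succeeded.' }
    3010    { Write-Output 'Install succeeded; a reboot is required.' }
    default { throw "msiexec exited with code $($proc.ExitCode); see $LogPath" }
}

# Confirm the policy key exists and show every value the installer wrote to it.
if (-not (Test-Path $PolicyKey)) {
    throw "Policy key not found after install: $PolicyKey"
}
$key = Get-Item -Path $PolicyKey
foreach ($name in $key.GetValueNames()) {
    [pscustomobject]@{ Name = $name; Value = $key.GetValue($name) }
}
```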
Beyond Identity Windows Desktop Login
The Windows Desktop Login (WDL) package is a separate installer that contains services to enable passwordless desktop login using Beyond Identity on Windows. In addition to the desktop login components and services, the WDL installer contains the Platform Authenticator as well.
The WDL installer is available in two formats.
Installer Type | Description | Primary use case |
---|---|---|
EXE | The EXE installer is a wrapper around the MSI package. | User self-service. Users can download and install on their own. |
MSI | The MSI installer installs to %ProgramFiles% and is run in the system's context. | Managed deployment. |

Note: For information about managing updates, see Manage authenticator updates.
WDL downloads are located at: https://app.byndid.com/desktop-login/downloads.
Important: Due to a Microsoft limitation, you can enroll a maximum of 10 user accounts on a machine.
Configure Windows Desktop Login PIN complexity
Windows Desktop Login version 2.90.0 and greater provides support for PIN complexity and validation.
PINs support any UTF-16 characters.
Important notes:
- If Windows Hello is enabled and you use the Windows PIN for login, then after you install Beyond Identity's Windows Desktop Login and configure a PIN, the Windows Desktop Login PIN is used for login rather than the Windows Hello PIN.
- Windows Desktop Login does not use Microsoft Group Policy Object (GPO) settings, even if they are configured.
Registry values
The characters and rules for a PIN are stored in the policy registry key at: HKEY_LOCAL_MACHINE\Software\Policies\BeyondIdentity\Authenticator\PIN
The following values are available for configuration. Omitting a value will use the default.
Value Name | Type | Default | Description |
---|---|---|---|
AllowSpecialCharacters | DWORD | 1 | If the value is 0, special characters are not allowed. Any non-zero value will allow special characters. |
AllowNumeric | DWORD | 1 | If the value is 0, numeric characters are not allowed. Any non-zero value will allow numeric characters. |
AllowLowerCase | DWORD | 1 | If the value is 0, lowercase characters are not allowed. Any non-zero value will allow lowercase characters. |
AllowUpperCase | DWORD | 1 | If the value is 0, uppercase characters are not allowed. Any non-zero value will allow uppercase characters. |
DisableUpdates | DWORD | 1 | If the value is 1, the Check for Updates menu option is not available to users to install a newer version of the installer. By default, users will see the menu option and can download newer versions of Windows Desktop Login. |
MinLength | DWORD | 8 | The minimum length of characters required for a PIN to be valid. This value must be between 8 and 127. |
MaxLength | DWORD | 8 | The maximum length of characters required for a PIN to be valid. This value must be between 8 and 127. |
MinNumeric | DWORD | 0 | The minimum number of numeric characters required for a PIN to be valid. If the value is 0, there is no minimum. The PIN is not required to contain numeric characters if 0 is specified. Any non-zero value means a PIN must contain at least the specified number of numeric characters. |
MinSpecialCharacters | DWORD | 0 | The minimum number of special characters required for a PIN to be valid. If the value is 0, there is no minimum. The PIN is not required to contain special characters if 0 is specified. Any non-zero value means a PIN must contain at least the specified number of special characters. |
MinLowerCase | DWORD | 0 | The minimum number of lowercase characters required for a PIN to be valid. If the value is 0, there is no minimum. The PIN is not required to contain lowercase characters if 0 is specified. Any non-zero value means a PIN must contain at least the specified number of lowercase characters. |
MinUpperCase | DWORD | 0 | The minimum number of uppercase characters required for a PIN to be valid. If the value is 0, there is no minimum. The PIN is not required to contain uppercase characters if 0 is specified. Any non-zero value means a PIN must contain at least the specified number of uppercase characters. |
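One way to apply a PIN policy from the table above, as an added example (not Beyond Identity's own code). The numbers in `$policy` are constructed sample values, and the cross-checks between values (a required character class must be allowed, the minimums must fit within MaxLength) are sanity checks added here; only the 8 to 127 length range comes from the table.

```powershell
# Added example (not vendor code). Run elevated: the key is under HKLM.
$pinKey = 'HKLM:\Software\Policies\BeyondIdentity\Authenticator\PIN'

# Constructed sample policy. Values left out keep their documented defaults.
$policy = [ordered]@{
    AllowSpecialCharacters = 1
    AllowNumeric           = 1
    AllowLowerCase         = 1
    AllowUpperCase         = 1
    MinLength              = 10
    MaxLength              = 32
    MinNumeric             = 1
    MinSpecialCharacters   = 1
    MinLowerCase           = 1
    MinUpperCase           = 1
}

$problems = @()
# Documented range: MinLength and MaxLength must each be between 8 and 127.
foreach ($name in 'MinLength', 'MaxLength') {
    if ($policy[$name] -lt 8 -or $policy[$name] -gt 127) {
        $problems += "$name must be between 8 and 127"
    }
}
if ($policy.MinLength -gt $policy.MaxLength) { $problems += 'MinLength exceeds MaxLength' }

# Added sanity checks: a required class must be allowed, and the minimums must fit.
$classes = [ordered]@{
    MinNumeric   = 'AllowNumeric';   MinSpecialCharacters = 'AllowSpecialCharacters'
    MinLowerCase = 'AllowLowerCase'; MinUpperCase         = 'AllowUpperCase'
}
$required = 0
foreach ($min in $classes.Keys) {
    $required += $policy[$min]
    if ($policy[$min] -gt 0 -and $policy[$classes[$min]] -eq 0) {
        $problems += "$min is $($policy[$min]) but $($classes[$min]) is 0"
    }
}
if ($required -gt $policy.MaxLength) { $problems += 'Per-class minimums exceed MaxLength' }
if ($problems) { throw ($problems -join '; ') }

# Create the key only if it is missing, so existing values are not wiped.
if (-not (Test-Path $pinKey)) { New-Item -Path $pinKey -Force | Out-Null }
foreach ($name in $policy.Keys) {
    New-ItemProperty -Path $pinKey -Name $name -Value $policy[$name] -PropertyType DWord -Force | Out-Null
}
Get-ItemProperty -Path $pinKey | Select-Object -Property ([string[]]$policy.Keys)
```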