Requirements
HYPR Workforce Access Client
When you download the HYPR Workforce Access Client from the Control Center, you can choose either a Quick install or an Advanced install. The HYPR features you can access and the requirements for running the Workforce Access Client vary depending on which option you choose.
Requirements for a Quick Install
To perform a Quick Install, you’ll need the following:
- A workstation with a supported version of Windows or macOS (see Supported Platforms)
- Your local workstation account must have admin privileges so you can install the HYPR Workforce Access Client
- Your workstation must not be joined to an Active Directory domain. If you’re using AD, please request an Advanced install instead.
Available Features
If you choose the Quick install, you’ll have access to the following HYPR features:
Lock and Unlock
Basic and remote workstation unlocking and locking functionality.
Offline Mode
Unlock when the workstation has no internet connection.
Recovery Mode
Admin-supplied emergency use PINs for unlocking the workstation when the user’s mobile device is unavailable. (Windows only)
Requirements for an Advanced Install
Certifiable
For an Advanced install, the workstation must be joined to a domain with Active Directory Certificate Services (AD CS) deployed on Windows Server 2008 R2 or above. For information about installing and configuring AD CS, please see the Microsoft Windows Server documentation.
If you choose Advanced during the onboarding, HYPR Support will contact you and assist with the steps required to correctly configure Active Directory.
To perform an Advanced install, you’ll need the following:
- A workstation with a supported version of Windows or macOS (see Supported Platforms)
- Your local workstation account must have admin privileges so you can install the HYPR Workforce Access Client
- Your workstation must be joined to a domain with Active Directory Certificate Services (AD CS) deployed (see note above)
- You’ll need an account with access to the Windows server performing the Certificate Authority role so you can create the necessary custom HYPR certificate template
Additional configuration:
- Make sure there are no credential provider filters active on the workstation
- Whitelist HYPR with any endpoint security applications installed on the workstation
- Whitelist the HYPR Tenant URL on any outbound proxy or firewall rules (WebSocket over TCP 443)
Available Features
If you choose the Advanced install, you’ll have access to the following HYPR features:
Lock and Unlock
Basic and remote workstation unlocking and locking functionality.
Offline Mode
Unlock when the workstation has no internet connection.
Recovery Mode
Admin-supplied emergency use PINs for unlocking the workstation when the user’s mobile device is unavailable. (Windows only)
RDP Login
Passwordless access to remote desktop machines. (Windows only)
Roaming Users
Access any workstation in the domain by scanning a QR code on the login screen. (Windows only)
Passwordless Run-As
Passwordless escalation of admin privileges for a domain user account. (Windows only)
Security Key Support
Unlock the workstation using a security key instead of the HYPR Mobile App.
Security Key Requirements
Security keys must be equipped with PIV functionality to function fully with the HYPR Workforce Access Client.
We have only verified the following form factors:
- YubiKey 5 Plus and its offshoots
- Feitian K9 Plus and K40 Plus and their offshoots
Not Always a Plus
The Plus designation for these vendors indicates a key is PIV-capable. Some keys may be PIV-capable and not have the Plus designation. Please exercise caution when deciding which keys to purchase.
Non-exportable Private Keys (Windows Only)
By default, the Workforce Access Client currently requires the user’s login certificate to have an exportable private key. An exportable key is a hard technical requirement for mobile devices, but security keys do not share that dependence. HYPR allows an additional certificate template for non-exportable private keys for use cases involving security keys. When this feature is in use, the private key is generated on the security key and never leaves it.
Using non-exportable private keys requires an additional parameter during install, either in the hypr.json file or as a configurable .msi parameter. The value for that parameter is a security key certificate template that must be predefined on the Active Directory server.
- See Creating a Custom Certificate Template for instructions on making the security key template
- See Installing Manually for parameter definitions and how to deploy with them
No PIN Cushion
If the administrator has configured non-exportable private keys, the user won’t be able to use Security Key Recovery Mode.
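To confirm that the security key template really forbids export while the mobile template allows it, the following added example (not HYPR's own tooling) reads each template's `msPKI-Private-Key-Flag` attribute from Active Directory. The two template names are placeholders; run it from a domain-joined machine with read access to the Configuration partition.

```powershell
# Added example: report whether AD CS certificate templates permit private key export.
# The template names are placeholders; substitute the templates created for HYPR.
param(
    [string[]]$TemplateName = @('PLACEHOLDER-MobileTemplate', 'PLACEHOLDER-SecurityKeyTemplate')
)

# CT_FLAG_EXPORTABLE_KEY bit of msPKI-Private-Key-Flag, as defined in MS-CRTD
$CT_FLAG_EXPORTABLE_KEY = 0x10

# Certificate templates live in the forest's Configuration naming context
$rootDse   = [ADSI]'LDAP://RootDSE'
$configNc  = $rootDse.configurationNamingContext
$container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

foreach ($name in $TemplateName) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($container)
    $searcher.Filter = "(&(objectClass=pKICertificateTemplate)(cn=$name))"
    [void]$searcher.PropertiesToLoad.Add('msPKI-Private-Key-Flag')

    $result = $searcher.FindOne()
    if (-not $result) {
        Write-Warning "Template '$name' not found"
        continue
    }

    # Property names in search results are lower-cased
    $flags = [int]$result.Properties['mspki-private-key-flag'][0]
    [pscustomobject]@{
        Template   = $name
        Exportable = [bool]($flags -band $CT_FLAG_EXPORTABLE_KEY)
    }
}
```

The security key template should report `Exportable = False`; the template used for mobile devices is expected to report `True`, since the page states mobile devices require an exportable key.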
Considerations
Planning
Review the Active Directory (AD) domain environment. Determine if your workstations are domain-joined.
If workstations are domain-joined, review the above Requirements. Otherwise, continue with Execution, below.
Execution
- Configure a custom certificate template.
- Install the HYPR Mobile App:
- HYPR Mobile App for iOS
- HYPR Mobile App for Android
- Consider any Mobile Device Management (MDM) requirements
HYPR Workforce Access Client for Windows
- Download the .MSI file: Windows Desktop Client.
- Install and Configure: Installing with the UI.
- Verify the Smart Card Authentication service is enabled on affected workstations.
- Test the following:
- HYPR Mobile App enrollment
- HYPR Mobile App unlock
- HYPR Mobile App lock
- Additional testing:
- YubiKey/smart card enrollment
- YubiKey/smart card unlock
- Offline PIN unlock
- Recovery PIN unlock
- Configure MDM for WFA distribution.
- Once installation is verified, set up your MDM to distribute the WFA to your employees' workstations.
See Command Line Installation for Windows.
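The Windows prerequisites listed on this page can be checked on a workstation before installing. This is an added example, not part of HYPR's documentation or tooling; `tenant.example.com` is a placeholder for your tenant host, and it assumes the "Smart Card Authentication service" refers to the Windows Smart Card service (`SCardSvr`).

```powershell
# Added example: pre-flight check of the Windows requirements described above.
# $TenantHost is a placeholder; use the host name from your HYPR Tenant URL.
param([string]$TenantHost = 'tenant.example.com')

# Domain membership decides between Quick (not joined) and Advanced (joined)
$cs = Get-CimInstance -ClassName Win32_ComputerSystem

# True only when the current session is elevated as a local administrator
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Credential provider filters are registered as one subkey per filter CLSID
$filterKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters'
$filters = @(Get-ChildItem -Path $filterKey -ErrorAction SilentlyContinue |
    ForEach-Object { '{0} ({1})' -f $_.PSChildName, $_.GetValue('') })

# Assumption: the service the page refers to is the Windows Smart Card service
$scard = Get-CimInstance -ClassName Win32_Service -Filter "Name='SCardSvr'"

# Direct outbound TCP 443 to the tenant host
$tcp = Test-NetConnection -ComputerName $TenantHost -Port 443 -WarningAction SilentlyContinue

[pscustomobject]@{
    DomainJoined        = $cs.PartOfDomain
    SuggestedInstall    = if ($cs.PartOfDomain) { 'Advanced' } else { 'Quick' }
    RunningAsAdmin      = $isAdmin
    CredProviderFilters = if ($filters) { $filters -join '; ' } else { 'none' }
    SmartCardStartMode  = $scard.StartMode
    SmartCardState      = $scard.State
    TenantTcp443        = $tcp.TcpTestSucceeded
}
```

A successful TCP connection does not show that an outbound proxy permits the WebSocket upgrade, so verify that separately where a proxy is in the path.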
HYPR Workforce Access Client for Mac
- Download the .pkg file: Desktop Client Installer.
- Install and Configure: Installing with the UI.
- Test the following:
- HYPR Mobile App enrollment
- HYPR Mobile App unlock
- HYPR Mobile App lock
- Additional testing:
- Offline PIN unlock
- Recovery PIN unlock
- Configure MDM for WFA distribution.
- Once installation is verified, set up your MDM to distribute the WFA to your employees' workstations.
See Terminal Installation for macOS.
You are ready for the HYPR Passwordless experience!