Requirements

HYPR Passwordless

When you download HYPR Passwordless from the Control Center, you can choose either a Quick install or an Advanced install. The HYPR features you can access and the requirements for running the HYPR Passwordless client vary depending on which option you choose.

Requirements for a Quick Install

To perform a Quick Install, you’ll need the following:

  • A workstation with a supported version of Windows or macOS (see Supported Platforms)
  • Your local workstation account must have admin privileges so you can install the HYPR Passwordless client
  • Your workstation must not be joined to an Active Directory domain. If you’re using AD, please request an Advanced install instead.

Available Features

If you choose the Quick install, you’ll have access to the following HYPR features:

Lock and Unlock
Basic and remote workstation unlocking and locking functionality.

Offline Mode
Unlock when the workstation has no internet connection.

Recovery Mode
Admin-supplied emergency use PINs for unlocking the workstation when the user’s mobile device is unavailable. Windows only

Requirements for an Advanced Install

📘

Certifiable

For an Advanced install, the workstation must be joined to a domain with Active Directory Certificate Services (AD CS) deployed on Windows Server 2008 R2 or above. For information about installing and configuring AD CS, please see the Microsoft Windows Server documentation.

If you choose Advanced during the onboarding, HYPR Support will contact you and assist with the steps required to correctly configure Active Directory.

To perform an Advanced install, you’ll need the following:

  • A workstation with a supported version of Windows or macOS (see Supported Platforms)
  • Your local workstation account must have admin privileges so you can install the HYPR Passwordless client
  • Your workstation must be joined to a domain with Active Directory Certificate Services (AD CS) deployed (see note above)
  • You’ll need an account with access to the Windows server performing the Certificate Authority role so you can create the necessary custom HYPR certificate template

Additional configuration:

  • Make sure there are no credential provider filters active on the workstation
  • Whitelist HYPR with any endpoint security applications installed on the workstation
  • Whitelist the HYPR Tenant URL on any outbound proxy or firewall rules (web socket over TCP 443)

Available Features

If you choose the Advanced install, you’ll have access to the following HYPR features:

Lock and Unlock
Basic and remote workstation unlocking and locking functionality.

Offline Mode
Unlock when the workstation has no internet connection.

Recovery Mode
Admin-supplied emergency use PINs for unlocking the workstation when the user’s mobile device is unavailable. Windows only

RDP Login
Passwordless access to remote desktop machines. Windows only

Roaming Users
Access any workstation in the domain by scanning a QR code on the login screen. Windows only

Passwordless Run-As
Passwordless escalation of admin privileges for a domain user account. Windows only

Security Key Support
Unlock the workstation using a security key instead of the HYPR Mobile App.

Security Key Requirements

Security keys must be equipped with PIV functionality to function fully with the HYPR Passwordless client.

We have only verified the following form factors:

  • Yubikey 5 Plus and its offshoots
  • Feitian K9 Plus and K40 Plus and their offshoots

🚧

Not Always a Plus

The Plus designation for these vendors indicates a key is PIV-capable. Some keys may be PIV-capable and not have the Plus designation. Please exercise caution when deciding which keys to purchase.

Non-exportable Private Keys (Windows Only)

By default, the HYPR Passwordless client currently requires the user’s login certificate to have an exportable private key. An exportable key is a hard technical requirement for mobile devices, but security keys do not share that dependence. HYPR allows an additional certificate template for non-exportable private keys for use cases involving security keys. When this feature is in use, the private key is generated on the security key and never leaves it.

Using non-exportable private keys requires an additional parameter during install, either in the hypr.json file or as a configurable .msi parameter. The value for that parameter is a security key certificate template that must be predefined on the Active Directory server.

🚧

No PIN Cushion

If the administrator has configured non-exportable private keys, the user won’t be able to use Security Key Recovery Mode.

Considerations

Planning

Review the Active Directory (AD) domain environment. Determine if your workstations are domain-joined.

If workstations are domain-joined, review the above Requirements. Otherwise, continue with Execution, below.

Execution

  1. Configure a custom certificate template.
  2. Install the HYPR Mobile App:

HYPR Passwordless for Windows

  1. Download the .MSI file: Windows Desktop Client.
  2. Install and Configure: Installing with the UI.
  3. Verify the Smart Card Authentication service is enabled on affected workstations.
  4. Test the following:
    • HYPR Mobile App enrollment
    • HYPR Mobile App unlock
    • HYPR Mobile App lock
  5. Additional testing:
    • Yubikey/smart card enrollment
    • Yubikey/smart card unlock
    • Offline PIN unlock
    • Recovery PIN unlock
  6. Configure MDM for HYPR Passwordless distribution.
  7. Once installation is verified, set up your MDM to distribute the HYPR Passwordless client to your employees' workstations.
    See Command Line Installation for Windows.
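
The Windows-side prerequisites above (domain membership, credential provider filters, outbound TCP 443 to the tenant, and the smart card service check in step 3) can be verified before installation with a read-only script. This is an added example, not HYPR's own tooling; `$TenantHost` is a placeholder, and treating the "Smart Card Authentication service" as the Windows Smart Card service (`SCardSvr`) is an assumption.

```powershell
# Added example: read-only readiness check for a Windows workstation.
# $TenantHost is a placeholder; replace it with your own HYPR tenant hostname.
param(
    [string]$TenantHost = 'tenant.example.invalid'
)

$results = [ordered]@{}

# Quick install requires a non-domain-joined workstation; Advanced requires a domain-joined one.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['DomainJoined'] = [bool]$cs.PartOfDomain
$results['Domain']       = if ($cs.PartOfDomain) { $cs.Domain } else { $null }

# Credential provider filters are registered as CLSID subkeys under this key.
$filterKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters'
$filters = @()
if (Test-Path -Path $filterKey) {
    $filters = @(Get-ChildItem -Path $filterKey | ForEach-Object {
        # The default value usually holds a friendly name for the filter.
        $name = (Get-ItemProperty -Path $_.PSPath).'(default)'
        '{0} {1}' -f $_.PSChildName, $name
    })
}
$results['CredentialProviderFilters'] = $filters

# Assumption: the "Smart Card Authentication service" is the Windows Smart Card service (SCardSvr).
$svc = Get-Service -Name 'SCardSvr' -ErrorAction SilentlyContinue
$results['SmartCardService'] = if ($svc) { '{0} / {1}' -f $svc.Status, $svc.StartType } else { 'not found' }

# Outbound TCP 443 to the tenant. This tests the direct path only, not a proxy or the WebSocket upgrade.
$net = Test-NetConnection -ComputerName $TenantHost -Port 443 -WarningAction SilentlyContinue
$results['Tenant443Reachable'] = [bool]$net.TcpTestSucceeded

[pscustomobject]$results | Format-List

# Surface the findings that need action before installing.
if ($filters.Count -gt 0) { Write-Warning "Credential provider filters present: $($filters.Count)" }
if ($svc -and $svc.StartType -eq 'Disabled') { Write-Warning 'Smart Card service is disabled' }
if (-not $net.TcpTestSucceeded) { Write-Warning "No direct TCP 443 path to $TenantHost" }
```

Where outbound traffic goes through a proxy, the direct TCP test can fail even though the allow rule is in place, so confirm the result against the proxy or firewall logs.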

HYPR Passwordless for Mac

  1. Download the .pkg file: Desktop Client Installer.
  2. Install and Configure: Installing with the UI.
  3. Test the following:
    • HYPR Mobile App enrollment
    • HYPR Mobile App unlock
    • HYPR Mobile App lock
  4. Additional testing:
    • Offline PIN unlock
    • Recovery PIN unlock
  5. Configure MDM for HYPR Passwordless distribution.
  6. Once installation is verified, set up your MDM to distribute the HYPR Passwordless client to your employees' workstations.
    See Terminal Installation for macOS.

You are ready for the HYPR Passwordless experience!