Endpoint Protection for Windows

To ensure the overall security of the HYPR platform, the various HYPR components (Workforce Access Client, Mobile App, and Control Center) pass an encrypted token to the HYPR Server when making internal API calls.

When installing the Workforce Access Client on a user's machine, you need to include an rpApp-specific Install Token generated by the Control Center. The Workforce Access Client will verify the token's validity with the HYPR Server during the pairing process and automatically exchange it for a new device-unique security token which is then used to authenticate all HYPR communications between the workstation, the mobile device, and the HYPR Server.

Compatibility

This feature requires version 6.12.0 or higher across all HYPR components, including the Mobile App, Server, and Workforce Access Client.

If you're upgrading an earlier version, you need to slightly modify your installation process. Please see Upgrading Earlier Versions below.

Beta Feature

This feature is not enabled by default. Please contact your HYPR Support team member to enable it for your organization.

Generating and Using the Install Token

Step 1: Generate the Install Token

To generate the Install Token, navigate to the Access Tokens menu under the Advanced Config section for your RP Application in the Control Center. Select Endpoint Security Token as the token type.

Alternatively, you can generate the Install Token using the following call to the Control Center API:

POST {{cc_url}}/rp/api/token/endpoint

Include the following parameters as JSON in the request body:

{
  "scope": [ "WSINSTALL" ],
  "rpAppId": "{{your-rp-app-name}}",
  "expiresInSecs": 31536000
}

Please note that this is a protected endpoint, so you'll need to supply an API access token in the request header to authenticate with the HYPR Server. See the HYPR API Documentation for more information.

Parameter Definitions

| Name | Description | Type |
| --- | --- | --- |
| scope | Scope of the Install Token. This should always be WSINSTALL. | Access Control |
| rpAppId | Name of your RP App in the Control Center. This must match the RP App name you'll be using in the Workforce Access Client install configuration. | Access Control |
| expiresInSecs | The Install Token validity period in seconds. You can set a shorter period for increased security, but the token will need to be updated in the workstation settings when it expires. The recommended validity period is one year to reduce maintenance work. | TTL |

Example Request:

curl --location -g --request POST 'https://highlandsbank.com/rp/api/token/endpoint' \
--header 'Authorization: Bearer 110f7826-d95e-12d2-42ce-8bd67fb20bb9' \
--header 'Content-Type: application/json' \
--data-raw '{
  "scope": [ "WSINSTALL" ],
  "rpAppId": "WorkstationAccess",
  "expiresInSecs": 31536000
}
'

Example Response:

{
    "tokenId": "f8b81e27-eaec-389f-9f53-7ee187f73b55",
    "scope": [
        "WSINSTALL"
    ],
    "rpAppId": "WorkstationAccess",
    "deviceId": null,
    "machineId": null,
    "token": "6a74ce20-2c1e-4c7d-ae9d-14be27e2c197",
    "expiryDate": 1653749967975
}

You'll use the token value when installing or upgrading the HYPR Workforce Access Client (see below).

"token": "6a74ce20-2c1e-4c7d-ae9d-14be27e2c197"

Step 2: Include the Install Token when installing the Workforce Access Client

Once you've generated an Install Token, include it when installing the HYPR Workforce Access Client on the workstation.

Option 1: Using the installer UI

If you're using the installer UI, set the Install Token value on the Environment Setting screen to the token you generated using the Control Center API above.

Option 2: Using msiexec with command line parameters

If you're setting the parameters directly on the command line, pass in the token via the HYPRINSTALLTOKEN parameter.

msiexec.exe /qn /i .\WorkforceAccess.msi HYPRAPPID="WorkstationAccess" HYPRRP="https://highlandsbank.com/rp" HYPRSUPPORT="[email protected]" HYPRHASH="LeM8XnCIy8+Cxm+HKTEOBZr1g3D8odQNHTH+vdu7RWc=" HYPRTEMPLATE="HYPRUser" HYPRINSTALLTOKEN="6a74ce20-2c1e-4c7d-ae9d-14be27e2c197"

Option 3: Using msiexec with the hypr.json file

If you're setting the parameters using the hypr.json configuration file, pass in the token via the installToken parameter.

{
 "version":"1.0",
 "rpUrl":"https://highlandsbank.com/rp",
 "appId":"WorkstationAccess",
 "pinningHash":"LeM8XnCIy8+Cxm+HKTEOBZr1g3D8odQNHTH+vdu7RWc=",
 "supportEmail":"[email protected]",
 "installToken":"6a74ce20-2c1e-4c7d-ae9d-14be27e2c197",
 "fullUI":"1"
}
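
A pre-deployment check that ties Step 1 to Step 2, written as an added example (not HYPR code): it confirms that the hypr.json about to be shipped carries the issued token value rather than the tokenId, that rpAppId matches appId, and that the token is not expired or close to expiry. It assumes expiryDate is epoch milliseconds (inferred from the 13-digit value in the example response); the function name and the 30-day warning threshold are hypothetical.

```python
from datetime import datetime, timezone

# Sample data copied from this page's example response and hypr.json (trimmed).
TOKEN_RESPONSE = {
    "tokenId": "f8b81e27-eaec-389f-9f53-7ee187f73b55",
    "scope": ["WSINSTALL"],
    "rpAppId": "WorkstationAccess",
    "token": "6a74ce20-2c1e-4c7d-ae9d-14be27e2c197",
    "expiryDate": 1653749967975,
}
HYPR_JSON = {
    "rpUrl": "https://highlandsbank.com/rp",
    "appId": "WorkstationAccess",
    "installToken": "6a74ce20-2c1e-4c7d-ae9d-14be27e2c197",
}


def check_install_token(resp, config, now, min_days_left=30):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    # The page states the scope should always be WSINSTALL.
    if resp.get("scope") != ["WSINSTALL"]:
        problems.append("scope is not exactly ['WSINSTALL']")
    # rpAppId must match the RP App name used in the client install config.
    if resp.get("rpAppId") != config.get("appId"):
        problems.append("rpAppId does not match appId in hypr.json")
    # The config needs the "token" value from the response, not "tokenId".
    if config.get("installToken") != resp.get("token"):
        problems.append("installToken in hypr.json is not the issued token value")
    expiry_ms = resp.get("expiryDate")
    if not isinstance(expiry_ms, (int, float)):
        problems.append("expiryDate missing or not numeric")
        return problems
    # Assumption: expiryDate is milliseconds since the Unix epoch (UTC).
    expiry = datetime.fromtimestamp(expiry_ms / 1000, tz=timezone.utc)
    days_left = (expiry - now).days
    if days_left < 0:
        problems.append(f"token expired on {expiry:%Y-%m-%d}")
    elif days_left < min_days_left:
        problems.append(f"token expires in {days_left} days ({expiry:%Y-%m-%d})")
    return problems


if __name__ == "__main__":
    now = datetime(2022, 5, 1, tzinfo=timezone.utc)  # constructed "today"
    for problem in check_install_token(TOKEN_RESPONSE, HYPR_JSON, now):
        print("WARN:", problem)
```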

Feature Security

For security reasons, the Install Token parameter won't be displayed in the Registry Editor alongside the other HYPR keys.

Upgrading Earlier Versions

When you upgrade an earlier version of the Workforce Access Client to 6.12.0 or higher, you need to add the Install Token value as part of the update process. This is a mandatory step.

The installation commands are the same as for a fresh install (see above). However, you only need to provide the new Install Token value. The installer will reuse the existing values for the rest of the parameters.

For example, to upgrade using msiexec with command line parameters, just specify the HYPRINSTALLTOKEN value:

msiexec.exe /q /i WorkforceAccess_x64.msi HYPRINSTALLTOKEN="6a74ce20-2c1e-4c7d-ae9d-14be27e2c197"