Endpoint Protection for Windows

To ensure the overall security of the HYPR platform, the various HYPR components (Workforce Access Client, Mobile App, and Control Center) pass an encrypted token to the HYPR Server when making internal API calls.

When installing the Workforce Access client on a user's machine, you need to include an rpApp-specific Install Token generated by the Control Center. The Workforce Access client will verify the token's validity with the HYPR Server during the pairing process and automatically exchange it for a new device-unique security token which is then used to authenticate all HYPR communications between the workstation, the mobile device, and the HYPR Server.

🚧

Compatibility

This feature requires version 6.12.0 or higher across all HYPR components, including the Mobile App, Server, and Workforce Access Client.

If you're upgrading an earlier version, you need to slightly modify your installation process. Please see Upgrading Earlier Versions below.

πŸ“˜

Beta Feature

This feature is not enabled by default. Please contact your HYPR Support team member to enable it for your organization.

Generating and Using the Install Token

Step 1: Generate the Install Token

You can generate the InstallToken using the following call to the Control Center API:

POST {{cc_url}}/rp/api/token/endpoint

Include the following parameters as JSON in the request body:

{
  "scope": [ "WSINSTALL" ],
   "rpAppId": "{{your-rp-app-name}}",
   "expiresInSecs": 31536000
}

Please note that this is a protected endpoint so you'll need to supply an API access token in the header request to authenticate with the HYPR Server. See the HYPR API Documentation for more information.

Parameter Definitions

Name

Description

scope

Scope of the Install Token. This should always be WSINSTALL.

rpAppId

Name of your RP App in the Control Center. This must match the RP App name you'll be using in the Workforce Access Client install configuration.

expiresInSecs

The Install Token validity period in seconds. You can set a shorter period for increased security, but the token will need to be updated in the workstation settings when it expires. The recommended validity period is one year to reduce maintenance work.

Example Request:

curl --location -g --request POST 'https://highlandsbank.com/rp/api/token/endpoint' \
--header 'Authorization: Bearer 110f7826-d95e-12d2-42ce-8bd67fb20bb9' \
--header 'Content-Type: application/json' \
--data-raw '{
  "scope": [ "WSINSTALL" ],
  "rpAppId": "WorkstationAccess",
  "expiresInSecs": 31536000
}
'

Example Response:

{
    "tokenId": "f8b81e27-eaec-389f-9f53-7ee187f73b55",
    "scope": [
        "WSINSTALL"
    ],
    "rpAppId": "WorkstationAccess",
    "deviceId": null,
    "machineId": null,
    "token": "6a74ce20-2c1e-4c7d-ae9d-14be27e2c197",
    "expiryDate": 1653749967975
}

Use token field value as the InstallToken parameter when installing or upgrading HYPR App.

"token": "6a74ce20-2c1e-4c7d-ae9d-14be27e2c197"

Step 2: Include the Install Token when installing the Workforce Access Client

Once you've generated an Install Token, include it when installing the HYPR Workforce Access Client on the workstation.

Option 1: Using the installer UI

If you're using the installer UI, set the Install Token value on the Environment Setting screen to the token you generated using the Control Center API above.

Option 2: Using msiexec with command line parameters

If you're setting the parameters directly on the command line, pass in the token via the HYPRINSTALLTOKEN parameter.

msiexec.exe /qn /i .\WorkforceAccess.msi HYPRAPPID="WorkstationAccess" HYPRRP="https://highlandsbank.com/rp" 
HYPRSUPPORT="[email protected]" HYPRHASH="LeM8XnCIy8+Cxm+HKTEOBZr1g3D8odQNHTH+vdu7RWc=" 
HYPRTEMPLATE="HYPRUser" HYPRINSTALLTOKEN="6a74ce20-2c1e-4c7d-ae9d-14be27e2c197"

Option 3: Using msiexec with the hypr.json file

If you're setting the parameters using the hypr.json configuration file, pass in the token via the installToken parameter.

{
 "version":"1.0",
 "rpUrl":"https://highlandsbank.com/rp",
 "appId":"WorkstationAccess",
 "pinningHash":"LeM8XnCIy8+Cxm+HKTEOBZr1g3D8odQNHTH+vdu7RWc=",
 "supportEmail":"[email protected]",
 "installToken":"6a74ce20-2c1e-4c7d-ae9d-14be27e2c197",
 "fullUI":"1"
}

πŸ“˜

Feature Security

For security reasons, the Install Token parameter won't be displayed in the Registry Editor alongside the other HYPR keys.

Upgrading Earlier Versions

When you upgrade an earlier version of the Workforce Access Client to 6.12.0 or higher, you need to add the Install Token value as part of the update process. This is mandatory step.

The installation commands are the same as for a fresh install (see above). However, you only need to provide the new Install Token value. The installer will reuse the existing values for the rest of the parameters.

For example, to upgrade using msiexec with command line parameters, just specify the HYPRINSTALLTOKEN value:

msiexec.exe /q /i WorkforceAccess_x64.msi HYPRINSTALLTOKEN="6a74ce20-2c1e-4c7d-ae9d-14be27e2c197"

Updated 15 days ago

Endpoint Protection for Windows


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.