Roaming Users

Overview

With HYPR’s Roaming User feature, users pair their mobile device once, then log in to any Windows computer in the domain by scanning a QR code displayed on the login screen. This type of access extends True Passwordless MFA to the following use cases:

  • Users who frequently need to log into more than one machine within the same domain
  • Users whose organization offers a hotdesk environment where shared workstations are accessible to any employee without assigned seating
  • Helpdesk admins who need quick access to their end users’ machines
  • Users who need to access “stateless” virtual desktop machines where workstations are wiped to a clean slate (requires additional configuration: see Configuring Stateless VDI Logins below)

Support for Windows 10 virtual desktops is available immediately, with support for other third-party VDI vendors such as VMware and Citrix to follow later.

[Image: Pairing]

[Image: Authentication]

RDP Access & RunAs Support

You can also scan the QR code to authenticate at a Windows Security sign-in prompt, for use cases such as RDP login and permission escalation.

When the Windows Security dialog is displayed, scan the QR code with the HYPR Mobile App to complete the authentication process.


Configuring Roaming Users

To make the Roaming User functionality available, an Administrator must first enable the feature on the Workstation Settings screen in the HYPR Control Center. Roaming Users is disabled by default.


PAIR AGAIN TO USE THIS FEATURE!

After the Roaming Users feature is activated in the Control Center, users will need to re-register their mobile device with the HYPR Workforce Access application.

Logging In As a Roaming User

First, the user must pair a mobile device with any computer in the domain by scanning the QR code presented by the HYPR Workforce Access Client app.

DEFAULT COMPUTER

The first paired computer is the user's default computer and won’t have the option to scan a QR code to unlock. The user will need to tap on the computer button in the HYPR Mobile App as usual.

The user can subsequently select the Scan QR Code to Login option on the login screen of any other domain-joined computer that has the HYPR Workforce Access app installed, then scan the code with the HYPR Mobile App to access the machine.

Configuring Stateless VDI Logins

Enabling stateless Virtual Desktop Infrastructure (VDI) logins requires some additional configuration of the HYPR Workforce Access client application. There are three ways to achieve this:

Option 1
Manually add the Non Persistent Vdi registry key and set the value to 1.

Please refer to the Installation and Configuration page for instructions on how to update the registry as part of a silent installation.

Option 2
Check the Non persistent VDI box during the installation process.

Option 3
Add the HYPRNONPERSISTENTVDI=1 parameter to the installation script command:

msiexec.exe /qn /i .\EmployeeAccess.msi HYPRAPPID="WindowsUnlock" HYPRRP="https://my.host.com/rp" HYPRSUPPORT="[email protected]" HYPRHASH="abcdef...fedcba" HYPRTEMPLATE="HYPRUser" HYPRNONPERSISTENTVDI=1
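
When Option 3 runs unattended in a VDI image build, it helps to check the inputs first and to fail the build on a bad msiexec exit code. The PowerShell wrapper below is an added example, not HYPR's own script. It assumes the property names from the command above; every value, the log path and the support address are placeholders.

```powershell
# Added example (not HYPR's script): silent install for a stateless VDI image.
# Property names come from the command on this page; every value is a placeholder.
param(
    [string]$MsiPath = '.\EmployeeAccess.msi',
    [string]$LogPath = "$env:TEMP\hypr-install.log"  # assumed log location
)

$props = [ordered]@{
    HYPRAPPID            = 'WindowsUnlock'
    HYPRRP               = 'https://my.host.com/rp'
    HYPRSUPPORT          = 'support@example.com'      # constructed placeholder
    HYPRHASH             = 'abcdef...fedcba'          # placeholder, as on the page
    HYPRTEMPLATE         = 'HYPRUser'
    HYPRNONPERSISTENTVDI = '1'
}

# Fail before touching the image if an input is missing or malformed.
if (-not (Test-Path -LiteralPath $MsiPath -PathType Leaf)) { throw "MSI not found: $MsiPath" }
$MsiPath = (Resolve-Path -LiteralPath $MsiPath).Path

$rp = [uri]$props.HYPRRP
if (-not $rp.IsAbsoluteUri -or $rp.Scheme -ne 'https') {
    throw 'HYPRRP must be an absolute https:// URL.'
}
if ($props.HYPRNONPERSISTENTVDI -ne '1') {
    throw 'HYPRNONPERSISTENTVDI must be 1 for a stateless VDI image.'
}
foreach ($p in $props.GetEnumerator()) {
    # A double quote in a value would break the PROPERTY="value" quoting below.
    if ([string]::IsNullOrWhiteSpace($p.Value) -or $p.Value.Contains('"')) {
        throw "Invalid value for $($p.Key)."
    }
}

# Build the same command line as above, plus a verbose MSI log (/l*v).
$msiArgs  = @('/qn', '/i', "`"$MsiPath`"", '/l*v', "`"$LogPath`"")
$msiArgs += $props.GetEnumerator() | ForEach-Object { '{0}="{1}"' -f $_.Key, $_.Value }

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# 0 = success; 3010 and 1641 = success with a reboot pending or started.
switch ($proc.ExitCode) {
    0       { 'Install succeeded.' }
    3010    { 'Install succeeded; reboot required.' }
    1641    { 'Install succeeded; reboot initiated.' }
    default { throw "msiexec exited with $($proc.ExitCode); see $LogPath" }
}
```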