IDSecurity Agent installation via GPO

Here are the step-by-step instructions for deploying Identity360's IDSecurity Agent for Windows using Group Policy Object (GPO).

• IDSecurity Agent
• System requirements
• Prerequisites
• Steps for installing the IDSecurity Agent using GPO
  • Step 1: Prepare the installer files
  • Step 2: Create a network share
    • Essential security permissions
  • Step 3: Create and link the GPO
  • Step 4: Configure software installation settings
• Testing the agent installation
• Customizing the IDSecurity Agent
• Updating the Installation Key

Note: The document is written for an IT admin with a basic understanding of the Windows operating system, Active Directory (AD), and enterprise software deployment.

IDSecurity Agent

The IDSecurity Agent is an extension of the standard credential provider from Microsoft. When installed, it can enable MFA for local Windows logins, RDP logins, and UAC actions to protect machines from credential-based attacks.

System requirements

The platforms supported by the IDSecurity Agent are listed below.

Prerequisites

1. The MFA and SSO license for Identity360 is required to enable MFA for Windows logins. Visit our pricing page for more details.
2. Currently, IDSecurity Agent is supported only for Windows devices that are joined to Azure AD or part of a hybrid Azure AD setup.
3. Before installing the IDSecurity Agent, configure MFA settings in the Identity360 admin portal (Applications > Multi-factor Authentication > MFA for Endpoints > MFA for Windows machines).
4. Create a custom computer group in your Active Directory environment with the necessary computers in which you wish to deploy the IDSecurity Agent.

Steps for installing the IDSecurity Agent using GPO

Step 1: Prepare the installer files

1. Download the Identity360CloudIDSecurityAgent.msi file through Identity360's admin portal by navigating to Applications > Multi-factor Authentication > MFA for Endpoints > Install IDSecurity Agent > Step 1 > Download.
2. Copy the Installation Key from the product UI. Locate the key in the Identity360 admin portal under Applications > Multi-factor Authentication > MFA for Endpoints > Install IDSecurity Agent > Step 2.
3. Generate a transform file (MST) for the installer file using a table editor tool such as Orca (distributed as part of the Windows SDK) to deploy the IDSecurity Agent.
   1. Open the Identity360CloudIDSecurityAgent.msi file in Orca and navigate to Transform > New Transform.
   2. Select Property in the table and click Add Row.
   
   3. Paste the property name and value mentioned in the table below and click OK.

   Property	Value
   INSTALLATION_KEY	Replace with the actual Installation Key copied from step 2.

   
   
   4. Navigate to Transform > Generate Transform... to create an MST file with the new Installation Key.
   5. After generating the transform file (MST), exit the Orca window without saving the changes made to the original MSI file.

Step 2: Create a network share

1. Create a network-shared folder on your server and place the Identity360CloudIDSecurityAgent.msi file in the folder.
2. Paste the newly created transform file during the step 3 of Prepare the installer files into the network share where the IDSecurity Agent MSI is located.

Essential security permissions

Important note: Ensure that no unauthorized user accounts have access to the network-shared folder, and transform file (MST). Refer to the steps mentioned below to provide appropriate access permissions.

1. Right-click the network-shared folder and select Properties > Advanced Sharing...

2. Select Permissions and add only the Authenticated Users group. Ensure that only the Read permission is enabled by checking the box in the Allow column, and click OK.

3. Navigate to the Security tab and click Edit...

4. Click Add... and select the custom computer group created (Refer to the Prerequisites section). Click OK.

Step 3: Create and link the GPO

1. Open the Group Policy Management console.
2. On the left pane, right-click the Group Policy Objects container and select New.

3. Give a descriptive name to the GPO and click OK.

4. To link the newly created GPO, right-click the preferred OU or domain and select Link an Existing GPO...

5. In the Select GPO window, choose the GPO that needs to be linked and click OK.

6. Open the Group Policy Management console and select the GPO you created. In the Security Filtering tab, click Add...

7. Add the newly created custom computer group. Refer to the Prerequisites section.

8. After adding the custom computer group in the Security Filtering tab, ensure that the group has Read and Apply group policy permissions enabled in the Delegation tab.

Step 4: Configure software installation settings

1. Right-click the GPO you just created and click Edit... to open the Group Policy Object Editor.

2. Right-click Computer Configuration > Policies > Software Settings > Software installation > New > Package...

3. Select the Identity360CloudIDSecurityAgent.msi placed in your network share and click Open.

4. In the Deploy Software window, select Advanced and click OK.

5. In the IDSecurity Agent Properties window, select the Modifications tab and click Add...

6. Select the transform file (MST) placed in your network share during step 2 of Create a network share and click Open.

7. Click OK to complete the software installation process.

Testing the agent installation

Verify whether all the computers in the custom computer group have the software installed. The software installation will take effect only after rebooting the client machines. To test whether the installation was successful:

1. In the Command Prompt of your client machines, type gpresult /v.
2. Ensure that the GPO you configured appears under the subheading Applied Group Policy Objects.

Customizing the IDSecurity Agent

The customizations.json file is used to customize the IDSecurity Agent's default parameters. Before proceeding with the installation, ensure you prepare a customizations.json file similar to the provided sample below. This file should contain the necessary parameters that require modification. Place this file in the same network path created in Step 2: Create a network share.

Note: If customization is not required, the MSI will automatically utilize the default parameters.

If you have not customized the file as mentioned in the previous step, you can still make adjustments later by editing the file located at C:\Program Files\ManageEngine\Identity360 Cloud IDSecurity Agent\conf\customizations.json

Note: Please refrain from making any modifications to any files aside from customizations.json found in the installation folder, as these files are integral to the functioning of the IDSecurity Agent. Any changes to these files may disrupt functionality of both the agent and the system.

Sample customizations.json file:

{
"LogPath": "C:\\Program Files\\ManageEngine\\Identity360 Cloud IDSecurity Agent\\logs",
"LogLevel": "NORMAL",
"LogRotationMaxSize": "50",
"LogArchivePath": "C:\\Program Files\\ManageEngine\\Identity360 Cloud IDSecurity Agent\\logs\\archive",
"Title": "IDSecurity Agent",
"WebclientFaviconPath": "C:\\Program Files\\ManageEngine\\Identity360 Cloud IDSecurity Agent\\resources\\favicon.ico"
}
		

The table below contains the list of default values and descriptions for all parameters.

Updating the Installation Key

In case the current installation of the IDSecurity Agent is compromised, regenerate a new Installation Key from the Identity360 admin portal by navigating to Applications > Multi-factor Authentication > Install IDSecurity Agent > Step 2 > Regenerate. Copy the command along with the newly generated key and follow these steps to update the Installation Key.

1. Create a new transform file (MST) as shown in step 3 of Prepare the installer files.
2. Replace the old MST file with the newly created one in the network share.

Previous Topic Next Topic