Duo Deployment
Purpose
This solution is designed to configure the automatic deployment of the Duo Auth application on Windows and Macintosh machines that are missing the agent, using the NinjaOne platform.
References:
- Windows - Duo Authentication for Windows Logon x64 - Silent Install
- Macintosh - Duo Authentication for macOS - Silent Install
Associated Content
Custom Field
Content | Definition Scope | Required | Type | Available Options | Applicable OS | Function |
---|---|---|---|---|---|---|
cPVAL DUO Deployment | Organization | True | Drop-down | All , Windows , Windows Workstations , Windows Servers , Macintosh , Disabled | Windows , Macintosh | Enables Duo auto-deployment for the selected platform. |
cPVAL DUO Deployment Exclude | Location , Device | False | Drop-down | Yes , No | Windows , Macintosh | Excludes the device or location from Duo deployment automation when set to 'Yes'. |
cPVAL DUO IKEY | Organization | True | Text | | Windows , Macintosh | Links authentication requests to the correct Duo account using the integration key from the Duo Admin Panel. |
cPVAL DUO SKEY | Organization | True | Text | | Windows , Macintosh | Secures communication with Duo’s service using the secret key from the Duo Admin Panel. |
cPVAL DUO HKEY | Organization | True | Text | | Windows , Macintosh | Specifies the API hostname for communication with Duo’s service, obtained from the Duo Admin Panel. |
cPVAL DUO AUTOPUSH | Organization | False | Drop-down | All , Windows , Windows Workstations , Windows Servers , Macintosh , Disabled | Windows , Macintosh | Automatically sends a push request to the user’s device during login when enabled. |
cPVAL DUO FAILOPEN | Organization | False | Drop-down | All , Windows , Windows Workstations , Windows Servers , Macintosh , Disabled | Windows , Macintosh | Determines login behavior when Duo’s service is unreachable: allows login (fail open) or denies access (fail closed). |
cPVAL DUO SMARTCARD | Organization | False | Drop-down | All , Windows , Windows Workstations , Windows Servers , Macintosh , Disabled | Windows , Macintosh | Enables smart card login as an alternative to Duo authentication when enabled. |
cPVAL DUO ENABLEOFFLINE | Organization | False | Drop-down | Windows , Windows Workstations , Windows Servers , Disabled | Windows | Controls whether offline access is permitted, allowing authentication without a real-time connection to Duo. |
cPVAL DUO RDPONLY | Organization | False | Drop-down | Windows , Windows Workstations , Windows Servers , Disabled | Windows | Requires Duo authentication only for remote logins via RDP when enabled. |
cPVAL DUO WRAPSMARTCARD | Organization | False | Drop-down | Windows , Windows Workstations , Windows Servers , Disabled | Windows | Requires Duo authentication after smart card primary login when enabled. |
cPVAL DUO USERNAMEFORMAT | Organization | False | Drop-down | 0 , 1 , 2 | Windows | Specifies the username format sent to Duo: sAMAccountName, NTLM domain\username, or userPrincipalName. |
cPVAL DUO UAC_PROTECTMODE | Organization | False | Drop-down | 0 , 1 , 2 | Windows | Configures Duo authentication for logon and User Account Control (UAC) elevation. |
cPVAL DUO UAC_OFFLINE | Organization | False | Drop-down | 0 , 1 | Windows | Enables or disables offline access for UAC elevation. |
cPVAL DUO UAC_OFFLINE_ENROLL | Organization | False | Drop-down | 0 , 1 | Windows | Enables or disables offline enrollment during UAC elevation. |
Automation
Content | Function |
---|---|
Duo Deployment - Windows | Installs Duo Authentication for Windows Logon x64 on Windows machines, retrieving required keys from custom fields if not provided at runtime. |
Duo Deployment - Macintosh | Installs the Duo Authentication for macOS on Macintosh machines, retrieving required keys from custom fields. |
Compound Conditions
Content | Function |
---|---|
Duo Deployment - Windows Workstations | Triggers the Duo Deployment - Windows automation on Windows workstations where deployment is enabled and Duo Authentication for Windows Logon x64 is not installed. |
Duo Deployment - Windows Servers | Triggers the Duo Deployment - Windows automation on Windows servers where deployment is enabled and Duo Authentication for Windows Logon x64 is not installed. |
Duo Deployment - Macintosh | Triggers the Duo Deployment - Macintosh automation on Macintosh machines where deployment is enabled and Duo Authentication for macOS is not installed. |
Implementation
Step 1
Create the following custom fields:
- cPVAL DUO Deployment
- cPVAL DUO Deployment - Exclude
- cPVAL DUO IKEY
- cPVAL DUO SKEY
- cPVAL DUO HKEY
- cPVAL DUO AUTOPUSH
- cPVAL DUO FAILOPEN
- cPVAL DUO SMARTCARD
- cPVAL DUO ENABLEOFFLINE
- cPVAL DUO RDPONLY
- cPVAL DUO WRAPSMARTCARD
- cPVAL DUO USERNAMEFORMAT
- cPVAL DUO UAC_PROTECTMODE
- cPVAL DUO UAC_OFFLINE
- cPVAL DUO UAC_OFFLINE_ENROLL
Step 2
Create the following automations:
- Duo Deployment - Windows
- Duo Deployment - Macintosh
Step 3
Create the Duo Deployment - Windows Workstations compound condition for the default Windows Workstation [Default] agent policy.
Step 4
Create the Duo Deployment - Windows Servers compound condition for the default Windows Server [Default] agent policy.
Step 5
Create the Duo Deployment - Macintosh compound condition for both default agent policies: Mac Server [Default] and Mac [Default]. The example in the document illustrates the deployment process for the Mac [Default] agent policy. It is also recommended to apply this compound condition to the Mac Server [Default] agent policy, following the same process.
FAQ
1. Can the automations be executed manually without relying on the auto-deployment custom fields (cPVAL DUO Deployment, cPVAL DUO Deployment - Exclude)?
Yes, the automations can be executed manually, independent of the auto-deployment custom fields. Even if deployment is not enabled or the machine is excluded, the scripts can still be run manually to perform the required actions.
2. Are the [cPVAL DUO IKEY], [cPVAL DUO SKEY], and [cPVAL DUO HKEY] custom fields mandatory for deployment?
Yes, these custom fields are mandatory for the deployment to function correctly. They are used to link the Duo authentication requests to the appropriate Duo account and ensure secure communication with Duo’s service.
3. What should I do if the auto-deployment is not working for certain machines?
If auto-deployment is not working, check if the machines are excluded using the cPVAL DUO Deployment Exclude custom field or if they are using a different agent policy. Ensure the compound conditions are applied to the correct agent policies for deployment to work.
4. Can the deployment process be customized for specific platforms?
Yes, the deployment process can be customized by selecting the appropriate options in the cPVAL DUO Deployment custom field. This allows you to enable deployment for specific platforms such as Windows workstations, Windows servers, or Macintosh machines.
5. What happens if Duo’s service is unreachable during login?
The cPVAL DUO FAILOPEN custom field determines the login behavior when Duo’s service is unavailable. If it is enabled, login is permitted; otherwise, access is denied.
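The scoped drop-down values in the custom field table (All, Windows, Windows Workstations, Windows Servers, Macintosh, Disabled) have to be resolved per device before they reach the Windows installer, and the fail-open choice from FAQ 5 is the one worth flagging at that point. The sketch below is an added example, not the cPVAL automation itself. It assumes the scope semantics shown in `Test-DuoScope`, the `#1`/`#0` value form for installer properties, a hypothetical hashtable of field values keyed by the suffix of each custom field name, and constructed sample values.

```powershell
# Added example; function names, scope semantics and sample values are assumptions.
function Test-DuoScope([string]$Value, [string]$DeviceType) {
    switch ($Value) {
        'All'                  { return $true }
        'Windows'              { return $DeviceType -like 'Windows *' }
        'Windows Workstations' { return $DeviceType -eq 'Windows Workstation' }
        'Windows Servers'      { return $DeviceType -eq 'Windows Server' }
        'Macintosh'            { return $DeviceType -eq 'Macintosh' }
        default                { return $false }  # 'Disabled', empty or unknown
    }
}
function Get-DuoInstallPlan([hashtable]$Fields, [string]$DeviceType) {
    # Exclusion and the deployment switch are evaluated before any key is read.
    if ($Fields['Exclude'] -eq 'Yes') { return $null }
    if (-not (Test-DuoScope -Value $Fields['Deployment'] -DeviceType $DeviceType)) { return $null }
    foreach ($k in 'IKEY', 'SKEY', 'HKEY') {
        if ([string]::IsNullOrWhiteSpace($Fields[$k])) { throw "cPVAL DUO $k is empty" }
    }
    $props = [ordered]@{ IKEY = $Fields['IKEY']; SKEY = $Fields['SKEY']; HOST = $Fields['HKEY'] }
    # Scoped toggles: an unset field is omitted so the installer default applies.
    foreach ($k in 'AUTOPUSH', 'FAILOPEN', 'SMARTCARD', 'ENABLEOFFLINE', 'RDPONLY', 'WRAPSMARTCARD') {
        if ($Fields[$k]) {
            $props[$k] = if (Test-DuoScope -Value $Fields[$k] -DeviceType $DeviceType) { '#1' } else { '#0' }
        }
    }
    # Numeric options (0, 1, 2) are passed through unchanged.
    foreach ($k in 'USERNAMEFORMAT', 'UAC_PROTECTMODE', 'UAC_OFFLINE', 'UAC_OFFLINE_ENROLL') {
        if ($null -ne $Fields[$k]) { $props[$k] = "#$($Fields[$k])" }
    }
    if ($props['FAILOPEN'] -eq '#1') {
        Write-Warning "FAILOPEN is enabled for ${DeviceType}: login is permitted when Duo is unreachable."
    }
    return $props
}
# Render the plan for script output with the secret key masked.
function Format-DuoPlanForLog($Plan) {
    ($Plan.Keys | ForEach-Object {
        $v = if ($_ -eq 'SKEY') { '********' } else { $Plan[$_] }
        "$_=`"$v`""
    }) -join ' '
}
# Constructed sample field values (placeholders, not real keys).
$sample = @{
    Deployment = 'Windows'; Exclude = 'No'; IKEY = 'DIXXXXXXXXXXXXXXXXXX'; SKEY = 'constructed-secret'
    HKEY = 'api-XXXXXXXX.duosecurity.com'; FAILOPEN = 'Windows Workstations'; RDPONLY = 'Disabled'
    UAC_PROTECTMODE = 2
}
foreach ($type in 'Windows Workstation', 'Windows Server', 'Macintosh') {
    $plan = Get-DuoInstallPlan -Fields $sample -DeviceType $type
    if ($plan) { "{0}: {1}" -f $type, (Format-DuoPlanForLog $plan) } else { "${type}: not in scope" }
}
```

With the sample values, workstations resolve to fail open and trigger the warning, servers resolve to fail closed, and the Macintosh device is out of scope.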