Duo Deployment
Purpose
This solution is designed to configure the automatic deployment of the Duo Auth application on Windows and Macintosh machines that are missing the agent, using the NinjaOne platform.
References:
- Windows - Duo Authentication for Windows Logon x64 - Silent Install
- Macintosh - Duo Authentication for macOS - Silent Install
Associated Content
Custom Field
| Content | Definition Scope | Required | Type | Available Options | Applicable OS | Function |
|---|---|---|---|---|---|---|
| cPVAL DUO Deployment | Organization,Location,Computer | True | Drop-down | All, Windows, Windows Workstations, Windows Servers, Macintosh, Disabled | Windows, Macintosh | Enables Duo auto-deployment for the selected platform. |
| cPVAL DUO IKEY | Organization | True | Text | Windows, Macintosh | Links authentication requests to the correct Duo account using the integration key from the Duo Admin Panel. | |
| cPVAL DUO SKEY | Organization | True | Text | Windows, Macintosh | Secures communication with Duo’s service using the secret key from the Duo Admin Panel. | |
| cPVAL DUO HKEY | Organization | True | Text | Windows, Macintosh | Specifies the API hostname for communication with Duo’s service, obtained from the Duo Admin Panel. | |
| cPVAL DUO AUTOPUSH | Organization | False | Drop-down | All, Windows, Windows Workstations, Windows Servers, Macintosh, Disabled | Windows, Macintosh | Automatically sends a push request to the user’s device during login when enabled. |
| cPVAL DUO FAILOPEN | Organization | False | Drop-down | All, Windows, Windows Workstations, Windows Servers, Macintosh, Disabled | Windows, Macintosh | Determines login behavior when Duo’s service is unreachable: allows login (fail open) or denies access (fail closed). |
| cPVAL DUO SMARTCARD | Organization | False | Drop-down | All, Windows, Windows Workstations, Windows Servers, Macintosh, Disabled | Windows, Macintosh | Enables smart card login as an alternative to Duo authentication when enabled. |
| cPVAL DUO ENABLEOFFLINE | Organization | False | Drop-down | Windows, Windows Workstations, Windows Servers, Disabled | Windows | Controls whether offline access is permitted, allowing authentication without a real-time connection to Duo. |
| cPVAL DUO RDPONLY | Organization | False | Drop-down | Windows, Windows Workstations, Windows Servers, Disabled | Windows | Requires Duo authentication only for remote logins via RDP when enabled. |
| cPVAL DUO WRAPSMARTCARD | Organization | False | Drop-down | Windows, Windows Workstations, Windows Servers, Disabled | Windows | Requires Duo authentication after smart card primary login when enabled. |
| cPVAL DUO USERNAMEFORMAT | Organization | False | Drop-down | 0,1,2 | Windows | Specifies the username format sent to Duo: sAMAccountName, NTLM domain\username, or userPrincipalName. |
| cPVAL DUO UAC_PROTECTMODE | Organization | False | Drop-down | 0,1,2 | Windows | Configures Duo authentication for logon and User Account Control (UAC) elevation. |
| cPVAL DUO UAC_OFFLINE | Organization | False | Drop-down | 0,1 | Windows | Enables or disables offline access for UAC elevation. |
| cPVAL DUO UAC_OFFLINE_ENROLL | Organization | False | Drop-down | 0,1 | Windows | Enables or disables offline enrollment during UAC elevation. |
Automation
| Content | Function |
|---|---|
| Duo Deployment - Windows | Installs Duo Authentication for Windows Logon x64 on Windows machines, retrieving required keys from custom fields if not provided at runtime. |
| Duo Deployment - Macintosh | Installs the Duo Authentication for macOS on Macintosh machines, retrieving required keys from custom fields. |
| Duo Uninstall - Windows | Silently uninstalls Duo Authentication for Windows Logon from windows machines. |
| Duo Uninstall - Macintosh | Silently removes Duo Authentication components from macOS. |
Compound Conditions
| Content | Function |
|---|---|
| Duo Deployment - Windows Workstations | Triggers the Duo Deployment - Windows automation on Windows workstations where deployment is enabled and Duo Authentication for Windows Logon x64 is not installed. |
| Duo Deployment - Windows Servers | Triggers the Duo Deployment - Windows automation on Windows servers where deployment is enabled and Duo Authentication for Windows Logon x64 is not installed. |
| Duo Deployment - Macintosh | Triggers the Duo Deployment - Macintosh automation on Macintosh machines where deployment is enabled and Duo Authentication for macOS is not installed. |
| Duo Uninstallation - Windows | Triggers the Duo Uninstall - Windows automation on Windows workstations where uninstallation is enabled. |
| Duo Uninstallation - Macintosh | Triggers the DUO Uninstall - Macintosh automation on Macintosh machines where uninstallation is enabled. |
Implementation
Step 1
Create the following custom fields:
- cPVAL DUO Deployment
- cPVAL DUO IKEY
- cPVAL DUO SKEY
- cPVAL DUO HKEY
- cPVAL DUO AUTOPUSH
- cPVAL DUO FAILOPEN
- cPVAL DUO SMARTCARD
- cPVAL DUO ENABLEOFFLINE
- cPVAL DUO RDPONLY
- cPVAL DUO WRAPSMARTCARD
- cPVAL DUO USERNAMEFORMAT
- cPVAL DUO UAC_PROTECTMODE
- cPVAL DUO UAC_OFFLINE
- cPVAL DUO UAC_OFFLINE_ENROLL
Step 2
Create the following automations:
- Duo Deployment - Windows
- Duo Deployment - Macintosh
- Duo Uninstall - Windows
- Duo Uninstall - Macintosh
Step 3
Create the following compound conditions:
- Duo Deployment - Windows Workstations
- Duo Deployment - Windows Servers
- Duo Deployment - Macintosh
- Duo Uninstallation - Windows
- Duo Uninstallation - Macintosh
FAQ
1. Can the automations be executed manually without relying on the auto-deployment custom fields (cPVAL DUO Deployment, cPVAL DUO Deployment - Exclude) ?
Yes, the automations can be executed manually, independent of the auto-deployment custom fields. Even if deployment is not enabled or the machine is excluded, the scripts can still be run manually to perform the required actions.
2. Are the [cPVAL DUO IKEY], [cPVAL DUO SKEY], and [cPVAL DUO HKEY] custom fields mandatory for deployment?
Yes, these custom fields are mandatory for the deployment to function correctly. They are used to link the Duo authentication requests to the appropriate Duo account and ensure secure communication with Duo’s service.
3. What should I do if the auto-deployment is not working for certain machines?
If auto-deployment is not working, check if the machines are excluded using the cPVAL DUO Deployment Exclude custom field or if they are using a different agent policy. Ensure the compound conditions are applied to the correct agent policies for deployment to work.
4. Can the deployment process be customized for specific platforms?
Yes, the deployment process can be customized by selecting the appropriate options in the cPVAL DUO Deployment custom field. This allows you to enable deployment for specific platforms such as Windows workstations, Windows servers, or Macintosh machines.
5. What happens if Duo’s service is unreachable during login?
The cPVAL DUO FAILOPEN custom field determines the login behavior when Duo’s service is unavailable. If it is enabled, login is permitted; otherwise, access is denied.
Changelog
2026-05-28
- Added an uninstall option to the custom field
cPVAL DUO Deployment, allowing the same field to be used for both installation and uninstallation actions. - Removed
cPVAL DUO Deployment Excludeas same has been handled bycPVAL DUO Deployment. ChangedcPVAL DUO Deploymentscope to location and computer. Also updated the compound conditions with these changes. - Created Duo Uninstallation scripts and their corresponding Compound conditions
- Updated the documentation to align with the new documentation format and standards.
2025-04-15
- Initial version of the document