How can I ensure that all of our RDM users are using Two Factor Authentication on their Devolutions account to get into RDM?
We need to make sure that our employees don't go turning this off on their accounts.
Hello,
It's not possible to force your users to enable a 2FA on their cloud account. There's no setting for that.
Each user can enable or disable a 2FA on their cloud account.
However, using Password Server as your backend data source, it's possible to force your users to use a 2FA to authenticate on the database, since this is managed directly from the server.
https://server.devolutions.net/
Best regards,
Jeff Dagenais
Ok, I'll go around and beat them all with a stick if I catch them not using 2FA.
You know... a cynic may say that you've compromised security on one product so that you can sell a solution to the compromise. :(
Hello,
This would not be the first time that we get the comment but unfortunately if you don't have a server to enforce the policy, it will just not be secure.
Regards
David Hervieux
Is there still no way to enforce 2FA without the Password Server?
Hello,
While it's still not possible to force the configuration of a 2fa at the user level without the Devolutions Server, a few options have been added that could suit your needs. Please note that these are only available to Advanced Data Sources.
1- Under Administration -> System Settings -> Applications -> Force application security with Windows Credentials
2- Under Administration -> System Settings -> Applications -> Force application security with TOTP (Authenticator)
3- Under Administration -> System Settings -> Security Settings -> Force data source 2-factor configuration
We also have GPOs that could help you achieve your goal: https://kb.devolutions.net/rdm_group_policies.html
An example of such a GPO is the "Force multiple-factor authentication on the application login":
%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\ForceApplicationMFA
Let us know if that helps!
Best regards,
James Lafleur
Thanks for getting back so quickly. Seemingly, the option under System Settings -> Security Settings should be sufficient. But when we enabled it, what do the users of RDM (those who have not yet enabled MFA) experience, exactly?
You are more than welcome!
Your users who have not configured their 2fa yet will receive this message upon trying to connect to the data source:
To configure their 2fa, they will need to go under File -> Data Sources -> Select the Data Source -> Edit -> Use the link next to the "Two-factor" section -> Click on "Change" and choose the 2fa they wish to configure:
James Lafleur
Thanks. There is something I don't quite understand though. If potential unwelcome guests get as far as to start RDM, as one of our users, but are refused to log in because they do not have the OTP key; what's keeping them from creating a new datasource and copying the host and authentication method (in our case active directory, i.e. the user the intruder would be logged in as) and then just configuring a new OTP on this newly created datasource?
Hello,
You can enable the "Disable the menu File - Data Sources" GPO to prevent any users from accessing the data source configuration dialog.
Let us know if this is a viable solution.
Best regards,
Érica Poirier