Possible to disable users from using phones for Duo Push?

I know the subject sounds strange, but we are wanting to setup some users that strictly use hard tokens and we don’t want them to have the capability to enroll their personal phone if the opportunity got presented to them by someone.

If not, we thought about running a script if users aren’t certain groups then delete the phone out of Duo and have it check API via scheduled tasks.

Hey @Gigawatt ! If you’re looking to restrict authentication methods available to certain groups of users, this is actually something you can do using the Authentication Methods policy in the Duo Admin Panel. You would need to create Group that contains these users and then a Group-level policy that targets the folks you only want to use hardware tokens.

The article Can I disable an authentication method? has a screenshot and some additional information about this as well.

Hope that helps!

1 Like

If we have GroupA as users of mobile devices and GroupB as users of Yubikeys, and we set the group policy for GroupB to restrict authentication methods, how does that affect GroupA if at all?

This is great, nice articles. The only thing I don’t see…maybe I missed it, but it wouldn’t prevent them from enrolling though. I guess it wouldn’t really matter if we just only allow just hard tokens. Just trying to look at this from a least priv perspective.

@cedstrom A group policy applied to GroupB has no effect on GroupA members (who are not also members of GroupB).

Example where any user can use Push for an application unless they are in GroupB, in which case they must use YubiKeys:

  • Application or Global policy authentication methods allow Duo Push
  • Group policy applied to GroupB on the application only allows hardware tokens

Example where most users can use any authentication method, but GroupA can only use Duo Push and only members of GroupB can only use Yubikeys:

  • Application or Global policy authentication methods allow all authentication methods
  • Group policy applied to GroupA on the application only allows Duo Push
  • Group policy applied to GroupB on the application only allows hardware tokens

Removing an authentication method via policy also prevents enrollment of that method during inline enrollment (as in, enrollment while authenticating to that particular application). Since group policies can only be applied to users who exist in Duo, an application or global policy that restricts Duo Push would also prevent new users (unknown to Duo) from enrolling a Push device during inline enrollment.

But, since users can’t self-enroll hardware tokens during Duo enrollment anyway, you would have had to create those users in Duo somehow to then assign them the hardware token. Since the users already exist, they would not see first-time enrollment (so no way to enroll a different method via that path).

If you allow self-service device management on that application and have applied a group policy that restricts GroupB members to hardware tokens, then those users aren’t able to enroll other methods not allowed by their effective policy in device management,

1 Like

Thanks for this and sorry for the super late reply.

We are applying a policy within the selected application (ADFS) then applying the group policy for TokenOnly and PhoneOnly(deskphone) for certain departments and having them point to a certain group in AD.

Thanks again for this clarity!