Possible to disable users from using phones for Duo Push?

Gigawatt
Level 1

I know the subject sounds strange, but we want to set up some users who strictly use hard tokens, and we don't want them to have the capability to enroll their personal phone if the opportunity were presented to them by someone.

If not, we thought about running a script: if users aren't in certain groups, delete the phone out of Duo, and have it check via the API on a scheduled task.
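The fallback the original post describes (a scheduled job that checks Duo over the Admin API and strips phones from users who are supposed to be hard-token-only) is worth having even if policy does the enforcement, because it turns the least-privilege intent into something you can audit. The following is an added example, not code from the original post or from Duo. It assumes the user records have the shape returned by the Duo Admin API's `GET /admin/v1/users` (a `groups` list of `{"name": ...}` and a `phones` list of `{"phone_id": ...}`), and it assumes a client object with a `delete_user_phone(user_id, phone_id)` method, which is the method name the `duo_client` Python library uses to detach a phone from a user; the `RecordingClient` stand-in and the sample user list are constructed for offline use. Group names are matched case-insensitively against the name shown in the Admin Panel. The `dry_run` default means a first run only reports; it also flags token-only users who have no hardware token at all, since removing their phone would lock them out.

```python
"""Audit, and optionally detach, phones enrolled by users who must be hard-token-only.

Assumptions (not Duo's own code): user records look like the Admin API's
GET /admin/v1/users response, and `client` exposes delete_user_phone(user_id,
phone_id) as the duo_client library's Admin class does.
"""
from dataclasses import dataclass


@dataclass
class Removal:
    username: str
    user_id: str
    phone_id: str
    phone_label: str


def _in_token_only_group(user, wanted):
    """True when the user belongs to at least one of the token-only groups."""
    groups = {g["name"].lower() for g in user.get("groups", [])}
    return bool(groups & wanted)


def plan_phone_removals(users, token_only_groups):
    """Return every (user, phone) pair that violates the token-only rule.

    Pure function: it only reads the records, so it is safe to run as an audit.
    """
    wanted = {g.lower() for g in token_only_groups}
    removals = []
    for u in users:
        if not _in_token_only_group(u, wanted):
            continue  # rule does not apply to this user
        for p in u.get("phones", []):
            label = p.get("name") or p.get("number", "")
            removals.append(Removal(u["username"], u["user_id"], p["phone_id"], label))
    return removals


def token_only_users_missing_token(users, token_only_groups):
    """Token-only users with no hardware token: detaching their phone locks them out."""
    wanted = {g.lower() for g in token_only_groups}
    return [u["username"] for u in users
            if _in_token_only_group(u, wanted) and not u.get("tokens")]


def apply_removals(client, removals, dry_run=True):
    """Detach each offending phone via client.delete_user_phone.

    With dry_run=True nothing is changed; the returned list is the report.
    """
    done = []
    for r in removals:
        if not dry_run:
            client.delete_user_phone(r.user_id, r.phone_id)
        done.append((r.username, r.phone_id))
    return done


class RecordingClient:
    """Offline stand-in for duo_client.Admin; records the calls it would make."""

    def __init__(self):
        self.calls = []

    def delete_user_phone(self, user_id, phone_id):
        self.calls.append((user_id, phone_id))


# Constructed sample data in the Admin API response shape (not real Duo output).
SAMPLE_USERS = [
    {"username": "alice", "user_id": "DU1", "groups": [{"name": "TokenOnly"}],
     "phones": [{"phone_id": "DP1", "name": "iPhone", "number": "+15555550100"}],
     "tokens": [{"token_id": "DH1"}]},
    {"username": "bob", "user_id": "DU2", "groups": [{"name": "Staff"}],
     "phones": [{"phone_id": "DP2", "number": "+15555550101"}], "tokens": []},
    {"username": "carol", "user_id": "DU3",
     "groups": [{"name": "TokenOnly"}, {"name": "Staff"}],
     "phones": [], "tokens": [{"token_id": "DH2"}]},
    {"username": "dave", "user_id": "DU4", "groups": [{"name": "TokenOnly"}],
     "phones": [], "tokens": []},
]


def main():
    plan = plan_phone_removals(SAMPLE_USERS, ["TokenOnly"])
    for r in plan:
        print(f"{r.username}: phone {r.phone_id} ({r.phone_label}) enrolled despite token-only group")
    for name in token_only_users_missing_token(SAMPLE_USERS, ["TokenOnly"]):
        print(f"{name}: in a token-only group but has no hardware token assigned")
    client = RecordingClient()
    apply_removals(client, plan, dry_run=False)
    print("detached:", client.calls)


if __name__ == "__main__":
    main()
```

To run this against a real tenant, replace `RecordingClient` with `duo_client.Admin(ikey, skey, host)` and feed `plan_phone_removals` the output of its `get_users()` call; keep `dry_run=True` until the report matches what you expect. Note that a periodic sweep only narrows the window in which a newly enrolled phone can be used, so it complements, rather than replaces, the policy restriction.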


5 Replies

TabBerger
Cisco Employee

Hey @Gigawatt! If you're looking to restrict authentication methods available to certain groups of users, this is actually something you can do using the Authentication Methods policy in the Duo Admin Panel. You would need to create a Group that contains these users and then a Group-level policy that targets the folks you want to use only hardware tokens.

The article Can I disable an authentication method? has a screenshot and some additional information about this as well.

Hope that helps!
Tab

If we have GroupA as users of mobile devices and GroupB as users of Yubikeys, and we set the group policy for GroupB to restrict authentication methods, how does that affect GroupA if at all?

This is great, nice articles. The only thing I don't see (maybe I missed it) is that it wouldn't prevent them from enrolling, though. I guess it wouldn't really matter if we only allow hard tokens. Just trying to look at this from a least-priv perspective.

DuoKristina
Cisco Employee (Accepted Solution)

@cedstrom A group policy applied to GroupB has no effect on GroupA members (who are not also members of GroupB).

Example where any user can use Push for an application unless they are in GroupB, in which case they must use YubiKeys:

  • Application or Global policy authentication methods allow Duo Push
  • Group policy applied to GroupB on the application only allows hardware tokens

Example where most users can use any authentication method, but GroupA can only use Duo Push and GroupB can only use YubiKeys:

  • Application or Global policy authentication methods allow all authentication methods
  • Group policy applied to GroupA on the application only allows Duo Push
  • Group policy applied to GroupB on the application only allows hardware tokens

@Gigawatt
Removing an authentication method via policy also prevents enrollment of that method during inline enrollment (as in, enrollment while authenticating to that particular application). Since group policies can only be applied to users who exist in Duo, an application or global policy that restricts Duo Push would also prevent new users (unknown to Duo) from enrolling a Push device during inline enrollment.

But, since users can’t self-enroll hardware tokens during Duo enrollment anyway, you would have had to create those users in Duo somehow to then assign them the hardware token. Since the users already exist, they would not see first-time enrollment (so no way to enroll a different method via that path).

If you allow self-service device management on that application and have applied a group policy that restricts GroupB members to hardware tokens, then those users aren't able to enroll other methods not allowed by their effective policy in device management.

Duo, not DUO.

Thanks for this and sorry for the super late reply.

We are applying a policy within the selected application (ADFS) then applying the group policy for TokenOnly and PhoneOnly(deskphone) for certain departments and having them point to a certain group in AD.

Thanks again for this clarity!
