Recommendation on RDS and enrollment

We’re using Duo MFA for protecting our RDS servers. Not deploying it on the gateway, but will have the Windows logon installed on all workstations and servers.

My desire is to have users listed in Duo admin, send them the enrollment email, and as they enroll then start requiring MFA. But because RDS doesn’t support the inline enrollment, I have to manually set everyone to “bypass” (or use a group) and then once they’ve enrolled (after x days) I have to toggle them manually to active.

Any guidance or recommendation on automating this process? I’d like to use AD sync to capture new users but they can’t log in without enrollment… in other words, there is no grace period. As soon as they sync, no access.

We’re about to roll this out so I’m going to A) bulk create the accounts and set them to bypass. Tell everyone they get 2 weeks to enroll. After 2 weeks, set everyone to active. That’s OK for the initial bunch but new users have just become a manual babysit process unless I get some better advice from you experts. :slight_smile:

Thanks in advance.

Hi @cenders,
I don’t have any guidance to share with you yet at this time, but I wanted to reply to let you know I saw your post and will be looking into this further to see if I can help, though I’m by no means an expert :slight_smile:
Also, welcome to the Community! It looks like this may be your first time posting, and you did a wonderful job of clearly explaining what you are trying to accomplish and providing details of your current situation and the parameters within which you’re working. I’ll hopefully follow up with some pointers for you soon.

Hi again,
Thanks for your patience! Following up on this, I spoke with our internal team and here is what they had to say on the subject:

There’s not really a single good solution here, as Duo for Windows Logon and RDP doesn’t allow for enrollment. Using Active Directory (AD) sync to sync phone numbers doesn’t activate Duo Mobile, so users would then be directed to authenticate via SMS or phone calls. As of right now, our best solution is still using group policy to set a grace period to allow time for users to enroll. In general, Winlogon/RDP is not an ideal app to use for rolling out Duo to an organization as it doesn’t provide a way for users to in-line enroll. Of course, sometimes this can’t be avoided…

An easy alternative is to force enrollment via any Web Application that supports the Duo Prompt. You can use whichever web apps you already protect today or are planning to protect. O365 tends to be a good choice as it is one that most organizations protect and every user in the org utilizes.

A more difficult and untested alternative is to use our AdminAPI to send an enrollment email, then use the AdminAPI to poll for the enrolled user and add them to an Active Directory group that is synced into a Duo Group. You could then use that group via a group policy on the Duo RDP integration to do what you want here.

Let us know if you have further questions. I hope that helps!
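The third option above (poll the Admin API, then drop enrolled users into an AD group that Directory Sync turns into a Duo group) can be a scheduled task. The script below is an added example, not code from this thread or from Duo, and it rests on these assumptions: the Admin API endpoints and fields are as documented by Duo (`GET /admin/v1/users` returning `username`, `user_id`, `status`, `is_enrolled`, `email` and `created`; `POST /admin/v1/users/<user_id>/send_enrollment_email`), Duo usernames match AD `sAMAccountName` values (the Directory Sync default), the RSAT ActiveDirectory module is available on the host that runs it, and the integration key placeholders, the group name `Duo-RDP-Enrolled`, the 14-day grace period and the once-a-day schedule are hypothetical.

```powershell
# Added example (not from the thread or from Duo): scheduled task that implements the
# "poll the Admin API, move enrolled users into an AD group synced to a Duo group" idea.
# Assumptions: Admin API endpoints/fields as in Duo's public docs (GET /admin/v1/users with
# username/user_id/status/is_enrolled/email/created; POST /admin/v1/users/<id>/send_enrollment_email);
# Duo usernames equal AD sAMAccountNames (Directory Sync default); RSAT ActiveDirectory module
# installed; key placeholders, group name, 14-day grace and daily schedule are hypothetical.
param(
    [string]$IKey          = 'DIXXXXXXXXXXXXXXXXXX',          # Admin API integration key (placeholder)
    [string]$SKey          = 'replace-with-admin-api-secret', # never commit the real one
    [string]$ApiHost       = 'api-xxxxxxxx.duosecurity.com',
    [string]$EnrolledGroup = 'Duo-RDP-Enrolled',              # AD group synced into a Duo group
    [int]   $GraceDays     = 14,
    [switch]$DryRun                                           # report only, change nothing
)

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Invoke-DuoAdminApi {
    param([string]$Method, [string]$Path, [hashtable]$Params = @{})
    # Canonical request per Duo's signing rules: date, method, host, path, sorted URL-encoded
    # params, HMAC-SHA1 with the secret key, sent as HTTP Basic auth (ikey as user, signature as password).
    $date = (Get-Date).ToUniversalTime().ToString('ddd, dd MMM yyyy HH:mm:ss -0000',
                                                  [Globalization.CultureInfo]::InvariantCulture)
    $keys = [string[]]$Params.Keys
    [Array]::Sort($keys, [StringComparer]::Ordinal)          # byte-order sort, as the API expects
    $query = ($keys | ForEach-Object {
        '{0}={1}' -f [Uri]::EscapeDataString($_), [Uri]::EscapeDataString([string]$Params[$_])
    }) -join '&'
    $canon = ($date, $Method.ToUpper(), $ApiHost.ToLower(), $Path, $query) -join "`n"
    $hmac  = New-Object System.Security.Cryptography.HMACSHA1
    $hmac.Key = [Text.Encoding]::UTF8.GetBytes($SKey)
    $sig   = -join ($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($canon)) | ForEach-Object { $_.ToString('x2') })
    $auth  = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("${IKey}:${sig}"))
    $headers = @{ Date = $date; Authorization = "Basic $auth" }
    $uri = "https://$ApiHost$Path"
    if ($Method -eq 'GET') {
        if ($query) { $uri += "?$query" }
        $resp = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    } else {
        $resp = Invoke-RestMethod -Method $Method -Uri $uri -Headers $headers -Body $query `
                                  -ContentType 'application/x-www-form-urlencoded'
    }
    if ($resp.stat -ne 'OK') { throw "Duo API error on $Path : $($resp | ConvertTo-Json -Compress)" }
    return $resp.response
}

function Get-DuoUsers {
    # The users endpoint is paginated; 300 is the documented maximum page size.
    $users = @(); $offset = 0; $limit = 300
    do {
        $page = @(Invoke-DuoAdminApi -Method GET -Path '/admin/v1/users' -Params @{ limit = $limit; offset = $offset })
        $users += $page
        $offset += $limit
    } while ($page.Count -eq $limit)
    return $users
}

Import-Module ActiveDirectory
$now     = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$members = @(Get-ADGroupMember -Identity $EnrolledGroup | Select-Object -ExpandProperty SamAccountName)

foreach ($u in Get-DuoUsers) {
    # 'created' is a UNIX timestamp; a missing value is treated as "old", which only produces a warning.
    $ageDays = [math]::Floor(($now - [long]$u.created) / 86400)
    if ($u.is_enrolled) {
        # is_enrolled is true only once a usable device is attached, which is what RDP logon needs.
        if ($members -notcontains $u.username) {
            Write-Host "Enrolled: adding $($u.username) to $EnrolledGroup"
            if (-not $DryRun) { Add-ADGroupMember -Identity $EnrolledGroup -Members $u.username }
        }
    } elseif ($ageDays -lt 1 -and $u.email) {
        # Synced since the last daily run: send the enrollment email once (assumes a daily schedule).
        Write-Host "New user $($u.username): sending enrollment email"
        if (-not $DryRun) { Invoke-DuoAdminApi -Method POST -Path "/admin/v1/users/$($u.user_id)/send_enrollment_email" | Out-Null }
    } elseif ($ageDays -ge $GraceDays) {
        # Grace period used up with no device; this still needs a human decision.
        Write-Warning "$($u.username) not enrolled after $ageDays days (status: $($u.status)); review manually"
    }
}
```

Run it with `-DryRun` first from a management host that has the AD module, then schedule it daily with the secret key pulled from a protected store rather than a script parameter. The policy side is what makes this worthwhile: leave the RDP application's own policy permissive for the rollout, and attach a Duo group policy that requires two-factor to the Duo group fed by `Duo-RDP-Enrolled`. Because group policies take precedence over the application policy, users are protected the day their device shows up, while users still enrolling are not locked out, which is the gap the question describes.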

Amy, thanks for your effort.

It would be ideal if the system had a setting allowing for “partially enrolled” users to log in via RDS (or other apps that don’t allow inline enrollment). Otherwise, they are unable to log in.

The solution currently was to set a bypass policy on the app but that means no one gets MFA even those who are fully enrolled until such time that I enable the app for everyone (and again denying those partially enrolled).