We’re using Duo MFA for protecting our RDS servers. Not deploying it on the gateway, but will have the Windows logon installed on all workstations and servers.
My desire is to have users listed in Duo admin, send them the enrollment email, and as they enroll then start requiring MFA. But because RDS doesn’t support the inline enrollment, I have to manually set everyone to “bypass” (or use a group) and then once they’ve enrolled (after x days) I have to toggle them manually to active.
Any guidance or recommendation on automating this process? I’d like to use AD sync to capture new users but they can’t log in without enrollment… in other words, there is no grace period. As soon as they sync, no access.
We’re about to roll this out so I’m going to A) bulk create the accounts and set them to bypass. Tell everyone they get 2 weeks to enroll. After 2 weeks, set everyone to active. That’s OK for the initial bunch but new users have just become a manual babysit process unless I get some better advice from you experts.
Thanks in advance.
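The bypass-then-activate flow described in the post can be turned into a scheduled job rather than a manual toggle. The script below is an added example, not code from the original post or from Duo: it encodes the post's policy (a bypass user becomes active as soon as they have enrolled a phone or token, or when the two-week grace window since creation has expired) as a pure decision function, then applies it through an injected client. The `DuoUser` field names are assumed to mirror the Duo Admin API user record (`user_id`, `username`, `status`, `created`, `phones`, `tokens`), and `apply_plan` assumes a client exposing `update_user(user_id, status="active")` as `duo_client.Admin` does; the sample users and the `DryRunAdmin` stand-in are constructed here so the example runs offline.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

GRACE_PERIOD_SECONDS = 14 * 24 * 3600  # the two-week enrollment window from the post


@dataclass
class DuoUser:
    """Subset of a Duo Admin API user record (field names assumed to match
    the /admin/v1/users response: user_id, username, status, created, phones, tokens)."""
    user_id: str
    username: str
    status: str              # "active", "bypass", "disabled", "locked out"
    created: int             # Unix timestamp when the user was created / synced from AD
    phones: List[dict] = field(default_factory=list)
    tokens: List[dict] = field(default_factory=list)

    def is_enrolled(self) -> bool:
        # A user with at least one phone or hardware token can answer a Duo prompt,
        # so requiring MFA for them no longer locks them out of RDS.
        return bool(self.phones or self.tokens)


def plan_status_changes(users: Iterable[DuoUser], now: int,
                        grace_seconds: int = GRACE_PERIOD_SECONDS) -> Dict[str, str]:
    """Return {username: reason} for every bypass user who should become active.

    Rules (the post's policy):
      enrolled                      -> activate now, closing the bypass window early
      unenrolled, grace expired     -> activate anyway (the "after 2 weeks" deadline)
      unenrolled, still within grace -> leave in bypass
    Users who are not in bypass are never touched.
    """
    plan: Dict[str, str] = {}
    for u in users:
        if u.status != "bypass":
            continue
        if u.is_enrolled():
            plan[u.username] = "enrolled"
        elif now - u.created >= grace_seconds:
            plan[u.username] = "grace_expired"
    return plan


def apply_plan(admin_api, users: Iterable[DuoUser], plan: Dict[str, str]) -> List[str]:
    """Flip each planned user to active via admin_api.update_user(user_id, status="active").

    admin_api is assumed to be a duo_client.Admin instance or any object with that method
    (a dry-run stand-in is used below so the example runs without credentials)."""
    by_name = {u.username: u for u in users}
    changed: List[str] = []
    for username in sorted(plan):
        admin_api.update_user(by_name[username].user_id, status="active")
        changed.append(username)
    return changed


class DryRunAdmin:
    """Constructed stand-in for duo_client.Admin that records calls instead of making them."""
    def __init__(self) -> None:
        self.calls: List[tuple] = []

    def update_user(self, user_id: str, **kwargs) -> None:
        self.calls.append((user_id, kwargs))


# Constructed sample data: four users at different points in the enrollment lifecycle.
NOW = 1_700_000_000
SAMPLE_USERS = [
    DuoUser("DU1", "alice", "bypass", NOW - 3 * 86400, phones=[{"type": "Mobile"}]),  # enrolled -> activate
    DuoUser("DU2", "bob", "bypass", NOW - 3 * 86400),                                   # in grace -> leave
    DuoUser("DU3", "carol", "bypass", NOW - 20 * 86400),                                # grace expired -> activate
    DuoUser("DU4", "dave", "active", NOW - 30 * 86400, phones=[{"type": "Mobile"}]),    # already active -> skip
]

if __name__ == "__main__":
    plan = plan_status_changes(SAMPLE_USERS, NOW)
    api = DryRunAdmin()
    print("activated:", apply_plan(api, SAMPLE_USERS, plan))
    print("api calls:", api.calls)
```

Run on a schedule (daily, for instance) with `DryRunAdmin` replaced by a real `duo_client.Admin(ikey=..., skey=..., host=...)` and the user list pulled from the Admin API, this removes the manual babysitting for AD-synced newcomers: each new user sits in bypass only until they enroll or the window closes, and the `reason` returned for each change gives an audit trail of why a bypass was lifted.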