HOWTO: Enforce Multi-Factor Authentication when starting the Ivanti Workspace Control Console

Version 11

    Question

    Is it possible to add an extra security measure to the Ivanti Workspace Control Console by triggering a Windows authentication pop-up for Smart Card Authentication when starting the Ivanti Workspace Control Console?

     

    Answer

    With the introduction of Ivanti Workspace Control 10.2.900.0, this behavior can be configured, the following prerequisites should already be in place.

     

    • Windows Smart Card Policies are configured and working already.
    • Users are required to sign in to a machine by using a Smart Card. This can be enforced using the Interactive logon: Require smart card GPO located in Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
      • The GPO mentioned above will set the ScForceOption located in [HKLM\Software\Microsoft\Windows\CurrentVersion\policies\System] to 1. If this is set to 0 or not available, then the feature will not work.
    • No other third-party software is needed to use the available Smart Card Solution.

     

     

    With the above prerequisites in place, the Ivanti Workspace Control Console can enforce an Authentication pop-up by configuring an Administrative Role.

    • Open the Ivanti Workspace Control Console
    • Go to Administration > Administrative Roles > Open or create an Administrative Role
    • On the bottom of the Access Control tab, the feature can be enabled

     

    Capture123.PNG

    Ivanti recommends to first create a test Administrative Role for your test Administrator, this way a locked out situation can be prevented.