Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo
back

SafeNet Agent for Windows Logon

Deploying the agent via Group Policy Object

search

Deploying the agent via Group Policy Object

Deploying the agent via Group Policy Object

The use of Microsoft Group Policy or Group Policy Objects (GPO) enables the SafeNet administrator to centrally manage the agent configuration for users and computers in an Active Directory environment. It allows to configure many important policy settings to provide flexibility and support extensive configuration information.

For more details about the Group Policy and Group Policy Objects, see Group Policy Overview.

Configuring the ADMX and ADML Settings

The SafeNet Agent for Windows Logon policy settings are stored in a Windows Administrative Template (ADMX) file. The settings can be edited using Windows tools. The settings can be propagated to the entire domain, or be applied to the local computer and domain controllers only.

Open the administrative template and perform the following steps to configure the settings:

  1. Add ADMX and ADML file to Group Policy Object (GPO) Editor

  2. Configure ADMX and ADML Settings

Add ADMX and ADML File to Group Policy Object Editor

To add the SafeNet Agent for Windows Logon ADMX file to the GPO Editor, perform the following steps:

  1. Copy the Local Group Policy definition (C:\Windows\PolicyDefinitions) to Domain Group Policy (C:\Windows\SYSVOL\sysvol\domain_name>\Policies).

  2. Copy the downloaded ADMX file (<Application_name>_AgentConfig_<Date>.admx) from own Cloud to the following location on your domain controller/server:
    C:\Windows\SYSVOL\sysvol\<domain_name>\Policies\PolicyDefinitions

  3. Copy the appropriate ADML language file (<Application_name>_AgentConfig_<Date>.adml) to a language folder under the \PolicyDefinitionsfolders.

    For example,

    • In Windows Server 2016, the English language file provided should be written to:
      C:\Windows\SYSVOL\sysvol\<domain_name>\Policies\PolicyDefinitions\en-US

Configure ADMX and ADML Settings

Open the administrative template and perform the following steps to configure the settings:

  1. From the Windows taskbar, select Start > All Programs > Accessories > Run.

  2. Enter gpmc.msc and click OK. The Group Policy Management window is displayed.

    alt_text

  3. Perform one of the following actions:

  4. To propagate the settings to all clients in the domain, right-click Default Domain Policy or newly created GPO under the domain node.

  5. To apply the settings to the local machine and any other domain controllers in this domain, under the Domain Controllers node, right-click Default Domain Controllers Policy option.

  6. From the drop-down menu, select Edit. The Group Policy Management Editor window is displayed.

  7. In the left pane, navigate to Computer Configuration > Administrative Templates > WLA Policies > AuthGINA. The settings are displayed in the right pane.

    alt_text

  8. Enable all the setting (except PrimaryServiceURL and OptionalSecondaryServiceURL), if not already enabled, with default value or user-defined value.

    The PrimaryServiceURL and OptionalSecondaryServiceURL should be set to [Not Configured]. The value of both the settings gets configured via the .agent file.

    Click here to see the description of the registry settings available with the agent.

Deploying the agent

Deploying SafeNet Agent for Windows Logon via GPO requires:

  1. Creating a Distribution Point

  2. Creating a Group Policy Object

  3. Deploying the MSI

  4. Creating the MST file

    alt_text

Creating a Distribution Point

To deploy an MSI through GPO, perform the following steps to create a distribution point on the Publishing Server:

  1. Log in to the server as an administrator.

  2. Create a shared network folder.

    The shared network folder will contain the MSI package and Agent file.

  3. Set permissions on this folder to allow access to the distribution package.

  4. Copy and paste the MSI file (SafeNet Authentication Service Agent for Win 8-10-2012-2016 x64.msi) and Agent file in the previously created shared network folder.

Creating a Group Policy Object

An MSI package is deployed/distributed through GPO. To create an object, perform the following steps:

  1. From the Windows taskbar, select Start > All Programs > Accessories > Run.

  2. Enter gpmc.msc and click OK. The Group Policy Management window is displayed.

  3. Expand Forest (your forest) > Domains (your domain).

  4. Right-click the Group Policy Objects and select New.

  5. Enter a name for your policy and leave Source Starter GPO as none.

  6. Right-click the domain name and select Link an Existing GPO.

  7. In Select GPO pop-up window, select newly created GPO and click OK.

  8. Click the newly created GPO. In the right pane, right-click the linked domain name and select enforce. The GPO will be linked with the domain.

Deploying the MSI

Prerequisites

  • Ensure that the MST File is created.
    To create an MST file, please refer Creating the MST file section.

To deploy the WLA MSI, you need to set AGENTMODE and JSONFILEPATH. For this purpose, it is advisable to use parameterized MSI Installation with the help of a transform (.mst) file.

To deploy the MSI to the client machines, perform the following steps:

  1. Copy the Agent file to the client machines

  2. Deploy MST and MSI files

  3. Set the order of GPO

Copy the Agent file to the client machines

Perform the following steps to place the Agent file in client machines using GPO file distribution:

  1. Go to Computer Configuration > Preferences > Windows Settings > Files.

  2. Right-click the Files option and then click New > File.

  3. In the New File Properties, select Create from the Action drop-down.

  4. Enter the Source file(s) (UNC path of shared folder) and Destination File (a path on the client machine where you want to put the agent file).

    alt_text

    Keep the source file, that is, the Agent file in shared location.

Deploying MST and MSI files

Perform the following steps to deploy the MST and MSI files:

  1. Open Group Policy Management Editor and select Edit.

  2. Go to Computer Configuration > Policies > Software Settings > Software Installation.

  3. Right-click Software Installation and then click New > Package.

  4. Select the SafeNet Agent for Windows Logon MSI file (SafeNet Authentication Service Agent for Win 8-10-2012-2016 x64.msi) from the previously created shared folder.

  5. In the Deploy Software pop-up window, select Advanced and then click OK.

    alt_text

  6. Go to the Modifications tab and click Add.

    alt_text

  7. Select the MST file from the created shared folder and click OK.

    alt_text

    Put the MST and MSI files in shared folder.

  8. Under the Security tab, select the client machine and give permission, and then click OK.

    alt_text

Setting the order of GPO

If you have more than one GPO linked to an OU/Domain, then the processing order of the GPOs is determined by link order. The GPO with the lowest link order will be processed at the last. So, you need to set the GPOs in-order.

  1. Open the GPMC console.

  2. Select the Domain/OU to which GPOs are linked.

  3. In the right-pane, click Linked Group Policy Object tab.

  4. Ensure that the GPO for Deploy MST and MSI file have lower Link order than GPO for the Copy the agent file. Change the link order accordingly, if required.

    alt_text

Creating the MST file

To create an MST file, you need to install the ORCA tool. It is a free utility from Microsoft, available with the Windows SDK package (Developer Tool).

To install the ORCA tool, click here.

  1. After the successful installation of the tool, right-click the SafeNet Agent for Windows Logon MSI file (SafeNet Authentication Service Agent for Win 8-10-2012-2016 x64.msi) from the previously created shared folder.

  2. Click Edit with Orca.

  3. Click Transform > New Transform.

  4. In the Orca Editor, in the left pane, under Tables, click Property.

    alt_text

  5. Double-click the value of property AGENTMODE and set it as 1.

    alt_text

  6. Double-click the value of property JSONFILE and set the path of client machine, which contains the Agent file.

    alt_text

  7. Click Transform > Generate Transform.

  8. Save your Transform (.mst) file with a desired name in the previously created shared folder.

Upgrading the agent

Perform the following steps to upgrade the existing WLA package with a new package:

  1. Perform Step 1 to Step 5 in Deploying MST and MSI files section.

  2. Go to the Upgrades tab and click Add.

    alt_text

    The Add Upgrade Package window is displayed.

    1. Under Choose a package from, select Current Group Policy Object (GPO) or click Browse to select a specific GPO.

    2. Under Package to upgrade, select the desired package from the list, and then select Package can upgrade over the existing package.

    3. Click OK.

      alt_text

  3. Click OK.

Uninstalling the agent

Perform the following steps to uninstall the agent:

  1. Perform Step 1 to Step 3 in Creating a Group Policy Object section.

  2. Select Group Policy Objects, right-click the desired group policy, and then click Edit.

  3. In the left pane, go to Computer Configuration > Policies > Software Settings > Software installation.

  4. In the right pane, right-click the software package that you want to uninstall, hover on All Tasks, and then click Remove.

    alt_text

  5. On the Remove Software window, select Immediately uninstall the software from users and computer, and then click OK.

    alt_text