Automated User Provisioning

Bomgar Verify Security Server is able to provision users in two ways: with the Deployment Wizard (recommended for first-time user deployments), which allows an extremely granular approach to how users are deployed, or with the Automatic Group Deployment within the admin GUI, which caters for ongoing deployment of users.

Automatic Group Deployment is a new feature that allows simple ongoing provisioning of users. A dedicated group of users (only one group per domain is supported) is monitored, and any user added to this group is automatically deployed with the options set in the GUI. If a user is removed from the group, they are automatically unmanaged.

Mass deployment of users can be automated with the use of a tool called the Deployment Wizard.

The Deployment Wizard is an embedded tool that allows enterprises to deploy Passcodes to a high number of users easily. It is customisable so that passcodes can be sent via SMS to users in one seamless mechanism. The Deployment Wizard allows users to Two Factor authenticate and enroll their mobile telephone number, which is then stored encrypted within the Directory server (only the Bomgar Verify software or administrators have access to these mobile numbers).

This tool can be used in one of two ways: via a graphical user interface for manual deployments, or in command line mode for use by scripts or batch jobs.

Deployment Wizard GUI

To launch this tool, go to Start > Programs > Bomgar > Deployment Wizard.

The Deployment Wizard follows a simple flow-chart sequence of operation.

The user account that runs this wizard MUST be a member of the Administrators group.

Step 1

Set up the End User Deployment Defaults: select a One Time Code (the default, with Pre-load), Real Time delivery, a Day Code or an ICE user (In Case of Emergency).

Use Search Filter

Step 2

Select the Domain you wish to administer, then enter the LDAP search base or leave blank.

Common examples are:

DC=Bomgar, DC=com

CN=Users, DC=Bomgar, DC=com

OU=IT, OU=HQ, DC=Bomgar, DC=com

Note: If the LDAP Search Base is blank, the search will include all objects (from the top of the tree).

Enter the LDAP User Search Filter. By default the search filter only looks for user accounts that have not already been activated with Bomgar Verify.

The filter uses the following guidelines:

Expressions can use the relational operators: <, <=, =, >=, and >

Example 1: cn=a*
Locate all users with "a" at the start of their common name.

Example 2: lastName>=Davis
Locate all users with surnames between "Davis" and "zzzzz".

Compound expressions are formed with the prefix operators & and !.

Example 3: (&(lastName=Davis))
Locate users that have the surname Davis.

If both operators are required then & expressions must precede ! expressions.

Example 4: (&(lastname=a*)(!(building=42)(building=43)))
Locate all users with lastname starting with "a" that are not in building 42 or 43.

Example 5: memberof=CN=RAS,CN=Users,DC=dev,DC=com
Locate all users that are a member of the group CN=RAS,CN=Users,DC=dev,DC=com.

Nested Group Support

To support searching of nested groups, an OID value is used in the filter statement. Searching for nested groups is only supported on Microsoft Windows 2003 Server with SP2 installed and Microsoft Windows 2008 Server.

By adding the value 1.2.840.113556.1.4.1941: to the filter statement, all users who are members of the selected group will be returned, whether they are a direct member of the selected group or a member of a nested group.

Example: memberof:1.2.840.113556.1.4.1941:=CN=RAS,CN=Users,DC=dev,DC=com

Locate all users that are a member of the group CN=RAS,CN=Users,DC=dev,DC=com, directly or through a nested group.

Note: Computer accounts are ignored
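As an added example (not code from the Bomgar Verify documentation), the following Python builds the memberof filters shown above, including the nested-group matching rule OID, and escapes the group DN per RFC 4515 so that a group name containing parentheses or an asterisk does not silently break the filter; it assumes the wizard hands the filter text to Active Directory as a standard LDAP filter, and the "RAS (Remote)" group name is constructed.

```python
"""Added example, not part of the Bomgar Verify documentation: build the memberof
filters shown above and sanity-check a filter before pasting it into the wizard.
Assumes the filter text is handed to Active Directory as a standard LDAP filter."""

# RFC 4515 requires these characters to be escaped inside an assertion value.  The
# group DN is the value of the memberof filter, so a group name containing "(" or
# ")" would otherwise break the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Matching-rule OID quoted above for transitive (nested) group membership.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_value(value: str) -> str:
    """Escape a filter assertion value as RFC 4515 section 3 requires."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def memberof_filter(group_dn: str, nested: bool = False) -> str:
    """Return memberof=<dn>, or memberof:<OID>:=<dn> when nested members are wanted."""
    attr = "memberof"
    if nested:
        attr += f":{LDAP_MATCHING_RULE_IN_CHAIN}:"
    return f"{attr}={escape_value(group_dn)}"


def parens_balanced(filter_text: str) -> bool:
    """Cheap check for compound filters such as (&(a=1)(!(b=2))): every '('
    must be closed, and nothing may be closed before it is opened."""
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    group = "CN=RAS,CN=Users,DC=dev,DC=com"   # group DN from the page's example
    print(memberof_filter(group))                        # direct members only
    print(memberof_filter(group, nested=True))           # direct and nested members
    print(memberof_filter("CN=RAS (Remote),CN=Users,DC=dev,DC=com"))  # constructed name
    print(parens_balanced("(&(lastname=a*)(!(building=42)(building=43)))"))
```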

Find Unmanaged Users

Click on the "Find Unmanaged Users" button. The following screen is displayed.

These users can then be listed to a file to allow additional checks before progressing: click the "List selected users to a file" button shown in step 2.

Step 3

Qualify

The next operation is to select which medium is to be used for the deployment, either SMS or email. If email is chosen, the Bomgar Verify server must be configured appropriately (see Section "4 Configuration"). In addition, your company SMTP server must be set up to relay from the Bomgar Verify server.

Find Mobiles / Emails

Click either the "Find mobiles" or the "Find emails" button. The following "progress" screen is displayed.

Several different outcomes are possible; the following are some examples:

Example 1

100 users are listed in step 2, however only 60 users have a mobile number from step 3.

Users with missing mobile numbers can therefore be listed by clicking "List missing to file", then checked and updated accordingly.

The deployment can continue with only 60 users or can be restarted to allow for all 100 users to be deployed.

Example 2

100 users are listed in step 2, however 0 users have a mobile number from step 3.

Users with missing mobile numbers can therefore be listed by clicking "List missing to file", then checked and updated accordingly.

Alternatively, users with a missing mobile number can be deployed via email if they have a valid email address. The user will receive an email with a URL and a one time passcode.

Step 4

Select either "Deploy via SMS" or "Deploy via email".

Deploy

If deploying via email, you have the ability to change the default message that is emailed to the selected users. Click the "Edit email message" button.

Failures Screen

The Deployment Wizard will now run. Any errors will be displayed within the "Failures" screen.

Deployment Wizard Other Tools

The "Other Tools" section adds functionality to the Deployment Wizard.

It is made up of four parts:

  • Count uncompleted user enrollments: find and display the number of users who have partly enrolled or who have not enrolled.

  • Resend email to uncompleted enrollments: resend the email enrollment request to the users who have not enrolled or have partly enrolled.

  • Find managed users: find and display the number of users who are managed on the system for 2FA.

  • Unmanage selected users: unmanage the selected users.

Note: When un-managing users, if you do not specify a search base or search filter then all Bomgar Verify managed users will be unmanaged!

Warning: Caution should be used with this tool, as hundreds of users can be unmanaged within one minute!

Deployment Wizard command line options

The following command line options are available:

/auto Must be set to use command line options

/default=one, realtime, day or ice Optional, step 1 settings, default is one time code

/day=(number of days) Required if /default=day, number of days between each code

/domain=(Domain name) Optional, defaults to primary domain

/base=(DN) Optional, location in tree to search, default top

/filter=(filter text) Optional, the search filter, default is no filter

/deploy=sms, email Optional, step 3&4 deployment method, default is sms

/unmanage Optional, if set will un-manage all selected users

/hidegui Optional, if set will hide the graphical interface

/listtofile=(file name) Optional, if set will list selected users to this file

/findmanaged Optional, finds managed users

/debug Optional, if set will enable debug

It is strongly recommended that you check that the settings and filter are correct with the Deployment Wizard GUI before using the command line.

Example 1

Deploy to all users that are a member of the Windows group RAS in the domain dev.com:

deploy.exe /auto /filter=memberof=CN=RAS,CN=Users,DC=dev,DC=com /deploy=email

Example 2

Remove all managed users that leave the Windows group RAS:

deploy.exe /auto /filter=!memberof=CN=RAS,CN=Users,DC=dev,DC=com /unmanage

Note: “!” means not a member of the group

Nested Group Support

To support searching of nested groups, an OID value is used in the filter statement. Searching for nested groups is only supported on Microsoft Windows 2003 Server with SP2 installed and Microsoft Windows 2008 Server.

By adding the value 1.2.840.113556.1.4.1941: to the filter statement, all users who are members of the selected group will be returned, whether they are a direct member of the selected group or a member of a nested group.

Example 3

Deploy to all users that are a member of the Windows group RAS in the domain dev.com, including members of nested groups:

deploy.exe /auto /filter=memberof:1.2.840.113556.1.4.1941:=CN=RAS,CN=Users,DC=dev,DC=com /deploy=email

Example 4

Remove all managed users that leave the Windows group RAS, including members of nested groups:

deploy.exe /auto /filter=!memberof:1.2.840.113556.1.4.1941:=CN=RAS,CN=Users,DC=dev,DC=com /unmanage

Note: “!” means not a member of the group
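The following Python, added here and not part of the product, assembles a deploy.exe /auto command line from the switches listed above for use in a batch job, and refuses /unmanage with neither /base nor /filter, the combination the "Other Tools" note warns unmanages every managed user; the RAS group DN is the one from the examples above, and the "Head Office" OU is a constructed value.

```python
"""Added example, not Bomgar's code: assemble a deploy.exe /auto command line from the
documented switches and refuse combinations the documentation warns about."""
import subprocess
from typing import List, Optional

DEFAULTS = {"one", "realtime", "day", "ice"}   # documented /default= values
DEPLOY_METHODS = {"sms", "email"}              # documented /deploy= values


def build_deploy_args(filter_text: Optional[str] = None, base: Optional[str] = None,
                      default: Optional[str] = None, day: Optional[int] = None,
                      deploy: str = "email", unmanage: bool = False,
                      listtofile: Optional[str] = None) -> List[str]:
    """Return one list element per switch, e.g. ['deploy.exe', '/auto', '/filter=...']."""
    if default is not None and default not in DEFAULTS:
        raise ValueError(f"/default must be one of {sorted(DEFAULTS)}")
    if default == "day" and not day:
        raise ValueError("/day=(number of days) is required when /default=day")
    if deploy not in DEPLOY_METHODS:
        raise ValueError(f"/deploy must be one of {sorted(DEPLOY_METHODS)}")
    # Per the documentation, /unmanage with no /base and no /filter unmanages ALL users.
    if unmanage and not (filter_text or base):
        raise ValueError("refusing /unmanage without /base or /filter")

    args = ["deploy.exe", "/auto"]
    if default:
        args.append(f"/default={default}")
    if default == "day":
        args.append(f"/day={day}")
    if base:
        args.append(f"/base={base}")
    if filter_text:
        args.append(f"/filter={filter_text}")
    # /unmanage removes users; /deploy only applies when provisioning.
    args.append("/unmanage" if unmanage else f"/deploy={deploy}")
    if listtofile:
        args.append(f"/listtofile={listtofile}")
    return args


def command_line(args: List[str]) -> str:
    """Quote the list as a Windows batch job needs it (DNs often contain spaces)."""
    return subprocess.list2cmdline(args)


if __name__ == "__main__":
    # Reproduces the documentation's Example 1 and Example 2 (group DN from the page).
    ras = "memberof=CN=RAS,CN=Users,DC=dev,DC=com"
    print(command_line(build_deploy_args(filter_text=ras)))
    print(command_line(build_deploy_args(filter_text="!" + ras, unmanage=True)))
```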

Group Deployment Multi Domain Templates

Version 1.1 has the ability to customize the Group Deployment enrolment email template per domain. This allows one custom message to be sent to new internal users and another to external customers or third party vendors.

If a new user in a secondary domain is deployed via Group Deploy, the mail or SMS templates can be read from DATA\MAILTEMPLATE_name_of_domain or DATA\SMSTEMPLATE_name_of_domain.

  • Copy the directory DATA\MAILTEMPLATE and all files to DATA\MAILTEMPLATE_name_of_your_domain and customize templates as required.

  • Copy the directory DATA\SMSTEMPLATE and all files to DATA\SMSTEMPLATE_name_of_your_domain and customize templates as required. This is optional.

Automatic Group Deployment

Automatic Group Deployment is an embedded feature that allows simple ongoing provisioning of users. A dedicated group of users (only one group per domain is supported) is monitored, and any user added to this group is automatically deployed with the options set in the GUI. If a user is removed from the group, they are automatically unmanaged.

The following options can be set:

Enable Automatic Deployment

Enables or disables the automatic deployment option. An additional setting specifies a time in (n) minutes: this is how often Automatic Deployment checks for users being added to or removed from the group.

Deployment Type

ICE (In Case of Emergency) for emergency users, business continuity and disaster recovery.

Send Passcodes to Mobile / Email

Example: a user stays in the mode they were deployed with. If deployed with a passcode to mobile, they will always receive a passcode via SMS, as long as the mobile attribute is populated. If it is not, the system will check and then deploy the user by email; the user then follows the enrolment instructions in the email to update their own mobile number in Bomgar Verify. If a user is deployed via email, they will always stay in this mode.

One Time Code / Three Codes / Real time: select users to have a One Time passcode in "Pre-Load" or "Three Codes" mode, or to use "Real time delivery".

Soft Token - Users are deployed with an enrolment message to setup their soft token.

VOICE Token - Users are deployed with an enrolment message to setup their VOICE token.

Day Code: users are deployed with a Day Code. The code refresh interval in (n) days can be set; this is a global setting for all deployed users.

NOTE: The mobile or email attribute must be populated.

Note: If a group is declared in the Automatic Group Deployment option, the user will be enabled and provisioned or unmanaged depending on whether they are a member of the declared group. If "Allow any group" is selected, all users in the domain will only be provisioned. Caution: this could cause a high number of users to be provisioned.