McAfee Cloud Single Sign On
Setup Guide, Revision B
McAfee Cloud Single Sign On

COPYRIGHT
Copyright 2013 McAfee, Inc. Do not copy without permission.

TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundscore, Foundstone, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others. Product and feature names and descriptions are subject to change without notice. Please visit mcafee.com for the most current products and features.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents

Introduction
    What is McAfee Cloud Single Sign On?
    Identity Bridge for authorization with internal network credentials
    Control Console for Cloud Single Sign On
    Application connectors
    User access to Cloud Single Sign On
    User access to applications
Options to consider before you set up Cloud Single Sign On
    Decide how you want users to access Cloud Single Sign On
    Decide how you want to add user accounts to the Control Console
Checklist for required Account Management setup
Checklist for configuring application connectors
Checklist for configuring Identity Bridge for internal network SSO
User Access to Cloud Single Sign On and cloud applications
    Accessing the Control Console
    The My Apps page
    Accessing applications from Cloud Single Sign On
        Accessing applications that do not require one-time passwords
        One-time passwords and Pledge client software
        Accessing applications that require a one-time password
        Reset an application-specific password
    Reset a user's Pledge enrollment for use with another device


Introduction

McAfee Cloud Single Sign On is an identity and access management solution for enterprise organizations that need to manage user access to applications in the cloud. McAfee Cloud Single Sign On includes the following features:

- Single sign on (SSO) and single log off (SLO)
- Strong authentication using one-time passwords (OTP)
- Automatic user provisioning for some applications
- Authentication using corporate credentials
- Reporting

What is McAfee Cloud Single Sign On?

McAfee Cloud Single Sign On allows users who have already authenticated at your company to access other cloud applications without re-entering their credentials. This capability benefits your company in several significant ways:

One user ID and password to access many applications

Because authentication is centralized, users do not have to create and remember credentials for every application in the cloud. They save time when they sign on to applications, and they operate with better security across the cloud because a single strong password protects the applications they use. Users who are signed on to multiple applications can also sign off all of them at once with a single click.

Better password security

Cloud Single Sign On lets administrators enforce strong password authentication by authenticating users against a central server (LDAP, IMAP, POP3, or Active Directory), so the password requirements set on that server apply when users sign on to Cloud Single Sign On and, through it, to applications. For added security, administrators can require multi-factor authentication for an application, in which case a uniquely generated one-time password must be entered each time the user accesses that application.

Easy user provisioning with applications

Cloud Single Sign On also helps administrators who create user accounts on enterprise-managed applications. If the application supports it, the user is created on the application after being created in Cloud Single Sign On. When the user leaves the organization and is removed from Cloud Single Sign On, the user's accounts are removed from these "self provisioning" applications.

Identity Bridge for authorization with internal network credentials

Identity Bridge is an add-on package for McAfee Directory Services Connector that works with Cloud Single Sign On. Identity Bridge enables users who have logged on to the customer's internal network to access both Cloud Single Sign On and multiple applications without re-entering credentials. In addition, Identity Bridge allows users to sign on to the Control Console with internal network credentials even when outside the internal network. Users must be added using Directory Services Connector to be supported by Identity Bridge in this way.

Control Console for Cloud Single Sign On

The Control Console is a web-based administration tool that serves as your primary tool to configure, monitor, and access the applications available through Cloud Single Sign On. The Control Console is also used for the following products if your company is enabled for them:

- McAfee SaaS Email Protection
- McAfee SaaS Web Protection
- McAfee SaaS Email Archiving

The Control Console also serves as your primary tool to manage users, groups, and domains. You manage these entities under the Account Management tab in the user interface. For more information, see the Account Management Administrator Guide. You manage Cloud Single Sign On applications under the Cloud SSO tab. Users access applications through Cloud Single Sign On under the My Apps tab. See the online Help available under these tabs for detailed information on configuration and usage.

Application connectors

The primary task in configuring Cloud Single Sign On is the configuration of application connectors. An application connector is a configuration that you define in the Control Console. The connector allows Cloud Single Sign On to connect users to the application without requiring users to log on to the application.

You can add multiple application connectors for the same application if you want to place different restrictions on the application for different groups of users. However, each instance of an application connector must be given a unique name. For example, for the application GoogleApps, you might have a connector for regular users called MyGoogleApps and another connector for executives called MyGoogleAppsExec. On the Control Console, users see only the applications to which they have access.

User access to Cloud Single Sign On

Users benefit from Cloud Single Sign On because they can access many applications in the cloud after entering their authentication credentials once. However, the way in which users access Cloud Single Sign On, as well as applications, can vary. Depending on how you have configured user authentication to the Control Console, there are two basic cases in which users access the Control Console, from which they access Cloud Single Sign On applications:

Without Identity Bridge
Users enter the Control Console URL in their browser. When they connect to the Control Console, they receive a Sign On page, into which they enter their credentials, an email address and password. They then land on their Preferences page.

With Identity Bridge
There are two scenarios for accessing the Control Console:
- While signed on to their internal company network, users enter the Control Console URL in their browser. When they connect to the Control Console, they immediately land on their Preferences page in the Control Console.
- When not signed on to their internal company network, users enter the Control Console URL in their browser. They receive a Sign On page, into which they enter their email address and the password stored within the Control Console. If the users were originally added to the Control Console with Directory Services Connector, they must still enter their email address, but can enter their internal network password instead.

User access to applications

As with the Control Console, the way in which users access applications can vary, depending on how the applications are configured:
- From the Control Console, the user accesses applications from the My Apps page without the need for more credentials.
- The user accesses an application's URL directly, where the customer has configured the Control Console as the Sign On URL in the application, and enters credentials for the Control Console. The application then opens. This capability is available for some connectors that use SAML 2.0 authentication.
- The user accesses an application's URL directly, where the customer has not configured the Control Console as the Sign On URL in the application, and enters credentials specific to the application. The application then opens. In this scenario, Cloud Single Sign On is not involved in the authentication.
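The second access path above, where the application trusts an assertion issued by the Control Console, is the SAML 2.0 pattern that the connector checklist later describes in terms of authentication certificates and trusted URLs. The following Python is an added example, not part of this guide or of McAfee's product. It shows the checks the receiving side of such an exchange must make on a SAML response after verifying the XML signature against the configured certificate; signature verification itself needs an XML-DSig library and is not implemented here. The entity IDs, the consumer URL and the response document are constructed for the example.

```python
"""Trust checks a service provider makes on a SAML 2.0 response (added
example, not McAfee code).  It shows what the trusted URLs configured on a
SAML connector are for: the assertion is accepted only if it was issued by
the configured identity provider, sent to this SP's own consumer URL, names
this SP as audience, is inside its validity window, and answers a request
this SP actually issued.  Assumes the XML signature was already verified
with an XML-DSig library against the IdP's configured certificate."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def _ts(value):
    """SAML timestamps are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, sp, request_ids, now, skew=timedelta(minutes=3)):
    """Return the NameID, or raise ValueError naming the check that failed."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    # Responses addressed to any other URL are ignored (trusted URL check 1).
    if root.get("Destination") != sp["acs_url"]:
        raise ValueError("Destination is not this SP's assertion consumer URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("identity provider did not report Success")
    # Unsolicited responses are rejected: the ID must match a request we sent.
    req_id = root.get("InResponseTo")
    if req_id not in request_ids:
        raise ValueError("InResponseTo does not match an outstanding request")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no assertion")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != sp["idp_entity_id"]:          # trusted URL check 2
        raise ValueError("untrusted issuer %r" % issuer)
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("no conditions")
    if now + skew < _ts(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if now - skew >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp["sp_entity_id"] not in audiences:    # trusted URL check 3
        raise ValueError("assertion is not addressed to this SP")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("no NameID")
    request_ids.discard(req_id)                 # each request is answered once
    return name_id


def outcome(xml_text, sp, request_ids, now):
    """Convenience wrapper: the NameID on success, else the failure reason."""
    try:
        return validate_response(xml_text, sp, request_ids, now)
    except ValueError as err:
        return "rejected: " + str(err)


# Constructed sample (not captured from any real deployment); hosts are assumptions.
SP_CONFIG = {"idp_entity_id": "https://idp.example.com/metadata",
             "sp_entity_id": "https://sp.example.com/saml/metadata",
             "acs_url": "https://sp.example.com/saml/acs"}
SAMPLE_NOW = datetime(2013, 6, 1, 12, 1, tzinfo=timezone.utc)
SAMPLE_LATER = SAMPLE_NOW + timedelta(hours=1)
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2013-06-01T12:00:00Z" InResponseTo="_req42"
  Destination="https://sp.example.com/saml/acs">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-06-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2013-06-01T11:59:00Z" NotOnOrAfter="2013-06-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(outcome(SAMPLE_RESPONSE, SP_CONFIG, {"_req42"}, SAMPLE_NOW))
    print(outcome(SAMPLE_RESPONSE, SP_CONFIG, set(), SAMPLE_NOW))
```

Each of the three URL comparisons corresponds to a value that has to be entered on both sides when a SAML connector is configured; a mismatch in any of them is a rejection, not a warning, because each one is what stops an assertion minted for a different provider, a different application, or a different session from being accepted here.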

Initial access to some applications requiring credentials

Many applications require the Cloud Single Sign On user to sign on with application-specific credentials the first time the user accesses the application. These applications, for example LinkedIn, require little connector configuration: Cloud Single Sign On securely stores the user's credentials for the application and supplies them on later accesses, so the user does not have to enter them again. Other applications, for example GoogleApps, do not require the user to sign on at the initial access. Instead, because of the more complex configuration of the connector, the application recognizes the user as a trusted connection and opens immediately.

Options to consider before you set up Cloud Single Sign On

You must make some decisions about how you want Cloud Single Sign On to work before you begin configuring it.

Decide how you want users to access Cloud Single Sign On

Before configuring Cloud Single Sign On, you need to decide how you want users to authenticate when accessing it. If you are already using other SaaS services (Email Protection, Web Protection, or Email Archiving), user access to the Control Console has already been established. If you choose to change how users access the Control Console, the change applies to all services available through the Control Console.

Sign on to the Control Console with Control Console credentials, then access applications

You can administer your users so that they use a password that is unique to the Control Console. For this option, you must also choose one of the available authentication options:
- Manual passwords: users create their own password the first time they sign on.
- Remote authentication: your company has a server that manages user credentials and can connect with the Control Console. Any one of the following three protocols is available: LDAP, IMAP, POP3.

Sign on to the internal network, then access the Control Console and applications

You can set up user authentication to the Control Console using credentials from your company's Active Directory. In this way, users sign on to your internal network, and when they access the Control Console on the Web, they are signed on automatically. This option requires the Identity Bridge add-on package for Directory Services Connector and synchronization of Active Directory domains with the Control Console. For more information, see the Directory Services Connector Getting Started Guide. This option also allows users outside the internal network to sign on directly to the Control Console with internal network credentials.

Decide how you want to add user accounts to the Control Console

You must create user accounts within the Control Console to allow users to access Cloud Single Sign On. There are several ways to create user accounts:
- Manually: you access the New User page and configure each user one by one.
- Batch file: you select Batch as your user creation mode and upload a list of users in the New User page.
- Directory Integration (email domains): you set up a connection in the Control Console to your Active Directory and upload users according to the email domains established on your Microsoft Exchange servers.
- Directory Services Connector (AD domains): you set up a connection in Directory Services Connector to your Active Directory and upload users according to the Active Directory domains in which they reside.

Checklist for required Account Management setup

You must administer users and groups under the Account Management tab in the Control Console before you can configure Cloud Single Sign On access to applications. For detailed information on the tasks in the following list, see the Account Management Administrator Guide or the Account Management online help in the Control Console. For Directory Services Connector and Identity Bridge setup, see the Directory Services Connector Getting Started Guide.

Table 1 Account Management tasks to support Cloud Single Sign On

Task: Sign in to the Control Console
Description: You need the Control Console URL from McAfee and the Customer Administrator email address. You might need to create your password yourself the first time you sign in.
Where to go: In your browser, enter the Control Console URL. On the Control Console Sign On page, enter your user ID, which is an assigned email address, and your password.

Task: Confirm your primary email domains
Description: McAfee creates your primary email domains in the Control Console on your behalf.
Where to go: In the Control Console, select Account Management | Domains.

Task: Define how users can sign on
Description: You have several options for authenticating users when they sign on: passwords, LDAP, IMAP, POP3, or Active Directory authentication. Active Directory authentication requires the use of Identity Bridge.
Where to go: In the Control Console, select Account Management | Configuration | User Authentication. If you choose to authenticate with Identity Bridge, the authentication settings in the Control Console have no effect when users access the Control Console from their internal network. Instead, the Control Console identifies an accessing user by the user's IP address and authenticates against Active Directory through Identity Bridge.

Task: Add users to the Control Console
Description: You can add users in a variety of ways: one by one manually, in a batch file, with Directory Integration, or with Directory Services Connector. Be sure to complete all relevant data fields for each user if you plan to provision users on some applications using Cloud Single Sign On connectors. With Directory Services Connector, be sure to enable all relevant user attributes so those attributes are available in the Control Console for user provisioning of applications.
Where to go: For Directory Integration, select Account Management | Configuration | Directory Integration. To add users manually or in a batch file, select Account Management | Users | New. For Directory Services Connector, see the Directory Services Connector Getting Started Guide.

Task: Create one or more groups
Description: Groups are used when access to applications should differ for different groups of users. Users must be assigned to at least one group for Cloud Single Sign On, even if all users have the same access privileges.
Where to go: In the Control Console, select Account Management | Groups | Create.

Task: Assign users to a group
Description: Each user must be assigned to one or more groups in order to use Cloud Single Sign On.
Where to go: In the Control Console, select Account Management | Groups | Members.

Checklist for configuring application connectors

You must configure at least one application connector for each application to which you want users to have single sign on access. You must also have an administrator account on each application in order to provision users and to configure the application to communicate with the Cloud Single Sign On connector.

Table 2 Checklist for configuring application connectors

Task: Create a new application connector
Description: Create a new application connector so that users can access the application from Cloud SSO. You can enter some characters of the application name in the Application field or use the Browse button to search for the application.
Where to go: On the Control Console, select Cloud SSO | New. See the Cloud SSO online help for details.

Task: Configure the application connector
Description: Some connectors require no configuration other than giving the connector a name that users see on their My Apps page. Other connectors require more complex configuration, both in the cloud application itself and in Cloud Single Sign On. The more complex connectors use Security Assertion Markup Language 2.0 (SAML 2.0), with authentication certificates and trusted URLs that must be configured on both sides.
Where to go: After you create a new connector, the New Connector page displays configuration fields. See the Cloud SSO online help for details.

Task: Restrict access to the connector (optional)
Description: Select multi-factor authentication, if desired, so users must generate a one-time password with Pledge each time they access the application. You can also define IP address ranges to allow or disallow user access to the connector.
Where to go: From the New Connector page, click the Restrict Access tab. See the Cloud SSO online help for details.

Task: Assign groups
Description: Assign one or more groups to the application connector so that users in those groups can access the application through Cloud Single Sign On.
Where to go: From the New Connector page or the Restrict Access tab, click Group Subscriptions. See the Cloud SSO online help for details.

Task: Enable the connector
Description: After you have configured an application connector in Cloud Single Sign On, you must enable the connector before users can use it.
Where to go: Select Cloud SSO, select the connector from the list, and click Enable.

Task: View the application connectors a user can use
Description: After you have configured and enabled connectors, you can verify whether an individual user has access to the intended applications.
Where to go: Select Account Management | Users. Select a user and click the Cloud SSO tab.
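The Restrict Access and Group Subscriptions settings above decide which connectors appear on a user's My Apps page, and the last task in the checklist verifies the result one user at a time. The following Python is an added example, not McAfee code, that models that evaluation for a small constructed set of connectors so the expected outcome can be worked out before a connector is enabled. The rule order (a disallowed range wins over an allowed one, and an empty allow list means any address) is an assumption; the guide does not state how overlapping ranges are resolved.

```python
"""Connector access-policy evaluation (added example, not McAfee code).

Models the Restrict Access and Group Subscriptions settings of a Cloud SSO
application connector: a connector is visible to a user only if it is
enabled, the user is in a subscribed group, and the user's source address is
not excluded by the connector's IP ranges.  The rule order (deny beats allow,
empty allow list means any address) is an assumption for this example."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Connector:
    name: str                                  # unique name shown on My Apps
    application: str
    groups: set = field(default_factory=set)   # Group Subscriptions
    allow: list = field(default_factory=list)  # allowed IP ranges (CIDR)
    deny: list = field(default_factory=list)   # disallowed IP ranges (CIDR)
    require_otp: bool = False                  # multi-factor via Pledge
    enabled: bool = False


def ip_permitted(connector, source_ip):
    """Deny ranges are checked first; an empty allow list permits any address."""
    addr = ip_address(source_ip)
    if any(addr in ip_network(net) for net in connector.deny):
        return False
    if not connector.allow:
        return True
    return any(addr in ip_network(net) for net in connector.allow)


def visible_connectors(connectors, user_groups, source_ip):
    """Return (name, require_otp) for each connector the user would see."""
    wanted = set(user_groups)
    result = []
    for c in connectors:
        if not c.enabled:
            continue                # configured but not yet enabled
        if not (c.groups & wanted):
            continue                # no subscribed group matches the user
        if not ip_permitted(c, source_ip):
            continue                # hidden from this address, per the guide
        result.append((c.name, c.require_otp))
    return result


# Constructed sample configuration: two connectors for the same application
# with different restrictions, as the guide's MyGoogleApps example suggests.
CONNECTORS = [
    Connector("MyGoogleApps", "GoogleApps", {"Employees"}, enabled=True),
    Connector("MyGoogleAppsExec", "GoogleApps", {"Executives"},
              allow=["203.0.113.0/24"], require_otp=True, enabled=True),
    Connector("Payroll", "ADP", {"Employees", "Executives"},
              deny=["198.51.100.0/24"], require_otp=True, enabled=True),
    Connector("OldCRM", "Salesforce", {"Employees"}, enabled=False),
]

if __name__ == "__main__":
    print(visible_connectors(CONNECTORS, ["Employees"], "203.0.113.10"))
    print(visible_connectors(CONNECTORS, ["Executives"], "198.51.100.7"))
```

Running the two sample calls shows an employee on the office range seeing MyGoogleApps without a one-time password and Payroll with one, while an executive coming from the disallowed range sees nothing at all, which is the behaviour to confirm on the user's Cloud SSO tab before telling users the connector is live.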


Checklist for configuring Identity Bridge for internal network SSO

Configure Identity Bridge to automatically authenticate users with internal network credentials when they access the Control Console and other applications in the cloud. Your company must be using Active Directory to manage users in your company network.

Table 3 Checklist for configuring Identity Bridge for internal network SSO

Task: Set Directory Integration to AD Domain user synchronization
Description: The Control Console must be set to accept user account data sent from Directory Services Connector, which in turn retrieves user data from your company's Active Directory domains.
Where to go: On the Control Console, select Account Management | Configuration. Set the Logical Structure field to AD domain.

Task: Download the Directory Services Connector Getting Started Guide and the Directory Services Connector extension
Description: The Directory Services Connector Getting Started Guide contains most of the information for configuring Identity Bridge. You must download the Directory Services Connector extension so that you can install it on ePolicy Orchestrator (ePO).
Where to go: On the Control Console, select Account Management | Configuration. After you set the Logical Structure field to AD domain, the Directory Services Connector Getting Started Guide and the Directory Services Connector extension are displayed on the page for downloading.

Task: Install Directory Services Connector on ePolicy Orchestrator (ePO)
Description: ePO must first be installed and configured at your company location. Then you can install the Directory Services Connector extension software.
Where to go: See the ePolicy Orchestrator Installation Guide and Chapter 2, "Installing Directory Services Connector," in the Directory Services Connector Getting Started Guide.

Task: Configure a service principal user account in Active Directory
Description: Identity Bridge uses Integrated Windows Authentication (IWA) with Active Directory. Therefore, your company's Active Directory must have a service principal so that Identity Bridge can retrieve data from Active Directory.
Where to go: Complete this task on the Active Directory server that passes credentials to Identity Bridge. See Chapter 5, "Configure a service principal user account in Active Directory for use with Identity Bridge," in the Directory Services Connector Getting Started Guide.

Task: Configure Directory Services Connector as a registered server in ePO
Description: Directory Services Connector must be able to communicate with the Control Console.
Where to go: Complete this task in ePO. See "Set up the Directory Services Connector server as a registered server" in Chapter 4 of the Directory Services Connector Getting Started Guide.

Task: Set up Identity Bridge in ePO
Description: Identity Bridge is configured to allow ePO to access Active Directory through the AD service principal.
Where to go: Complete this task in ePO using the bottom portion of the same Registered Server page on which Directory Services Connector is configured. See "Set up the Directory Services Connector server as a registered server" in Chapter 4 of the Directory Services Connector Getting Started Guide.

Task: (Optional) Set up AD domain synchronization in Directory Services Connector
Description: Directory Services Connector must be configured to transfer user data from an Active Directory domain to the Control Console. Identity Bridge does not require synchronization of users in the Control Console: users who are added manually or in a batch file are still authenticated over Identity Bridge when accessing the Control Console from the internal network. However, users outside the internal network cannot access the Control Console and be authenticated over Identity Bridge unless they are synchronized with Directory Services Connector.
Where to go: Complete this task in Directory Services Connector. See Chapter 7, "Setting up Directory Services Connector," in the Directory Services Connector Getting Started Guide.

Task: Configure users' browsers for Identity Bridge
Description: Firefox, Internet Explorer, and Google Chrome browsers must be set up to work with Identity Bridge. Users or the IT department can perform this task.
Where to go: Complete this task on each user's computer. See Chapter 6, "Configuring browsers for the Identity Bridge feature of Cloud Single Sign On," in the Directory Services Connector Getting Started Guide. If users configure their own browsers, give them the instructions in the Directory Services Connector Getting Started Guide.

Task: Test Identity Bridge
Description: On the Control Console, you can test that the Control Console can authenticate a user with Identity Bridge.
Where to go: On the Control Console, select Account Management | Configuration. In the Identity Bridge Configuration section at the bottom of the page, the ePO server is listed. Click the Test button and enter an Active Directory username and password to test the connection.

Task: (Optional) Enable Identity Bridge authentication in the Control Console
Description: Only users who have been added to the Control Console with Directory Services Connector can access the Control Console from outside the internal network and still be authenticated over Identity Bridge. To allow this type of authentication, you must enable Identity Bridge authentication in the Control Console.
Where to go: On the Control Console, select Account Management | Configuration. At the Identity Bridge Authentication field, select Synchronized Users. If this field is set to None, Identity Bridge authentication still works for all users who sign on to their internal network first. To turn off Identity Bridge authentication completely, open the Registered Server page for Directory Services Connector in ePO and clear the Identity Bridge Authentication field.

User Access to Cloud Single Sign On and cloud applications

Users access the Control Console to reach Cloud Single Sign On, and from there the My Apps page. On the My Apps page, users have tools to change the display of their available applications. The ways in which users can then access the cloud applications can vary.

Accessing the Control Console

To access Cloud Single Sign On, users must first access the Control Console. Users access the Control Console and Cloud Single Sign On in one of two ways, depending on how your company is configured:

- Enter the Control Console URL in their browser, and at the Sign On page, enter an email address and password. The password can be one of the following:
  - A password the user creates at first sign on. The Control Console emails a reset password message, with which the user creates a password.
  - A password given to the user by an administrator. This is typically the internal network password, and it is validated against your credential server over the Control Console's LDAP, IMAP, or POP3 connection.
  - If your company uses Identity Bridge and the user was created in the Control Console with Directory Services Connector, the internal network password.
- Sign on to the internal company network, enter the Control Console URL in their browser, and go directly to the user's Preferences page within the Control Console. This access is made possible through the use of Identity Bridge.

The My Apps page

The My Apps page lists the applications available to a user. If access to an application is restricted to a certain IP address range, users outside that range do not see the application in the list. The My Apps page offers users the following display options:

List View: Displays a list of applications the user can access, with additional information for each application. In this view, the user selects an application and clicks Run.

Launch Pad: Displays the familiar icon of each application. The user accesses an application by clicking the icon.

Favorites: Identifies with a yellow star which applications are the user's favorites. In Launch Pad view, users click the star icon attached to the application icon. In List View, users select the application and click the star icon at the top of the page.

Accessing applications from Cloud Single Sign On

The steps users follow to access applications from Cloud Single Sign On vary, depending on the type of application and whether a one-time password requirement has been set.

Accessing applications that do not require one-time passwords

In general, applications that do not require one-time passwords open immediately when the user clicks the application on the My Apps page. However, for some applications, such as LinkedIn and YahooMail, the user must enter that user's credentials for the application at the first access. For these applications, subsequent access attempts open the application immediately, without the need for credentials.

For these applications, a password reset might be required periodically. In this event, the user must reset the password in the application, then, from the My Apps page, click the Change link in the Credentials column for the application, and enter the credentials a second time. This action saves the new password in Cloud Single Sign On.

Applications such as Webex and GoogleApps, which use the SAML 2.0 authentication protocol, are configured so that the application opens immediately at first access.
One-time passwords and Pledge client software

Though Cloud Single Sign On authenticates a user automatically when the user accesses applications through the My Apps tab, the user might have a one-time password requirement for some or all applications. This password is generated by separately run Pledge client software that the user must install on the user's laptop, desktop, Android, or Apple device. Each time the user accesses a one-time password application, the user must generate the password with Pledge.

Accessing applications that require a one-time password

Applications that require a one-time password (OTP) are identified on the My Apps page with a padlock icon. When the user selects the application from the My Apps page, the user must enter a password generated by Pledge client software before the application opens.

For applications such as LinkedIn and YahooMail, the user must also enter that user's credentials for the application at the first access. For these applications, subsequent access attempts continue to require the one-time password, but then the application opens immediately.

Applications such as ADP and GoogleApps, which use the SAML 2.0 authentication protocol, are configured so that the application opens immediately at first access once the one-time password is entered.

The Pledge process the first time accessing an OTP application

The first time a user tries to access any one-time password application, the user must download and run Pledge software. Thereafter, the user can open and use the downloaded Pledge software each time the user accesses a one-time password application. The Pledge process has roughly the following steps. For more detailed instructions, see the online help in the Control Console under the My Apps page.

1 The first time the user tries to run an OTP application, the My Apps page displays an Install Pledge page. The user leaves this page open while installing the Pledge software. The user can install Pledge on the following:
  • The desktop or laptop on which the Control Console is open. A link is provided to download Pledge on the Install Pledge page.
  • An Apple device. Pledge is available from the Apple App Store.
  • An Android device. Pledge is available from the Play Store.
2 The user downloads and installs the software on the preferred device. For more detailed instructions, see the online help in the Control Console under the My Apps page.
3 After the Pledge software is installed, the user runs it and clicks the plus (+) sign to add a profile ID.
4 The user now leaves the Pledge software open, returns to the My Apps page, and clicks Continue on the Install Pledge page.
5 A profile ID is displayed, which the user enters into the Enter a profile ID field in Pledge.
6 The user clicks Continue in Pledge, then clicks Generate one time password.
7 The user notes the password, then clicks through the remaining Pledge Enrollment pages in the Control Console until the One time password page appears.
8 The user enters the Pledge generated one-time password, and clicks OK. The application opens.
Access OTP applications subsequent to the Pledge process

For OTP applications, the access steps are as follows:

1 Start Pledge software on your computer, Apple device, or Android device.
2 Click Generate one time password, and note the password that is generated.
3 In My Apps, select the OTP application.
4 In the One Time Password Verification field, enter the Pledge generated password and click Submit OTP.

Reset an application-specific password

If a user accesses an application through Cloud Single Sign On and then changes the password for that application, the user must return to the My Apps page and change the password in Cloud Single Sign On. The user must change the password in the application first before the user can change it on the My Apps page. If a user changes the password to an application, but does not reset it in Cloud Single Sign On, the user cannot access the application through Cloud Single Sign On.

1 Click My Apps.
2 In the Credentials column for the application, click Change.
3 Sign on to the application with the new password previously entered in the application. Cloud Single Sign On saves the changed password.

Reset a user's Pledge enrollment for use with another device

You must reset a user's Pledge enrollment and one-time passwords to enable the user to install and use Pledge client software on different or additional platforms (desktop, Apple device, or Android) other than the initial platform used to run Pledge. You can also reset Pledge enrollment to force a user to sign on again to the applications with a one-time password. After a user's Pledge enrollment has been reset, the user can go through the Pledge process with an OTP application to activate Pledge on that device.

1 On the Control Console, select Account Management Users.
2 Select a user and select Edit Cloud SSO.
3 Click Reset. The user is required to download and install Pledge and sign in again to all one-time password applications.
