Managing users. Account sources. Chapter 2



Similar documents
Managing users. Account sources. Chapter 1

AVG Business SSO Connecting to Active Directory

Managing policies. Chapter 7

The Customer page is only displayed in Admin Portal on Managed Service Provider accounts. It is not displayed in customer accounts.

Installing Samsung SDS CellWe EMM cloud connectors and administrator consoles

AVG Business SSO Partner Getting Started Guide

AVG Business Secure Sign On Active Directory Quick Start Guide

An overview of configuring WebEx for single sign-on. To configure the WebEx application for single-sign on from the cloud service (an overview)

Using Devices. Chapter 3

Creating a generic user-password application profile

Configuring the Samsung SDS CellWe EMM cloud connector

Configuration Guide for Active Directory Integration

Content Filtering Client Policy & Reporting Administrator s Guide

Security Assertion Markup Language (SAML) Site Manager Setup

An overview of configuring Intacct for single sign-on. To configure the Intacct application for single-sign on (an overview)

Configuring SuccessFactors

VMware Identity Manager Administration

OneLogin Integration User Guide

qliqdirect Active Directory Guide

Configuring identity platform settings

An overview of configuring WebEx for single sign-on. To configure the WebEx application for single-sign on from the cloud service (an overview)

SP-initiated SSO for Smartsheet is automatically enabled when the SAML feature is activated.

Guide for Setting Up Your Multi-Factor Authentication Account and Using Multi-Factor Authentication. Mobile App Activation

Configuring. SugarCRM. Chapter 121

Protected Trust Directory Sync Guide

Connected Data. Connected Data requirements for SSO

Guide for Setting Up Your Multi-Factor Authentication Account and Using Multi-Factor Authentication

Egnyte Single Sign-On (SSO) Installation for OneLogin

Configuring Sponsor Authentication

End User Configuration

Configuring Parature Self-Service Portal

T his feature is add-on service available to Enterprise accounts.

Only LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them.

Introduction to Directory Services

Configuring Salesforce

Active Directory Self-Service FAQ

Getting Started with Clearlogin A Guide for Administrators V1.01

Customer admin guide. UC Management Centre

How to install and use the File Sharing Outlook Plugin

VMware Identity Manager Administration

SAP NetWeaver AS Java

SAML single sign-on configuration overview

1 Introduction. Windows Server & Client and Active Directory.

Configuring. SuccessFactors. Chapter 67

Quality Center LDAP Guide

Cloud Services ADM. Agent Deployment Guide

SAP NetWeaver Fiori. For more information, see "Creating and enabling a trusted provider for Centrify" on page

SpringCM Integration Guide. for Salesforce

Tool Tip. SyAM Management Utilities and Non-Admin Domain Users

GoToMeeting, GoToWebinar & GoToTraining. Active Directory Connector Administration Guide Hollister Avenue Goleta CA 93117

Bizconferencing Service

PRODUCT WHITE PAPER LABEL ARCHIVE. Adding and Configuring Active Directory Users in LABEL ARCHIVE

Office 365 deployment checklists

Mobility Manager 9.5. Users Guide

Egnyte Single Sign-On (SSO) Configuration for Active Directory Federation Services (ADFS)

User Management Tool 1.5

Sophos Mobile Control User guide for Android. Product version: 4

McAfee Cloud Single Sign On

SecureAnywhereTM Web Security Service

Managed Security Web Portal USER GUIDE

SpringCM Integration Guide. for Salesforce

Identity as a Service Powered by NetIQ IdentityAccess Service Configuration and Administration Guide

IIS, FTP Server and Windows

McAfee Directory Services Connector extension

Broker Portal Tutorial Broker Portal Basics

Quick Start Guide Sendio Hosted

Sophos Mobile Control Super administrator guide. Product version: 3

Integrating Webalo with LDAP or Active Directory

PaymentNet Federal Card Solutions Cardholder FAQs

In this topic we will cover the security functionality provided with SAP Business One.

Important Information

Sophos Mobile Control User guide for Android

Configuring Single Sign-On from the VMware Identity Manager Service to Office 365

DESLock+ Basic Setup Guide Version 1.20, rev: June 9th 2014

Cloudwork Dashboard User Manual

AT&T Business Messaging Account Management

Integrating LANGuardian with Active Directory

Microsoft Corporation. Project Server 2010 Installation Guide

Active Directory Management. Agent Deployment Guide

NYS Office 365 Administration Guide for Agencies

SPHOL300 Synchronizing Profile Pictures from On-Premises AD to SharePoint Online

Using LDAP Authentication in a PowerCenter Domain

Test Lab Guide: Creating a Windows Azure AD and Windows Server AD Environment using Azure AD Sync

MULTI-FACTOR AUTHENTICATION SET-UP

QliqDIRECT Active Directory Guide

Installation and Configuration Guide

Integration Guide. SafeNet Authentication Service. SAS Using RADIUS Protocol with Microsoft DirectAccess

Active Directory Management. User Interface Guide

Managing User Accounts

For details about using automatic user provisioning with Salesforce, see Configuring user provisioning for Salesforce.

Google Apps Deployment Guide

Senior Systems Cloud Services

Special thanks to the following people for reviewing and providing invaluable feedback for this document: Joe Davies, Bill Mathers, Andreas Kjellman

EMC Documentum Webtop

Kaseya 2. User Guide. Version 1.1

Integration Guide. SafeNet Authentication Service. Using SAS with Web Application Proxy. Technical Manual Template

Cloud. Hosted Exchange Administration Manual

Administrator's Guide

Introduction to Google Apps for Business Integration

ECAT SWE Exchange Customer Administration Tool Web Interface User Guide Version 6.7

Transcription:

Chapter 2 Managing users The Users page in Admin Portal lists all of the user accounts in the Samsung cloud service. This includes all of the users you create in the service and, if you are using Active Directory/LDAP for user authentication, the Active Directory/LDAP users who have logged in to the portal or enrolled devices. Your role must have the cloud service Users Management administrative right to view, add, and modify user accounts. This section contains the following topics: "Account sources" on page 2-3 "Using the Active Directory/LDAP and cloud directory ID repositories" on page 2-4 "Default user accounts" on page 2-5 "Managing cloud accounts from the Users page" on page 2-5 "Referencing accounts from Active Directory/LDAP" on page 2-10 "Sending invitations to users" on page 2-12 "Deleting accounts" on page 2-13 "Specifying a user s application login settings" on page 2-13 Account sources The Source column indicates the ID repository that contains this user account. Active Directory/LDAP. These users are authenticated using their Active Directory/ LDAP accounts. The account s Active Directory/LDAP domain is shown in the parenthesis. The Samsung cloud service does not replicate Active Directory/LDAP accounts and their attributes in the cloud service. Instead, the accounts are referenced when the user logs in to the user portal, enrolls a device, or opens a password-protected application. Note If you have multiple cloud connectors managing multiple, independent domain trees or forests, the Source column also shows the source domain. To use Active Directory/LDAP as a source, you must install the EMM cloud connector. See " EMM cloud connectors and administrator consoles" on page 1-1 for the details. Any user with an Active Directory/LDAP account can log in to the EMM user portal. However, to enroll a device the user must be a member of a role with a policy 3

Using the Active Directory/LDAP and cloud directory ID repositories set that has Permit device enrollment policy in the Device Enrollment settings set to Yes. See "Enabling users to enroll devices" on page 1-1 for the details. Cloud: These users have a service account. The account information resides in the Samsung cloud service only. You must create cloud accounts explicitly before these users can log in to the user portal or enroll a device. You can add cloud accounts individually or in bulk from a CSV file or Excel spreadsheet. Any user with a cloud directory can log in to the user portal. However, to enroll a device the user must be a member of a role with a policy set that has Permit device enrollment policy in the Device Enrollment settings set to Yes. See "Enabling users to enroll devices" on page 1-1 for the details. Using the Active Directory/LDAP and cloud directory ID repositories The Samsung cloud service can use Active Directory/LDAP and service accounts to authenticate users. You must have the cloud connector installed to use Active Directory/LDAP accounts. When the cloud service receives an authentication request, it checks the ID repositories for the account name in the following order: 1 cloud directory by name 2 Active Directory/LDAP user by user 3 Active Directory/LDAP user by email 4 samaccountname In addition, the Samsung cloud service uses the contact information in Active Directory/ LDAP or the cloud accounts to contact users when multifactor authentication is enabled for logging in to Admin Portal and the portal (see "Authentication - Setting authentication policy controls" on page 3-67). If the contact information is wrong, the user is not able to log in. If you plan to use Active Directory/LDAP as your ID repository, there are some use cases that justify creating either alternate or exclusive accounts in the Samsung cloud service: Emergency access: If the network connection to the domain controller breaks down and users cannot be authenticated against their Active Directory/LDAP account, they can instead be authenticated against their cloud account. Thus, they can continue to use the applications from the portal and their devices. Temporary user: Some organization s security policy can make adding a short-term user to Active Directory/LDAP a complex and time-consuming task. If you have a Admin Portal user s guide 4

Default user accounts temporary worker who needs access to just the applications you deploy through the cloud service, it may be simpler to add the account to Samsung cloud service. Contractors or less-trusted users: Sometimes you do not want users to have the full set of privileges and access rights an Active Directory/LDAP account provides. In this case, you create the account in the cloud only and these users are limited to the Samsung cloud service applications. Default user accounts The Samsung cloud service creates a default service account when your organization signed up. The login name of the default account is based on the work email account entered in the cloud service sign-up form. Generally, the login name to the default cloud directory account is the same as the full email account for example, if the email account is bob.smith@acme.com, the default cloud directory account is bob.smith@acme.com However, if the login suffix in the email account is already in use by another Samsung cloud service customer, a number is appended to the login suffix. The login suffix is that part of the full account name following @, acme.com in this example. For example, if acme.com is already in use, the default cloud directory account would be bob.smith@acme.com.2 (or another number). The account name is provided in the email you received after you signed up. You use this account to log in to Admin Portal and the user portal. This account is automatically added to the sysadmin role, giving you full administrator permissions in the cloud service. Managing cloud accounts from the Users page You create, modify, and delete service accounts from Admin Portal. You create, delete, and modify Active Directory accounts from Active Directory Users and Computers only. You must be a member of the sysadmin role or any Samsung cloud service role that has the User Management administrative right to create, delete, and modify cloud accounts. Click the column header to sort the rows. Admin Portal provides two actions you can initiate from a user s account listing on this page: Click a user to display the user s account details page. For cloud accounts, you can edit the account properties from this page. Right-click a user to invoke a command on the user s account. Chapter 2 Managing users 5

Managing cloud accounts from the Users page Understanding account sources The Source column indicates the account s ID repository: Active Directory/LDAP These users are authenticated using their Active Directory/LDAP accounts. The account s Active Directory/LDAP domain is shown in the parenthesis. The Samsung cloud service does not replicate Active Directory/LDAP accounts and their attributes in the cloud service. Instead, the accounts are referenced when the user logs in to the user portal, enrolls a device, or opens a password-protected application. Note If you have multiple cloud connectors managing multiple, independent domain trees or forests, the Source column also shows the source domain. To use Active Directory/LDAP as a source, you must install the EMM cloud connector. See " EMM cloud connectors and administrator consoles" on page 1-1 for the details. Cloud These users have a service account. The account information resides in the Samsung cloud service only. You can add cloud accounts individually or in bulk from a CSV file or Excel spreadsheet. Understanding account statuses The Status column indicates the account state. Status Active Invited Not Invited Indicates The user has either logged in to one of the portals or enrolled a device. An administrator has sent an invitation to login to the user portal or enroll a device, however, the user has not responded. You can send an invitation when you create a service account (see "Creating user accounts" on page 1-3) or separately to accounts in all sources using the Invite User button (see "Sending invitations to users" on page 2-12). The Last Invite column indicates the date and time of the most recent invitation. When you add accounts to the cloud directory using Bulk import (see "Bulk import user accounts" on page 1-5), Admin Portal automatically sends an email invitation to all new accounts by default. The account was created in the cloud directory but no email invitations have been sent. Admin Portal user s guide 6

Managing cloud accounts from the Users page Managing users from their account details page When you click a user, Admin Portal displays the account details and provides a set of tabs along the left side that offer more information about the account. The following table describes each tab and the tasks you can perform after you click the link. Tab Contains Tasks you can perform Account Account and profile information For Active Directory/LDAP accounts: You cannot change any of these fields using Admin Portal. For cloud accounts: You change any Account, Status, or Profile field value. Activity Event log of user s cloud Read the user s activity log. Application Settings Applications with custom login settings Assigned Applications Devices Roles Provisioned Applications Policy Summary Applications assigned to the user Devices enrolled by the user Admin Portal roles in which the user is a member and the associated administrative rights A list and status of applications that were provisioned to this user Listing of policies set for this users You can specify login credentials for a specific application. See "Specifying a user s application login settings" on page 2-13. Review the applications assigned to the user. Clicking on an application opens the application configuration area. You can click the check box for one or more devices and send a command to the device. See "Using the device management commands" on page 2-44 for the device command descriptions. You can also click on the device to show the device s details page. Review the user s roles and the associated administrative rights for those roles. You can click on the role to see more information about that role and change the user s roles. None Provisioning is available for a limited number of applications. See the release notes for the current list. None Click Policy Summary to see which policies are enabled for this user. The display indicates the setting for each policy enabled and the policy set in which the policy is enabled. Open the policy set to change the setting. Note: The mobile device policy settings are only displayed when you use the EMM policy service to manage device policy. Modifying a user account Click the Account tab to view a user s account properties and status. For Active Directory accounts, you must use Active Directory Users and Computers to update the account details. The field values are updated in the cloud service according to Chapter 2 Managing users 7

Managing cloud accounts from the Users page the Active Directory user verification interval you set in the cloud connector (see "Using the Cloud Connector tab" on page 1-2). For cloud accounts, you can change all of the fields in the Account tab. Be careful when you change the user s login suffix because this affects their role memberships and policies. If you have users who will be enrolling devices or you are using mobile devices as a form of multifactor authentication, be sure to put the device s phone number in the Mobile Number field. The following options can be updated anytime: Option Locked Password never expires Require password change at next login (recommended) Add to Everybody role Select to do this Locks the account. Set this field to prevent the user from logging in to the user portal or launching applications from the CellWe EMM client. Overrides the default Maximum password age policy setting. Regardless of the Maximum password age setting, the password for this account never expires. The default maximum password age for user service accounts is 365 days. You use the Account Security Policies > Password Settings > Maximum password age policy on the Policies tab in Admin Portal to reset this value. Note: This setting and the Require password change at next login setting are interdependent. If you select one, the other is reset. Forces users to create a new password the next time they log in. When you select this option, users are immediately prompted to create a new password the next time they log in to the user portal with their current password. The user is also subject to any password reset policy controls and settings you have enabled (see Setting password controls). This setting is reset as soon as the user logs in and creates a new password. Note: This setting and the Password never expires setting are interdependent. If you select one, the other is reset. Adds this account to the Everybody role. It is best practice to leave the Add to Everybody role setting selected unless you plan to assign this user to a specific role. Admin Portal uses roles to assign applications, administrative rights, and policies to separate sets of users. You must assign a user to a role that has the CellWe portal deployed if you want that user to have access to the CellWe portal. See Managing roles for more information. Admin Portal user s guide 8

Managing cloud accounts from the Users page User Management commands Admin Portal provides several user management commands. They are displayed when you right-click the name on the Users page and in the Actions menu on the account s details page. Command ID repository Result Delete MFA Unlock Send email invite for user portal setup Send SMS invite for device enrollment Reload Sync All Apps Set Password Active Directory/ LDAP and service Active Directory/ LDAP and service Active Directory/ LDAP and service Active Directory/ LDAP and service Active Directory/ LDAP and service Active Directory/ LDAP and service service only Deletes a cloud directory account from the Samsung cloud service. The user is no longer listed on the Users page and is no longer able to log in to the portal or Admin Portal. For Active Directory/LDAP user accounts, the deleted account is only removed from the Users page. You must use Active Directory Users and Computers to delete the Active Directory/ LDAP account. Suspends multi-factor authentication for 10 minutes. Multi-factor authentication requires users to perform additional steps (such as verify their identity by email or phone call) to log in to the portal and Admin Portal. If the user is having trouble logging in, select the user and select this action to let the user log in with just a user name and password. Sends an email to the selected users with their login account name and a link to the user portal. Sends an SMS message with a link that downloads the Samsung SDS EMM client to the device. The user account must have a mobile phone number to use this command. Updates the user s rights immediately to put into effect any changes you have made to the account for example, if you added the user to a new role or changed the user s administrative privileges. Use this command immediately after modifying the user s role or rights. Force synchronization for all applicable applications. Note: This only applies to web applications that support provisioning. If Sync Daily is selected, the cloud service synchronizes user accounts for all provisioned applications for this user. Prompts you to reset the user s cloud account password. Note: You must reset the password for Active Directory/LDAP accounts by using Active Directory Users and Computers. In the window that appears, you enter a new password for the user. Chapter 2 Managing users 9

Referencing accounts from Active Directory/LDAP Referencing accounts from Active Directory/LDAP Generally, when you use Active Directory/LDAP accounts to authenticate cloud service users, you do not add them to the EMM cloud connector. Instead, the Samsung cloud service automatically adds the Active Directory/LDAP accounts to the Users page when they log in to the portal or enroll a device. You manage the account s properties (for example, email address and phone numbers), entirely in Active Directory/LDAP. However, you do need to add an Active Directory/LDAP account to a role to deploy applications to that user. You can add either the user s Active Directory/LDAP account or the user s Active Directory/LDAP group to the role. See "Creating roles and adding users to roles" on page 1-7 for the details. Notes After you add an Active Directory/LDAP user or group to a role, the name is not listed on the Users page until the user logs in to the user portal or enrolls a device. The EMM User Portal web application must be assigned to a role in which users are a member before they can log in. By default, EMM User Portal is assigned to the Everybody role so this is normally not a problem. In addition, when you use the Invite User button (see "Sending invitations to users" on page 2-12), the role you specify is automatically added to the EMM User Portal User Access settings. You can delete an Active Directory/LDAP account from either Active Directory/LDAP or the service. When you remove the account using Admin Portal, the account is automatically deleted from the cloud service, but it is unchanged in Active Directory. Deleted object detection from Active Directory to Cloud Manager requires that each Cloud Connector has permission to read the deleted objects container in Active Directory. For the connector to detect a user account deletion performed in Active Directory and update the Users page in Cloud Manager, you need to run a few commands on each connector. After permission has been granted for each connector, deletions are automatically detected. If you do not have the necessary permissions to change the permissions of the deleted objects container, then run this command: dsacls "CN=Deleted Objects,DC=<EXAMPLE>,DC=<COM>" /takeownership The following command grants the Cloud Connector permission to read the deleted objects container in Active Directory: dsacls "CN=Deleted Objects,DC=<EXAMPLE>,DC=<COM>" /user:administrator@<example.com> / passwd:* /g <EXAMPLE>\<MACHINENAME>$:LCRP /I:T Admin Portal user s guide 10

Referencing accounts from Active Directory/LDAP Notifying users with Active Directory/LDAP accounts Users with Active Directory/LDAP accounts log in to the user portal and enroll devices using their Active Directory/LDAP credentials. To get Active Directory/LDAP users started with the cloud service, you can send them an invitation (see "Sending invitations to users" on page 2-12) or you can provide the following URL to the users and tell them to use their Active Directory/LDAP credentials to log in: https://cloud.samsungemm.com/my They use the same credentials to enroll devices. Simplifying logging in to cloud service portals for Active Directory/LDAP accounts Users with Active Directory accounts can log in to the user portal and Admin Portal without entering their user name and password from computers that are within your organization s intranet. For example, you can log in to Admin Portal without entering your credentials by appending the login suffix to the portal s URL as follows: https://cloud.samsungemm.com/manage?customerid=<loginsuffix> If you have not yet defined any other login suffixes, you can use the default suffix your Active Directory account s UPN suffix. For example, if your domain name is abcorp.com, you would enter the following URL to log in without entering your user name and password: https://cloud.samsungemm.com/manage?customerid=abcorp.com See "Using login suffixes" on page 1-41 to learn about login suffixes. Similarly, users can log in to the user portal by adding the login suffix to their URL. In this case the syntax is as follows: https://cloud.samsungemm.com/my?customerid=<loginsuffix> Both of these methods use Integrated Windows Authentication to authenticate the user using their Active Directory credentials and require the user to be on your organizations intranet. You may need to reconfigure the default Integrated Windows Authentication settings and define IP Addresses on your EMM cloud connector to use this feature. See "Configuring cloud connectors" on page 1-8 to configure a cloud connector. You can also define a login suffix as an alias for a long Active Directory/LDAP UPN suffix. See "Creating an alias for long Active Directory domain names" on page 1-43 for the details. Chapter 2 Managing users 11

Sending invitations to users Sending invitations to users If you did not send invitations for users to log in to the user portal or enroll a device, you can do so using the Invite Users button. You can send an email and/or SMS message. Option Send email invite for user portal setup Send SMS invite for device enrollment Select to do this Sends an email to users with an invitation to log in to the Samsung SDS portal. The email contains a link to the user portal and their account login name and a one-time password. You can customize the email message sent when you invite users see "Customizing the email messages contents and logos" on page 1-7. Sends an SMS message to the mobile number in the account to help the user enroll the device. To use the SMS invitation, the user s account must have the device s phone number in the Mobile Number field. The message contains a link that downloads the EMM client to the phone. Users then install the EMM client and proceed with enrolling the device. To enroll a device, the user must be enabled to enroll devices see"enabling users to enroll devices" on page 1-1. Sending an invitation To send an invitation: 1 Open Admin Portal and click the Users tab. 2 Click Invite Users. 3 Filter your search by account source (Cloud or Active Directory/LDAP) and by user status. 4 Enter the first characters of the user name or Active Directory/LDAP group. The search results are filtered as you enter each character. 5 Select each account or group that you want to invite. 6 Click Invite. 7 Select the invitation method -- email and/or SMS. 8 Select the user s role. A default cloud directory role is Invited Users. If this role does not already exist, Admin Portal creates it. To select a different role, enter the role name in the text box. Admin Portal user s guide 12

Deleting accounts User accounts that are not already a member of the role are added, and the EMM User Portal application is automatically assigned to that role. 9 Click Send Invites. Deleting accounts For service accounts, deleting the account means that it is disabled and no one can log in using those account credentials. For Active Directory/LDAP user accounts, the deleted account is only removed from the Users page. People can still use those account credentials to log in to the EMM User Suite. You must use Active Directory Users and Computers to truly disable the account. To delete multiple users with one command: 1 Open Admin Portal and click Users. 2 Select the relevant accounts. 3 Click Delete from the Actions menu. 4 Click Yes to confirm. Specifying a user s application login settings By default, the Samsung cloud service provides single sign-on to web applications that use SAML (Security Assertion Markup Language) or a user name and password for authentication based on the user s Active Directory/LDAP or service user name and password. You use the Applications Settings page to provide different credentials for the web applications. If you don t specify the user name and password for the application, users are prompted to enter them once.the cloud service saves the credentials and silently authenticates the user for subsequent logins. Notes If the application prompts the user for log in credentials, you must enter the login name, however, you do not need to enter the password. If you don t, the user is prompted to enter the password. If multiple users open the application with a shared user name, you must specify the login name and password. To specify application settings for a user: 1 Open Admin Portal, click Users, and click the desired user. Chapter 2 Managing users 13

Specifying a user s application login settings 2 Click the Application Settings link in the left pane and click Add. The Select an Application dialog box appears. 3 Select the application for which you want to specify login settings. Either enter a part of the application name or scroll through the list to select an application at a time. The Setting Username/Password dialog box appears. 4 Enter the user name or user name and password required by this application to authenticate the user. The user name is required for all applications. For user-password applications that prompt users for login credentials, you can optionally specify a password. For userpassword applications that share a user name, the password is required. Note SAML web applications just prompt you for the account name. 5 Click OK. The application now appears in the user s Application Settings list. The next time the user opens this application from the user portal or the EMM client on the user s device, the Samsung cloud service uses these application settings to authenticate the user. To modify a user s existing application login setting: 1 On the Users page, click the user account. 2 Click Applications Settings. 3 In the Application Settings area, select an application. The Actions dropdown list provides options to delete or modify the application selection. 4 Select Modify. Change the user name and password as necessary and click OK. To delete a user s existing application login setting: 1 On the Users page, click the desired user. 2 Click Applications Settings. 3 In the Application Settings area, select the application or applications you want to delete. The Actions dropdown list provides options to delete or modify the application selection. 4 Select Delete. 5 Click Yes. Admin Portal user s guide 14

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information