Onboard Computers

EmpowerID provides an Onboard Computer wizard workflow to streamline the process of integrating computers into an organization's network. The workflow helps system administrators correctly configure, secure, and connect computers to the organization's infrastructure. In addition to provisioning computers, the wizard guides users through configuring access request settings for each computer and, if needed, securely vaulting credentials. This approach is intended to make onboarding smooth and efficient for both administrators and end users.

Onboard a computer

  1. On the navbar, expand Privileged Access and select PAM Workflows.

  2. Click Create Computer and Credential.


    This opens the Onboard Computer wizard workflow.

     

  3. Enter the following information in the computer form:

    • DNS Host Name – DNS host name of the computer

    • Display Name – Display name of the computer

    • Description – Description of the computer

    • Publish in IAM Shop – Select this option if you want users to be able to request access to the computer in the IAM Shop

      • Allows RDP Connections – Select this option to allow users to initiate RDP connections to the computer

      • Allows SSH Connections – Select this option to allow users to initiate SSH connections to the computer (Linux)

      • Enable Just in Time Account Provisioning – Select this option to enable accounts to be created on the computer for users requesting access to the machine. If this option is selected here and deselected on the policy governing access to the computer, EmpowerID overrides the policy setting and provisions the account.

    • Computing Platform – Select one of the available options or leave the default setting of Unknown

    • Operating System Type – OS of the computer

    • Computer Type – Type of computer, such as Windows Workstation

    • Private Address – Private IP address of the computer

    • Public Address – Public IP address of the computer

  4. Click Next to progress to the Select Creation Location configuration step.

  5. In the Select Creation Location lookup, search for and select the account store and, in the case of AD or LDAP, the specific OU within that account store where the computer is to be created.



  6. Click Submit to progress to the Access Request Settings configuration step.

  7. Under Owners and Policies, configure the following settings:

    • Access Request Policy – Select the Access Request policy appropriate for the credential. For computers, the following policies are pertinent. Each is linked to the Owner Approval Approval Flow policy, which means the owner of the computer must approve access requests.

      • Default Access Request Policy – Select this option when creating a computer without vaulting credentials for it in EmpowerID

      • Computer Creds - Allow Multi-Check-Out - No Password Reset – Select this policy when creating a computer and simultaneously vaulting credentials that initiate an RDP or SSH session where more than one session (credential check out) is allowed and you do not want EmpowerID to reset the password for the account when a user checks in the credentials. This policy is configured with the Owner Approval Approval Flow policy.

      • Computer Creds - No Multi-Check-Out - Password Reset – Select this policy when creating a computer and simultaneously vaulting credentials that initiate an RDP or SSH session where more than one session is not allowed, and you do want EmpowerID to reset the password for the account when the user checks in the credentials.

      • MFA - Computer Creds - Allow Multi-Check-Out - No Password Reset – Select this policy when creating a computer and simultaneously vaulting credentials that initiate an RDP or SSH session where multi-factor authentication is required, more than one session (credential check out) is allowed, and you do want EmpowerID to reset the password for the account when the user checks in the credentials.

    • Responsible Party – Search for and select the person responsible for the computer.

    • Computer Owners – Search for and select one or more persons as owners of the computer and then click Add.

       

    • Computer Deputies – Search for and select one or more persons as deputy owners of the computer and then click Add.

  8. Under Configure Eligibility, optionally add eligible users for the computer. Users must have a form of eligibility to request access to the computer in the IAM Shop. If you are not publishing the computer to the IAM Shop, you can skip this and proceed to the next step.



  9. Click Next to progress to the Select Gateway (Optional) configuration.

  10. Optionally, search for and select the gateway computer used for PSM sessions and click Next to progress to the Select Credentials (optional) setting. If this setting is not applicable, simply click Next.

  11. Optionally, search for and select the vaulted credentials for the computer and click Next to create the computer. If this setting is not applicable, simply click Next.
