Specops First Day Password (Onboarding)

Onboarding allows uReset customers to allow new users (typically new hires in the organization) to access the network using two-factor authentication, even when they have not enrolled with any ID services yet. This makes the onboarding procedure secure and efficient, avoiding the unsecure method of sending new users their (temporary) password unencrypted by mail. Onboarding is a Powershell-based workflow and can be combined with existing workflows within the organization.

Configuring First Day Password

Configuration in Authentication Web

The First Day Password settings as well as the necessary notifications can be configured in Authentication Web.

  1. In the left navigation, click on First Day Password.
  2. In the Settings tab, configure whether users can continue with enrollment after setting their first password and whether the First Day Password can be accessed through the uReset page.
    • Enable enrollment: allows users to continue to enrollment after setting their initial password, to enroll with any other ID services that the organization has configured in their uReset policy..
    • Allow First Day Password from uReset: allows user to access First Day Password from the uReset page.
  3. Click Save.
  4. Click on the Notifications tab. Here you can configure the notifications associated with First Day Password. These notifications can be sent either as an email or as a text message.
  5. Click New to create a new notification.
  6. In the Event drop-down, choose which notification you want to create:
    • First Day Password invite: the invitation sent to the new user containing the First Day Password link.
    • First Day Password Complete: the notification sent to confirm the completion of the First Day Password process.

    As with other uReset notifications, these notifications make use of placeholders, such as %UserEmail% and %UserFirstName%, to dynamically populate the notification with information.

  7. Configure the notification.
    NOTE

    The invitation notification should contain the First Day Password URL (placeholder %OnboardingUrl%) in order to for the new user to be able to access the First Day Password web page.

    If no URL is provided, users can only access the First Day Password web page by clicking the reset password link on the login screen of a company-issued computer.

    NOTE
    When using the Insert link button in the ribbon and putting the URL placeholder in the To what URL should this link go? field, make sure to uncheck the Use default protocol checkbox. If this is not unchecked, the resulting link will not work because of a repeated "http://" inserted before the link.
  8. Click Save.

Initialization and scheduling

First Day Password is a Powershell-based feature. There are three commands associated with First Day Password.

Command: Get-SAOnboarding

Retrieves all users with an active First Day Password.

Command: Set-SAOnboarding -Username [username]

This command marks the user as ready for First Day Password. It takes the following parameters:

Parameter Description
-UserMobile The mobile number of the new user. This is the phone number where the user will receive the mobile code to authenticate with. This parameter is optional.
NOTE

Although this parameter is optional, either -UserMobile or -PersonalEmail needs to be included for the user to be able to authenticate with First Day Password, unless the user is enrolled in other ways, for example:

  • The user has been issued a company mobile phone, and that number has been enrolled. This is then the phone that will be used for the mobile code for authentication.
  • The user has already been enrolled with the Personal Email identity service.
NOTE

This parameter requires that the mobile number included starts with an international prefix, followed by the country code. The only international prefix allowed here is "+". Other prefixes, such as 00, 011 or others cannot be used.

Thus, for example, the following notation is allowed (example for Swedish mobile number): +46706123456 or +460706123456. If the interational prefix is omitted, a warning message is displayed.
-PersonalEmail The personal email address of the new user. This email address will be used to send the authentication link to. This parameter is optional (see note under -PersonalMobilePhone for instances where this parameter can be omitted).
-FromDate The date on which the invitation link will be sent out. This is an optional parameter. If no date has been entered, it defaults to today's date. Invitation notofications are always sent at the next User Counting.
-ValidNumberOfDays States the number of days the First Day Password link should be valid for. Default is 20 days.

Command: Remove-SAOnboarding -Username [username]

This command removed the user from First Day Password.

Enabling and disabling user First Day Password

Under User counting you can configure whether or not First Day Password invitation notifications are sent out at the next User Counting.

  1. In the left navigation, click on User Counting.
  2. Mark the checkbox for Send First Day Password welcome email when the scheduled counting is complete (default is checked).
  3. You can also manually start a USer Counting and send invites as soon as this counting completes. Check the box for Send First Day Password welcome email when the counting is complete under Start a new user count.
    NOTE
    This option only appears if at least one invite notification has been configured.

Customization

Some of the texts on the First Day Password web pages can be cutomized to suit your organization's tone.

Text Default Description
First Day Password start page title First Day Password Title for the First Day Password landing page
First Day Password start page description Welcome to First Day Password... Description for the First Day Password landing page
Invalid First Day Password URL message The First Day Password link has expired or is invalid Information to end user when the link has expired or is invalid
Not eligible for First Day Password You are not eligible for First Day Password For example if user was not marked for First Day Password.
Password Reset Information Error message when a user is not eligible for First Day Password after signing in Information message on the password reset page during First Day Password

Reporting

Reporting

A report is available showing the number of users who have used First Day Password per time period.

  1. In the left navigation, click on Reporting.
  2. In the Usage tab, access the First Day Password tab.
  3. A graph shows the number of users who have used First Day Password per hour, day, week or month, depending on your settings. You can change the start and end dates for the report.

End user experience

The following is a short step by step walkthrough of the end user experience when using First Day Password.

  1. The new user receives the invite notification with the First Day Password URL and clicks on the link.
  2. They get to the First Day Password landing page and click Continue.
  3. The user comes to the authentication page where they can collect stars using the ID services that have been provided in the Powershell command (either mobile phone number or email, or both. Only one star needs to be collected.
  4. After authenticating with the ID service, they get to the page where they have to choose their password (here a set of password rules is shown).
  5. After setting their password and clicking OK, the First Day Password link will expire.
  6. The user gets a password reset confirmation email. They also get an First Day Password Complete mail if that has been configured.
  7. The user is signed out and prompted to signin again to complete enrollment with other ID services (if that has been configured in the First Day Password settings).