The Secure Service Desk provides all the tools necessary for your service desk agents to help users calling in with authentication problems. Agents can help users reset their passwords or unlock their computers (if encrypted with Bitlocker or Symantec) in a secure, easy-to-use environment. The Service Desk also holds user information and statistics.
Note on phone numbers in Active Directory
Important: for text messaging to function correctly in the Service Desk, the mobile phone number registered in Active Directory must follow the E.164 numbering plan format. This means that mobile phone numbers must have the following format: +[country_code][subscriber_number_omitting_first_zero]. For example, for the Swedish (country code 46) phone number 073-3123456, the number in AD should be +46733123456; for the US (country code 1) phone number 415 555 2671, the format in AD should be +14155552671.
Note that registering phone numbers in Active Directory in any other format will leave the service desk agent unable to send text messages to the user in question.
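To make the E.164 requirement above checkable before a user calls in, here is an added example (not part of the product or of this documentation) in Python. It normalises locally written numbers into the +[country_code][subscriber_number_omitting_first_zero] form using the rule the text gives, validates the result, and audits a constructed list of account/mobile pairs so an administrator can find entries that would leave the agent unable to send text messages. The function names, the default-country-code parameter and the sample entries are assumptions.

```python
"""Normalise and validate mobile numbers for the Active Directory 'mobile'
attribute so they follow E.164 (+[country_code][subscriber number without
the national trunk zero]).  Added example, not product code.  The worked
values come from the text (073-3123456 -> +46733123456 for Sweden,
415 555 2671 -> +14155552671 for the US); the AD export below is constructed.
"""
import re
from typing import List, Optional, Tuple

# E.164: a leading '+', a non-zero first digit, at most 15 digits in total.
E164_RE = re.compile(r"^\+[1-9]\d{1,14}$")


def is_e164(number: str) -> bool:
    """True if the value is already in the format text messaging requires."""
    return bool(E164_RE.fullmatch(number))


def to_e164(raw: str, default_country_code: str) -> Optional[str]:
    """Convert a locally formatted number to E.164.

    - A number already starting with '+' is only cleaned of separators.
    - A '00' international prefix is replaced by '+'.
    - Otherwise the national trunk '0' is dropped and the default country
      code is prepended (the rule the text gives for the Swedish example).
    Returns None when the result is not valid E.164 (e.g. letters, empty).
    """
    cleaned = re.sub(r"[\s\-().]", "", raw.strip())
    if cleaned.startswith("+"):
        candidate = cleaned
    elif cleaned.startswith("00"):
        candidate = "+" + cleaned[2:]
    else:
        national = cleaned[1:] if cleaned.startswith("0") else cleaned
        if not national:
            return None
        candidate = "+" + default_country_code + national
    return candidate if is_e164(candidate) else None


def audit_mobile_attributes(
    entries: List[Tuple[str, str]], default_country_code: str
) -> List[Tuple[str, str, Optional[str]]]:
    """Classify each (account, mobile) pair as 'ok', 'missing', 'fixable'
    (with the suggested E.164 value) or 'invalid'.  Only 'ok' accounts can
    receive text messages from the service desk as things stand."""
    report = []
    for account, mobile in entries:
        if not mobile:
            report.append((account, "missing", None))
        elif is_e164(mobile):
            report.append((account, "ok", mobile))
        else:
            fixed = to_e164(mobile, default_country_code)
            report.append((account, "fixable" if fixed else "invalid", fixed))
    return report


if __name__ == "__main__":
    # Constructed sample export (sAMAccountName, mobile attribute).
    sample = [
        ("alice", "+46733123456"),
        ("bob", "073-3123456"),
        ("carol", ""),
        ("dave", "ext. 1234"),
    ]
    for row in audit_mobile_attributes(sample, "46"):
        print(row)
```

Run the audit against a real export of the `mobile` attribute (for example the output of a directory query) and correct the "fixable" and "invalid" entries in AD before relying on text-message notifications; the suggested value is only a proposal and should be confirmed with the user.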
Configuring a policy for access to the Secure Service Desk
For added security, you can configure multi-factor authentication
policies for users (typically service desk agents) accessing the service
desk.
- Click on Service Desk in the left navigation.
- Click on the Configure button to configure the policy.
- Configure the policy, then click Save.
On the Settings page you can configure the following:
- Identity verification
- Verification override URL
- Password reset options
- User privacy options
- Key recovery options
- Enrollment options
Identity verification
If this setting is enabled, the user’s password cannot be reset, nor can their computer be unlocked by the service desk, until the user’s identity has been verified by having them authenticate with any of the identity services they have previously enrolled with.
- Click on Service Desk in the left navigation.
- Click on the Settings button to configure the settings.
- Check the Enforce identity verification checkbox, and click Save.
Verification override URL
Here you can enter a verification override URL, which will be shown to a Service Desk agent when the verification URL can't be sent to the user directly. The service desk agent can then read the URL to the user. For more information on this feature and its setup, see the Override URL page.
Password reset options
The following options can be enabled in the password reset settings:
- Force users to change password after reset
If this option is enabled, Service Desk agents cannot input passwords manually for resets. The new password will be sent to the user in an email or text message.
- Allow manual password override (to override system-generated passwords if the System-generated passwords option has been enabled)
- Allow only system-generated passwords (to enable the generation of passwords by the system; the Service Desk agent will not be able to read the generated password)
- Notifications (see the Enabling additional notification methods section below)
Enabling additional notification methods
This section allows for configuring the notification possibilities for the service desk agent. In addition to the user's email and mobile phone, several additional notification methods can be enabled. This is especially helpful if the user's email and mobile number have not been configured in Active Directory. The following settings can be enabled:
- Enable sending new passwords through email or text message: when this option is checked, the email and text notification methods are available to the service desk agent (provided that the attributes for the user are configured correctly in Active Directory)
- Send to custom email: allows sending notification emails to email addresses other than those registered in Active Directory.
- Send to manager: allows sending notifications to the user's manager (email and text message, if correctly configured in Active Directory)
- Select Service Desk in the left navigation.
- Click the Settings tab.
- Expand Password reset options.
- Check Enable sending new passwords to managers to enable sending to a manager.
- Check Enable sending new passwords to custom email addresses to enable sending to custom emails.
This option is not available if the System-generated passwords option has been enabled. This is a security precaution to avoid having the Service Desk agent be able to read the generated password.
- Click Save.
User privacy options
These options can be used to restrict service desk agents' access to certain user information. The following options are available:
- Part of number: enables showing, hiding or only showing part of the user's phone number for the service desk agent.
- Show/Hide (email): enables showing or hiding the user's email address for the service desk agent.
Hiding a user's phone number and/or email address
- Select Service Desk in the left navigation.
- Click the Settings tab.
- Expand User privacy options.
- Set the first drop-down to Hide to hide the user's phone number from the service desk agent's view.
- Set the second drop-down to Hide to hide the user's email from the service desk agent's view.
- Click Save.
Key recovery options
This section allows you to configure additional notifications for key recovery operations:
- Enable sending the Recovery Key to managers: allows sending the Recovery Key to the user's manager if configured correctly in Active Directory.
- Enable sending the Recovery Key to custom email addresses: allows sending the Recovery Key to email addresses other than those associated with the user in Active Directory. The custom email addresses must be in the registered domains.
Enrollment options
Here you can configure whether or not service desk agents can enroll users for certain identity services without user intervention. This feature can only be used once the user has been verified. For more information on this feature, see the Enrollment section.
Secure Service Desk admin menu
The top menu for the Secure Service Desk consists of the following items:
- Admin: gives information on the account you are signed in with,
and what privileges that account holds.
- Service Desk: the interface for performing service desk actions
(for the agent; see section below for more information).
- New password: to change the password for the current user.
- Enroll: view and change the enrollments for the current user.
Secure Service Desk
This is the interface for service desk agents where all actions for
helping users can be performed. Note that the interface is empty until
you search for a particular user.
Searching for a user
Before any actions on behalf of users calling in to the service desk can
be performed, the user in question has to be found in Active Directory.
- Fill in the user’s name or username in the top right search field and click the search icon.
- If there is only one match, the user’s information will be displayed. In case of partial matches, a list of possible Active Directory names will be displayed.
- Choose the correct user from the list.
Verify Identity
Until a user’s identity has been verified, a red user icon with a strike
through it will appear in the top right corner of the service desk
interface.
Service desk agents can verify the identity of the user calling in to the Secure Service Desk by having the user authenticate with any of the identity services the user has previously enrolled with.
Note that if the Enforce identity verification setting has been
enabled, the user’s identity has to be verified before other actions
(reset password, and unlock computer) can be performed.
- Once the user has been found in Active Directory, click on the Verify identity tab.
- Click on the identity service you want the user to authenticate with. The user will be prompted on their computer to authenticate. Note that until the user has authenticated, the service desk agent should leave the Verify identity tab open.
- Once authenticated, the service desk agent will receive a success page, and all other service desk actions can be performed.
Alternatively, if the enrolled identity services are not used, the service desk agent can send a text message, email, or PingID push (Quick Verification) containing a code. This message will be sent to the mobile number associated with the user in Active Directory, or appear in the PingID app if that option was chosen. Once received, the user should either read the code to the service desk agent to confirm their identity, or acknowledge the push message from the PingID app. Note that the option to send a code by text message will not appear on screen if the user’s mobile phone number has not been registered in Active Directory; the option to send a Quick Verification will not appear if the user’s email has not been registered in Active Directory.
Quick Verification with Symantec VIP and Okta
Quick verification with Symantec VIP/Okta works in much the same way as PingID.
NOTE
Make sure the user is enrolled with Symantec VIP/Okta in order to use this identity service.
Verify by push notification
(available if the user has a push-enabled device enrolled and active with Symantec VIP/Okta, or if text messages have been enabled for Okta)
- Click on the Symantec VIP/Okta tab in Quick Verification.
- Click Start; a push notification will be sent to the user being verified.
NOTE
For Okta, if the user has access to multiple notification methods, an additional screen will be shown to the Service Desk agent where they can choose which type of message to send: Text Message, Push request, Enter Code. If only one method is available, this will be selected automatically. See the section Verify by code for more information.
- The user can acknowledge the push notification which will verify their identity.
Verify by code
- Click on the Symantec VIP/Okta tab in Quick Verification.
- Click Start.
- Click the Enter Code link.
NOTE
For Okta, if the user has access to multiple notification methods, an additional screen will be shown to the Service Desk agent where they can choose which type of message to send: Text Message, Push request, Enter Code. If only one method is available, this will be selected automatically.
- In case of Symantec VIP, if the user has the Symantec Desktop App installed, they can retrieve the code from there. Alternatively, the agent can have a code sent to the user via SMS or phone call by clicking the appropriate button. Note that this option will be shown automatically if the user only has SMS notification enabled.
- Have the user read the code, and enter it in the field, then click Verify.
Manager Identification
There may be situations in which users are unable to verify their identity themselves due to communications/data restrictions. In those cases it can be beneficial to have the user's manager verify their identity on their behalf.
Enabling Manager Identification
- In Authentication Web go to Service Desk, and access the Settings tab.
- Check the Manager identification as Quick verification checkbox.
- Click Save.
Using Manager Identification as Quick Verification
The following is an example of how this quick verification method can be used.
- When the user calls into the Service Desk, click on Verify Identity.
- Under Quick Verification, choose Manager Identification. You will see a message saying "You can identify the identity of [user_name] by sending a verification request to the manager of [user_name]."
- Click Start.
- The manager (if registered as such in Active Directory) will receive an email asking to verify the user. It is up to the manager (and the user in question) to make sure the correct user is verified (e.g. by calling the user).
- The manager clicks Continue in the Manager Identification email. The manager will be redirected to a browser window with the Service Desk verification request.
- The manager clicks Verify to verify the user.
WARNING
It is essential in these types of scenarios that the manager is aware of the Service Desk call, and that they ascertain that it is in fact the user in question who is trying to get verified.
Identity Verification and security
If Enforce identity verification is enabled, the service desk
agent is required to verify the identity of the user before being able
to either reset the password or unlock the user’s computer, thereby
increasing the security of the interaction. Once the identity is
verified, the interaction with the Service Desk will rely on the
creation of secure session tokens to maintain session integrity.
In a typical service desk session, the service desk agent issues an
identification request to the user, using one of the user’s identity
services. Once the user has authenticated with the identity service, the
secure token is created. This token is shared between the specific
service desk agent and the user for the duration of the session. Every
interaction (password reset, unlock computer) is validated against this
token. For the duration of the session, the token will only work for the
service desk agent who initiated the identity verification, and only to
perform actions for the user who verified their identity.
Traceability
Besides providing a secure way to authorize actions from the Service
Desk, the tokens also allow for the creation of a continuous event log
associated with every Service Desk session. This makes every session
trackable and searchable. All information regarding the session is
accessible through the Reporting menu. More information on logging
features and reports can be found in the Reporting section above.
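As an added illustration of the token model described above and the traceability it provides (example code written for this page, not the product's implementation), the following Python sketch binds a session token to the agent who initiated verification and the user who verified, rejects actions from any other agent or for any other user, expires the session, and appends every outcome to a searchable event log. The class and method names, the 15-minute lifetime, the injectable clock and the hashing of the stored token are assumptions.

```python
"""Session tokens bound to (agent, user) with a per-session event log.
Added example; the product's real token format and lifetime are not
documented on this page, so every value here is an assumption.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    agent: str
    user: str
    created: float
    token_hash: str  # only a hash of the token is kept server-side


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class SessionBroker:
    def __init__(self, lifetime_seconds: int = 900, clock=time.time):
        self._sessions: Dict[str, Session] = {}
        self._lifetime = lifetime_seconds
        self._clock = clock          # injectable for testing expiry
        self.events: List[dict] = []  # continuous log, searchable per session

    def _log(self, session_id: Optional[str], action: str, outcome: str, **details):
        self.events.append({"ts": self._clock(), "session": session_id,
                            "action": action, "outcome": outcome, **details})

    def verify_identity(self, agent: str, user: str,
                        identity_service_ok: bool) -> Optional[Tuple[str, str]]:
        """Called with the identity service's result. On success a fresh token
        is minted and bound to this agent and this user."""
        if not identity_service_ok:
            self._log(None, "verify_identity", "failed", agent=agent, user=user)
            return None
        session_id = secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        self._sessions[session_id] = Session(agent, user, self._clock(), _hash(token))
        self._log(session_id, "verify_identity", "success", agent=agent, user=user)
        return session_id, token

    def authorize(self, session_id: str, token: str, agent: str,
                  user: str, action: str) -> bool:
        """Validate one action (reset password, unlock computer) against the
        token: it must be unexpired, match, and come from the same agent for
        the same user. Every decision is logged with its reason."""
        session = self._sessions.get(session_id)
        if session is None:
            reason = "unknown session"
        elif self._clock() - session.created > self._lifetime:
            reason = "expired"
        elif not hmac.compare_digest(session.token_hash, _hash(token)):
            reason = "bad token"
        elif agent != session.agent:
            reason = "different agent"
        elif user != session.user:
            reason = "different user"
        else:
            reason = None
        self._log(session_id, action, "allowed" if reason is None else "denied",
                  agent=agent, user=user, reason=reason)
        return reason is None

    def session_events(self, session_id: str) -> List[dict]:
        """Everything recorded for one session, in order."""
        return [e for e in self.events if e["session"] == session_id]


if __name__ == "__main__":
    broker = SessionBroker()
    sid, tok = broker.verify_identity("agent1", "alice", True)
    print(broker.authorize(sid, tok, "agent1", "alice", "reset_password"))  # True
    print(broker.authorize(sid, tok, "agent2", "alice", "reset_password"))  # False
    for event in broker.session_events(sid):
        print(event)
```

The point of the structure is that the token carries no authority on its own: an action is only allowed when the session, the agent and the target user all line up, and a denied attempt leaves the same kind of log entry as an allowed one, which is what makes the session trackable afterwards.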
Reset Password
Once the user has been found and their identity verified, the service
desk agent can reset the password for the user.
- Click on the Reset password tab.
- Do one of the following:
  - Enter a new password manually. Make sure it adheres to the password rules, which are listed underneath the text field. This option is not available if the System-generated passwords option is enabled in the settings. See the Reset password settings section below for more information.
  - Click the Generate button. This will generate a new password, which will adhere to the password rules. The service desk agent can never see this password.
- Under Options, check the “[user] must change password upon next logon.” option, to make sure that the user changes their password next time they log on.
- In the notification section, check the boxes for each notification method to use. The following notification methods are available (note that more than one notification method can be chosen):
  - To user via email (the mail will be sent to the email address associated with the user in Active Directory)
  - To user via text message (the text will be sent to the mobile number associated with the user in Active Directory)
  - To manager via email (the mail will be sent to the manager associated with the user in Active Directory). This option is only visible if enabled in the settings; see the Enabling additional notification methods section below.
  - To manager via text (the text will be sent to the manager associated with the user in Active Directory). This option is only visible if enabled in the settings; see the Enabling additional notification methods section below.
  - To custom email. Use the dropdown to choose between different registered domains. This option is only visible if enabled in the settings; see the Enabling additional notification methods section below.
  - By reading it to the user. If the System-generated passwords option has been enabled in settings, the Service Desk agent will not be able to read the new password.
  The user's email and text message options are only visible if these have been configured in Active Directory. Send to manager and custom email are only visible if the correct options have been enabled in the settings, and if the user's manager has been configured in Active Directory. See the Reset password settings section below for more information.
- Click the Reset password button.
For information on password reset options (settings), see the Configuring settings for Secure Service Desk section.
Unlock Computer
For users whose computers have been encrypted with Bitlocker or Symantec
Endpoint Encryption, the service desk can assist in unlocking a locked
computer. The service desk agent will be presented with a series of
screens that will guide the user through the unlocking process and
provide the response key required for unlocking the computer.
- Once the user’s identity has been verified, click the Unlock computer tab.
- Choose the correct encryption software (Bitlocker or Symantec) according to what the user is running. For users running Symantec Endpoint Encryption, an additional choice has to be made depending on the type of Symantec Endpoint Encryption:
  - Native Symantec Endpoint Encryption (recognizable by the last logon time indicated on the screen)
  - Symantec Endpoint Encryption for Bitlocker (user’s screen says Bitlocker Recovery)
  - Older versions of Symantec Endpoint Encryption (user’s screen says WDRT token)
- Depending on the type of encryption, a particular number has to be input by the service desk agent:
  - Native Symantec Endpoint Encryption: Sequence number
  - Symantec Endpoint Encryption for Bitlocker: Recovery Key ID
  - Older versions of Symantec Endpoint Encryption: Machine/Disk ID (UUID or DISKID)
  - Native Bitlocker: Recovery Key ID
- Choose how to relay the recovery key to the user. Note that multiple methods can be chosen. Check the desired method, or check none if the service desk agent chooses to only read the number to the user.
  - To user via email (the mail will be sent to the email address associated with the user in Active Directory)
  - To user via text message (the text will be sent to the mobile number associated with the user in Active Directory)
  - To manager via email (the mail will be sent to the manager associated with the user in Active Directory). This option is only visible if enabled in the settings; see the Enabling additional notification methods section below.
  - To manager via text (the text will be sent to the manager associated with the user in Active Directory). This option is only visible if enabled in the settings; see the Enabling additional notification methods section below.
  - To custom email. Use the dropdown to choose between different registered domains. This option is only visible if enabled in the settings; see the Enabling additional notification methods section below.
  - By reading it to the user.
- Click Continue; the service desk agent will be presented with a Recovery key. If none of the methods above (email or text message) was chosen, the number needs to be read to the user for them to input it on their computer.
NOTE
For users running native Symantec Endpoint Encryption, there will be a checksum code above the Recovery key field that can be used to verify that the user has entered the correct key into their computer (in which case the codes should match).
Enabling additional notification methods
In addition to the user's email and mobile phone, several additional notification methods can be enabled. This is especially helpful if the user's email and mobile number have not been configured in Active Directory. The following methods can be enabled:
- Send to manager (email and text message, if correctly configured in Active Directory)
- Send to custom email
- Select Service Desk in the left navigation.
- Click the Settings tab.
- Expand Key Recovery options.
- Check Enable sending the Recovery Key to managers to enable sending to a manager.
- Check Enable sending the Recovery Key to custom email addresses to enable sending to custom emails.
- Click Save.
Enrollment
Here you can see what identity services the user has enrolled with.
Here you can also add enrollments for identity services (Personal Email and Mobile Code (SMS)) without user intervention.
Certain identity services can also be removed so that the user can
re-enroll with them.
Add Enrollment
If configured, Service Desk agents can enroll users with Personal Email and/or Mobile Code (SMS) without any user intervention.
NOTE
Enrollments can only be added after the user's identity has been verified. See
Verify Identity for more information on identity verification.
NOTE
Only those identity services that are correctly configured will be shown on the Add enrollment page.
Configuring Add Enrollment
- Go to Secure Service Desk > Settings
- Open Enrollment options
- Check the option Allow Service Desk agent to enroll users
- Make sure the identity services are configured correctly to allow adding enrollments.
NOTE
The setting Update mobile in AD needs to be set to one of the following:
- Always
- If number is missing in Active Directory
- Store in user subobject (encrypted)
Note also that if the setting is set to If number is missing in Active Directory and the number is already present in Active Directory, the Add enrollment feature will not work.
Adding enrollment for a user
- Verify the user (see Verify Identity for more information)
- Click Enrollment
- In the User enrollment info section, click the Add enrollment button
- Enter the user's phone number or personal email and click Send Code
- Have the user read the verification code they received to the Service Desk agent
- Enter the verification code in the Verify Code field, then click Add Enrollment
NOTE
Once the user has been enrolled with the identity service, it will appear in the Enrolled Identity Service list.
Troubleshooting Add Enrollment
If the Add enrollment button is inaccessible, administrators should check the following:
- Check that Add Enrollment is enabled in the Secure Service Desk Settings (Enrollment options).
- Check that the Mobile Code (SMS) and/or Personal Email identity services are enabled.
- Check that the settings for the Mobile Code (SMS) identity service allow adding the user's mobile number to AD.
NOTE
The feature will also not be available if the Update mobile number in AD setting is set to If number is missing in Active Directory and there is already a number present in AD.
User Details
This section shows the details for the user currently accessed by the service desk agent. It contains information on User info (information registered in Active Directory), Password info (information on password expiration and Specops Authentication enrollment), and History (events recorded for this user in the Service Desk).