Device Approval
Overview/Purpose
With version 6.2, MyWorkDrive introduces Device Approval for Enterprise license holders. With Device Approval, the administrator can control which devices with installed clients are able to connect to the MyWorkDrive server, including Windows, macOS, iOS and Android.
Devices which have not been approved will not be allowed to connect. Users attempting to connect from an unapproved device will be provided with a message that indicates approval is required in order to use that client.
Device approval can be run in monitor mode to simply collect devices which are connecting to the MyWorkDrive server. You can use this as a simple audit tool or as part of your deployment plan to collect devices prior to enforcing approval.
When require approval mode is enabled, devices which have not been approved will not be allowed to connect.
Device approval works in conjunction with all login methods including SSO, and is compatible with any MFA – whether that is Duo through MyWorkDrive or any compliance required by your SSO.
Device Approval appears as a new menu item, “Devices” in server version 6.2 of MyWorkDrive.
If you do not have Device Approval as an option in server 6.2 it may not be a feature available to your license level. Please contact support for additional information.
Important Update
A potential issue was identified in the calculation of the Device ID on Windows map drive clients which may cause the client to generate a new Device ID. This new Device ID would require approval as if it was a new device, occasionally requiring a user to seek multiple approvals for the same Windows workstation.
A revision to the Device ID process was made to prevent the client Device ID from changing.
Anyone who has deployed Device Management is strongly encouraged to update their Server to version 6.2.1.14 (or later), and Windows map drive clients to 6.2.1.16 (or later).
This issue does not exist on macOS or Mobile clients; it is specific to the Windows map drive client.
Client/Server support/requirement
Device approval in MyWorkDrive requires a compatible server and compatible installed clients.
- 6.2.1.14 or later MyWorkDrive server.
- 6.2.1.16 or later Windows client.
- 6.2 or later macOS client.
- 6.2 or later mobile clients for iOS and Android.
Device approval does not block/approve/monitor Web or Mobile Web clients.
The Device Approval process
- Set server to require approval mode
- When users attempt to log in, if their device is not approved, they will receive a message that approval is required and be shown a device ID.
  (Screenshots: Windows Client, Android Client)
- The device ID can also always be found in the About information on all clients.
- The user should contact the administrator and provide them with their device ID.
- The administrator should then go onto the server, find the device ID and approve the device.
- If the device is approved, they will just be allowed to log in and no additional feedback is provided to the user.
We’ve added a number of features to make that process easier/simpler for the administrator to mass approve and manage a large number of devices.
Device Information Collection
Whether device approval is in monitor or require approval mode on the MyWorkDrive Server, the server will capture information about the clients which are connecting or attempting to connect if they are Device Approval compatible. Earlier clients will not report this information in monitor mode, and will not be able to connect in require approval mode.
Device approval starts by capturing a unique device ID, the user who logged in (or attempted to log in), client version, client type, Operating System, and the date and time of the login or login attempt. On the list screen all of the columns are sortable.
You can use the captured information to determine if a client should be approved to connect.
Please note that Windows client version 6.1.1 will report some information including connecting user, device ID and time, but will not enforce approval mode or be able to log in if Approval Mode is enabled. No other earlier clients will report any device information to the server.
The Device Identifier (Device ID) which is captured is unique to each device and is pulled from the device’s hardware and operating system combination. The unique ID should persist through MyWorkDrive client upgrades, but may change if the underlying operating system or hardware are changed. Completely removing and reinstalling the client on macOS or mobile devices will result in a new device ID being issued to the client.
Device approval only works for Installed clients. Web clients are not tracked in Device Approval and access cannot be approved or denied to Web or Mobile Web clients through Device Approval.
Enabling and enforcing
When enabling require approval mode you have the option of choosing to require approval for mobile or desktop clients or both.
Note that if you approve a 6.1.1 client with Require Approval, that client ID will be approved should they upgrade to 6.2, but the user won’t be able to log in with the 6.1.1 client.
When you approve a device, you’re approving all users who have access to the MyWorkDrive server to use that device. In environments with kiosk or shared devices like RDS, all users who have permission to the MyWorkDrive server will be able to use that device. Of course, their access and the shares they are granted will be determined by the MyWorkDrive configuration and their permissions to shares and Active Directory / SMB.
Requiring approval makes no changes to login method or any MFA that is required.
Search
The search box on the Device Approval page permits you to easily find users or devices to approve or disapprove.
Entering a value in the search field will search:
- Device ID
- Username
- Version
- Operating system
The search field will take a partial value. If you were looking for any Android client you could simply type in “And” or if you were looking for the user Samantha typing “Sam” would return Samantha, as well as Samuel, Sam, Samar, etc.
Approving Devices
Approving a device is as simple as sliding the toggle on the left-hand side over so that it shows green. All devices where the toggle is green will be permitted to log in.
Approving Multiple Devices at once
Using the select and multi select buttons on the left, in conjunction with the approve and delete links at the top of the page you can bulk approve or remove devices from the system.
You can use this feature in conjunction with the search feature to approve, say, all Windows devices or all of Samantha’s clients.
Note that the select all option selects all pages, so if you have additional pages, make sure you review those pages to be sure all selected clients should be approved/deleted.
Approving by user/group – exemption/bypass
Device approval includes a feature which allows you to default approve specific users or Active Directory groups to log in, regardless of whether their device is approved or not.
This functionality might be used for MyWorkDrive users who have special access such as:
- IT administrators or support personnel for testing purposes
- Executives
- Users who only have access to leak protected data.
You might also temporarily bypass a user to collect what devices they are using for future approval. This avoids them being blocked from logging in initially and requiring them to request access. You might bypass them for 48 or 72 hours, then approve their devices and remove them from the bypass list.
When require approval is enabled, click on the authorized users & groups button.
Check the enable bypass box. This will show you the interface to add and edit bypassed users and groups.
Use the edit link to choose the users or groups that should be in bypass mode.
You can see in this example the users Tabitha and Gerard have been bypassed. They can log in on any installed client on any device. The device does not need approval for them to log in. Any other user who attempts to log in on an unapproved device will be denied because we have require approval enabled in this example.
Integration with Logs
When require approval is enabled, approval information is included in the logs. You’ll see a device ID and whether the device was approved or not as part of the login entry for the user.
If the user is a bypass user, that will also be noted in the log entry.
Recommendations
We recommend starting the approval process by leaving your server in monitor mode (not requiring approval) and collecting device information.
Not requiring approval immediately avoids disrupting normal operations while you collect device information.
You can then stage upgrades of users’ devices to 6.2 without needing to upgrade everyone all at once.
After sufficient time that most users have logged into the MyWorkDrive server, review the devices that have connected, make sure they seem reasonable, and approve the existing devices. Then enable require approval mode.
In this manner, existing users will be approved and their workflow will not be disrupted. Only new devices will need to be approved.
Remember that requiring device approval will require a 6.2 client to connect, so any users who are not upgraded will no longer be able to connect even if you put them in bypass.
We do not recommend approving by user or group using the bypass method. The bypass feature should only be used in very select situations.
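The review step recommended above can be scripted before require approval mode is switched on. The following is an added example, not MyWorkDrive code: it assumes the monitor-mode device list has been copied into records with the hypothetical fields `device_id`, `user`, `os` and `version`, and it uses the minimum client versions from the requirements list on this page.

```python
from collections import defaultdict

# Minimum client versions for Device Approval, from the requirements list above.
MIN_VERSION = {
    "windows": (6, 2, 1, 16),
    "macos": (6, 2),
    "ios": (6, 2),
    "android": (6, 2),
}

def parse_version(text):
    """Turn '6.2.1.16' into (6, 2, 1, 16) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))

def review_devices(rows):
    """Return (too_old, shared) from monitor-mode device records.

    too_old: device IDs whose client is below the listed minimum (or whose
             OS is not a listed client type); upgrade these before enabling
             require approval mode, since bypass does not help old clients.
    shared:  device IDs seen with more than one user; approving one of
             these approves every user who logs in on that device.
    """
    users_by_device = defaultdict(set)
    too_old = set()
    for row in rows:
        device_id = row["device_id"]
        users_by_device[device_id].add(row["user"].lower())
        minimum = MIN_VERSION.get(row["os"].lower())
        if minimum is None or parse_version(row["version"]) < minimum:
            too_old.add(device_id)
    shared = {d for d, users in users_by_device.items() if len(users) > 1}
    return sorted(too_old), sorted(shared)

# Constructed sample records (not real product output); field names are assumptions.
SAMPLE = [
    {"device_id": "DEV-A1", "user": "samantha", "os": "Windows", "version": "6.2.1.16"},
    {"device_id": "DEV-B2", "user": "samuel", "os": "Windows", "version": "6.1.1"},
    {"device_id": "DEV-C3", "user": "tabitha", "os": "macOS", "version": "6.2"},
    {"device_id": "DEV-D4", "user": "gerard", "os": "Windows", "version": "6.2.1.9"},
    {"device_id": "DEV-E5", "user": "samantha", "os": "Android", "version": "6.2.0"},
    {"device_id": "DEV-E5", "user": "samar", "os": "Android", "version": "6.2.0"},
]

if __name__ == "__main__":
    too_old, shared = review_devices(SAMPLE)
    print("Upgrade before enforcing:", too_old)
    print("Shared devices to review:", shared)
```

Versions are compared as integer tuples rather than strings, so 6.2.1.9 correctly sorts below 6.2.1.16.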