Installing Manually

For testing and pilot purposes you can install the HYPR Passwordless client application manually for each user. However, for deploying to larger segments of your workforce population you'll want to integrate with a configuration management solution such as Microsoft Endpoint Configuration Manager (formerly SCCM) or Jamf on macOS.

This page describes the available installation parameters and shows how to run the installer from the command line for compatibility with configuration management tools.

Installation Parameters

For both Windows and macOS, the HYPR installer reads its configuration parameters from the hypr.json file located in the same directory as the installer. For Windows, you can also pass the parameters directly on the command line.

All Right

If your downloaded install package already includes a hypr.json file, be cautious about changing any of the preconfigured values. This is how HYPR provides the necessary custom parameters for your installation.

The hypr.json file is a simple collection of name-value pairs, each defining a single install parameter. For example:

{
  "version": "1.0",
  "rpUrl": "https://highlandsbank.gethypr.com/rp",
  "appId": "HYPRDefaultWorkstationApplication",
  "pinningHash": "Sp4nxBnLypng05MKvujez/+y8raO7p9wc9ctaPNGI5U=,++MBgDH5WGvL9Bcn5Be30cRcL0f5O+NyoXuWtQdX1aI=",
  "installToken": "0f03f635-4d9a-46ff-b537-cd97ad77cb6e",
  "certTemplate": "hyprwin",
  "securityKeyCertTemplate": "",
  "supportEmail": "support@hb.com",
  "fullUI": "1"
}

All parameters are optional unless specifically listed as Required.

The available parameters are as follows:

JSON	Command Line	Description
`rpUrl`	`HYPRRP`	(Required) The URL of your HYPR instance: `https://yourtenant.gethypr.com/rp` Note that the URL must end in `/rp`
`appId`	`HYPRAPPID`	(Required) The ID of the HYPR Control Center internal application used to configure the Workstation functionality. The value is the same for all HYPR deployments: `HYPRDefaultWorkstationApplication`
`pinningHash`	`HYPRHASH`	(Required) A hash of the HYPR server SSL/TLS certificate which serves as a public key pinning value. This value can be obtained from the `hypr.json` file included when you download HYPR Passwordless.
`installToken`	`HYPRINSTALLTOKEN`	(Required) A token used to establish encrypted communication between the HYPR Passwordless client and the HYPR Server. The value is pre-set for each HYPR deployment and shouldn't be changed.
`certTemplate`	`HYPRTEMPLATE`	The name of the Active Directory certificate template for Advanced Installs and mobile enrollment. HYPR Support will help you create and name the template, but by default the template name is either `hyprwin` (for Windows) or `hyprmac` (for macOS). If you prefer to create your own custom AD certificate template, please follow these instructions.
`supportEmail`	`HYPRSUPPORT`	The email address used for any support requests sent by the user from within the HYPR Passwordless client.
`proxyServer`	`HYPRPROXYSERVER`	A proxy server to be used when the HYPR Passwordless client communicates with the HYPR Server, in the form `proxy[:port]`. For example: `proxy.myoffice.com:3128` The port is optional and defaults to 8080.
`proxyBypass`	`HYPRPROXYBYPASS`	A comma-separated list of host names to be excluded from the proxy connection. If the URL matches any of the hosts in the list, the proxy will be bypassed and a direct connection made. Host names can include wildcards (e.g., `.mycompany.com` or `10.20.`).
`qrCodeUrl`	`HYPRQRCODEURL`	The URL to handle incoming QR code requests. Typically this will be your tenant URL, but may differ.
`allowPasswordForPairedUsers`	N/A	(macOS only) Disables the password prompt at login for users who have previously paired using HYPR. Set to false to enforce passwordless login. Enabled (true) by default. This corresponds to `AllowPasswordForPairedUsers` described in Configuration Parameters. See Passwordless Enforcement for a full description.
`allowPasswordUnlockForPairedUsers`	N/A	(macOS only) Enables/Disables the password prompt at unlock for users who have previously paired using HYPR. Set to false to enforce passwordless unlock. Enabled (true) by default. This corresponds to `AllowPasswordUnlockForPairedUsers` described in Configuration Parameters. See Passwordless Enforcement for a full description.
`certPublishers`	N/A	(macOS only) A comma-separated a list of DNS names for the servers running the service that can generate certificates on behalf of the user. The HYPR Passwordless client will browse the AD forest if you omit this parameter, but if you have multiple servers deployed to manage the domain infrastructure it can take time to explore all of them. This corresponds to `CertificatePublishers` described in Configuration Parameters.
`certAuthority`	N/A	(macOS only) The name of the publisher of the Active Directory. The HYPR Passwordless client will browse the AD forest if you omit this parameter, but if you have multiple servers deployed to manage the domain infrastructure it can take time to explore all of them. This corresponds to `CertificateAuthority` described in Configuration Parameters.
`disablePasswordLogin`	`HYPRDISABLEPASSWORDLOGIN`	Windows Only Removes the Windows login screen option to authenticate with a password. Corresponds to the registry entry Disable Password Login.
`fullUI`	N/A	(Windows only) Should the Environment Setting dialog be displayed during the install? 0 - hide the dialog 1 - show the dialog Hiding the dialog keeps users from changing any of the configuration parameters set in the `hypr.json` configuration file when the installer is run normally. Not applicable when installing using `msiexec` with command-line parameters.
`customLogo`	`HYPRCUSTOMLOGO`	(Windows only) The path to a locally-stored custom image to override the default HYPR logo. Branding configuration options are described in Branding Customization Supported formats: PNG, JPEG, or BMP Preferred image size: 101x82 pixels Backslashes in the file path must be doubled. For example: `C:\\myImages\\hb_logo.png`
`customBackground`	`HYPRCUSTOMBACKGROUND`	(Windows only) The path to a locally-stored custom image to override the default background. Branding configuration options are described in Branding Customization Supported formats: PNG, JPEG, or BMP Preferred image size: 633x398 pixels Backslashes in the file path must be doubled. For example: `C:\\myImages\\hb_background.png`
`noYKMD`	`NO_YKMD`	(Windows only) If enabled (value 1), the installer will not install or attempt to update Yubico's smart card mini-driver to the version embedded into HYPR Passwordless.
`passwordlessUserTile`	`HYPRPASSWORDLESSUSERTILE`	(Windows only) If enabled (value 1), the Passwordless User login tile displays by default. Otherwise (value 0), the default is controlled by Windows. The equivalent registry setting is Passwordless User Tile.
`protectLogs`	`HYPRPROTECTLOGS`	A Boolean parameter that controls access to the HYPR's logs folder. See Setting Log Access on macOS for a full description.
`sendLogsPrompt`	`HYPRSENDLOGSPROMPT`	The name to override the default Contact Support label. Contact Support customizations are detailed in Contact Support.
`securityKeyCertTemplate`	`HYPRSECURITYKEYTEMPLATE`	(Windows only) The name of the Active Directory certificate template if using non-exportable private keys. If this parameter is defined, HYPR Passwordless client will use the `certTemplate` value when requesting a certificate for a mobile enrollment, and the `securityKeyCertTemplate` when requesting a certificate for a security key or smart-card. If a value is not specified (or is empty), the same template will be used for mobile devices and security keys and smart-cards. Installations using this parameter will generate a Certificate Template (Security Keys) registry value in the key, `HKLM:\SOFTWARE\HYPR Workforce Access`. To create your own custom AD non-exportable security key certificate template, please follow these instructions.
`securityKeyPinCharacters`	`HYPRSECURITYKEYPINCHARS`	(Windows only) Set the valid characters for security key or smart-card PINs. Can be `Numeric`, `AlphaNumeric`, or `Any`. The default is `Numeric`. `AlphaNumeric` allows digits plus the ASCII letters 'A' through 'Z'. Both upper- and lowercase letters are allowed. PINs are case-sensitive, so letters must be entered the same way every time the PIN is used. `Any` allows any ASCII character from 0x21 to 0x7E. This includes letters, numbers, and punctuation characters, but excludes spaces. `AlphaNumeric` and `Any` are only available with Yubico security keys. Other keys only support numeric PINs.
`securityKeyPinComplexity`	`HYPRSECURITYKEYPINCOMPLEXITY`	Set the complexity required for security key or smart-card PINs. Can be `"basic"` or `"strict"`. The default is "basic". Choosing "basic" prevents using PINs containing "123456" or PINs consisting of repeated characters or character sequences (e.g., "111111" or "121212" or "123987"). See Using a Security Key for the complete rules on PIN Complexity.
`securityKeyPinMinimumLength`	`HYPRSECURITYKEYPINMINLENGTH`	(Windows only) Set the minimum length for security key or smart-card PINs. Can be `6`, `7`, or `8`. The default is 6. (The maximum length is always `8`.)
`securityKeyPinRetries`	`HYPRSECURITYKEYPINRETRIES`	(Windows only) Set the number of allowed PIN/PUK retries during security key or smart-card pairing if PIN is set. If value is empty, zero or a negative number, the number of retries is not set and the security key or smart-card's default apply. (The maximum value is always `255`.)
`securityKeyTouchPolicy`	`HYPRSECURITYKEYTOUCHPOLICY`	(Windows only) Set the YubiKey touch policy during security key pairing. If value is 3 ("Once"), a touch is required after the user enters the PIN. The default is 0 ("Never"). See Yubico's documentation for more details about the touch policy values and its behavior.
`smartCardPairing`	`HYPRSMARTCARDPAIRING`	(Windows only) Enables the pairing of smart-card devices. The default is 0 (disabled). Set to 1 to enable pairing a smart-card.
`supportURL`	`HYPRSUPPORTURL`	A URL to override the default Need Assistance? label. When clicked the default browser will be used to open the provided URL. Contact Support customizations are detailed in Contact Support.
`unlockAppName`	`HYPRUNLOCKAPPNAME`	(Windows only) The name that will be provided to the HYPR Passwordless client. Branding configuration options are described in Branding Customization
`userAccountCheck`	`HYPRUSERACCOUNTCHECK`	(Windows only) If enabled (value 1), HYPR Passwordless client will attempt to perform a certification revocation check during the login process. This is in addition to the native Windows revocation checks, and might impact the user experience by introducing additional delays. The equivalent registry setting is User Account Check.

Passwordless for Windows

Command Line Installation for Windows

You can use the msiexec command to deploy the HYPR Passwordless for Windows client without the displaying the installation UI. Note that if you're doing this manually at the command line you'll need to run from a command prompt that has administrative privileges.

You have two options for setting the necessary parameters:

Option 1

Define the installation parameters in a hypr.json configuration file located in the same folder as the HYPR Passwordless .msi file. (See Installation Parameters above.)
Run msiexec without any parameters:

msiexec.exe /qn /i WorkforceAccess_x64.msi

Option 2

Pass the installation parameters directly to msiexec on the command line. For example:

msiexec.exe /qn /i WorkforceAccess_x64.msi HYPRAPPID="HYPRDefaultWorkstationApplication"
HYPRRP="https://highlandsbank.gethypr.com/rp" HYPRSUPPORT="support@hb.com" HYPRHASH="LeM
8XnCIy8+Cxm+HKTEOBZr1g3D8odQNHTH+vdu7RWc=,5kJvNEMw0KjrCAu7eXY5HZdvyCS13BbA0VJG1RSP91w="
HYPRINSTALLTOKEN="0f03f635-4d9a-46ff-b537-cd97ad77cb6e" HYPRSUPPORT="support@hb.com"

HYPR Registry Keys

The installation process adds a HYPR key to the Windows Registry at the following location:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\HYPR Workforce Access

The contents of this registry key are required for normal functioning of the application and shouldn't normally be changed post-install. However, for troubleshooting purposes HYPR Support may ask you to review or modify some of the values.

Passwordless for macOS

Terminal Installation for macOS

You can use the installer command to deploy the HYPR Passwordless client for macOS without displaying the installation UI. Note that if you're doing this manually in a Terminal window you'll need to use sudo to grant the necessary privileges.

Define the installation parameters in a hypr.json configuration file located in the same folder as the HYPR Passwordless .pkg file. (See Installation Parameters above.)
Run the installer command as follows:

installer -pkg /path/to/WorkforceAccess-\<version\>-Installer.pkg -target /

The installer will prompt you for a password (if using sudo) and report on the status of the install. For example (replace <version> with the HYPR version):

ghopper@MacBook-Pro ~ % sudo installer -pkg /Users/gracehopper/Desktop/WorkforceAccess-
[<version>](http://google.com)-Installer.pkg -target /
Password:
installer: Package name is WorkforceAccess-<version>-Installer
installer: Upgrading at base path /
installer: The upgrade was successful.
installer: The install requires restarting now.
ghopper@MacBook-Pro ~ %

Restart the workstation when finished.

HYPR Application `.plist` Keys

The installation process stores a number of key values in an application .plist file in the following location:

/Library/HYPR/HyprOneService.plist

These keys are required for normal functioning of the application and shouldn't normally be changed post-install. However, for troubleshooting purposes HYPR Support may ask you to review or modify the values.

Configuration Parameters

Parameter	Description	Type	Example
`ApplicationId`	Name of your Application in the HYPR Control Center	Required	AcmeMacOSApp
`RelyingPartyPins`	SSL Pinning for the RP application	Required	[PIN value]
`RelyingPartyUrl`	URL of your HYPR tenant with added `/rp` path.	Required	https://acme.hypr.com/rp
`SupportEmail`	Email address of your support team managing the HYPR server.	Required	support@acme.com
`SupportURL`	URL to override the Need Assistance? label.	Optional	https://highlandsbank.gethypr.com/help
`SendLogsPrompt`	Name to override the Contact Support label.	Optional	"Contact Highlands Service Desk for help"
`ProtectLogs`	A Boolean parameter that controls access to the HYPR's logs folder. See Setting Log Access on macOS for a full description.	Optional	true
`CertificateAuthEnabled`	A Boolean parameter that enables/disables certificate-based authentication.	Optional	true
`CertificateTemplate`	Name of your Certificate Template in the Microsoft Security Authority. This is a required parameter if you're using the domain-joined computer.	Optional	AcmeMacOSUser
`CertificatePublishers`	A comma-separated a list of DNS names for the servers running the service that can generate certificates on behalf of the user. The HYPR Passwordless client will browse the AD forest if you omit this parameter, but if you have multiple servers deployed to manage the domain infrastructure it can take time to explore all of them. This corresponds to `certPublishers` described in Installation Parameters.	Optional	DNS1.ADDRESS.COM, DNS2.ADDRESS.COM
`CertificateAuthority`	The name of the publisher of the Active Directory. The HYPR Passwordless client will browse the AD forest if you omit this parameter, but if you have multiple servers deployed to manage the domain infrastructure it can take time to explore all of them. This corresponds to `certAuthority` described in Installation Parameters.	Optional	hypr-DEVW2012R9DOMXDC-CA
`AllowPasswordForPairedUsers`	Enables/Disables the password prompt at login for users who have previously paired using HYPR. Set to false to enforce passwordless login. Enabled (true) by default. This corresponds to `allowPasswordForPairedUsers` described in Installation Parameters. See Passwordless Enforcement for a full description.	Optional	true
`AllowPasswordUnlockForPairedUsers`	Enables/Disables the password prompt at unlock for users who have previously paired using HYPR. Set to false to enforce passwordless unlock. Enabled (true) by default. This corresponds to `allowPasswordUnlockForPairedUsers` described in Installation Parameters. See Passwordless Enforcement for a full description.	Optional	true
`SecurityKeyPinComplexity`	Set the complexity required for security key or smart-card PINs. Can be `"Basic"` or `"Strict"`. The default is "Basic". Choosing "Basic" prevents using PINs containing "123456" or PINs consisting of repeated characters or character sequences (e.g., "111111" or "121212" or "123987"). See Using a Security Key for the complete rules on PIN Complexity.	Optional	Basic

Manual Configuration

In a terminal, use sudo to edit /Library/HYPR/HyprOneService.plist via an editor (vi, nano, etc.).

Modify the file according to your configuration. It will appear similar to this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>ApplicationId</key>
	<string>hyprWindowsLogin</string>
	<key>LogLevel</key>
	<integer>5</integer>
	<key>QrCodeUrl</key>
	<string></string>
	<key>RelyingPartyPins</key>
	<string>g1eupqU9HGvXhObmQWABAKQXRYqKB/IziIWKgnn44IY=,LeM8XnCIy8+Cxm+HKTEOBZr1g3D8odQNHTH+vdu7RWc=,klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=,grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME=</string>
	<key>RelyingPartyUrl</key>
	<string>https://highlandsbank.hypr.com/rp</string>
	<key>SupportEmail</key>
	<string>support@hypr.com</string>
</dict>
</plist>

Update the ApplicationId, RelyingPartyUrl, RelyingPartyPins, and SupportEmail based on the current server configuration.
Reboot the computer to apply the changes.

Enterprise Deployment and Configuration

To deploy the HYPR Passwordless client in an enterprise, wrap a script around that installation package. The script installs the package and updates the HyprOneService.plist file of all affected users.

This can be achieved with a combination of the defaults and plutil commands.

Example

#! /bin/bash

PLIST_FILE=/Library/HYPR/HyprOneService.plist

# Install the HYPR Employee Access package.
installer -pkg EmployeeAccess-2.1-Installer.pkg

# Customize the configuration.
defaults write $PLIST_FILE ApplicationId "NAME OF YOUR APP IN CONTROL CENTER"
defaults write $PLIST_FILE RelyingPartyPins "<COMMA DELIMITED LIST OF PINS>"
defaults write $PLIST_FILE RelyingPartyUrl "https://CONTROL_CENTER_URL/rp"
defaults write $PLIST_FILE SupportEmail "SUPPORT EMAIL"

# Convert the configuration file to XML.
plutil -convert xml1 $PLIST_FILE

FileVault Configuration

Apple FileVault doesn't support the smart card authentication protocol, and it can only be unlocked with a user password. Still, there's an option to require HYPR authentication after the FileVault unlock to ensure that users are always using an MFA solution.

Disable the automatic login option of FileVault by executing the following command:

sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES

If this is disabled, users will be required to authenticate with HYPR Mobile App after entering the FileVault password.

See the article about Passwordless Enforcement for details on how to implement this feature in your environment.

Installation Parameters​

Passwordless for Windows​

Command Line Installation for Windows​

Option 1​

Option 2​

HYPR Registry Keys​

Passwordless for macOS​

Terminal Installation for macOS​

HYPR Application .plist Keys​

Configuration Parameters​

Manual Configuration​

Enterprise Deployment and Configuration​

FileVault Configuration​

Passwordless Enforcement for Unlock and Login​