Requirements
When you download HYPR Passwordless from the Control Center, you can choose either a Quick install or an Advanced install. The HYPR features you can access and the requirements for running the HYPR Passwordless client vary depending on which option you choose.
Requirements for a Quick Install
To perform a Quick Install, you'll need the following:
-
A workstation with a supported version of Windows or macOS (see Supported Platforms)
-
Your local workstation account must have admin privileges so you can install the HYPR Passwordless client
-
Your workstation must not be joined to an Active Directory domain. If you're using AD, please request an Advanced install instead.
Available Features
If you choose the Quick install, you'll have access to the following HYPR features:
Lock and Unlock
Basic and remote workstation unlocking and locking functionality.
Offline Mode
Unlock when the workstation has no internet connection.
Recovery Mode
Admin-supplied emergency use PINs for unlocking the workstation when the user's mobile device is unavailable.
Requirements for an Advanced Install
For an Advanced install, the workstation must be joined to a domain with Active Directory Certificate Services (AD CS) deployed on Windows Server 2008 R2 or above. For information about installing and configuring AD CS, please see the Microsoft Windows Server documentation.
If you choose Advanced during the onboarding, HYPR Support will contact you and assist with the steps required to correctly configure Active Directory.
To perform an Advanced install, you'll need the following:
-
A workstation with a supported version of Windows or macOS (see Supported Platforms)
-
Your local workstation account must have admin privileges so you can install the HYPR Passwordless client
-
Your workstation must be joined to a domain with Active Directory Certificate Services (AD CS) deployed (see note above)
-
You'll need an account with access to the Windows server performing the Certificate Authority role so you can create the necessary custom HYPR custom certificate template
Additional configuration:
-
Make sure there are no credential provider filters active on the workstation
-
Whitelist HYPR with any endpoint security applications installed on the workstation
-
Whitelist the HYPR Tenant URL on any outbound proxy or firewall rules (web socket over TCP 443)
Available Features
If you choose the Advanced install, you'll have access to the following HYPR features:
Lock and Unlock
Basic and remote workstation unlocking and locking functionality.
Offline Mode
Unlock when the workstation has no internet connection.
Recovery Mode
Admin-supplied emergency use PINs for unlocking the workstation when the user's mobile device is unavailable.
RDP Login
Passwordless access to remote desktop machines. Windows only
Roaming Users
Access any workstation in the domain by scanning a QR code on the login screen. Windows only
Passwordless Run-As
Passwordless escalation of admin privileges for a domain user account. Windows only
Security Key Support
Unlock the workstation using a security key or smart-card instead of the HYPR Mobile App.
Security Key Recovery Mode Admin-supplied emergency use PINs for unlocking the workstation when the user's security key or smart-card is unavailable.
Security Key Requirements
Security keys or smart-cards must be equipped with PIV functionality to function fully with the HYPR Passwordless client. Devices that only have FIDO2 functionality are not supported for loggin into the desktop.
HYPR supports the following keys:
- YubiKey 5 Series with firmware 5.X
- YubiKey Bio Series Multi-protocol Edition
- IDEMIA ID-One on Cosmo 8.2
- Feitian K9 Plus and K40 Plus and its offshoots
Non-exportable Private Keys (Windows Only)
The HYPR Passwordless client, by default, requires users' login certificates to have an exportable private key. This is necessary to support different use cases, including offline and recovery. However, this requirement does not apply to security keys or smart-cards, which do not have this dependency. To provide greater flexibility and security, administrators can configure an additional certificate template designed specifically for non-exportable private keys for security key or smart-card pairings. In this case, the private key is generated on the device and never leaves its trusted execution environment.
Mobile Pairings
HYPR exports the private key and certificate for storage on the mobile device. It also stores the user's certificate locally in an encrypted fashion for subsequent desktop logins. Additionally, HYPR utilizes this feature when automatically updating user certificates.
Security Key Pairings
When using security keys or smart-cards, HYPR does not require the user's login certificate to be exportable. Instead, the private key can be generated on the security key or smart-card itself and never exposed to the workstaion.
Additional Configuration for Non-Exportable Private Keys
To use non-exportable private keys with security key or smart-card pairings, you'll need to:
- Define a custom certificate template in your Active Directory server. See Creating a Custom Certificate Template for instructions on making the certificate template.
- Specify the template's value as a configurable parameter during install (either in
hypr.jsonor as a configurable.msiparameter). See Installing Manually for parameter definitions and how to deploy with them.
If the administrator has configured non-exportable private keys, the user won't be able to use Security Key Recovery Mode.
Considerations
Planning
Review the Active Directory (AD) domain environment. Determine if your workstations are domain-joined.
If workstations are domain joined, review the above Requirements. Otherwise, continue with Execution, below.
Execution
-
Configure a custom certificate template.
-
Install the HYPR Mobile App:
-
Consider any Mobile Device Management (MDM) requirements
HYPR Passwordless for Windows
-
Download the
.msifile: Desktop Client Installer. -
Install and Configure: Installing with the UI.
-
Verify the Smart Card Authentication service is enabled on affected workstations.
-
Test the following:
-
HYPR Mobile App enrollment
-
HYPR Mobile App unlock
-
HYPR Mobile App lock
-
-
Perform additional testing, if necessary:
-
Security key/smart-card enrollment
-
Security key/smart-card unlock
-
Offline PIN unlock
-
Recovery PIN unlock
-
Security key/smart-card recovery
-
-
Configure MDM for HYPR Passwordless distribution.
-
Once installation is verified, set up your MDM to distribute the HYPR Passwordless client to your employees' workstations. See Command Line Installation for Windows.
You are ready for the HYPR Passwordless experience!
HYPR Passwordless for Mac
-
Download the
.pkgfile: Desktop Client Installer. -
Install and Configure: Installing with the UI.
-
Test the following:
-
HYPR Mobile App enrollment
-
HYPR Mobile App unlock
-
HYPR Mobile App lock
-
-
Perform additional testing, if necessary:
-
Offline PIN unlock
-
Recovery PIN unlock
-
-
Configure MDM for HYPR Passwordless distribution.
-
Once installation is verified, set up your MDM to distribute the HYPR Passwordless client to your employees' workstations.
See Terminal Installation for macOS.
You are ready for the HYPR Passwordless experience!