Enabling and Disabling MFA on GuardPoints
In Multifactor Authentication (MFA), access to the requested data is granted only after the requester satisfies two or more authentication criteria.
Note
MFA is applicable to the MFA-capable CTE for Windows clients.
After you have configured MFA, you can enable it for individual clients and GuardPoints at the client and client group levels.
GuardPoint-level MFA can be enabled at the time of GuardPoint creation. Also, you can enable or disable it later.
GuardPoints on Clients
When MFA is disabled at the client level, you can enable MFA for individual GuardPoints on clients. In this case, the CTE Agent processes the MFA configuration of individual GuardPoints. However, if client-level MFA is enabled, the MFA configuration of the client takes priority.
GuardPoints on Client Groups
MFA cannot be enabled at the client group level. However, you can enable MFA for individual GuardPoints on client groups.
While propagating the MFA-enabled GuardPoints to the member clients, the CTE service on the CipherTrust Manager checks the MFA capability on the member clients. If a client is MFA-capable, the GuardPoints are added to the client. If a client is not MFA-capable, the GuardPoints are skipped.
Note
After GuardPoints are propagated to the member clients, the MFA configuration specified in the profiles associated with the member clients is used to send the security configuration to the CTE Agent.
Therefore, if the profiles of a client group and its member clients are different, the profiles of the member clients are used.
Enabling MFA on GuardPoints
MFA for individual GuardPoints can only be enabled when the client-level MFA is disabled.
To enable MFA on a GuardPoint:
Open the Transparent Encryption application.
Select the client or client group on which you want to enable the GuardPoint.
Click a client under the Client Name column (Clients > Clients).
Click a client group under the Client Group Name column (Clients > Client Groups).
On the GuardPoints tab, turn ON the Multifactor Authentication toggle corresponding to the desired GuardPoint.
MFA is enabled on the selected GuardPoint.
Disabling MFA on GuardPoints
MFA can't be disabled on individual GuardPoints of a client if MFA is enabled at the client level. Before proceeding with disabling MFA for individual GuardPoints, make sure that MFA is disabled on the client. Refer to Enabling or Disabling MFA on Client Level for details.
MFA enabled on the GuardPoints created on client groups can be disabled directly.
To disable MFA at GuardPoint:
Open the Transparent Encryption application.
Select the client or client group on which you want to disable the GuardPoint.
Click a client under the Client Name column (Clients > Clients).
Click a client group under the Client Group Name column (Clients > Client Groups).
On the GuardPoints tab, click the expand icon () corresponding to the desired GuardPoint.
Clear Multifactor Authentication.
Click Apply.
MFA is disabled at the GuardPoint level.