Shared authenticators on Windows
SafeNet MobilePASS+ tokens can be managed and accessed by multiple users in Windows 10. You control which tokens can be accessed, and by whom, by setting permissions on the token files with Windows file management.
This feature applies to new tokens that are created in exe- or msi-based installations of SafeNet MobilePASS+ for Windows 10.
Authenticator sorting
When using shared authenticators within SafeNet MobilePASS+, authenticators are by default sorted alphabetically when users launch the app.
Enable shared authenticators
-
Before installing the SafeNet MobilePASS+ app, enable the group policy that allows data sharing among Windows users.
Alternatively, create a REG_DWORD parameter named AllowSharedLocalAppData, with a value of 1, under:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager
-
During the SafeNet MobilePASS+ setup, select Multiple users to install a SafeNet MobilePASS+ token for sharing.
After selecting Multiple users, the app data is stored in the following shared location:
C:\ProgramData\Microsoft\Windows\AppRepository\Families\05EB1CFA.SafeNetMobilePASS_bnm8hg3x9na9j\SharedLocal
-
Open SafeNet MobilePASS+.
You will be prompted for permission to fetch account information to uniquely identify the user.
-
Select Yes to continue.
After installation, when a token is enrolled, a .dat file named after the token serial number is created in the shared location.
-
Use Windows file rights management to grant other users on that machine access to that .dat file (token).
If the policy is disabled, or the .dat file is not accessible to the user, an error message is displayed.
Virtual machines are supported. If the hardware of the host on which the VM runs changes, or the VM is moved to another host, the tokens no longer work. If a VM is cloned on the same host, the tokens remain accessible.
Manage user permissions for shared authenticators
-
Open SafeNet MobilePASS+.
-
Enroll a token.
-
Go to the TokensPermissions folder in the shared app data location to view the .dat file named after the token's serial number.
By default, these files are accessible to every user on the system.
-
Restrict access to these files by removing all users and groups that should not have access. Repeat this step for all of the token .dat files.
-
Right-click a token .dat file and select Properties > Security > Advanced > Permissions.
-
In the permission entries table, select Everyone and then select Disable inheritance.
-
Select Convert inherited permissions into explicit permissions on this object.
-
In the permission entries table, select Everyone again.
-
Select Edit > Clear all permissions and then select OK.
This blocks everyone on the system from accessing this token file. Next, add the users whom you want to have access.
-
Right-click the token .dat file and select Properties > Security > Edit.
-
To change the permissions, select Add user, select the user in the Select Users or Groups dialog, and then select OK.
-
Select the permissions that are appropriate for the user and then select OK.
Permission       Capabilities
Full control     View, rename, and delete authenticator. Enable biometrics. Share and download log files. Change PIN.
Modify           View and rename authenticator. Enable biometrics. Share and download log files.
Read & execute   View and rename authenticator. Enable biometrics.
Read             View authenticator. Enable biometrics. Share and download log files.
Write            View and rename authenticator.

The example that follows shows the options selected for a user granted full control.
The example that follows shows the settings that display in the SafeNet MobilePASS+ app for a user granted full control.
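The following PowerShell script is an added example and is not part of the SafeNet MobilePASS+ documentation or product. It scripts the registry step from "Enable shared authenticators" and the .dat file permission steps from "Manage user permissions for shared authenticators" (disable inheritance, clear the Everyone entry, add an explicit allow list), and then checks that no broad group still has access. The account names, the function names, the TokensPermissions subfolder path and the token serial number are assumptions; only the registry key, value name and shared folder come from the page.

```powershell
#Requires -RunAsAdministrator
# Added example (not SafeNet's code). Assumed: account names, function names,
# and that $tokenFile points at an existing <serial>.dat in the shared folder.
$ErrorActionPreference = 'Stop'

# Step 1: the REG_DWORD named on the page, under the key the page gives.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager'
if (-not (Test-Path -Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}
New-ItemProperty -Path $policyKey -Name 'AllowSharedLocalAppData' -PropertyType DWord -Value 1 -Force | Out-Null

# Step 2: replace the inherited access on a token file with an explicit allow list.
# $Grants maps account -> FileSystemRights name (FullControl, Modify,
# ReadAndExecute, Read, Write), matching the rows of the permission table above.
function Set-TokenFileAccess {
    param(
        [Parameter(Mandatory)] [string]    $TokenFile,
        [Parameter(Mandatory)] [hashtable] $Grants
    )
    $acl = Get-Acl -Path $TokenFile

    # "Disable inheritance": protect the DACL and drop the inherited entries.
    # The GUI route (convert to explicit, then "Clear all permissions") ends in
    # the same state: no entries at all until we add ours.
    $acl.SetAccessRuleProtection($true, $false)

    # Remove any explicit (non-inherited) entries already present on the file.
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void] $acl.RemoveAccessRule($rule)
    }

    # One Allow entry per account, with the right named in the table.
    foreach ($account in $Grants.Keys) {
        $rights = [System.Security.AccessControl.FileSystemRights] $Grants[$account]
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($account, $rights, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $TokenFile -AclObject $acl
}

# Verification: show the resulting entries and warn if a broad principal or
# inheritance survived, which is the condition under which every user on the
# machine could still open the token.
function Test-TokenFileAccess {
    param([Parameter(Mandatory)] [string] $TokenFile)
    $acl = Get-Acl -Path $TokenFile
    $acl.Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize

    $broadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    $broad = $acl.Access | Where-Object { $_.IdentityReference.Value -in $broadGroups }
    if ($broad) {
        Write-Warning "$TokenFile is still accessible to: $($broad.IdentityReference.Value -join ', ')"
    }
    if (-not $acl.AreAccessRulesProtected) {
        Write-Warning "$TokenFile still inherits permissions from $(Split-Path -Path $TokenFile)"
    }
}

# Usage with constructed values: a token file named after a hypothetical serial number.
$sharedDir = 'C:\ProgramData\Microsoft\Windows\AppRepository\Families\05EB1CFA.SafeNetMobilePASS_bnm8hg3x9na9j\SharedLocal'
$tokenFile = Join-Path -Path $sharedDir -ChildPath 'TokensPermissions\1234567890.dat'

Set-TokenFileAccess -TokenFile $tokenFile -Grants @{
    'CONTOSO\alice' = 'FullControl'   # view, rename, delete, change PIN
    'CONTOSO\bob'   = 'Read'          # view only
}
Test-TokenFileAccess -TokenFile $tokenFile
```

Run the script from an elevated PowerShell session, because Set-Acl on a file under C:\ProgramData requires administrative rights. The verification function is the part worth keeping in an audit script: a token file whose DACL still inherits from the shared folder, or still lists Everyone or Users, is readable by every account on the machine, which is exactly the default state the page tells you to change.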