Logon policies

The logon policy applies to every logon agent that is configured on the Applications tab in SafeNet Trusted Access (STA). The logon policy does not apply to versions of the SafeNet Agent for Windows Logon that are not configured on the Applications tab. The logon policy has no effect until a logon agent is configured on the Applications tab and then deployed.

The logon policy is evaluated only when the user's machine is running the logon agent. It allows you to specify whether the user must provide their one-time password (OTP) on the lock screen.

If there is a machine that is shared by users from multiple virtual servers, you can share the Windows Logon agent from a parent virtual server to child virtual servers. In that case, the logon policy from the parent applies to the virtual servers that the agent is shared with.

Configure the global logon policy

By default, the global logon policy applies to all users and to every SafeNet Agent for Windows Logon that is configured on the Applications tab. This means that the logon policy applies to every machine that is running the SafeNet Agent for Windows Logon.

You can configure whether the user must provide their OTP for re-authentication.

  1. On the STA Access Management console, select the Policies tab.

  2. Select the Logon tab.


  3. If this is your first time accessing the Logon policies tab, select Set Your Global Logon Policy.

    After you save the global logon policy, this prompt no longer displays.


  4. If the Set Your Global Logon Policy prompt doesn't display, on the Global Logon Policy for STA, select Edit.


    By default, the global logon policy for STA applies to all users and all logon agents. When a logon or unlock attempt occurs, access is granted only after the user authenticates with both the domain password and the OTP. Only the options under OTP for logon and OTP for unlock are configurable.


  5. Under Authentication Methods, select the requirements for authenticating with OTP for logon:

    • Every access attempt: Prompt users for their OTP every time they log on.

    • Once every <amount of time>: After the selected amount of time passes, prompt users for their OTP. STA supports periods of: 1, 2, 3, or 8 hours; 1, 2, or 3 days; or 1 week.

  6. To require an OTP at unlock, under Authentication Methods, select the OTP for unlock check box, and then select requirements for authenticating:

    • Every access attempt: Prompt users for their OTP every time they unlock their machine.

    • Once every <amount of time>: After the selected amount of time passes, prompt users for their OTP. STA supports periods of: 1, 2, 3, or 8 hours; 1, 2, or 3 days; or 1 week.

  7. Select Save.

  8. On the Congratulations screen, select I'm Done.


    The logon policy has no effect until SafeNet Agent for Windows Logon is configured on the Applications tab and then deployed.

  9. To configure SafeNet Agent for Windows Logon, select the Applications tab and add an agent.

    Specify the IP addresses to synchronize with the policy or configure the SafeNet Agent for Windows Logon.

Specify IP addresses

The SafeNet Agent for Windows Logon enables you to base the unlock policy on the location of the user by using network conditions to define the IP addresses that are valid for the user. The network condition checks whether the access attempt originates inside or outside the IP address ranges that you specify.

The re-authentication time for Windows unlock is determined by the public IP range that is specified in the policy. Because the check uses the public (egress) address of the access request, all machines behind the same NAT gateway appear to originate from the same address, so size the ranges accordingly. After the re-authentication time expires, users who are enabled with this policy are prompted for an OTP.

  1. Below the Global Logon Policy for STA, select Add Scenario.


  2. In the Conditions section, ensure that the IP Address condition is selected and expanded.


  3. Select one of the following options:

    • Inside these networks: Checks whether the access request originates from an IP address that is included in the network.

    • Outside these networks: Checks whether the access request originates from an IP address that is not included in the network.

  4. In the text box, enter each IP address or IP address range on a new line, and use these formats:

    • Single IP address: 1.1.1.1

    • Range of IP addresses: 1.1.1.1-1.1.1.255

  5. Select Save.

To configure SafeNet Agent for Windows Logon, select the Applications tab and add an agent.
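The following is an added model of how the settings above combine, written for this page and not Thales code: it parses the scenario text box format (one single address or one inclusive start-end range per line), evaluates an Inside/Outside network condition against the request's public IP, and applies an OTP re-authentication period chosen from the values the console offers. The function and key names, and the assumption that a matching scenario's unlock period overrides the global one, are this example's own; the sample addresses and timestamps are constructed.

```python
"""Model of an STA logon policy decision: added illustration, not Thales code.
Names and the scenario-override behaviour are assumptions drawn from the page."""
import ipaddress
from datetime import datetime, timedelta

# "Once every <amount of time>" choices offered by the console, in hours;
# "every" stands for "Every access attempt" and always prompts.
PERIODS = {"every": 0, "1h": 1, "2h": 2, "3h": 3, "8h": 8,
           "1d": 24, "2d": 48, "3d": 72, "1w": 168}


def parse_ip_list(text):
    """Parse the scenario text box: one entry per line, either a single
    address (1.1.1.1) or an inclusive range (1.1.1.1-1.1.1.255)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "-" in line:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
            if hi < lo:
                raise ValueError(f"range end precedes start: {line}")
        else:
            lo = hi = ipaddress.ip_address(line)
        entries.append((lo, hi))
    return entries


def in_networks(addr, entries):
    """True if addr falls inside any listed address or range."""
    a = ipaddress.ip_address(addr)
    return any(lo <= a <= hi for lo, hi in entries)


def condition_matches(mode, addr, entries):
    """Evaluate an 'Inside these networks' / 'Outside these networks' condition."""
    if mode not in ("inside", "outside"):
        raise ValueError(f"unknown condition mode: {mode}")
    return in_networks(addr, entries) == (mode == "inside")


def otp_required(period, last_otp_iso, now_iso):
    """Does the period demand a fresh OTP? last_otp_iso is None when the
    user has never entered one on this machine."""
    hours = PERIODS[period]
    if hours == 0 or last_otp_iso is None:
        return True
    elapsed = datetime.fromisoformat(now_iso) - datetime.fromisoformat(last_otp_iso)
    return elapsed >= timedelta(hours=hours)


def unlock_decision(global_period, scenarios, public_ip, last_otp_iso, now_iso):
    """Pick the first scenario whose IP condition matches (assumption: a
    matching scenario's unlock period overrides the global one), then apply
    that period. Returns (period_used, prompt_for_otp)."""
    period = global_period
    for sc in scenarios:
        if condition_matches(sc["mode"], public_ip, sc["entries"]):
            period = sc["unlock_period"]
            break
    return period, otp_required(period, last_otp_iso, now_iso)


if __name__ == "__main__":
    # Constructed sample: the office egress range gets a relaxed unlock period,
    # every other address falls back to the global "every attempt" setting.
    office = {"mode": "inside",
              "entries": parse_ip_list("203.0.113.10\n198.51.100.0-198.51.100.255"),
              "unlock_period": "8h"}
    for ip in ("198.51.100.42", "192.0.2.7"):
        print(ip, unlock_decision("every", [office], ip,
                                  "2024-05-01T09:00:00", "2024-05-01T12:00:00"))
```

Run it to see an unlock from inside the office range three hours after the last OTP go through without a prompt, while the same unlock from an outside address is prompted every time; the range check is inclusive at both ends, which matters when a range is written to end at .255.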