Device registration


Once the Client profile has been added the user will be able to authenticate. The next (optional) step that happens is device registration.

Use the Identity Providers UI to manage device registration (MFA at sign in).

Device registration happens when a new device is encountered for the first time, at which point an on-boarding cookie is sent to the Client. The on-boarding cookie relates to both the user and the device.

Once it has been received, it is saved in the context being used at sign-in time. Normal Clients therefore save the cookie in the user space, while headless and Windows SSO Clients save it in the system space.

MFA at sign-in

Device registration is controlled through the use of MFA at sign-in time.

There are three modes available:

  1. Not required (automatically register all devices)

  2. Once (MFA required to register all new devices)
    Required to register any new device, as long as the new device registration count has not been exceeded

  3. Always (MFA required at every sign-in)
    Required whether a device has been registered or not, as long as the new device registration count has not been exceeded

If option 1 is configured this happens silently in the background. If option 2 or 3 is configured then the cookie is only sent AFTER a valid MFA has been entered by the user.

This on-boarding cookie is always presented at sign-in and if option 2 is configured then it is checked by the Controller and MUST match the original one sent before the sign-in can complete.

Removing the on-boarding cookie

It is possible to remove the on-boarding cookie from devices if required. This is where they are stored:  

  • Windows: In Credential Manager - look for  'OnBoardingCookie' in Generic Credentials

  • macOS: In Keychain - look for 'Appgate SDP Client' in internet passwords with Kind 'OnBoardingCookie...'

  • Linux: In ~/.local/share/appgatesdp-service/application.data

  • Android: In /AppGate/settings.xml: adb shell cat storage/self/primary/AppGate/settings.xml

Hazards with cloning Client instances

Because the on-boarding cookie relates to both the user and the device, there are some situations in which users can't on-board. This can affect single machines, but is most likely to be an issue when cloning Client instances, for example for VDI use.

Originally on-boarded        | Device                  | Current PC user | AppGate ZTNA user | Result
-----------------------------|-------------------------|-----------------|-------------------|-------------------------------------------------------------------
By PC user A                 | Original PC             | logged in as B  | signed in as A    | not OK - A has no access to cookie in B's user-space
no one (before clone)        | VM clone of original PC | logged in as A  | signed in as A    | OK in 1st clone ONLY (A has no access to cookie from other clones)
By PC user A (before clone)  | VM clone of original PC | logged in as A  | signed in as A    | OK on all clones (until the cookie changes on one of the clones)
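The sign-in behaviour described on this page (the three MFA-at-sign-in options, the cookie match required for option 2, the new device registration count, and user-space versus system-space storage) as an added Python model that reproduces the three table rows; this is illustrative code, not Appgate's own. The device names, the mode numbering, the registration limit of 3 and the random cookie format are assumptions.

```python
import secrets
from dataclasses import dataclass, field
NOT_REQUIRED, ONCE, ALWAYS = 1, 2, 3                 # the three MFA-at-sign-in options (assumed numbering)

@dataclass
class Controller:                                    # hypothetical model of the Controller's checks
    mode: int
    max_new_devices: int = 3                         # assumed value of the registration count limit
    cookies: dict = field(default_factory=dict)      # (ztna_user, device) -> cookie sent at on-boarding

    def sign_in(self, user, device, presented, mfa_ok):
        known = self.cookies.get((user, device))
        if known is not None:                        # device already on-boarded for this user
            if self.mode == ONCE and presented != known:
                return False, None                   # option 2: cookie MUST match the original
            if self.mode == ALWAYS and not mfa_ok:
                return False, None                   # option 3: MFA at every sign-in
            return True, known
        if sum(u == user for u, _ in self.cookies) >= self.max_new_devices:
            return False, None                       # new device registration count exceeded
        if self.mode != NOT_REQUIRED and not mfa_ok:
            return False, None                       # options 2/3: no cookie until a valid MFA
        cookie = self.cookies[(user, device)] = secrets.token_hex(16)
        return True, cookie                          # option 1 registers silently

@dataclass
class Client:
    device: str
    headless: bool = False                           # headless / Windows SSO Clients use system space
    store: dict = field(default_factory=dict)        # storage context (PC user or "system") -> cookie

    def sign_in(self, ctrl, pc_user, ztna_user, mfa_ok=False):
        ctx = "system" if self.headless else pc_user
        ok, cookie = ctrl.sign_in(ztna_user, self.device, self.store.get(ctx), mfa_ok)
        if ok:
            self.store[ctx] = cookie
        return ok

def clone(client):                                   # a VM clone copies the cookie storage as-is
    return Client(client.device, client.headless, dict(client.store))

def run_table_rows():
    """Reproduces the three table rows (mode Once); returns their sign-in outcomes."""
    ctrl, pc = Controller(ONCE), Client("original-pc")
    pc.sign_in(ctrl, "A", "A", mfa_ok=True)           # on-boarded by PC user A
    row1 = pc.sign_in(ctrl, "B", "A", mfa_ok=True)    # PC user B has no cookie in B's user space
    c1, c2 = clone(Client("vm-image")), clone(Client("vm-image"))  # cloned before anyone on-boarded
    row2 = (c1.sign_in(ctrl, "A", "A", True), c2.sign_in(ctrl, "A", "A", True))
    base = Client("vm-image-2"); base.sign_in(ctrl, "A", "A", True)  # A on-boards, then clones
    d1, d2 = clone(base), clone(base)
    row3 = (d1.sign_in(ctrl, "A", "A"), d2.sign_in(ctrl, "A", "A"))
    return row1, row2, row3                          # (False, (True, False), (True, True))
```

A headless Client (`headless=True`) keeps one cookie in the shared "system" context, so the row 1 user-space problem does not arise for it.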