EVO: FAQs
11/08/2024
Description
General
What happens if I change a user’s email address?
Rather than changing the email address on the user profile, add an alias. A changed email address is treated as a brand-new user that must be synced, which means the user will need to scan a new Evo QR code for authentication.
If a user has issues authenticating with EVO after an email address change, see: User cannot login after changing email – Evo Support (evosecurity.com)
Can a user’s username be different from their email address?
Yes!
On-Prem AD: In an on-prem AD environment where users have a username that differs from their email address:
- Evo syncs both the AD username and the email address, and keeps them on the system along with the first name and last name.
- When a user logs in to an AD-joined PC (with the EVO agent installed), they have to use their username, which is the same way they log in without the Evo agent installed.
- If a user wants to log in to the Evo portal (to get a QR code), they have to use their email address.
Azure AD: In an AAD-only environment, Evo only uses the UPN (synced from AAD) and puts that in the email section in the Evo portal. Evo does not capture the email from AAD, so the email in AAD can be different from the UPN.
This means that:
- Users will use their UPN to log in to the EVO portal or SSO/SAML applications, websites, etc. integrated with EVO.
- When you need to send a welcome email, QR code, password reset, etc., you will need to enter the user's AAD email using the Send to an alternate email address option.
Does EVO Support Aliases?
YES! Your users can use an alias in order to authenticate and log in via Secure Login, SAML, & VPN (RADIUS). Elevated Access & EVO Portal Logins do not support Alias login.
For more information, see: Custom Aliases – Evo Support (evosecurity.com)
How Do I Update EVO Software?
There are a couple of ways a user can update their Evo software (the LDAP agent and/or the Evo Credential Provider):
- Scripting
- Manually downloading/updating
For instructions on updating EVO software, see: How do I update Evo software? – Evo Support (evosecurity.com)
What if I forget my Security Questions?
Your keys are lost to the abyss…
Actually, you can reset those for users so that they can create new ones. For more information, see: Reset Security Questions and Answers – Evo Support (evosecurity.com)
EVO Portal
What is the End User Portal?
If your user type has been set as User, you will be logged into the user web portal for your organization's instance of Evo. The user web portal is limited to scanning the QR code to pair a new device with Evo and the Evo Secure Login application.
SAML/SSO Integration
- EVO does not support ACS (Reply) URLs or Custom Identifiers (Entity IDs). If your website/console/portal/etc. requires these, you will not be able to integrate it with EVO at the moment.
- When testing SAML integrations, have at least 2 separate browser windows open inside of the environment of the 3rd party application you are testing. NEVER use only one session. If the SAML integration is configured incorrectly, you can lock yourself out of that 3rd party application.
General/Other
Is your favorite 3rd party app not listed as a tile? No worries! Multi-factor authentication (MFA) is possible with Evo and your SAML supported web applications. Not all options will be used, so please refer to your 3rd party web-app to see which will be needed.
Office/Microsoft 365 Integration
You can use Evo as your Identity Provider for your Office 365 domain; however, there are a few pre-requisites you must have in place as well as a few things to keep in mind:
- You need to have access to an admin account within your Office 365 domain.
- The environment must use AD (Active Directory) or AD FS (Active Directory Federation Services).
- Only synced users can successfully authenticate. They must reside within the AD.
CRITICAL THINGS TO REMEMBER
- Once you federate your domain, you will immediately begin using Evo Security as your identity provider.
- After federation, you can no longer create new users using Azure AD; you will need to use Active Directory.
- MFA will be applied to ALL users. This includes Global Admins, Normal Users, Service Accounts, etc.
- Users cannot be excluded from 365 domain federation because all accounts with the domain suffix will become federated accounts once the domain is converted to a federated one.
- If you have not configured your users into Evo, please do so before attempting this as you can lock yourself out of your Office 365 environment.
If you have 365 users/accounts that cannot have MFA enabled, such as service accounts, it is recommended to use Microsoft’s built-in MFA policies in order to exclude these users.
To start your Office 365 Integration with EVO:
- Ensure you have the above pre-requisites in place.
- Be familiar with Microsoft’s process on using a SAML 2.0 Identity Provider (IdP) for Single Sign On with 365, see: Azure AD Connect: Use a SAML 2.0 Identity Provider for Single Sign On - Azure - Microsoft Entra | Microsoft Learn
- To integrate your Office 365 with Evo (SAML), see: Federating Office 365 with Evo (SAML) – Evo Support (evosecurity.com)
Are there any Unsupported Programs?
SSO/SAML integrations for the following programs/applications are not currently supported by EVO due to SAML compatibility issues.
- Teramind (SaaS & On-Prem)
- Ninja RMM
- Cylance Console
- ConnectWise Home
RADIUS
RADIUS authentication can be used for integration with devices that don’t support SAML/SSO. To get started:
Setting up RADIUS Authentication with EVO
Prerequisite:
If you haven't done so already, please create an SSO Reset Frequency Rule. For more information, see: How do I add a rule for single sign-on (SSO) expiration? – Evo Support (evosecurity.com)
- Submitting the RADIUS Server request
  - From the left nav menu, select My Company. Alternatively, select Customers and choose a customer from the list.
  - Select Applications from the left nav menu.
  - Click the RADIUS Server card.
  - Complete all of the fields on the page:
    - Select a directory: This is the directory that the RADIUS Server will auth against.
    - Create a Server Name: This is a friendly name for the config in Evo.
    - Enter IP Address: This is the public IP where the auth requests will come from.
    - Create a Shared Secret: This is the secret needed to auth against the RADIUS Server. Save this for later when you are configuring your platform for RADIUS auth.
  - Click Submit Request to Evo.
  - Once submitted, this request will be completed within 2 business days.
- Configuring RADIUS Server authentication
  - Choose the option for RADIUS authentication in the platform you are intending to use.
  - Use the server and port provided in the completed RADIUS Server request response.
  - Provide the shared secret entered at the time of the RADIUS Server request.
  - Test the authentication with a known credential in the directory chosen in the RADIUS request.
- No Access to push notifications? No problem!
  - If you are using RADIUS with AD-Synced accounts, and there is no support for push notifications, use the following:
    - Username: the user's user principal name
    - Password: use the format password,totpcode where password is the user's password and totpcode is the 6-digit TOTP code
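An added example (not Evo's code) for the no-push RADIUS login format above: it computes an RFC 6238 TOTP code and builds the password,totpcode field for the authentication test step. HMAC-SHA-1, the 30-second step, the base32 secret and the split on the last comma are assumptions; the page states only the field format and the 6-digit code.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample values (RFC 6238 test secret, not a real credential).
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SAMPLE_PASSWORD = "Corr,ect-Horse9"  # contains a comma on purpose


def totp(secret_b32, now=None, step=30, digits=6):
    """RFC 6238 TOTP. HMAC-SHA-1 and a 30 s step are assumed defaults."""
    key = base64.b32decode(secret_b32.upper())
    counter = int(time.time() if now is None else now) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def is_six_digit_code(code):
    return len(code) == 6 and code.isascii() and code.isdigit()


def radius_password(password, code):
    """Build the RADIUS password field as password,totpcode."""
    if not is_six_digit_code(code):
        raise ValueError("TOTP code must be exactly 6 digits")
    return f"{password},{code}"


def split_radius_password(field):
    """Hypothetical verifier-side split: use the LAST comma so that
    passwords containing commas stay intact (assumption, not Evo's parser)."""
    password, sep, code = field.rpartition(",")
    if not sep or not is_six_digit_code(code):
        raise ValueError("expected password,totpcode")
    return password, code


if __name__ == "__main__":
    code = totp(SAMPLE_SECRET_B32)
    field = radius_password(SAMPLE_PASSWORD, code)
    print("current code:", code)
    print("field parses back to the same code:",
          split_radius_password(field)[1] == code)
```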
Windows EVO Credential Provider (ECP)
Do I have to Disable Windows Hello?
Windows Hello and PIN must be disabled on any machine that Evo Security will be installed on. We are working to find the best way to integrate Windows Hello, but there is no ETA at this time.
Please verify this has been disabled prior to your Evo install; otherwise, the user may be locked out with no way to log back into the machine.
MFA Grace Period
The Evo Credential Provider offers an option for an MFA Grace Period, basically to delay MFA. This is designed and implemented for when a user locks their screen, not for when they log out. Locking your screen with a grace period active will allow you to unlock that screen and not have to MFA. However, if you log out, you will need to MFA regardless.
The Grace Period takes into account the time between MFAs. If you set your MFA grace period to 5 minutes, but have been logged in (from an MFA) longer than this period, once you lock your screen, you will need to MFA again.
Hard Keys
Does Evo Support Hardware Keys?
EVO supports hardware keys that generate a token (not biometric based) or a One-Time Password (OTP). More precisely, it supports hardware keys that are either TOTP or HOTP based. For more information, see: Does Evo Support Hardware Keys? – Evo Support (evosecurity.com)
Does Having a Hardware Key Affect E-Mail OTP or Mobile Push Notifications?
Yes. If a hardware key is attached to an EVO user, the mobile app push/notification will still work (they will both occur at the same time). However, the E-mail OTP only exists (and gets sent) if no hardware key or mobile device is attached to the user, sort of like a fallback/failsafe form of MFA.
Directories
Should I Sync All Users?
No! Have security groups set up with users in them that you wish to sync over via Active Directory (Azure or On-Premise). Ensure that the users have a unique email address. DO NOT try to sync users without an email address, or with a non-unique email address.
Can I install the On-Prem AD Sync Agent on Multiple Servers?
Not at this time. This has been added as a feature request.
Azure Active Directory (AAD)
If you experience issues getting users to sync from AAD to EVO, see: Azure users not syncing to Evo – Evo Support (evosecurity.com)
On-Prem Active Directory
If you experience issues with your On-Prem AD sync to EVO, see: How do I troubleshoot issues with the Evo LDAP Agent? – Evo Support (evosecurity.com)
Elevated Access
Do I Need both Licenses for EA Functionality?
Yes. All users still need the basic MFA license as it is required for basic EVO functionality. The EA license is essentially an add-on that enables EA functionality.
How Do I Log In/Authenticate Using a Shared/EA Account?
Logging In with a shared account
- At the login screen or Windows User Access Control prompt, select the Elevated Login box.
- Enter your EVO email address and password.
- After approving the mobile push, select the account you would like to log in with.
EVO Secure Login Mobile App
How do I Download the Mobile App?
For information on installing & configuring the EVO Secure Login Mobile App: Evo Secure Login mobile app
How do I Use the Mobile App?
For information on using the EVO Secure Login Mobile App: How to use the Evo Secure Login mobile app