EVO: Partner Deployment Guide

11/08/2024 0 People found this article helpful 40,280 Views

Description

IMPORTANT

• Documents here contain information on how to complete an EVO Implementation for a customer.
• This guide is meant to serve as a guide with examples ONLY that you can tailor to fit your needs. 

1. Prerequisites
   1. Please ensure that you have met all of the prerequisites listed here: EVO Prerequisites
2. Firewall and Network Requirements
   1. Please ensure that you have all of the Firewall and Network Requirements in place prior to deploying EVO as outlined here: EVO Firewall and Network Requirements
3. Evo System Requirements
   1. Please review the minimum system requirements as outlined here: Evo System Requirements
4. Supported Operating Systems and Architecture
   1. EVO is supported on the operating systems and architecture outlined here: EVO Supported Operating Systems and Architecture

Step 1. Assigning Licenses

The first step we need to do it to assign the available licenses to the customer (tenant).

1. Expand the below section to see instructions on how to assign licenses to a customer (tenant):

How to Assign Licenses to a customer (tenant)

1. Click your name from the top navigation bar.
2. Click Billing & Licenses.

3. Click the Edit Allocation button for the customer (tenant) that you want to add/remove licenses to/from.

4. Update the number of licenses.

5. Click Allocate.

6. If the number of licenses were increased, click I’ll do it later.

Step 2. Directory Setup

The next thing we need to do is setup a directory so that we can sync users to EVO.

1. To setup a directory, expand the applicable section below for instructions:

Azure Active Directory

How to sync EVO wtih Azure Active Directory

Evo Security syncs with active directory (AD) via Microsoft 365 Azure Active Directory service. The service will complete a scan once every 10-minutes, to confirm if there are changes to the users or any new users to be synced to your instance of Evo. The only user details that are synced are first name, last name, and email address. Passwords remain managed by your systems.  

Requirements:

• Organization configured for Microsoft Azure Active Directory.
• You have admin access to the organizations Microsoft Azure Active Directory.
• All users have been created under Microsoft Azure Active Directory.
• All users have a unique email address, specific to their user.
• All users are a member of a group to be synced.
  • It is recommended that all users that will be synced to EVO are put in a Security Group and only that group is synced with EVO.

1. To setup a new directory that syncs to the customer’s Azure AD, follow this KB: Sync with Azure Active Directory (AD) – Evo Support (evosecurity.com)

LDAP/On-Prem Active Directory

How to sync EVO wtih LDAP/On-Prem Active Directory

Evo Security syncs with on-premise active directory via a LDAPs (Secure Lightweight Directory Application Protocol) service. The service will complete a scan once every 10-minutes, to confirm if there are changes to the users or any new users to be synced to your instance of Evo. The only user details that are synced are first name, last name, and email address. Passwords remain managed by your systems.

Requirements:

• Active Directory has been setup on a server of Windows Server 2012r2 or higher.
• .NET Framework 4.7.2 (or higher) has been installed on the server.
• All users have been created under the Active Directory.
• All users have a unique email address, specific to their user.
• All users are a member of a group to be synced.
  • It is recommended that all users that will be synced to EVO are put in a Security Group and only that group is synced with EVO.

1. To setup a new directory that syncs to the customer’s LDAP/On-Premise AD, follow this KB: Sync with On-Prem Active Directory (LDAP) – Evo Support (evosecurity.com)

Google Workspace

How to sync EVO wtih Google Workspace

Evo Security syncs with Google Workspace service.

Your users will be able to login using Evo, with their network credentials. The user will be required to enter a code based on multi-factor authentication (MFA) being enabled, and their credentials are authenticated by your network.

Requirements:

• Organization configured for Google Workspace.
• All users have been created under Google Workspace.
• All users have a unique email address, specific to their user.
• All users are a member of a group to be synced.
  • It is recommended that all users that will be synced to EVO are put in a Security Group and only that group is synced with EVO.

1. To setup a new directory that syncs to the customer’s Google Workspace, follow this KB: Sync with Google Workspace – Evo Support (evosecurity.com)

EVO Cloud

For the below we’re going to add a simple Evo Cloud Directory-as-a-Service (DaaS). Unlike the other directory types, an Evo Cloud directory doesn’t sync users, once the directory is created, you’ll need to add users directly to Evo.

1. From the left navigation menu, select My Company. Alternatively, select Customers and choose a customer from the list.
2. From the side navigation, click Directories.
3. Select the Evo Cloud tab.
4. Click the Add New Directory
5. Enter a name for the directory.
6. Click Create Directory.

At this point, users will automatically start to populate into the People section of the Evo portal if you have setup one of the sync options.

Step 3. User Licensing

Once you have users syncing and showing up in the People section, the next step is to assign those user licenses. To enable features like MFA, SSO, or Elevated Access, all users must have an Evo license assigned to them. 

1. Expand the below section to see instructions on how to assign licenses to users:

Assigning Licenses

1. On the People screen, select the user(s) using the checkbox on the left.
2. Click Actions → Assign Licenses → EVO Standard.

1. The license for the user now shows EVO Standard

Step 4. Converting Users to Admins

The next step is to convert users to admins. When you or your technicians need to manage customers, need to have privileges within the Evo portal or use Elevated Access/Shared accounts, their user will need to be converted into an Admin. 

Converting a user to an admin does not give them additional privileges or access. That is configured separately in subsequent steps.

1. Expand the below section to see instructions on how to convert users to admins:

Converting Users into Evo Admins

1. Select People from the left navigation menu.
2. In the displayed list of users, click on the user you want to edit.
3. Click Convert to Admin.

4. Click Yes.

Step 5. Setting Up EVO Portal Admins

EVO Portal Admins are users that will have administrative access to your EVO MSP portal.

Role-Based Permission Groups

Role-Based Permissions are permission groups.

1. Expand the below section to see instructions on how to create a permission group:

Creating Role-Based Permission Groups & Assigning Users

1. From the dashboard, click Access.
2. Click Role-Based Permissions.
3. Click Create New Permission Group.
4. Enter a name for the new group (EVO Admins) for example, and optionally a description.

5. Click Next.
6. Check Select All Roles

1. If creating a group for restricted permissions (Technician access for example), you can use the “Technicians” example permissions below.

7. Click Next.
8. From the list of administrators, check each administrator that should be included in the group.
9. Click Complete.

Examples of Permissions for technicians that normally preform basic EVO management functions:

• Users
  • All
• Directories
  • View Directories
• Elevated Access
  • Can be Elevated Admin
• Keys
  • All
• Devices
  • All
• Billing
  • All
• Customers
  • All
• Dashboard
  • All

Customer Access Permissions

Now we need to grant access to customers (if any) to your EVO admin users.

1. Expand the below section to see instructions on how to grant customer permissions to EVO admins:

Managing Customer Access

1. From the dashboard, click Access.
2. Click Customer Access.
3. In the displayed list of customers located on the left, find the customer for the restrictions that are to be made. Click the customer’s name.
4. From the list of administrators: Changes made are automatically saved.
   1. To grant access: Check the row for each user who should be granted access.
   2. To remove access: Uncheck the row for each user who should no longer be granted access.

Step 6. Aliases

If you have users that need to use different and/or multiple users names, users can use an alias in order to authenticate and log in.

For information on where to find, how to add, delete, and use Aliases, see: Custom Aliases – Evo Support (evosecurity.com)

Step 7. Elevated Access/Shared Accounts

Follow the below steps to create and give access to shared/elevated access accounts.

For users to be a part of a Permission Group, use a shared account, or have EA groups assigned to them, users need to have been converted to an Admin (See Step 5: Converting Users to Admins).

Role-Based Permission Groups

The first thing you need to do is make sure the EVO users that will be using shared/elevated access accounts, have the correct permissions to do so.

Skip this step if your EVO admin users are already a part of a permissions group with the Can be Elevated Admin option selected.

1. Expand the below section to see instructions on how to create a permission group for shared/elevated access permissions:

Creating Role-Based Permission Groups & Assigning Users

1. From the dashboard, click Access.
2. Click Role-Based Permissions.
3. Click Create New Permission Group.
4. Enter a name for the new group (EVO EA Users for example), and optionally a description.
5. Click Next.
6. Ensure the Can be Elevated Admin is selected under the Elevated Access section.

7. Click Next Step.
8. From the list of administrators. Check the row for each administrator to be included in the group.
9. Click Add Permission Group.

Shared Accounts

Shared Accounts are any accounts separate from your normal “user” account. These can be account such as Domain Admins, Local PC admins, Local PC users, conference room accounts, or accounts that need to be used by multiple users. When you log onto a windows machine, or get prompted User Account Control (UAC), you check the Elevated Access option, use your Evo credentials, and the Shared Account will be securely passed onto that machine through the Evo agent (Credential Provider). 

Shared Account Examples

Working with Elevated Access Accounts

Adding Elevated Access Accounts

1. From the dashboard, click Access.
2. Click Shared Accounts
3. Choose the applicable customer.
4. Click the Add Shared Account button.
5. Choose one of the below options:
   1. Add Manually
      1. Manual EA accounts will need to have the password updated here if it is changed in AD for example.
      2. Enter the email or username, password and domain.
      3. Click the Add Shared Account button.

2. Selected from Synced Directory
   1. Choose the directory you wish to import the EA account from.

2. Click Next Step
3. Select the account(s) from the drop down

4. Click Add.
5. Click Next Step
6. Enable Password Rotation. Synced EA accounts require password rotation. This means EVO will automatically change the password for this synced EA account in the directory it’s synced from.
   1. Choose the length of time that EVO should rotate the account’s password.
7. Click Add Shared Account.

Elevated Access

Elevated Access is a group that contains shared accounts that gets assigned to EVO admin users with the privilege to use them

1. Expand the below section to see instructions on how to create Elevated Access groups and assign them to EVO users:

Creating & Assigning Elevated Access Groups

1. From the dashboard, click Access.
2. Click Elevated Access
3. Click Create Assignment button.
4. Enter the group name.

5. Click Confirm and Next Step.
6. Select Customers
   1. All Customers - This means that Shared/Elevated access accounts will be used for all customers. This is not common as most customers have different domains/directories.
   2. Select Customers - This is most common and means that Shared/Elevated access accounts will only be used for selected customers.

3. Click Confirm and Next Step.

7. Select the shared account(s) that you wish to assign to user(s).

8. Click Confirm and Next Step.
9. Select the user(s) that you wish to assign the shared account(s) to

10. Click Complete Group Assignment.

Licensing Users

1. Select People from the left navigation menu
2. In the displayed list of users, click on the user you want to edit.
3. In the bottom row for Licenses, apply the Elevated Access License

Step 8. Integrating Evo with Windows Desktops

The EVO Credential Provider (ECP) Windows Agent is what makes multi-factor authentication (MFA) against a Windows workstation is possible.

Access Tokens

The first step is to create a Token that your machines will use to securely communicate back to Evo.

1. Expand the below section to see instructions on how to create an access token:

Creating an Access Token

1. Select Access from the left Navigation Menu.
2. Select the Access Tokens tab.

3. Select the Create Access Token button.
4. Fill out the required information.
   1. Name, enter any name you'd like for the new Access Token
   2. Type, select Evo Credential Provider
   3. Customer, select which Customer this Token will be associated with
   4. Directory, choose the directory it will be associated with
   5. Expiration Date, choose a date you wish this token to expire. Once it expires, you will no longer be able to use Elevated Access as it will not work, and you'll need to create a new Token.
      1. Set this for 10 years out.
   6. Once complete, click Create Access Token

5. Once complete, you will be given JSON of your newly created Access Token.
6. Click Copy to Clipboard and paste it in your favorite text editor.

7. Click Finish and Close.

Save the information copied as you will need it to install the EVO windows Credential Provider application. - THERE IS NO WAY TO VIEW THIS INFORMATION AGAIN

Downloading EVO Credential Provider

To install the ECP, we will first need to download the msi agent from the Evo portal.

1. Expand the below section to see instructions on how to download the MSI file:

Downloading EVO Credential Provider

1. Select Applications from the left navigation menu.
2. Click the Windows Desktop card.

3. Click Download Evo Windows Login Agent.

Installing EVO Credential Provider

Requirements:

• Windows Server 2012r2 or higher.
• Windows Desktop 10 or higher.

1. Expand the below section to see instructions on how to install the ECP:

Installing/deploying the Windows Agent

1. For different methods of installing/deploying the ECP, follow the steps outlined in the Integrating Evo with Windows Desktops KB found here: Integrating Evo with Windows Desktops – Evo Support (evosecurity.com)
2. Take note of the following recommendations/best practices before installing

During Installation

1. On the Customer Setup step for EVO Login only:
   1. Entire Feature will be unavailable (Default Selection).
      1. Leaving this default will allow you authenticate through EVO but also still using windows credentials as well.
      2. It is recommended to leave this default for testing!

2. Entire Feature will be installed on local hard drive.
   1. Selecting this will replace the Windows Default Credential Provider entirely. This means you will only be able to authenticate to the machine through EVO.

2. When you get to the Configuration step for Authentication Mode:
   1. End User Only > Will only allow for a regular user (non-Elevated) to login.
   2. Elevated Only > Will only allow Elevated users to login.
   3. Both > Will allow for either an end user or elevated user to login. (Recommended option)

3. MFA Grace Period
   1. This is how long the machine can stay locked before asking you for MFA again.

After Installation

1. DO NOT logoff - stay logged into the same session!
2. Start Evo Settings Editor
3. Select Connection Test

4. Enter your windows username that matches a synced account in EVO and click Connect

5. You should get a prompt in your EVO mobile app and after approving, see a Success message.

6. NOTE FOR AZURE AD USERS
   1. EVO will natively pass through the username of your Azure AD user that is synced to EVO!
      1. If you are logging onto a PC with a non-Azure AD/local account, you will need to add that account in EVO as a shared account and grant your EVO user the privileges to use it. See Step 6. Elevated Access/Shared Accounts.
7. To test a Shared Account
   1. Select the Elevated option.
   2. Enter your EVO credentials.
   3. Click Connect.
8. Do not move on until successfully connecting!
   1. If you cannot connect, verify that the Environment URL and Evo Directory are correct.
9. Lock the current session and then try to unlock using the Evo Security login tile. (Other tiles should be available depending on the EVO Login only setting you chose during installation). Make sure you can unlock.
10. Once you are convinced all settings are correct, in the Evo Settings Editor select the EVO Login Only checkbox and click Apply (this is not needed if you choose Entire Feature will be installed on local hard drive for the EVO Login only setting during installation).

Scripting

• If you want to save the settings in a JSON file for another installation, start an elevated PowerShell session and run the command "C:\\Program Files\\EvoSecurity\\EvoSecureLogin\\EvoCredProSettings.ps1" -generate . With that command, you can either dump it to the screen or re-direct it to a file.
• You can then use the JSON file to install the CredPro on all computers in the domain using the Evo Installation Script (or using ConnectWise RMM).

Script - https://download.evosecurity.com/release/installers/evoinstall-latest.zip

Step 9. Integrating Evo with Apps

EVO has the ability to integrate to any environment, console, portal, etc. that is able to be configured to use external SSO/SAML authentication. This means that after a SAML integration between Evo and the website, users will be able to use the same 2FA they use to log into their machines.

Configuring SingleSignOn (SSO) Timeout Policy

The first step is to create an SSO policy which lets you control a temporary duration for SSO before the user must re-authenticate or re-approve multi-factor authentication (MFA).

• The SSO rule set as globally will apply to all users.
• Only 1 SSO rule is allowed.

1. Expand the below section to see instructions on how to create the environment’s SSO rule:

Configuring the SSO timeout Policy

1. From the dashboard, click Policies.
2. Click the Add New Policy.
3. Click Single Sign-On (SSO) Reset Frequency.
4. Use the slider to define the rule.
   1. To Always Require MFA. Move the slider all the way to the left.
   2. To expire SSO after a period. Move the slider based on your organizations’ rules. Anywhere between 1 to 7 days.

5. Click Add Rule.
6. It is recommended that if the SAML capable web application allows you to configure a session timeout. You match it to the policy defined within your Evo Portal.

Other SAML Supported Webapps

Next will be a combination of gathering info from the Evo Portal and then uploading it into your favorite SAML supported webapp. Some web apps are pre-defined and have step by step instructions on the Applications page as well.

1. Expand the below section to see instructions on how to gather the SAML information you’ll need for your 3rd party application from the EVO portal:

Retrieve the URLs, Fingerprints and public certificate from Evo

1. From the left nav menu, select My Company. Alternatively, select Customers and choose a customer from the list.
2. Select Applications from the left nav menu.
3. Click the SAML Web App card.
4. Open your favorite text editor. One at a time, click the copy button at the end of each field. Paste the copied detail into the text editor.
   1. Copy and paste the Sign In URL.
   2. Copy and paste the Sign Out URL.
      1. Optionally, copy the Fingerprints as needed. Your 3rd party application should denote which fingerprints are needed.
5. Click Download Public Certificate.
   1. Some SAML webapps will require the public certificate to be rendered in text. Please use your favorite text editor to do so.
6. Click Download metadata file.

That’s it for the Evo Portal.  Now head on over into your SAML support webapp and uploaded the provided information into it. 

Step 10. Creating Customer Sites

Customer sites are used for customers . To create a customer, follow the below process. After that, you would setup the customer’s tenant/environment just like we did for the partner’s internal tenant/environment in the steps above.

1. Expand the below section to see instructions on how to create a customer:

To add a new customer, please follow these steps.

1. Click on Customers on the left.
2. Click Add New Customer on the right.
3. Add the Customer Manually
4. Name the Customer and your all set.

How do I add or delete customers? – Evo Support (evosecurity.com)

Step 11. Branding

Branding lets you apply your logo and customer colors to the EVO console.

Note that branding is setup at the MSP level and will apply to all customers within the MSP.

1. Expand the below section to see instructions on how to setup branding:

Setting up Custom Branding

1. Simply head to Customization on your home screen.
2. Click the option to Upload your Company logo
3. Optionally while here you can also change the Primary Color for your Evo portal.
4. Once done, click Apply Changes

Step 12. Onboarding/Email Campaigns

In step 4, you saw how to manually send a welcome email to an individual user. EVO’s built in Onboarding tools let you setup automated mass email campaigns to onboard users on a larger scale.

1. Expand the below section to see instructions on how to setup an onboarding/email campaign:

Setting Up an Email Campaign

1. From the side navigation, click Onboarding.
2. Click New Onboarding.

3. Select a directory (ensure to select the directory that you’re syncing users from).
4. Enter a description of your email campaign (optional).
5. Select the appropriate time zone.
6. Select the users to exclude from the communications (for example yourself or any users that are already logged into EVO).
7. Select the template for the communication. 
   1. There are currently three email templates you can select from.
      1. Welcome Email: Send the welcome email to welcome all new users to Evo.
      2. Reminder Email: Send the reminder email to remind your new users to setup MFA.
      3. Final Reminder: Send a final reminder email to your users to setup MFA.

8. Select the date and time that the email should be sent.
9. You can also edit the subject and body if desired.
10. If you’d like to send multiple reminders, click the “+” icon to include additional reminders in the campaign. Repeat steps 7 thru 9 for each additional reminder.

11. Click Schedule Emails.
12. Once the campaign has completed it will be moved from In Progress to Completed.

Related Articles

• MSS FW Best Practices: CLI/Console
• MSS FW Best Practices: DPI-SSL (Client)
• MSS FW Best Practices: Configuration Export & Import

Categories

• Managed Security Services > MFA Identity and Access Management