You can protect RSA SecurID Authenticate device registration with an access policy to control which users can complete device registration. You might want to use this access policy to allow only a subset of your users (for example, your Sales org) to use the Authenticate app for additional authentication.
You specify identity source user attributes and certain conditions (Authentication Source, IP Address, and Trusted Network) to define the target population for this access policy. By default, all users are allowed to complete device registration. This access policy does not currently support Additional Authentication options.
This access policy only applies to users who have not completed Authenticate device registration. If you do not want existing users to continue using the Authenticate app, delete their Authenticate devices in the Cloud Administration Console. When they try to complete Authenticate device registration again, this access policy prevents it.
This access policy exists by default. You can enable, edit, or disable it. Unlike other access policies, you cannot clone or delete it, and you cannot view its access usage. When you disable the access policy, the current configuration is saved and becomes active again when you re-enable the policy.
To configure this access policy, complete the following:
- In the Cloud Administration Console, click Access > Policies.
- In the Policies page, enable the RSA SecurID Authenticate Device Registration policy.
- Edit the access policy by specifying the LDAP user attributes and conditions of the target population.
- Publish the changes.
The Cloud Authentication Service enforces this access policy immediately for new Authenticate device registrations.
Device Registration Policy Flow Example
The following example describes how the RSA SecurID Authenticate Device Registration policy works for an allowed user and a denied user.
The administrator enables the access policy.
The administrator creates a rule set to only allow Sales users to complete Authenticate device registration. All other users are denied.
A Sales user downloads the Authenticate app from the app store, opens the app, and follows the instructions to complete device registration.
An HR user downloads the Authenticate app from the app store, opens the app, and starts following the instructions. After the user submits the company ID, user ID, and password, the app displays "Unable to Complete Setup. Contact your administrator."
When a user is blocked from completing Authenticate device registration, the Event Monitor logs error 3009. Check for this error when testing this policy and assisting users who might be blocked unintentionally.