Access Manager Agent - Agent registration page
Last updated
Last updated
The Agent registration
page provides the ability to configure how Access Manager Agents can register with the Access Manager server.
Enabling Windows authentication allows Active Directory-joined devices to use their machine identity to authenticate to the Access Manager server.
If this setting is enabled, devices can use Windows authentication (kerberos or NTLM) to authenticate to the Access Manager server.
Clients will use Kerberos whenever available to authenticate to the AMS server. However, Kerberos requires that clients have line-of-site to a domain controller. If you are registering devices that are not on the corporate network at registration time, you will need to enable NTLM authentication as well.
Once an agent has registered, line-of-site to a domain controller is no longer required. The agent creates a AMS-specific authentication certificate and registers that with the server to use going forward.
If you wish to allow agents to register with their Active Directory identity, you will need to configure a service principal name (SPN) on the service account used by the Access Manager Service.
If this SPN is not set, the following warning will appear in the Service account
section of the Host configuration
page. Use the Set SPN...
script to configure the correct SPN for the service account.
Enabling Microsoft Entra support allows Windows 10 and higher devices that are joined to Microsoft Entra to authenticate to the Access Manager server. These devices will use their Microsoft Entra credentials to register with AMS.
Enabling support for key-based registration allows support for devices that are not joined to an Active Directory or Microsoft Entra.
You must enable key-based device registration in order to support non-domain joined devices running macOS, Linux, and/or Windows.
A registration key is required for a device to register with the AMS service, when an alternative form of authentication, such as Windows or Microsoft Entra authentication is not available.
A registration key is used by a device only once, to allow it to register its own unique set of credentials with the AMS server, which is used from that point on.
When you create a new registration key, a unique string value is automatically generated. You must assign a friendly name to this key, and optionally set parameters around reuse and approval.
You can choose a unique name for the key, so its use can be identified in the UI and in audit logs.
The read-only registration key that was generated by the system
You can choose to limit the number of times the key can be used, but default keys can be used an unlimited number of times. If you are creating the key for use on a specific device, then you can set this value to 1
, which will invalidate the key after its use.
You can choose to require that the device be manually approved in the Devices
section of the app, before it can start sending its password changes.
Shows the number of times the key has been used to successfully activate a device
You can automatically add devices that use the key to any number of AMS groups that you specify. You can use this feature to ensure that specific access rules and password policies automatically apply to newly registered devices.