Installing OneLogin Desktop for Windows
Article: KB0010470 Published: 07/06/2023 Last modified: 07/06/2023

OneLogin Desktop enables users to log into the OneLogin portal and obtain a certificate that permits subsequent access without the need to reenter their credentials each time. OneLogin Desktop Pro extends this capability to the Windows sign-in screen so that users only need to sign into their device to also gain access to the OneLogin portal.

Prerequisites

  • System Requirements
    • Windows 10 or 11, 64-bit; Windows 11 64-bit required for ARM-based systems
    • .NET v. 4.8 or greater (default installation for Windows 10 and 11)
    • Device connected to the Internet and OneLogin services available
    • Windows machine not joined to an AD domain for OneLogin Desktop Pro
  • OneLogin subscription that includes OneLogin Desktop
  • The latest version of Chrome or Edge is recommended

OneLogin Settings for Desktop

Enabling OneLogin Desktop Service

  1. From Administration, go to Devices > OneLogin Desktop and toggle Enable OneLogin Desktop Service.
  2. Toggle Enable Download if you want to permit users to download the OneLogin Desktop installation file from their user profile.
  3. Toggle Enable Update Notifications to allow a notification to be sent to users when a new version of Desktop is available.

Browser Bypass for Login

You can allow trusted devices to bypass browser logins in your users' security policies.

Device-Level MFA

To require multi-factor authentication at the Windows sign-in screen:

  1. Go to Security > Policy > Sign In.
  2. Under OneLogin Desktop, check Apply MFA policy requirement when logging into laptops and desktop devices.

Users will need to set up Protect for multi-factor authentication via browser login prior to signing in with device MFA. They will be required to authenticate with their OneLogin username and password, then will be prompted to enter a One Time Passcode (OTP) from their Protect app.

If device MFA is required, users may log in offline the same way they do online, entering the OTP from their Protect app. However, users may log in offline at most 10 times (within 7 days of their last online login), after which they must authenticate online with OneLogin.

Installing Desktop

Installation Packages

The OneLogin Desktop installation packages are available via the OneLogin admin portal, and also from the user profile if your OneLogin security policy permits download by users.

If you want to download and distribute the installation file to users, download the file from the admin portal and disable the download option for the user profile.

Downloading From the Admin Portal

  1. Go to Administration > Devices > OneLogin Desktop.
  2. Confirm that OneLogin Desktop Service and Enable Download are enabled.
  3. Click Download for the Desktop version that applies to your subscription.
  4. A file named OneLoginDesktopInstaller-3.x.x.xxx.msi will be downloaded to your device (where x represents the version number of the current release).

Download From User Profile

Users may download the Desktop installation package from Profile > OneLogin Desktop if Enable Download is turned on.

The installation packages available are based on your OneLogin subscription as well as the operating system on the device accessing the OneLogin portal.

Note: Install only one of the packages, not both.

Installation requires admin privileges on the device. There are two methods to install Desktop for Windows:

Installing with Interactive Mode

In the interactive process, standard users will be prompted for admin credentials. After downloading the installation package, follow these steps to install Desktop for Windows:

  1. Double-click the installation package (OneLoginDesktopInstaller-x.x.x.xxx.msi or OneLoginDesktopProInstaller-x.x.x.xxx.msi).
  2. On the Welcome to OneLogin Desktop dialog, enter the subdomain for your OneLogin account and click Next.
  3. On the OneLogin Terms of Service dialog, read and acknowledge the One Identity terms of service and click Install.
  4. If prompted to allow installation, click OK. Standard users will be required to enter admin credentials to proceed.
  5. When installation is complete, follow the instructions on the confirmation screen to complete the account setup. Users will need to be online and connected to OneLogin services for the initial sign-in to sync the local account on their device with their OneLogin account.

Installing with Silent Mode

Silent mode allows you to install Desktop from the command line. To run the installation without an interactive UI, log in to the device as an admin user and open a Windows command prompt.

For Desktop Pro, execute this command, substituting your subdomain for “mysubdomain”:

msiexec /i OneLoginDesktopProInstaller-x.x.x.xxx.msi SUBDOMAIN="mysubdomain" /qn /norestart /l*v desktop_install_silent_log.txt

For standard Desktop, execute this command:

msiexec /i OneLoginDesktopInstaller-x.x.x.xxx.msi SUBDOMAIN="mysubdomain" /qn /norestart /l*v desktop_install_silent_log.txt

Note: You can enter any log file name you like. The /l*v option is for verbose logging.

When installation is complete, log out as admin user and log in as a standard user to complete the account setup.
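
Before pushing the package to many devices, it is worth confirming that the MSI is signed and unmodified. The following PowerShell wrapper is an added example, not OneLogin code: it checks the Authenticode signature, then runs the same silent install command shown above and reports the msiexec exit code. The function name, the ExpectedSigner value and the single-DNS-label check on the subdomain are assumptions of this example.

```powershell
# Added example, not vendor code. Verifies the MSI, then runs the silent install.
function Install-OneLoginDesktopSilently {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $MsiPath,
        [Parameter(Mandatory)] [string] $Subdomain,
        # Assumption: publisher name (certificate CN) read from a known-good copy
        [Parameter(Mandatory)] [string] $ExpectedSigner,
        [string] $LogPath = (Join-Path $env:TEMP 'desktop_install_silent_log.txt')
    )

    # Resolve to a full path; -ErrorAction Stop makes a missing file terminate here
    $msi = (Resolve-Path -LiteralPath $MsiPath -ErrorAction Stop).ProviderPath

    # Assumption: the subdomain is a single DNS label. Rejecting anything else keeps
    # quotes and spaces out of the msiexec command line.
    if ($Subdomain -notmatch '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$') {
        throw "Subdomain '$Subdomain' is not a valid DNS label."
    }

    # Refuse unsigned, tampered or untrusted packages
    $sig = Get-AuthenticodeSignature -LiteralPath $msi
    if ($sig.Status -ne 'Valid') {
        throw "Signature status is '$($sig.Status)'; refusing to install $msi."
    }
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $signer = $sig.SignerCertificate.GetNameInfo($nameType, $false)
    if ($signer -ne $ExpectedSigner) {
        throw "Signed by '$signer', expected '$ExpectedSigner'."
    }

    # Same switches as the commands above; paths are quoted for msiexec
    $msiArgs = @('/i', "`"$msi`"", "SUBDOMAIN=`"$Subdomain`"",
                 '/qn', '/norestart', '/l*v', "`"$LogPath`"")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    [pscustomobject]@{
        Sha256    = (Get-FileHash -LiteralPath $msi -Algorithm SHA256).Hash  # for the deployment record
        Signer    = $signer
        ExitCode  = $proc.ExitCode
        # msiexec: 0 = success, 3010 = success but a restart is required
        Succeeded = ($proc.ExitCode -in @(0, 3010))
        LogPath   = $LogPath
    }
}

# Usage (elevated prompt; file name and signer are placeholders):
# Install-OneLoginDesktopSilently -MsiPath .\OneLoginDesktopProInstaller-x.x.x.xxx.msi `
#     -Subdomain 'mysubdomain' -ExpectedSigner '<publisher CN from a known-good copy>'
```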

Uninstalling Desktop

The easiest way to uninstall Desktop is with the Windows Control Panel, but you can also uninstall Desktop from a command prompt by going to the folder with the OneLoginDesktop.MSI package and executing this command:

msiexec /x OneLoginDesktopInstaller-x.x.x.xxx.msi /qn /norestart

Account Setup

When installation is complete, sign out of Windows. To complete account setup and sync your local account to your OneLogin account, make sure the device is connected to the internet and that OneLogin services are available when you sign in.

Standard Desktop

Sign in to Windows with your device credentials. The first time you sign in, the Desktop Tray App will be activated from the Windows Taskbar and will prompt for your OneLogin credentials. Sign in to OneLogin, which will install a certificate in the certificate store on your device. This will enable subsequent access to the OneLogin portal without the need to reauthenticate.

Desktop Pro

Sign into Windows with your OneLogin credentials. If there is no local Windows account that matches your OneLogin account, Windows will create a new account. The setup process may take several minutes.

The local account is based on the user’s OneLogin account, but follows the Windows naming convention:

  • Usernames cannot contain \/"[]:<>+=;,?*@
  • Usernames are restricted to 20 characters

If the OneLogin account does not meet these criteria, the name will be modified by replacing illegal characters or truncating the length.

To bind to an existing local account, create the account with a name that matches the username in your OneLogin Cloud Directory. The username field in OneLogin Cloud Directory cannot be empty.
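
To see ahead of a rollout which accounts will bind, which will be created and which will have their names modified, the rules above can be applied to a list of usernames. The following PowerShell function is an added example, not OneLogin code; the function name and the sample data are constructed, and it does not predict the modified name because the article does not state the replacement rule.

```powershell
# Added example, not vendor code. Applies the two naming rules listed above.
function Test-DesktopProUsername {
    [CmdletBinding()]
    param(
        [string[]] $OneLoginUsername,
        [string[]] $LocalAccount = @()   # e.g. (Get-LocalUser).Name on the target device
    )
    $illegal = '\/"[]:<>+=;,?*@'.ToCharArray()
    foreach ($name in $OneLoginUsername) {
        if ([string]::IsNullOrEmpty($name)) {
            $outcome = 'Invalid: the username field cannot be empty'
        } else {
            # Collect each illegal character that occurs in the name
            $found = @($illegal | Where-Object { $name.Contains([string]$_) })
            $problems = @()
            if ($found.Count -gt 0)  { $problems += "illegal characters: $(-join $found)" }
            if ($name.Length -gt 20) { $problems += "length $($name.Length) exceeds 20" }
            # -contains compares strings case-insensitively, as Windows does for account names
            $outcome = if ($problems.Count -gt 0) {
                "Name will be modified ($($problems -join '; '))"
            } elseif ($LocalAccount -contains $name) {
                'Binds to existing local account'
            } else {
                'New local account will be created'
            }
        }
        [pscustomobject]@{ Username = $name; Outcome = $outcome }
    }
}

# Constructed sample data: usernames as exported from the directory, plus local accounts
$sample = 'jsmith', 'maria.garcia@example.com', 'averyveryverylongusername', 'newhire', ''
Test-DesktopProUsername -OneLoginUsername $sample -LocalAccount 'JSmith', 'Administrator' |
    Format-Table -AutoSize -Wrap
```

Because @ is on the illegal list, every email-style username falls into the modified group.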

Changing Password

Changing your password must be done via the OneLogin portal. If your password has expired, you can still log in to your device, but you’ll be prompted to change it if you try to access the OneLogin portal.

After you change your password in the OneLogin portal, the next time you log in to your device online the password will be updated for your local account. If you log in offline before syncing your password locally, you will need to use your old password at the Windows sign-in screen.

When your password is changed on a device, the OS does a password reset, which may result in cached credentials and URLs for other applications no longer being available.

Notes and Best Practices

Software Updates

When a software update of OneLogin Desktop is available, a notification will be sent to the user’s device, enabling them to install the new version. There is no need to uninstall the old version unless the release notes indicate otherwise.

Multiple users

More than one user may use the same device with OneLogin services. For standard Desktop, each user will log in to their local account and the certificate to access the OneLogin portal will be stored for each user in their private certificate store. For Desktop Pro, a local account will be created for each user based on the naming convention described above.

The log files for the Desktop application are stored in a system folder and are used for all accounts.

Tray App

After the initial login, when you sign into the device, you may access the OneLogin portal using the certificate on your device instead of entering your login credentials. If the certificate is installed, the Tray App icon on the Windows Taskbar will display a green checkbox.

Clicking on the Tray App icon displays these menu options:

  • OneLogin portal
  • Change password
  • Help
  • Log out

The Tray App will also display the status of your password and days until expiration.

Desktop Log Files

Desktop logs are stored on the device to assist with troubleshooting. To access the logs, right-click the Tray App icon and click Log files. To enable detailed logging, right-click the Tray App icon and click Detailed logging.
