BYOD Windows Non-Admin User

omadrile
Cisco Employee

Hi team,

 

Just as a sanity check, consider the scenario where we have multiple users (both admin and non-admin) in Windows running on the same machine. If a non-admin user runs the browser as an admin and follows the BYOD flow, is it possible for the non-admin user to install the BYOD cert?

Also, if an admin user (after having completed the BYOD flow) authenticates against ISE using the cert, and then, using fast user switching, a non-admin user logs in (without sending any EAPOL logoff message), will the non-admin user be able to reuse the existing authenticated session from the admin user?

Thanks,

Oriol

1 Accepted Solution

howon
Cisco Employee

A non-admin user won't be able to complete the BYOD flow, as it requires running an executable and also access to the certificate store. In the fast user switching case, yes, what you describe is correct: since the first user did not log off, from the network perspective the first user is still logged in.

Jason Kunst
Cisco Employee
It’s not recommended to use BYOD with shared machines.

The whole point of the feature is really to onboard devices used by a single person: register a device to a person. Otherwise you have the same MAC flipping between different ownership as a portal user ID. This may even introduce issues, as I haven’t tried it.

I would recommend looking into deploying one (perhaps a machine cert) for identifying the machine and then relying upon user credentials, such as CWA chaining as an example.

Or using a certificate management platform such as SCCM or GPO to push out user certs and manage it that way.