Company Christmas Holidays
North American Headquarters in Miami, USA: Dec 25, 2015, Jan 1st 2016
European Headquarters in Muenster, Germany: Dec 21, 2015 until Jan 03rd 2016
Limited support is available during this period.
We at PROVISIO wish you Merry Christmas and a Happy New Year!

 

Support Request: Chrome Windows 10 Accounts add-in

Description

You can use "Windows 10 Accounts" add-in for Chrome? I am trying to configure a site that has Azure Access Control enabled on it. Each time the site is launched I am prompted for MFA. this is due to the device information not being reported to Azure.

If I use MSEdge and go to the site, I do not have this issue.

Answer: (6)

Re: Chrome Windows 10 Accounts add-in 4/2/2021 9:34 PM
Hello,

Thank you for your inquiry. Can you tell us what Azure Access Control looks for in a user? Are you part of a domain? There is a possibility that when you tested MS Edge, you were in a domain user and the browser pulled the SSO information from the domain user account. When SiteKiosk is in Auto Start mode, it uses the local standard user (SiteKiosk). You can launch SiteKiosk (IE or Chrome browser engines) with a domain user instead and still have access to SSO/domain services. To do that, you would enter the logon user credentials in SiteKiosk Quick Start Menu>>Customized>>Logon automatically at Windows startup>>Settings.

If you need to individualize the access to the SiteKiosk machine, you can follow the steps in this previous forum post - https://www.provisio.com/en-US/CustomerSupportCenter/ArticleDetails.aspx?ArticleID=25201

If you need a particular Chrome plugin, then you would not be able to use that in SiteKiosk safely. Please let us know more about your scenario before more instructions can be given.

Best regards,
Andre.
Re: Chrome Windows 10 Accounts add-in 4/5/2021 10:31 PM
The computer is domain and hybird Azure Domain Joined. I configured a start menu with a web link. When the user selects the URL, they are prompted for Microsoft Credentials, which is what we want. the individual user can specify their e-mail address. Next they are prompted for their domain logon credentials. Again this is as expected and is good.

However they are then prompted for Microsoft MFA authentication. When I reached out to the Identify team they stated it is because the browser did not send the device information back to Azure. The Conditional Access policy is set to see "Require Hybrid Azure AD joined device".

This information is sent when using a Modern MS Edge browser. It does not appear to be sent with the Provisio Chrome Browser
Re: Chrome Windows 10 Accounts add-in 4/6/2021 12:43 AM
From the Windows 10 Accounts plugin description:

Use this extension to sign in to supported websites with accounts on Windows 10. If you have a Microsoft supported identity on Windows 10, you won’t be required to enter your credentials to sign in to supported websites. You’ll need to use this extension if your organization has implemented conditional access policy. Currently, this extension supports Azure Active Directory identities.

https://chrome.google.com/webstore/detail/windows-10-accounts/ppnbnpeolgkicgegkbkbjmhlideopiji
Re: Chrome Windows 10 Accounts add-in 4/6/2021 4:35 PM
Hello,

Thank you for the update. SiteKiosk does not support any Chrome Plugins as the Chrome Skin is using a Chromium CEF engine installed with SiteKiosk. Though SSO (domain user sign in) solution will work with SiteKiosk browser, it seems that you may need to use an external browser like Microsoft Edge as an external application.

In that case, SiteKiosk would have no means of enforcing Surfing Area and File Download restrictions, so you will need to setup your own content filter on your network for access control. You can still use the SiteKiosk user (Auto Start mode) for local file folder restrictions but users can launch applications after download from external browsers.

To allow Microsoft Edge, you will follow these steps:

1. In SiteKiosk Configuration, click Access/Security

2. At "Block system critical windows and dialog boxes", click the Settings button

3. Then select appropriate rule e.g. (Title:'*icrosoft Edge*' Class:'Chrome_WidgetWin_1')

4. Click "Edit"

5. Select the radio button "Explicitly allow the display of this window"

6. Click Ok and then save the configuration file.

In the log files, you will see this example message, when an unapproved window is being displayed:

[SiteKiosk] Notification: According to the windows monitoring rule (Title:'*oogle Chrom*' Class:'Chrome_WidgetWin_1') the window (Title:'Google Chrome - *****' Class:'Chrome_WidgetWin_1') will be closed.

See helpful links on these topics:
Surfing Area - https://www.provisio.com/helpconsole/SiteKiosk%20Help/en-US/default.htm?surfing_area.htm
SiteKiosk User Policies - https://www.provisio.com/helpconsole/SiteKiosk%20Help/en-US/default.htm?policies.htm
Files and Downloads - https://www.provisio.com/helpconsole/SiteKiosk%20Help/en-US/default.htm?file_manager.htm
Applications - https://www.provisio.com/helpconsole/SiteKiosk%20Help/en-US/default.htm?applications.htm
FAQ on external applications - https://www.provisio.com/en-US/CustomerSupportCenter/ArticleDetails.aspx?ArticleID=25533

Best regards,
Andre.
Re: Chrome Windows 10 Accounts add-in 4/16/2021 8:11 PM
I was able to use the MSEdge browser by apply a black list and white list of urls, in a local group policy. This allowed the Conditional Access Policies to work on the machine without having to use MFA.

Please close the case.
Pages (2): [1] 2 Next »