Evo Cloud is our answer to a cloud directory. If you do not have a domain, or do not use another directory, we offer this service as part of Evo so that you can utilize a directory for yourself and for your users. This could be an answer for you if you are trying to protect workstations that are non-domain joined and all users are local. Let's take a look at how we accomplish this:
- Create a Directory
- Add Users / Matching Users
- For Elevated Access, add the shared accounts that will be elevated into
- Set appropriate user permissions for the added user
- Install Evo Agent
- Set up Elevated Access (License required)
Getting started with Evo Cloud
1. First, head on over to "Directories" within your portal of the selected Customer (or your own company) and create a new directory:
2. Select "Evo Cloud Directory as a Service"
3. Enter a name for your directory
4. Click complete, and your directory will now be created.
Adding Users
Now that your directory is created, you need to add your users. Let's take a look at how to add users.
NOTE: If you plan to use Evo Cloud as your directory type, the usernames you create MUST match the usernames that exist locally on the machine, and you must create an Alias for each user.
Identify the username on your computer by running whoami at the Command Prompt.
For Example:
- Local Username: Thomas
- Evo Cloud: Thomas@domain.com
- Alias: Thomas
Evo considers the username to be the text before the @ symbol.
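As an added example (not part of Evo's documentation or tooling), the PowerShell below checks a planned user list against the rule above: it takes the text before the @ as the username, confirms a local account with that name exists, and confirms the Alias equals it, as in the Thomas example. The function name, the CSV columns and the sample accounts are assumptions constructed for illustration.

```powershell
# Added example: pre-deployment check that planned Evo Cloud users line up
# with local Windows accounts. Test-EvoCloudUserMatch and the Email/Alias
# CSV layout are hypothetical, not an Evo export format.
function Test-EvoCloudUserMatch {
    param(
        [Parameter(Mandatory)] [object[]] $PlannedUsers,   # objects with Email and Alias
        # Default: enabled local accounts on this machine.
        [string[]] $LocalNames = (Get-LocalUser | Where-Object Enabled).Name
    )
    foreach ($u in $PlannedUsers) {
        # Evo treats the text before the @ symbol as the username.
        $name = ($u.Email -split '@', 2)[0]
        # Windows account names are case-insensitive, as are -contains and -eq.
        $hasLocal   = $LocalNames -contains $name
        $aliasMatch = $u.Alias -eq $name
        [pscustomobject]@{
            Email        = $u.Email
            Username     = $name
            LocalAccount = $hasLocal
            AliasMatches = $aliasMatch
            Ready        = $hasLocal -and $aliasMatch
        }
    }
}

# Constructed sample input (not real accounts).
$planned = @'
Email,Alias
Thomas@domain.com,Thomas
maria@domain.com,mgarcia
sam@domain.com,sam
'@ | ConvertFrom-Csv

# Constructed local account list so the example runs on any machine; omit
# -LocalNames on a real workstation to query it with Get-LocalUser.
$local = 'thomas', 'mgarcia', 'Administrator'

Test-EvoCloudUserMatch -PlannedUsers $planned -LocalNames $local |
    Format-Table -AutoSize
```

For a local account, whoami prints the name as COMPUTERNAME\username; the part after the backslash is what has to match.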
Users are added to your tenant in one of two ways – the first being via a sync from a configured directory, such as Google Workspace, or Active Directory. The second is by adding the user manually into Evo.
- Evo Cloud User: This is a regular user. This user can only be associated with an Evo Cloud Directory.
- Evo Cloud User (Admin): This is an admin user. This user can only be associated with an Evo Cloud Directory.
- Evo Cloud User (Guest): This is an admin user. This user can be associated with non-Evo Cloud Directories, such as Google Workspace, or Active Directory. Adding this user type should only be done under special circumstances, such as when the user only requires temporary access to the client’s site and shouldn’t be added as a synced user.
- From the left nav menu, select My Company. Alternatively, select Customers and choose a customer from the list.
- From the side navigation, click People.
- Click the Add User button.
- Select the type of user you want to add: Evo Cloud User, Evo Cloud (Admin), or Evo Cloud (Guest)
- Select the directory the user is to be associated with.
- Enter the user details for the user you’d like to add (First name, Last name, and Email address). To add multiple users with the same user type and assigned directory, click the Add New button.
- Optionally, check Send Email, to send the new user a welcome email now. Otherwise, you can send a mass email later.
- Click the Create User button.
- Repeat steps 5 to 9 for each new user to add.
For more information about Aliases, please refer to the following article - https://support.evosecurity.com/hc/en-us/articles/18354140942363-Custom-Aliases
User Permissions
For each user that you are adding, you'll need to make sure the appropriate permissions are applied from the Access page:
- Convert Evo users to Evo admins (Where applicable for users that will be using Evo as IT administrators)
- Role Based Permissions - Add users into the appropriate permission group
- Customer Access - Make sure the users are able to access the customer
- Elevated Access - For users of Elevated Access, you'll need to designate the shared account via the Local Accounts page (Done after the agent installation) on each machine that you are accessing with a shared account
Installing the Evo Credential Provider
So, you now have your directory created, your users created and enrolled with the Evo Mobile Secure Login App (If not, please reference this article - Evo Mobile App), and you are now ready to install the Evo Credential Provider on your workstation.
To do so, please follow this guide here - Integrating Evo with Windows Desktop.
Once complete, finish the install, and you're done! You have now finished configuring Evo for Secure Logins on Local Machines with Local Users using Evo Cloud! You can begin authenticating at your earliest convenience.
Elevated Access Support?
Yes! You do have Elevated Access support when using Evo Cloud. However, there are a couple of key differences that you must be aware of in order to implement this correctly:
- The domain account must also be a local account on the machine
- The domain account credentials must match on both the cloud directory and the local machine
Evo Cloud Elevated Access Example:
- User1@testmachine.local is created in Evo. The username on the machine being accessed is user1. The user is set up in Evo and gets MFA set up on their device under the user1 account.
- The user is now able to test logging in to their own system via Secure Login.
- Make sure to create an Access Token for the agent installation.
- The Evo agent is installed and Secure Login can be tested (If desired)
- The user now needs to be able to elevate into a target machine:
- The user has a matching user1 account created on the target machine.
- A SharedAdmin administrator account is also created on the machine that needs to be accessed.
- After the agent is installed, the SharedAdmin account now shows up in Evo under the Local Accounts section.
- Turn on password rotation for the SharedAdmin account on the Local Accounts page. Confirm that the password rotated.
- Make sure that permissions are set for the SharedAdmin account in the Elevated Access section.
- The user1 user should have access to the designated Local Account.
- If needed, create a manual domain account (With any credentials) to bypass the selection screen
- The EA Assignment can select the manually created account and then the appropriate user1 account as a permissioned user
- After this, test Elevated Access on the target machine using the Connection Test with Elevated as the mode and the user's full Evo credentials.
- Test again logging out fully and then try Secure Login first (No Elevated Access selected). You can just use the username of user1 to access Secure Login.
- After this, log out again and select the Elevated Access prompt and use your full Evo credentials to access the SharedAdmin account as your Evo user.
Still have questions? Let's take a look at some of the frequently asked questions about Evo Cloud.
FAQ
Question: Does Evo Cloud pass my credentials down to my local machine and users?
Answer: No, these two are separate and must be done manually. Whatever changes you make, either locally or on the cloud, do not sync so be sure to make all changes in both places accordingly.
Question: Can an Evo Cloud Credential Provider on Machine A speak to an Evo Cloud Credential Provider on Machine B, so that I can log in as users that exist on other machines?
Answer: No. You are only able to log in with local users that exist on the machine, as these users are not joined by any domains.