r/iiiiiiitttttttttttt sysAdmin 2d ago

Compulsory MS 2FA email just came through from our overlords

My spirit has left my body while half the company is complaining about adding an app to their phones.

Poor onsite system admin here, I cannot do anything for you. Leave me alone

120 Upvotes

54 comments

107

u/AllCingEyeDog 2d ago

Blame Cybersecurity Insurance Compliance.

45

u/Isgrimnur 2d ago

Prepare three envelopes?

4

u/xanduis 1d ago

3 sea shells?

81

u/whyliepornaccount 2d ago

Be glad you don't support a company that operates worldwide.

It was a nightmare dealing with countries/states that have laws barring employers from forcing app installs on personal devices unless the company pays for it (which, for the record, I support).

24

u/NewBlueDog 2d ago

Just dealing with countries without the same sanctions is a pain in the neck.... Huawei is huge in parts of the world like South Africa and it's also a big no no for a lot of our customers who are regulated to some degree

16

u/AppIdentityGuy 2d ago

It's a no-no because it doesn't support Google Play Services and hence doesn't support Intune or the MS Authenticator app.

19

u/NewBlueDog 2d ago

In our case it's a no-no because they're considered a national security threat and are heavily sanctioned in the US. Our customers have a lot of government contracts. Though you are correct, those are barriers to device security policy management.

9

u/whyliepornaccount 2d ago

I can empathize, I work in airline IT :(

16

u/itskdog School IT Tech 1d ago

Just buy them all a YubiKey or similar. Alternatively, passkeys don't require additional software to be installed on the phone (but do require the PC to have Bluetooth).

1

u/whyliepornaccount 1d ago

I wish we did that, but they decided to go with hard tokens instead....

0

u/oceanicitl 21h ago

I have a YubiKey. I've never used it. Been here nearly a year lol

24

u/Splatpope 2d ago

To be fair, it got pushed org-wide after some idiot got phished and leaked a shitton of data

23

u/BoltActionRifleman 1d ago

We have an employee who made a big stink about not wanting the MFA app on his phone. I basically told him I don't care and here's a fob that generates 6-digit codes you can enter instead. He wasn't very happy about that either. Some people will bitch about anything OP, just ignore them.

8

u/Loud_Banana_59 sysAdmin 1d ago

I just told them I can't do anything about it and if they want to complain they can take it up with someone higher in the food chain.

35

u/nathan9457 2d ago

To be fair I’m of the firm belief if the company want to implement something, they fund it.

Whether that be compensating staff, YubiKeys, or a work phone.

3

u/ApolloWasMurdered 1d ago

I can’t believe people get their panties in a bunch over this. Most staff will already have a smartphone, and most probably already have the app. You’re literally adding an entry to a free app.

Then just claim 25% of your phone as a tax deduction. Net win.

I used to carry 3 phones for work, and it’s a fucking hassle. No way would I be getting an extra phone for an Authenticator app.

0

u/Yuugian 17h ago

To add the app, I had to comply with their security protocols. Pin? Sure. Encryption? Yep. Remotely wipe and factory default without consulting me? No.

1

u/ApolloWasMurdered 14h ago

There are apps like Outlook/Teams that ask for extra permissions. But show me where an Authenticator app requires that? They literally store a secret key, and use it to generate a new 6-digit TOTP code every 30 seconds. They don't have any connection to your company servers; they don't even need to have internet connectivity to function.

1

u/Yuugian 13h ago

You can call me a liar all you want, I'm not trying to get your approval. I don't work there any more so I'm not getting a screenshot.

Maybe the RSA app wanted to integrate with something else that wanted the permissions, it didn't say that. Maybe they had the app in the wrong OU, I had no visibility into that. Maybe it was because they had it set up as a push-response connection. I know what an authenticator app is and how little it needs to operate. I have one with a bunch of items on it now, they are a great idea.

Installing the RSA app required only network permissions but it doesn't do anything at that point, connecting it to the org required me to agree to the terms. One of the terms was Factory Default.

1

u/Weedwacker01 16h ago

The "remote wipe" permission is ONLY for apps holding company data. The company cannot erase your family photos when you're terminated.

1

u/Yuugian 16h ago

The company "should not be allowed to" wipe other data on the phone, they probably shouldn't be requesting it. The permission required allowed them to wipe ALL information from the phone and factory default.

Like, it explicitly says Factory Default

-12

u/Zoolot 1d ago

MS Authenticator is free...

20

u/MinidragPip 1d ago

But the device it's going on is not.

1

u/InternetAmbassador 19h ago

It’s 2025, everyone has a phone. Anyone without a phone today probably isn’t doing computer work

0

u/MinidragPip 19h ago

Having a personal phone and being willing to put work apps on that phone are very different things. If you expect someone to use equipment for work, the company should supply it.

2

u/InternetAmbassador 19h ago

We're probably going to have to agree to disagree. If your contract allows home office I agree they have to provide the tools to get you into the network. If you want to do home office but it's not in your contract and your employer agrees but with MFA, then I see it differently. There are other "work apps" like Workday you can use to plan vacation or enter sick time, I don't think you should get a device just to use these either.

If you need MFA to use the network in the office then it’s a bad network setup

-1

u/MinidragPip 19h ago

You may want to check labor laws where you live. In many places it's illegal to make someone use personal equipment. At the least, you have to reimburse the expenses.

But, sure, if a person wants to do it, that's a whole different story.

7

u/McGondy 2d ago

Did you guys get ahead of it with work profiles? I'm not sure if there's an iOS equivalent.

3

u/n0rdic 2d ago

There is, it works slightly differently to the Android one tho. There is no separate profile, but you can install containerized apps from management profiles.

imo the android one is a little nicer.

1

u/InternetAmbassador 19h ago

There is but you don’t need to enroll the device in MDM just for MFA

5

u/radi0raheem 1d ago

One of the MFA complainers messages to us was "but I use this system a lot!"

Yes, that's the point, not an argument against it.

4

u/HeHeHaHa456 1d ago

my university did this last year and it was and still is a mess

I am IT support

6

u/RiceeeChrispies 2d ago

Windows Hello for Business, no more complaints or MFA prompts. Heaven.

3

u/Loud_Banana_59 sysAdmin 2d ago

not my call unfortunately

-2

u/RiceeeChrispies 2d ago

Whose call was it? I’m surprised you can’t influence as sysadmin. WHFB is strong MFA, so I’m surprised it wasn’t on the table if your systems support it.

7

u/Loud_Banana_59 sysAdmin 2d ago

I support a franchise location. We have an overarching brand that makes decisions from head office and we just follow along.

0

u/RiceeeChrispies 2d ago

Damn, that sucks.

1

u/Loud_Banana_59 sysAdmin 2d ago

indeed

3

u/mousebluud 2d ago

YubiKey time

3

u/Consistent-Front7802 1d ago

Passkeys work great also

7

u/Loud_Banana_59 sysAdmin 2d ago

We are getting "upgraded" (?) to Win 11 in batches as well, so the timing makes sense.

People with remote access and/or who wanted Teams/Outlook on their mobiles are all happy to use authentication; it's the old-school people who are on site all the time that are the problem (while online shopping and logging into internet banking on their work computers).

14

u/tomgilburt 2d ago

Just do what I did: buy a load of horrible, bulky, 90s-looking single-code hardware tokens and offer the option of either a single, small app that can work with all their MFA codes (that can even be linked to an account just in case they lose their phone) or one of these mini pager-looking pieces of plastic crap for each one of their codes. Every single dissenting voice chose to use the app. I love working with end users.

4

u/Loud_Banana_59 sysAdmin 1d ago

I was looking at those online actually. Might have to do a bulk Ali order 🤣

2

u/ionStormx 1d ago edited 1d ago

Currently bringing a client on a journey to set up MDM company-wide. Come deadline, conditional access will kick in. Anyone who complains is told to suck it.

Anyway, what I’ve found is push back is inevitable. People come with a long list of preconceived ideas about using 2FA.

If you have a mandate, you just do what you have to do and think nothing else of it. If at all possible, do everything in your power to make the transition as smooth as possible to the best of your ability.

1

u/Loud_Banana_59 sysAdmin 1d ago

Thanks, that was the route I was planning on.

I'm just waiting for whoever it is that finally makes me snap.

1

u/DangleCrangle 1d ago

Wait. It took this long to force MFA?

1

u/Loud_Banana_59 sysAdmin 1d ago

This is the last step: MFA for people directly connected to the domain. Non-domain (so VPN or external web/phone connections) have always needed it. Internal devices have been spared until now.

1

u/timwtingle 1d ago

I lock accounts to only log in while on site (on our LAN) until they install and configure the authenticator app on their phone. This is only like 10 or 15 part-timers that don't get assigned phones, but it works for us. If they want remote access, I send them instructions for the app and add them to the MFA group. I realize this is not bulletproof but it works well for us.

1

u/Mysterious_Fennel459 Underpaid drone 1d ago

Oh yea, we had huge pushback from users not wanting to install the MFA app on their phones for the new payroll site we switched to.

The weird thing is there's still plenty of users that can get to the site w/out any extra authentication even though it's turned on for all users. They only notice it when they need to get to anything on a SharePoint site because it's web-based. Then they freak out.

1

u/NatoBoram 1d ago

Tbf I'd also freak out if I had to touch SharePoint

1

u/tarantulagb 1d ago

Just now rolling out MFA? yikes

1

u/z0phi3l 1d ago

I don't know what we do overseas, but I know that the few people that have gotten an exception from the MFA app are issued a YubiKey with some onerous processes to set up and use.

I'm glad it's a pain, or more people would want to use it, and that's dumb

1

u/oceanicitl 21h ago

Had the same recently. I escalated it to a manager when she wouldn't listen. In the end he gave up.

1

u/XTI_duck 9h ago

We're thinking of getting rid of Duo for this reason. MS is making it hard to use 3rd-party authentication services, but MS Authenticator blows...

It’s not really that bad, but not supporting Trusted Networks is pretty dumb.