There’s another level here that I’ve been wanting to explore.
In our old Data Collection stations, we had a Windows login and then a Kinetic login. The Windows login was set up to autologin (like kiosk mode). The Kinetic login was a shared username/password for that workstation. Not ideal.
It is possible to log into Windows using a local certificate. Better identity control would be having users log into a browser profile on that machine using Entra. Now each user’s work is recorded under their ID.
The tough part is teaching the operators to switch to their profile. Will they time out if they walk away, etc.
Is it possible for you to share some more insight on how this all functions? What the users see, what stations you have this setup on and so on.
I’m finding it difficult to get the Office or Entra login to work smoothly with a YubiKey, and as noted above I’m finding that you need some sort of 2FA already set up on the account before you can enroll a YubiKey. It will not let you register that as the initial 2FA method. It’s a pain in the ass, but I can work around that by using a temporary passcode as the first login type.
I guess the best thing is to explain my environment more. We have a large manufacturing floor with multiple PCs on it that auto login to our local domain, and they now auto launch Epicor MES and log in as the same user in every location (approx. 32 machines). We have only one user ID that is assigned as a MES user. The employees who are 100% assembly personnel walk over to those machines and just use the MES screen to clock in and to log into and off jobs. They have absolutely no other responsibilities in Epicor, which is why they are never issued a login.

In addition to that we have what we call Group Leads and Department Supervisors. The Group Leads are probably 75/25 when it comes to assembly vs. Epicor usage, so they are given unique network logins to access network resources, as well as an Epicor user ID so they can interact with production responsibilities on the floor. The supervisors are more of a 50/50 split; yes, they still spend time in the production area assisting in assembly, but they are also responsible for the department scheduling and material supply for jobs running through. Those users also have network logins/email and Epicor IDs.

Currently any user who has access to CUI or is involved in any of our government contracts is issued a YubiKey for network access, so that is already deployed, and currently any user who has OWA or access to email on their mobile device is set up with O365 MFA utilizing Microsoft Authenticator or text codes. In addition to the production area we have an office administrative/engineering/R&D area where those users all have network logins, most already with MFA, and they all have Epicor IDs as well.

I know adding additional YubiKeys is possible for local AD users on my AuthLite install here, but I’m guessing Microsoft isn’t going to allow 32 different YubiKeys to be assigned to one MES user ID to be used on those ~32 machines.
This is one scenario that we use in maybe 2-3 locations. There are some departments where multiple users are trained to do one task in Epicor, and the single PC that logs in to Epicor in that area uses a stored auto login process. So they don’t even know the user ID or password, but it is a shared account.
Those are the main areas that I don’t know what we are going to do with yet, and those are pretty frequently used areas too.
The data collection clients really have me bothered though, since they are so widespread and I have production users who are not computer literate at all, so expecting them to log into a web browser client and use passwordless login with a YubiKey and PIN is a bit concerning.
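The "temporary passcode as the first login type" workaround mentioned in the post above is Entra's Temporary Access Pass (TAP). The script below is an added example, not from any poster or from Epicor, showing how an admin can inventory a user's registered authentication methods and issue a single-use TAP with the Microsoft Graph PowerShell SDK so that the user's first sign-in can go straight to registering a FIDO2 key (YubiKey) with no Authenticator or SMS method needed beforehand. It assumes the Microsoft.Graph.Identity.SignIns module is installed, that the signed-in admin holds a role allowed to manage authentication methods (for example Authentication Policy Administrator or Privileged Authentication Administrator), and that the Temporary Access Pass method is enabled in the tenant's authentication methods policy. The UPN is a placeholder.

```powershell
# Added example (not from the thread): bootstrap a FIDO2/YubiKey registration for a
# user who has no MFA method yet by issuing a Temporary Access Pass via Microsoft Graph.
# Assumptions: Microsoft.Graph.Identity.SignIns is installed, the signed-in admin may
# manage authentication methods, and TAP is enabled in the tenant's method policy.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,   # placeholder, e.g. 'operator01@example.com'
    [int] $LifetimeMinutes = 60
)

Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'

# 1. Inventory what the user already has registered. The @odata.type of each
#    returned object identifies the method kind (Authenticator, phone, FIDO2, ...).
$methods = Get-MgUserAuthenticationMethod -UserId $UserPrincipalName
$types   = @($methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] })
Write-Host "Registered methods for ${UserPrincipalName}:"
$types | ForEach-Object { Write-Host "  $_" }

# A password method is always listed; if a FIDO2 key is already there, stop.
if ($types -contains '#microsoft.graph.fido2AuthenticationMethod') {
    Write-Host 'A FIDO2 security key is already registered; no TAP needed.'
    return
}

# 2. Issue a one-time TAP. The user signs in with it at the My Security Info page
#    (https://aka.ms/mysecurityinfo) and registers the YubiKey as their first strong method.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName `
    -LifetimeInMinutes $LifetimeMinutes -IsUsableOnce

Write-Host "TAP for $UserPrincipalName (valid $LifetimeMinutes min, single use): $($tap.TemporaryAccessPass)"

# 3. After the user has registered the key, verify it from the admin side:
#    Get-MgUserAuthenticationFido2Method -UserId $UserPrincipalName |
#        Select-Object DisplayName, Model, AaGuid, CreatedDateTime
```

The TAP is shown once and is consumed on first use (or expires), so hand it to the operator in person rather than by email; the inventory step also makes it obvious when a user was given SMS or Authenticator earlier and can have that weaker method removed once the key is registered.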