(New UI) Evo Cloud: Directory-As-A-Service Setup and Installation
Evo Cloud is our answer to a cloud directory. If you do not have a domain, or do not use another directory, we offer this service as part of Evo so that you can utilize a directory for yourself and for your users. This could be an answer for you if you are trying to protect workstations that are non-domain joined and all users are local. Using Evo DAAS enables you to provide all of the incredible security features that Evo has to offer for customers that don't have a domain. Once the directory is created, you'll need to add users directly to Evo.
Pre-Requisites
- Please review the Requirements & Prerequisites documentation
- You should have an Evo Portal and a Break Glass user set up so that you can access your own Evo instance.
- Have your local users documented for the setup process. For users of Evo Cloud directories you will need to have usernames that match exactly what is on the local machine:
  - Local Username: Thomas
  - Evo Cloud: Thomas@domain.com
  - Alias: Thomas
  - Evo considers the username to be the text before the @ symbol.
  - Additional Information on Aliases can be found here
- For Elevated Access to work, you will also need to have a matching local admin that you will be elevating into. For Evo Cloud users this is done on a per-machine basis.
You will use your Break Glass user to perform this initial setup process. Once your other user(s) are synced in and provided the correct permissions you can then log in to your newly synced account and complete administration there.
Tenant / Directory Creation
First a tenant and directory must be created if you are doing this for a new customer.
Note: When an Evo portal gets created, an Evo Cloud directory is created automatically with your company name, and the Break Glass user is placed inside that tenant. If the users are part of your own company, you can add them to this tenant and directory. If you are doing this for a customer, it is advised to create a new tenant/directory.
On the tenant homepage, select New on the right side

Create a name for your new Tenant/Customer and then create a name for the underlying directory.

User Creation
Users are added to your tenant in one of two ways – the first being via a sync from a configured directory, such as Google Workspace, or Active Directory.
As there is no directory source when doing an Evo Cloud setup, the second is by adding the user manually into Evo.
On the next screen you'll add your users in manually

Give your user a name to identify it within Evo. Give it a level of access depending on your needs:
- Evo Cloud User: This is a regular user. This user can only be associated with an Evo Cloud Directory.
- Evo Cloud User (Admin): This is an admin user. This user can only be associated with an Evo Cloud Directory.
- Evo Cloud User (Guest): This is an admin user. This user can be associated to non-Evo Cloud Directories, such as Google Workspace, or Active Directory.
When you add the email in, remember that the email must match exactly the user on the machine that is being logged into.
In this example, we are using evo-local-user as the user.
You can confirm this username by opening the command prompt and running the whoami command. You can also check in User Management (lusrmgr.msc) to identify your users.

The email provided doesn't have to be a legitimate email although if possible it is preferable. You can use an alternate email to complete the MFA setup later on.
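The username check described above can be scripted before you add users. This is an added example, not Evo's own tooling: it compares a planned list of Evo Cloud logins against the local accounts on the machine, using the rule that the text before the @ symbol is the username. The `$PlannedLogins` values and the `Test-EvoUsernameMatch` function name are constructed for illustration, and treating "match exactly" as case-sensitive is an assumption.

```powershell
# Added example: compare planned Evo Cloud logins with the local accounts on this machine.
# $PlannedLogins is constructed sample data; replace it with your own documented list.
$PlannedLogins = @(
    'evo-local-user@domain.com',
    'Thomas@domain.com'
)

# Enabled local accounts, and local members of the built-in Administrators group
# (looked up by well-known SID so it also works on non-English Windows).
$localUsers  = Get-LocalUser | Where-Object Enabled
$localAdmins = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object PrincipalSource -eq 'Local' |
    ForEach-Object { ($_.Name -split '\\')[-1] }

function Test-EvoUsernameMatch {
    param(
        [string[]]$Logins,
        [string[]]$LocalNames,
        [string[]]$AdminNames = @()
    )
    foreach ($login in $Logins) {
        # Evo treats the text before the @ symbol as the username.
        $prefix = ($login -split '@', 2)[0]
        # Assumption: "match exactly" includes letter case, so case-only differences are flagged.
        $exact    = $LocalNames | Where-Object { $_ -ceq $prefix }
        $caseOnly = $LocalNames | Where-Object { $_ -ieq $prefix -and $_ -cne $prefix }
        if ($exact) {
            $status = 'Match'
        } elseif ($caseOnly) {
            $status = "CaseDiffers (local: $($caseOnly -join ', '))"
        } else {
            $status = 'NoLocalAccount'
        }
        [pscustomobject]@{
            EvoLogin     = $login
            Username     = $prefix
            Status       = $status
            IsLocalAdmin = $AdminNames -contains $prefix   # relevant when planning Elevated Access
        }
    }
}

Test-EvoUsernameMatch -Logins $PlannedLogins -LocalNames $localUsers.Name -AdminNames $localAdmins |
    Format-Table -AutoSize
```

Any row that is not `Match` should be corrected in your user list before the user is added to the Evo Cloud directory.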
Once you complete the user details, select the Add User option to add the user into the Evo Cloud directory.
You can add additional users as well at this time. Once completed, click next to move to the next screen.
Creating an Access Token (Optional)
The next screen in the Tenant setup will be for creating an access token. This token will be used for the Evo Login Agent installer.
Give your token a name, ideally one that will help you distinguish this token from others you can create in the future.
Give it an expiration date. At this date, all communication between agents installed with this token and the Evo Cloud will be cut off. Evo Admins will get notices that the token is about to expire and you can extend the date by coming back to the Evo Portal and changing the expiration date.
After you select the date click Create Access Token.

Once you leave this screen the Token values will disappear and the secret value cannot be retrieved. Be sure to save the token details in a password manager or some vehicle that will allow you to retrieve the token details later on.
You can also skip this step by clicking next and create the token later from the tenant menu under Access Tokens.
Select next to move to the next portion.
Next we're going to set up licenses for these users.
Licensing Users
Now that your tenant and directory have been created and a user has been added manually, you have access to the tenant menu. You can select the Tenant from the homepage and the tenant menu should appear below.

Once your tenant shows up in that field, select the Users tab and make sure your users that have been added appear in this list. If you need additional users you can use the New button on the right side to add additional users into your Evo Cloud directory.

Now that users have appeared we need to get licenses moved over to the appropriate tenants. Evo licenses are pooled and need to be allocated per tenant.
Go to the Settings tab and Billing to make the adjustments.

Select your tenant at the bottom by clicking the pencil icon on the right side.
Select the number of licenses that you want to add to the tenant and click Save.

Now that your licenses are part of the tenant you can now add them to users.
Select the user by clicking on the checkbox next to their name and select the Assign Licenses option that shows up on the bottom of the screen.

If the user only requires MFA login you can assign them a Secure Login license. If they are going to be using Elevated Access to elevate onto machines on this tenant, give them an Elevated Access license (comes with Secure Login included).
Now that the user is licensed, we need to set up MFA on their account.
Set up MFA for End User / Admin User
Select the user by clicking on their name which will pull up their profile summary on the right side.

Select the View Full Profile option to pull up their user details.

From here you can also allocate licenses. You'll want to enable MFA as well for the account by selecting the slider.
For users who will need roles and permissions to work with items in the Evo Portal, you'll also want to convert them to Admins by selecting the option on the right. These are only admins within Evo, not anywhere else. Once they are converted and set up, you can now send a welcome email to that user.
If the user's email is a legitimate email you can just click the option to send the welcome email. If you need to send it to another address, an option to do so is within the window.

That user should now receive a welcome email that will look like this:

Click the first link to create a password.
For users of Secure Login, the password that is created in Evo must match the password that is used to log in to their machine in order for the authentication to work. If the password is mismatched the user will not be able to log in via Secure Login.
If a user is only using Elevated Access, the passwords do not have to match.
Once that is completed, do not attempt to log in just yet. Doing so will send a one-time code to your email address; this indicates your user is set up but the MFA is not set up on a mobile device.
Download the Evo Secure Login App for the appropriate device.
After that is complete, select the option to scan the QR code. The QR code will appear on screen. If this is the user's first QR code, follow the instructions on screen for scanning and setting up security questions.

Once that is completed you should now be able to log in to your Evo Portal with your email address and Azure-based credentials. Once you do so, you should get a prompt to respond to your push authentication or enter your 6 digit TOTP code for access.
After that you should be logged in to the Evo Portal with your newly created Evo credentials.
If you are working with an end user, this process is complete.
Depending on your user designation in Evo (User or Admin) you will see a different version of the Evo Portal.
End users will only see an option to download the Evo Secure Login application and show their QR code. An Evo Admin will see the administration portal (but won't have permissions to do anything yet).
The next steps are associated with Evo Admins and users of Elevated Access.
Roles & Permissions
You'll want to create a role that is appropriate for your Users. To start you can create an All Access Role.
Select the New option on the right to start the Role Creation process.

When you pull up the role menu you'll see any groups that have been added (Azure groups are not added here by default) and all of your admin users underneath.
Groups can be used to more easily assign roles in the future to newly added users. Be aware that if you assign a group you will assign all underlying admin users those group permissions.
You can also select individual administrators to have the roles assigned.

Once you select the appropriate parties you can select the roles you'd like to give them.
More details on individual roles can be found here.
After you select the roles, click save to finish the role creation process.
Tenant Access
Select the Tenant Access Tab or from the menu on the left under Onboarding.

Select your tenant by clicking on the pencil icon on the right.
Select all groups and/or users that you would like to have access to the tenant and click Save.

Any admin user that you've added these permissions for should now be able to refresh their screen, or log out and log back in, and see the Evo administrative functionality.
If not completed already, now create an Access Token for installing the Evo Agent.
Access Token (If not completed already)
Under the tenant menu, select Access Token and click New on the right hand side

This token will be used for the Evo Login Agent installer.
Give your token a name, ideally one that will help you distinguish this token from others you can create in the future. Select the Type as Credential Provider.
Give it an expiration date. At this date, all communication between agents installed with this token and the Evo Cloud will be cut off. Evo Admins will get notices that the token is about to expire and you can extend the date by coming back to the Evo Portal and changing the expiration date.
After you select the date click Create Access Token.
Once you leave this screen the Token values will disappear and the secret value cannot be retrieved. Be sure to save the token details in a password manager or some vehicle that will allow you to retrieve the token details later on.
Now you can get the Evo Login Agent set up on your target system.
Installing the Evo Agent
Now that everything is complete on the Evo Portal side, go to Settings -> Downloads to get a copy of the Evo Login Agent.

Once you download the agent, move the agent over to the system that you want to perform the install on.
You'll also need the Access Token details that you saved from the previous steps so have that accessible to the machine you are testing on.
Start the installer and walk through the process. You will eventually get to a screen that has inputs for the details from the Access Token.

Fill in the details from the access token and change the authentication mode to both for now.

Finish the installer and complete setup.
Once complete, search for Evo on the Windows taskbar and you should see Evo Settings Editor pop up.

From here you can do a Connection Test and test the MFA setup.
For Secure Login you can select just the Secure mode and use the username of the Evo user that you have set up (the prefix before the @ sign in the email).

Testing Secure Login
To fully test, log out of your user session.
You should now see an Evo Security Login option on your login screen.
Select that option and the login prompt should appear

Enter your username and password and the prompt should appear to approve the push notification

After that is approved you should now be logged in to the account via MFA.
Now that Secure Login has been tested and is working, you can move on to setting up Elevated Access into the target machine if desired (and if licensed for it).
Elevated Access Setup
Evo Elevated Access on a workgroup machine is a slightly different process from an Elevated Admin for an LDAP or Azure created directory.
Now that the Evo Login agent is installed, you will see a list of administrators that have been pulled in.
You can view these admins by going to the Tenant Menu and selecting Local Accounts

If you haven't already set up an administrative account that you want to elevate into, create a new local administrator on the machine.
You can manually sync any administrator accounts from the Evo Settings Editor as needed by clicking the Administrator Sync. You can also hold Ctrl before clicking the button to perform a full replacement of all administrators.

Once that account is available in the Evo Portal, you'll need to create an assignment for using the Elevated Access account.
Creating a Bypass Domain Account
First you'll need to create a Dummy Domain Account to allow for a bypass of the Domain Account assignment.

Go to the Domain Accounts section and create a new Domain Account

You can give this account any name and password; it will only be used to access the Elevated Access assignment for the given user.
Once provided, select save to complete the process.
Now we will provide the assignment for the Elevated Access user
Elevated Access Assignment
Select Onboarding under the Global menu and then Create Assignment on the right

Name your assignment and select the tenant to filter the list to the designated domain accounts

Select the dummy domain account and then select the appropriate user that you want to be able to elevate into the account.

Once that is complete, click save to complete the assignment.
Local Account Rotation
Now that the assignment is complete, head back to the Local Accounts section and find the administrative account that you want to elevate into.

Determine the account you want to elevate into and select the Pencil option on the right side of the screen.

Select your password rotation frequency and click the save frequency button. After that you'll need to manually rotate the password once to start off the rotation.
Once the password gets rotated, confirm that the rotated password is captured by the agent. You can select the Eyeball underneath the account to confirm the Local Administrator password. Make sure that it matches what is in the listed view for the agent.
If the password doesn't rotate, stop and start the Evo Login agent on the target system.
Once confirmed, you can now test Elevated Logins on the target machine.
Return to the system with the Evo Agent Installed and perform another connection test but this time by using your full Evo email and the password on your account.

Once confirmed, you can now fully test Elevated Login by signing out and signing back into the machine.
Once the login screen appears, select Evo Security Login. Once the prompt appears, select Elevated Login.
The prompt should change from Windows Username to Email Address.
Enter your full Evo credentials.

Once complete, approve the notification again and now you should be logged in to the Elevated Access account using your own credentials.
You can verify this by opening a command prompt and running the whoami command to verify the user you are logged in as.
If any of these tests are unsuccessful, verify you have permissions correctly configured in your Evo Portal.
This includes:
- Role Based Permissions
- Tenant Access
- Elevation Assignment
Please reach out to the support team with any questions!