The CyberArk Identity Connector provides a secure, mutually authenticated, inbound communication channel with the CyberArk Identity SaaS. This feature is essential for ensuring that the communication between CyberArk Identity’s cloud services and the internal network is secure and authenticated, preventing unauthorized access and potential security breaches.

References : The information is based on the official CyberArk documentation which describes the installation and deployment of the CyberArk Identity Connector, highlighting its role in enabling secure communication between CyberArk Identity and other services on the internal network 1 2 .  It is also supported by the content found in the CyberArk Identity release notes and product announcements 3 .

To enforce passwordless authentication for business-critical web applications managed by CyberArk Identity, you can take the following steps:

Configure a certificate-based authentication policy in CyberArk Identity that only allows access to CyberArk Identity or the business-critical web applications. This ensures that only authenticated users with the correct certificates can access these applications, aligning with the passwordless authentication initiative.

Roll out the CyberArk Windows Cloud Agent to the affected endpoints. The Cloud Agent will facilitate secure access to the applications without the need for a traditional password, as it can handle certificate-based and other forms of passwordless authentication methods.

These actions will help in transitioning to a passwordless environment by leveraging CyberArk Identity’s capabilities to manage and secure access to critical applications.

References :

CyberArk’s official documentation on Passwordless Authentication 1 .

CyberArk’s guide on Authentication Mechanisms 2 .

Role Management, such as add user to role: can be performed in the Admin Portal

Report Management, such as create, delete, and run reports: can be performed in the Admin Portal

CyberArk Identity User Behavior Analytics Settings Configuration, such as Models, Risk Models and Threat Intelligence: can be performed in the Admin Portal

Identity Verification, such as perform the identity verification process for end users with a mobile phone number: cannot be performed in the Admin Portal

In the CyberArk Identity Admin Portal, administrators have the capability to manage various aspects of user roles and security:

Role Management is a core function of the Admin Portal, allowing administrators to assign users to different roles, reflecting their permissions and access within the organization's resources.

Report Management is also available in the Admin Portal, providing administrators the ability to generate, modify, and delete reports that help in monitoring and auditing purposes.

CyberArk Identity User Behavior Analytics (UBA) settings configuration is part of the advanced security features that can be managed by administrators in the Admin Portal. These settings help in identifying potentially malicious activities by learning the typical behavior of users and detecting anomalies.

Identity Verification for end users, particularly actions like performing the identity verification process, is typically a user-driven process and may not be directly managed through the Admin Portal. It is generally part of the self-service capabilities provided to end users to verify and manage their identities.

 Integrated Windows Authentication (IWA) and FIDO2 Authentication are two methods that can enable a user to bypass the default authentication rules and profile when logging on to the User Portal. IWA allows users to authenticate using their Windows credentials, which can be configured to bypass additional authentication challenges. FIDO2 is a modern authentication standard that supports passwordless authentication, which can also be set up to bypass the default authentication mechanisms.

References : The information is based on CyberArk’s official documentation, which provides details on configuring multi-factor authentication (MFA) for the User Portal and the ability to bypass user authentication for launching applications 1 2 .

Login to the User Portal.

Click the Devices page, and click Add Devices.

On the mobile device app, use the camera to scan the QR code.

Authorize the application download.

Enroll the mobile device.

The process of installing the CyberArk Identity mobile app using a QR code involves several steps to ensure a smooth and secure setup. First, the user must log into the User Portal provided by CyberArk, which is the centralized interface for managing user settings and security options. After logging in, the user navigates to the Devices page where they can manage and add new devices to their profile. The option to add a device will prompt the user to use their mobile device to scan a QR code. This QR code contains the configuration details and a link to download the mobile app. Once scanned, the mobile device will prompt the user to authorize the download of the CyberArk Identity mobile app from the app store. After the app is downloaded, the final step is to enroll the device with the user's CyberArk Identity account, which may include setting up a PIN or biometric verification and agreeing to any necessary permissions. This completes the installation and ensures the device is securely managed under the user's identity profile.

In order to restrict access to the CyberArk Identity user portal to only corporate-issued domain-joined laptops without the need for a VPN, you would utilize the Windows Device Trust agent with certificate-based authentication. This agent can ensure that only devices with a trusted certificate, typically deployed through domain-joined status, can access the portal. This method relies on the presence of a specific certificate on the laptop which confirms its trust status and domain-joined condition. It provides secure and seamless user access while ensuring compliance with corporate security policies, allowing access only from corporate-managed devices.

When users are unable to enroll into the system using the enrollment code, it could be due to limitations on the number of endpoints that can join or lack of clarity in the enrollment process. By setting the maximum number of joinable endpoints to “unlimited”, you remove any restrictions on the number of devices that can be enrolled with the same code. Adding a description within the enrollment code can provide users with additional context or instructions, which may help them during the enrollment process.

References : The information is based on general best practices for managing endpoint authentication and enrollment processes. For the most accurate and detailed information, please refer to the latest CyberArk Defender Access (ACC-DEF) course materials and documents.  Specific details about managing authentication certificates and enrollment can be found in the CyberArk documentation 1 2 .