[41600] in Resnet-Forum
Re: Duo and IMAP
daemon@ATHENA.MIT.EDU (Paul Coen)
Mon Mar 20 14:53:58 2017
Message-ID: <CAJjkvr8iVybVyza8-sj8ChYiitpP4V-c=5G2m-E2mjg1KiJtZQ@mail.gmail.com>
Date: Mon, 20 Mar 2017 14:45:54 -0400
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: Paul Coen <pcoen@DREW.EDU>
To: RESNET-L@listserv.nd.edu
In-Reply-To: <CAJYsP4YHN7R2O9GP16mpMHoV1xA8mT6SqwceLOx1LEoEo1dVHA@mail.gmail.com>
We use our identity management system (we're using NetIQ - formerly Novell
- IDM with the Google Apps driver) to populate the Google Apps / G Suite
password, telling the users it's a "device password". We expire that on a
significantly more frequent basis than the users' network credentials,
protected by two-factor. We randomly generate the password, and the users
have a portal (protected by their Duo two-factor credential) that they can
use to look up the device password to reset it on their devices. We send
warning emails out ahead of the expiration date.
Note that the Google Apps password also gets used by the Google Sync
(Exchange) support that Google Suite mail/calendaring provides, which is
what we encourage our campus to use.
People have been pretty tolerant of the scheme, which we've had in
place for a few years. Not allowing device connections would have been a
non-starter. We likely would have been told to make exceptions for
executives and other key constituencies.
We're also not currently enabling two-factor for students, unless they're
working in certain offices.
On Mon, Mar 20, 2017 at 2:33 PM, Bud Hiller <dhiller@bucknell.edu> wrote:
> Hey all, here's a question for you: we're a G Suites campus, and we've
> moved all staff to Duo multi-factor auth, and we're in the process of
> moving faculty there this semester. Our CIO has hinted that he might be
> dropping any sort of IMAP connection moving forward, since Duo only works
> with web logins through our CAS server (which means if you use Apple Mail,
> you're unaffected).
>
> That would also shut off checking email on your phones, and I can't
> imagine that there's a campus in the country that doesn't allow staff,
> students, faculty and administrators to check their university email on
> their phones without going through a web based interface where you have to
> type in your passwords!
>
> Are there any schools that enforce multi-factor auth to this extent? I
> can't imagine the riot if that was proposed here, and we're no different
> than any other school in that respect.
>
> Bud Hiller
> Bucknell Univ
> Lewisburg, PA
> ___________________________________________________ You are subscribed to
> the ResNet-L mailing list.
>
> To subscribe, unsubscribe or search the archives, go to
> http://LISTSERV.ND.EDU/archives/resnet-l.html
> ___________________________________________________
>
--
*Paul Coen <http://www.drew.edu/directory/?q=email:pcoen>* | Senior
Systems Architect & Instructional Technology Consultant | University
Technology <http://www.drew.edu/ut>
Drew University | 36 Madison Ave | Madison, NJ 07940
973-408-3035 | drew.edu <http://www.drew.edu/> |
@DrewUniversity <https://twitter.com/DrewUniversity>
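
Added example (not part of the original message, and not Drew University's code): a sketch of the device-password lifecycle described above, covering random generation, expiry, warning notices and a lookup gated on the second factor. The 90-day lifetime, the 14/7/1-day warning schedule and every function name are assumptions; pushing the new value to the mail provider is left to the identity management system.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy values; the message does not state the real lifetime or schedule.
LIFETIME_DAYS = 90
WARN_DAYS_BEFORE = (14, 7, 1)
ALPHABET = string.ascii_letters + string.digits  # easy to type on a phone keyboard


@dataclass
class DevicePassword:
    user: str
    value: str
    expires: date


def issue(user: str, today: date, length: int = 16) -> DevicePassword:
    """Randomly generate a device password from the OS CSPRNG and stamp its expiry."""
    value = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return DevicePassword(user, value, today + timedelta(days=LIFETIME_DAYS))


def nightly_run(records: dict, today: date):
    """Return (users to warn today, users whose password was rotated today)."""
    warn, rotated = [], []
    for user, rec in sorted(records.items()):
        days_left = (rec.expires - today).days
        if days_left <= 0:
            # Expired: replace it; devices fail until the user looks up the new one.
            records[user] = issue(user, today)
            rotated.append(user)
        elif days_left in WARN_DAYS_BEFORE:
            warn.append((user, days_left))
    return warn, rotated


def portal_lookup(records: dict, user: str, mfa_verified: bool) -> str:
    """Reveal the current device password only after the second factor succeeded."""
    if not mfa_verified:
        raise PermissionError("second factor required")
    return records[user].value
```

Because the portal has to display the value, the device password is stored retrievably rather than as a hash, so the store behind `records` needs the same protection as any other secret vault.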