With the logon and security settings of Elastic Desktop Service (EDS) Enterprise, you can control the logon methods available to end users and enforce security checks at every stage of cloud computer usage. For example, single sign-on (SSO), multi-factor authentication (MFA), trusted device authentication, and client logon verification ensure that end users pass strict identity verification before they log on, and timeout-triggered automatic logout reduces the risk of data leakage from unattended terminals. This topic describes these logon security features and how to use them.
Organization ID logon
Basic information
Organization ID
The initial organization ID is an 8-character random unique identifier that the system generates automatically. It consists only of digits and uppercase English letters, excluding letters such as I and O that are easily confused with digits. End users can use the organization ID to log on to an Alibaba Cloud Workspace terminal and access cloud computers in all office networks.
Organization ID Network Access Mode
This setting determines the network path over which clients reach cloud computers. If you select an option that includes VPC, clients connect over a private network through the PrivateLink service, which is activated automatically at no extra cost.
Internet
The cloud computer gateway accepts client connections from the internet, which is the simplest option to deploy. The cloud computer itself sits behind the gateway and is not directly exposed to the internet.
VPC
Cloud computers accept client connections only from within a private network (VPC), and not from the internet.
Internet and VPC
The client determines the connection method, and the gateway is open to both the internet and private networks (VPC).
Logon information
Logon methods
On this tab, you can enable or disable enterprise identity sources and adjust the order in which they are displayed.
Logon security
Multi-factor authentication (MFA)
After you enable multi-factor authentication (MFA), end users who log on to an Alibaba Cloud Workspace terminal must enter not only their username and password but also a dynamic password or verification code for MFA, which adds an extra layer of security. For more information, see Set up multi-factor authentication (MFA) for logon.
Client logon verification
This feature is disabled by default. When enabled, an end user who logs on to an Alibaba Cloud Workspace terminal from a device that has not been used before must confirm their identity with a verification code sent by SMS or email.
This check applies only to convenience accounts that connect over the public network.
For an organization ID
Log on to the Elastic Desktop Service Enterprise console.
In the left-side navigation pane, choose .
On the Logon page, on the Security tab, turn on the Client Logon Verification switch.
In the dialog box, confirm the information and click OK.
For an office network
Log on to the Elastic Desktop Service Enterprise console.
In the left-side navigation pane, choose .
In the top navigation bar, select a region.
On the Office Network page, find the target office network and click the office network ID.
In the More Information section at the bottom of the office network details page, turn on the Client Logon Verification switch.
Note: SSO settings, multi-factor authentication, and client logon verification are mutually exclusive for an office network: you can enable only one of these logon verification methods for an office network at a time. For an organization ID, these features are not mutually exclusive and can be enabled simultaneously.
In the dialog box, confirm the information and click OK.
Trusted device authentication
This feature is disabled by default. When enabled, end users can log on only from the limited logon terminals that you have added in the console and bound to them; logons from any other terminal are rejected.
This feature applies only to convenience accounts.
Prerequisites
You have added an Alibaba Cloud Workspace terminal in the console and bound a user to it. For more information, see Manage software clients or Manage hardware terminals.
Procedure
For an organization ID
Log on to the Elastic Desktop Service Enterprise console.
In the left-side navigation pane, choose .
On the Logon page, on the Security tab, turn on the Trusted Device Authentication switch.
In the dialog box, confirm the information and click OK.
For an office network
Log on to the Elastic Desktop Service Enterprise console.
In the left-side navigation pane, choose .
In the top navigation bar, select a region.
On the Office Network page, find the target office network and click the office network ID.
In the More Information section at the bottom of the office network details page, turn on the Trusted Device Authentication switch.
In the dialog box, confirm the information and click OK.
Block logons from untrusted terminals
This setting is disabled by default. When enabled, only trusted terminals (such as managed hardware terminals, managed desktop clients, and limited logon terminals added for users) can log on. All other terminals are considered untrusted and are blocked.
This is a strict control measure that may affect user access. Enable it with caution.
Procedure
Log on to the Elastic Desktop Service Enterprise console.
In the left-side navigation pane, choose .
On the Logon page, on the Security tab, turn on the Block Logons of Untrusted Terminals switch.
In the dialog box, select an Interception Scope (at least one is required).
Scope | Effect |
Organization ID | Terminals other than trusted terminals cannot use this organization ID to log on. |
Office Network ID | Terminals other than trusted terminals cannot use this office network ID to log on. |
Click OK.
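The three per-terminal checks above (client logon verification, trusted device authentication, and blocking untrusted terminals) combine into a single decision for each logon attempt. The following Python model is added here as an example and is not part of EDS or its client: it shows one way that decision, and the one-time verification code behind client logon verification, can be implemented. The settings object stands for whichever logon ID the user signed in with (organization ID or office network ID), the code lifetime and attempt budget are assumed values, and the terminal type names are constructed for the example; EDS does not publish this logic.

```python
"""Added example, not EDS code: how the per-terminal logon checks on this page compose."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 300   # assumed lifetime of a verification code
MAX_CODE_ATTEMPTS = 5    # assumed number of wrong guesses before the code is discarded

# Terminal type names are constructed; the page lists managed hardware terminals
# and managed desktop clients as trusted.
MANAGED_TERMINAL_TYPES = {"managed_hardware", "managed_desktop_client"}


@dataclass
class LogonSettings:
    """Switches on the Security tab for one logon ID (organization ID or office network ID)."""
    client_logon_verification: bool = False
    trusted_device_authentication: bool = False
    block_untrusted_terminals: bool = False


@dataclass
class User:
    name: str
    account_type: str                                          # "convenience" or "ad"
    known_devices: set = field(default_factory=set)            # devices that passed verification before
    limited_logon_terminals: set = field(default_factory=set)  # terminals added and bound to this user


def is_trusted_terminal(user, device_id, terminal_type):
    return terminal_type in MANAGED_TERMINAL_TYPES or device_id in user.limited_logon_terminals


def evaluate_logon(settings, user, device_id, terminal_type, public_network):
    """Decide what happens after the password check: 'block', 'verify' (send a code) or 'allow'."""
    # Block logons from untrusted terminals: the strictest check, applied first.
    if settings.block_untrusted_terminals and not is_trusted_terminal(user, device_id, terminal_type):
        return "block"
    # Trusted device authentication: convenience accounts only, bound terminals only.
    if (settings.trusted_device_authentication and user.account_type == "convenience"
            and device_id not in user.limited_logon_terminals):
        return "block"
    # Client logon verification: convenience accounts over the public network,
    # from a device the user has not verified before.
    if (settings.client_logon_verification and user.account_type == "convenience"
            and public_network and device_id not in user.known_devices):
        return "verify"
    return "allow"


class VerificationCodes:
    """One-time codes for client logon verification (delivery by SMS or email is out of scope)."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}   # (user, device) -> [sha256 of code, expiry, attempts left]

    def issue(self, user, device_id):
        code = f"{secrets.randbelow(10 ** 6):06d}"           # CSPRNG, 6 digits
        digest = hashlib.sha256(code.encode()).hexdigest()   # store a digest, never the code
        self._pending[(user.name, device_id)] = [digest, self._now() + CODE_TTL_SECONDS, MAX_CODE_ATTEMPTS]
        return code   # handed to the SMS/email sender

    def verify(self, user, device_id, submitted):
        key = (user.name, device_id)
        entry = self._pending.get(key)
        if entry is None:
            return False
        digest, expiry, _ = entry
        if self._now() > expiry:
            del self._pending[key]       # expired codes are dropped, not compared
            return False
        ok = hmac.compare_digest(digest, hashlib.sha256(submitted.encode()).hexdigest())
        entry[2] -= 1
        if ok or entry[2] <= 0:
            del self._pending[key]       # single use; also gone once the attempt budget is spent
        if ok:
            user.known_devices.add(device_id)   # the device is no longer "new"
        return ok
```

On a successful verification the device joins the user's known set, so the next evaluate_logon call from it returns "allow". A code that expires or exhausts its attempt budget is discarded, which is what keeps a six-digit code from being brute-forced, and the comparison uses hmac.compare_digest so timing does not leak which digits matched.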
Single sign-on (SSO)
Single sign-on (SSO) is an authentication scheme that lets a user authenticate once and then access multiple trusted application systems without logging on to each one separately. SSO is implemented on the basis of identity federation.
The following terms are frequently used in SSO scenarios:
- Identity provider (IdP): the system that manages user identities. An IdP collects and stores identity information such as usernames and passwords, verifies user identities at logon, and issues assertions about the authenticated user to service providers. Common IdPs:
  - On-premises IdPs: deployed in your own infrastructure, such as Microsoft Active Directory Federation Services (AD FS) and Shibboleth.
  - Cloud IdPs: Alibaba Cloud Application Identity Service, Azure AD, Google Workspace, Okta, and OneLogin.
- Service provider (SP): an application that relies on an IdP for authentication and provides services to users on the basis of a trust relationship with that IdP. In protocols other than Security Assertion Markup Language (SAML), such as OpenID Connect (OIDC), the SP is called the relying party (RP).
- SAML 2.0: an XML-based standard for exchanging authentication and authorization assertions between an IdP and an SP. It is one of the technical implementations of SP-to-IdP communication and the de facto standard for enterprise SSO.
After you enable and configure SSO, end users log on to Alibaba Cloud Workspace terminals through your IdP. For office networks, SSO is disabled by default. For organization IDs, SSO is always enabled: there is no switch to turn on, and it cannot be disabled.
Procedure
You can follow these steps to enable SSO for an office network.
Log on to the Elastic Desktop Service Enterprise console.
In the left-side navigation pane, choose .
In the top navigation bar, select a region.
On the Office Network page, find the target office network and click the office network ID.
In the More Information section at the bottom of the office network details page, turn on the SSO switch.
Note: SSO settings, multi-factor authentication, and client logon verification are mutually exclusive for an office network: you can enable only one of these logon verification methods for an office network at a time. For an organization ID, these features are not mutually exclusive and can be enabled simultaneously.
Password policy
You can turn on Configure Password Rule to configure the following password settings.
Password Length: Set the minimum password length.
Password Validity: Turn on this setting to make passwords expire after a fixed period.
Note: The password validity period can be set from 7 to 365 days. If you have set a separate password validity period for a specific user, that user's password expiration date takes precedence over the policy.
Password Rule: Configure password complexity by selecting the character classes that a password must contain, such as Uppercase Letters, Lowercase Letters, and Digits.
Related topics
For information about how to configure SSO based on SAML, see Configure SAML-based SSO.
For best practices on integrating cloud computers with enterprise IdPs, see Single sign-on (SSO).
Office network logon
On this tab, you can enable Office Network ID-based Logon. When enabled, both Organization ID-based Logon and Office Network ID-based Logon are available. When disabled, only Organization ID-based Logon is available, and Office Network ID-based Logon is not.
FAQ
Differences between an organization ID and an office network ID
When end users log on to an Alibaba Cloud Workspace terminal, they can use an office network ID or an organization ID. Logging on with an organization ID provides access to cloud computers across all office networks. The following list describes which Alibaba Cloud Workspace terminals support logon with an organization ID:
For convenience accounts, all Alibaba Cloud Workspace terminals support logon with an organization ID.
For enterprise AD accounts, the following Alibaba Cloud Workspace terminals support logon with an organization ID: Windows client and macOS client (V6.4 or later), and hardware terminals (V6.8 or later).
You can enable various logon and security verification methods for both organization IDs and office network IDs. However, the supported features differ. The following table outlines these differences, using a convenience office network as an example.
The security verification methods supported for an AD office network are multi-factor authentication (MFA) and single sign-on (SSO).
Item | Organization ID | Office network ID |
Concept | An organization ID is a unique identifier for your enterprise. The system automatically creates an organization ID when you activate Elastic Desktop Service (EDS). If your primary Alibaba Cloud account has completed enterprise verification, you can customize the auto-generated organization ID. | An office network ID is the unique identifier for an office network. It is automatically generated by the system and cannot be modified. |
Effective scope | Logon settings and their security configurations at the organization ID level take effect for all cloud computers. | Logon settings and their security configurations at the office network level take effect only for cloud computers within that office network. |
Convenience account logon | Supported | Supported |
Enterprise AD account logon | Supported | Supported |
Automatic logon | Supported | Not supported |
Timeout-triggered automatic logout | Supported | Not supported |
Concurrent terminal limit | Supported | Not supported |
SMS logon | Supported | Not supported |
MFA | Supported | Supported |
Client logon verification | Supported | Supported |
Trusted device authentication | Supported | Supported |
SSO | Supported | Supported |
Configure logon verification methods
You can set logon verification methods for an organization ID and an office network separately. The settings for each are independent and do not affect each other.
If you log on to an Alibaba Cloud Workspace terminal with an organization ID, the verification methods configured for the organization ID are applied.
If you log on to an Alibaba Cloud Workspace terminal with an office network ID, the verification methods configured for the office network ID are applied.
Manage logon methods for an organization ID
If multiple logon methods are configured for an organization ID, follow these steps to set their visibility and display order on the Alibaba Cloud Workspace terminal interface.
Log on to the Elastic Desktop Service Enterprise console.
In the left-side navigation pane, choose .
On the Logon page, on the General tab, enable or disable logon methods in the Authentication Method section as needed.
Modify an organization ID
You can modify your organization ID only after your Alibaba Cloud account completes enterprise verification. The modification must be based on your enterprise verification information. For more information about enterprise verification, see Enterprise real-name verification.
Log on to the Elastic Desktop Service Enterprise console.
Choose an entry point:
Modify on the Overview page
In the navigation pane on the left, click Overview.
In the My Cloud Computer section of the Overview page, click Modify to the right of the current organization ID.
Modify on the Logon Settings page
In the left-side navigation pane, choose .
On the General tab of the Logon page, click Settings to the right of Organization ID.
In the Organization ID dialog box, enter an organization ID that meets the requirements, and then click OK.
Note: The ID must be 5 to 15 characters in length. It can contain letters (case-insensitive), digits, and the following special characters: ~#$%&:'_-+=|(){}[]<>. The ID cannot start with a special character. You can modify the ID only once every 15 days.
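The ID rules above are simple to encode, and a validator is useful when you script organization ID changes or want to check a proposed ID before submitting it in the console. The following Python is an added example, not EDS code: it generates an initial ID in the format described earlier on this page (8 characters, uppercase letters without I and O, plus digits) and checks a custom ID against the note above. That only I and O are excluded from the initial alphabet, and that the 15-day cooldown is measured from the last change, are assumptions.

```python
"""Added example, not EDS code: generate and validate organization IDs per the rules on this page."""
import re
import secrets
from datetime import datetime, timedelta

# Initial IDs: uppercase letters and digits, with I and O left out (assumed to be the only
# exclusions; the page says "such as I and O").
INITIAL_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ0123456789"
INITIAL_LENGTH = 8

# Custom IDs: 5 to 15 characters, letters of either case, digits and these special characters,
# and the first character may not be a special character.
SPECIAL_CHARS = "~#$%&:'_-+=|(){}[]<>"
MODIFY_COOLDOWN = timedelta(days=15)   # at most one change every 15 days (assumed: from last change)

_CUSTOM_ID_RE = re.compile(
    r"[A-Za-z0-9][A-Za-z0-9" + re.escape(SPECIAL_CHARS) + r"]{4,14}"
)


def generate_initial_org_id():
    # secrets rather than random: the ID is a logon identifier and should not be guessable.
    return "".join(secrets.choice(INITIAL_ALPHABET) for _ in range(INITIAL_LENGTH))


def is_valid_custom_org_id(candidate):
    # fullmatch, so trailing newlines or extra characters cannot slip past the pattern.
    return _CUSTOM_ID_RE.fullmatch(candidate) is not None


def can_modify_org_id(enterprise_verified, last_modified, now):
    """Modification needs enterprise verification and at most one change per 15 days."""
    if not enterprise_verified:
        return False
    return last_modified is None or now - last_modified >= MODIFY_COOLDOWN
```

The custom-ID pattern puts the first character in its own class so the "cannot start with a special character" rule is enforced by the regex itself rather than by a separate check that could drift out of sync with the allowed set.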
Logon policies
Elastic Desktop Service (EDS) Enterprise offers a range of logon policies and security settings to help you build a secure and reliable access system for your cloud computers.
Create a policy
Log on to the Elastic Desktop Service Enterprise console.
In the left-side navigation pane, choose .
On the Logon page, click the Logon Policy tab, and then click Create Policy.
Immersive mode
When you enable immersive mode for the Windows client, the local device running the Windows client shows only the client interface. This provides an immersive cloud computer experience for your end users and removes distractions from the local device.
Usage notes
Supported clients
This feature is supported only on the Windows client.
How it works
After you enable or disable immersive mode, the end user receives a prompt to restart the local device upon their next successful logon to the terminal. The end user must click Restart for the device to restart and enter immersive mode.
Note: The end user must click Restart in the client pop-up window for the change to take effect. Restarting the device with the local operating system's own restart function does not apply the change.
This feature modifies the Windows registry on the end user's local device. If the feature does not take effect, security software on the local device may be blocking the registry change.
Impact and scope
After immersive mode is enabled, the end user cannot return to the local operating system from the client interface. They also cannot use local operating system features, such as opening the Control Panel, Task Manager, browser, or network settings.
This setting affects all users in your organization.
Procedure
Log on to the Elastic Desktop Service Enterprise console.
In the left-side navigation pane, choose .
On the Logon page, click the General tab. To the right of Logon Settings, click Modify Logon Configurations.
In the Modify Logon Configurations panel, go to the Immersive Mode section and turn on the Use Immersive Mode After Client Logon switch.
Automatic logon
This setting controls whether end users can enable automatic logon on the Alibaba Cloud Workspace terminal logon screen and, if so, how long they can continue to log on without re-entering their credentials after a successful logon. You can leave the choice to end users (Customized by End User) or, by following the steps below, set it to Managed by Administrator and specify the automatic logon validity period yourself.
Log on to the Elastic Desktop Service Enterprise console.
In the left-side navigation pane, choose .
On the Logon page, click the General tab. To the right of Logon Settings, click Modify Logon Configurations.
In the Modify Logon Configurations panel, complete the following configurations and click OK.
Parameter | Description |
Automatic Logon | Customized by End User: end users can enable or disable automatic logon on the Alibaba Cloud Workspace terminal and set its duration. Managed by Administrator: the administrator configures automatic logon in the EDS console, and end users cannot modify the setting on the terminal. |
Automatic Logon Settings | Visible when Automatic Logon is set to Managed by Administrator. Enables or disables automatic logon. |
Automatic Logon Validity Period | Visible when Automatic Logon is set to Managed by Administrator and automatic logon is enabled. The period during which end users can log on automatically without re-entering their credentials. |
Important: If you set a limited password validity period (30 to 365 days) for a convenience account instead of a permanent password, and the automatic logon validity period set here is longer than the remaining validity of that account's password, automatic logon for that account may fail once the password expires. For more information about how to set the password validity period for a convenience account, see Create a convenience account.
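The password policy described earlier on this page (Password Length, Password Rule, and Password Validity with a per-user override) and the Important note above interact through the password's expiration date. The following Python is an added example, not EDS code, that applies those rules: it checks a candidate password against a rule, derives the expiration date with the per-user period taking precedence, and flags an automatic logon validity period that would outlive the password. The 7-to-365-day range check comes from the password policy note on this page; treating the Password Length setting as a minimum, and the default rule values, are assumptions.

```python
"""Added example, not EDS code: password rule checks and the expiry/auto-logon interaction."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class PasswordRule:
    min_length: int = 8                  # "Password Length", treated as a minimum (assumption)
    require_upper: bool = True           # "Password Rule" character classes
    require_lower: bool = True
    require_digits: bool = True
    validity_days: Optional[int] = None  # "Password Validity"; None means passwords never expire

    def __post_init__(self):
        if self.validity_days is not None and not 7 <= self.validity_days <= 365:
            raise ValueError("password validity period must be 7 to 365 days")


def password_problems(rule: PasswordRule, password: str) -> List[str]:
    """Return every rule the password breaks; an empty list means it is acceptable."""
    problems = []
    if len(password) < rule.min_length:
        problems.append(f"shorter than {rule.min_length} characters")
    if rule.require_upper and not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if rule.require_lower and not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if rule.require_digits and not any(c.isdigit() for c in password):
        problems.append("no digit")
    return problems


def password_expires_on(rule: PasswordRule, set_on: date,
                        user_validity_days: Optional[int] = None) -> Optional[date]:
    """Expiration date; a period set on the individual user overrides the organization-wide rule."""
    days = user_validity_days if user_validity_days is not None else rule.validity_days
    return None if days is None else set_on + timedelta(days=days)


def is_password_expired(rule, set_on, today, user_validity_days=None) -> bool:
    expires = password_expires_on(rule, set_on, user_validity_days)
    return expires is not None and today >= expires


def auto_logon_outlives_password(rule, set_on, today, auto_logon_days,
                                 user_validity_days=None) -> bool:
    """True when the automatic logon period extends past the password's remaining validity,
    the situation the Important note warns about: automatic logon can then fail."""
    expires = password_expires_on(rule, set_on, user_validity_days)
    if expires is None:
        return False                     # permanent password: nothing to outlive
    remaining = (expires - today).days
    return auto_logon_days > remaining
```

Run auto_logon_outlives_password against each convenience account before raising the automatic logon validity period; an account it flags will need a shorter period or a password reset before the new setting takes effect.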
Timeout-triggered automatic logout
This feature is disabled by default. If you enable it, when an end user logs on to a specified type of Alibaba Cloud Workspace terminal but does not connect to any cloud resources (such as cloud computers, cloud apps, cloud phones, or enterprise drives), the terminal automatically logs out after the timeout period you set. This helps protect the data security of your cloud resources.
Log on to the Elastic Desktop Service Enterprise console.
In the left-side navigation pane, choose .
On the Logon page, click the General tab. To the right of Logon Settings, click Modify Logon Configurations.
In the Modify Logon Configurations panel, complete the following configurations and click OK.
Parameter | Description |
Timeout-triggered Automatic Logout | Enables or disables the feature. |
Timeout Period | The length of time an end user may remain logged on to the Alibaba Cloud Workspace terminal without being connected to any cloud resource before the terminal logs out. Visible when Timeout-triggered Automatic Logout is enabled. |
Applicable Terminals | The Alibaba Cloud Workspace terminals to which this feature applies. |
Note: If you select Alibaba Cloud Workspace Hardware Terminal, this feature takes effect only on hardware terminals of V7.5 and later. If a hardware terminal is configured for password-free logon, timeout-triggered automatic logout does not take effect on it.
Note: After you configure timeout-triggered automatic logout for a client, the setting takes effect the next time the end user logs on.
Before the timeout period is reached, the end user receives a reminder and can choose to stay logged on. If the user takes no action, the client automatically logs out.
Concurrent terminal limit
By default, an end user can be logged on to any number of Alibaba Cloud Workspace terminals simultaneously. You can configure a limit on the number of concurrent terminal logons. If a new logon would exceed this limit, the user's earliest terminal session is automatically logged out.
Log on to the Elastic Desktop Service Enterprise console.
In the left-side navigation pane, choose .
On the Logon page, click the General tab. To the right of Logon Settings, click Modify Logon Configurations.
In the Modify Logon Configurations panel, complete the following configurations and click OK.
Parameter | Description |
Concurrent Terminal Limit | Enables or disables the limit. |
Number of terminals/clients a user can log on to | The maximum number of Alibaba Cloud Workspace terminals (1 to 10) that an end user can be logged on to simultaneously. Visible when Concurrent Terminal Limit is enabled. |
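The two settings above (timeout-triggered automatic logout with its reminder, and the concurrent terminal limit that logs out the earliest session) are both decisions about one user's set of live terminal sessions. The following Python is an added example, not EDS client or server code, that models them together: sessions are kept in logon order so the oldest can be evicted, and an idle session (no cloud resource connected) on an applicable terminal type gets a reminder before the deadline and is logged out at it. The reminder lead time, the terminal type names, and the version tuple are constructed for the example; the V7.5 and password-free exceptions for hardware terminals come from the note above.

```python
"""Added example, not EDS code: idle-timeout logout and the concurrent terminal limit."""
import itertools
import time
from collections import OrderedDict

HARDWARE = "hardware_terminal"      # constructed type name
MIN_HARDWARE_VERSION = (7, 5)       # timeout logout works on hardware terminals V7.5 and later


class TerminalSessions:
    """One user's logged-on terminals, in logon order."""

    def __init__(self, max_terminals=None, idle_timeout=None, reminder_before=60,
                 applicable_types=(), now=time.time):
        if max_terminals is not None and not 1 <= max_terminals <= 10:
            raise ValueError("concurrent terminal limit must be 1 to 10")
        self.max_terminals = max_terminals          # None: no concurrent limit
        self.idle_timeout = idle_timeout            # seconds; None: no timeout logout
        self.reminder_before = reminder_before      # assumed lead time of the reminder
        self.applicable_types = set(applicable_types)
        self._now = now                             # injectable clock for testing
        self._sessions = OrderedDict()              # session id -> state, insertion order = logon order
        self._ids = itertools.count(1)

    def logon(self, terminal_type, version=None, password_free=False):
        """Register a new session; return (session id, ids evicted by the concurrent limit)."""
        sid = next(self._ids)
        self._sessions[sid] = {"type": terminal_type, "version": version,
                               "password_free": password_free, "resource": None,
                               "idle_since": self._now(), "reminded": False}
        evicted = []
        while self.max_terminals is not None and len(self._sessions) > self.max_terminals:
            oldest, _ = self._sessions.popitem(last=False)   # earliest logon goes first
            evicted.append(oldest)
        return sid, evicted

    def connect_resource(self, sid, resource):
        s = self._sessions[sid]
        s["resource"] = resource           # connected sessions are never idle
        s["reminded"] = False

    def disconnect_resource(self, sid):
        s = self._sessions[sid]
        s["resource"] = None
        s["idle_since"] = self._now()      # idle clock starts when the last resource is dropped

    def keep_signed_in(self, sid):
        """The user answered the reminder: restart the idle clock."""
        s = self._sessions[sid]
        s["idle_since"] = self._now()
        s["reminded"] = False

    def active_sessions(self):
        return list(self._sessions)

    def _timeout_applies(self, s):
        if self.idle_timeout is None or s["type"] not in self.applicable_types:
            return False
        if s["type"] == HARDWARE:
            # Exceptions from the page: password-free hardware logon, and firmware before V7.5.
            if s["password_free"] or (s["version"] or (0, 0)) < MIN_HARDWARE_VERSION:
                return False
        return True

    def tick(self):
        """Return (session id, event) pairs: 'remind' shortly before the deadline, 'logout' at it."""
        events = []
        now = self._now()
        for sid, s in list(self._sessions.items()):
            if s["resource"] is not None or not self._timeout_applies(s):
                continue
            idle_for = now - s["idle_since"]
            if idle_for >= self.idle_timeout:
                del self._sessions[sid]
                events.append((sid, "logout"))
            elif idle_for >= self.idle_timeout - self.reminder_before and not s["reminded"]:
                s["reminded"] = True
                events.append((sid, "remind"))
        return events
```

Calling tick() from a periodic timer is enough to drive both behaviours; the only state that matters for the limit is logon order, and the only state that matters for the timeout is whether a resource is attached and when it was last dropped.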
SMS logon
This setting is disabled by default. After you enable it, end users can obtain a verification code on their bound mobile phone and enter the code to log on to the Alibaba Cloud Workspace terminal.
SMS logon is supported only when logging on with an organization ID.
Prerequisites
This feature requires a mobile phone number to receive a verification code. Before using this feature, you must bind a mobile phone number to the corresponding convenience account. To ensure that end users can receive verification codes, make sure the bound mobile phone number is correct. You can bind a mobile phone number in one of the following two ways:
Bind a mobile phone number when you create a convenience account. For more information, see Create a convenience account.
If you have already created a convenience account, find the target user on the User tab of the User Management page. Then, set or modify the phone number in the Mobile Number column.
Procedure to enable
Log on to the Elastic Desktop Service Enterprise console.
In the left-side navigation pane, choose .
On the Logon page, click the General tab. To the right of Logon Settings, click Modify Logon Configurations.
In the Modify Logon Configurations panel, set SMS Logon to Enabled.