Keeping employees from logging in from home

I am trialing a cloud enterprise account and I want to make sure that employees can only log into the password manager from work computers, but not from home. Ideally, admins should be able to log in from anywhere without using a VPN.
I tried setting up YubiKeys that are only used at initial login by an admin at computer setup, but they can be bypassed with backup codes, which are available to the users.
What do you think would be the ideal setup in this case? I would prefer to keep it cloud hosted if possible.


You likely would SSO authenticate and then leverage your SAML provider’s conditional access policies.

I do question, though, why one would apply lesser controls on admin accounts, which inherently pose a greater risk impact. I personally “never” use my privileged accounts directly on my individual laptop, even when in the office. Instead I remote into a protected on-premises “jump box” that is reserved for privileged activities and is never used for general-purpose web browsing.

Is the concern about “physical location” or “device ownership/management”? For example, if a domain-joined work laptop is taken home so one can work remotely, should it have access? One thing Covid taught my company is that we care much more about the computer being domain joined (and therefore subject to our policies) than we do about the physical work location. Therefore, we adjusted our conditional access policies to focus much more on domain membership than on source IP.

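To make the device-membership approach from the reply above concrete, here is an added example of a conditional access policy, not something posted in this thread. It assumes the SAML identity provider in front of the password manager is Microsoft Entra ID and uses the Microsoft Graph `conditionalAccessPolicy` schema; the group id and application id are placeholders. The policy applies to every sign-in to the password manager from every location (no named-location or source-IP condition at all) and grants access only when the device is Entra hybrid-joined or marked compliant by device management, so a managed laptop taken home still works while an unmanaged home PC is refused. Admin accounts are deliberately excluded here so they can be covered by a separate, stricter policy (for example requiring phishing-resistant MFA) rather than a weaker one.

```json
{
  "displayName": "Password manager: require managed device",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeGroups": ["<PLACEHOLDER-all-employees-group-id>"],
      "excludeGroups": ["<PLACEHOLDER-password-manager-admins-group-id>"]
    },
    "applications": {
      "includeApplications": ["<PLACEHOLDER-password-manager-enterprise-app-id>"]
    },
    "locations": {
      "includeLocations": ["All"]
    },
    "clientAppTypes": ["all"]
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["domainJoinedDevice", "compliantDevice"]
  }
}
```

The policy is created in report-only mode (`enabledForReportingButNotEnforced`) so the sign-in logs show which users and devices would have been blocked before `state` is switched to `enabled`; that avoids locking out a population of laptops that turn out not to be joined yet. Because the grant control is tied to device state rather than `locations`, an `"includeLocations": ["All"]` condition is the intended weak-to-strong shift: a pure source-IP policy (only trusted office ranges allowed) would still admit any personal machine on the office Wi-Fi and block a managed laptop at home, which is the opposite of what the reply recommends.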