Wednesday, January 28, 2015

… wait, what’s my password?

Yes, Passwords suck.  Two-factor authentication really helps, but we’re still using passwords for everything.  And now they have to be complex: 8-characters, mixed case, alphanumeric… pretty soon it will require Cyrillic characters and a blood test.  But what happens when one of your Super Users or Administrators forget? 

We gotcha covered…

So some of you might be under the impression that the usernames in the MAX RM dashboard only need to be in the format of an email address and not actually a real email address. While I don’t know how anyone would have ever gotten the idea that these usernames wouldn’t be used for anything else … OK. So it was me. I’m sorry. I used to say that in our Tech Walks; it was true then.  Things change, y’know?  Mea culpa.  Usernames in the RM dashboard should now all be valid email addresses for actual human beings that will log on to the dashboard.  The mechanism for resetting a user password entails sending an email message to the user, and the dashboard confirms the username prior to doing so.

You can see details about the Password Reset steps on MAXStatus release notes

A couple of items should be known about this mechanism. 
  1. This password change goes along with an Agent: version 9.8.3 has added functionality that is quite important.
  2. You can now change password of the Primary Access Key.  As such, the description of this user/password combination has been changed to Agent Key.  It isn’t really ‘primary’ anything any longer.  It is still used to build a Site Installation Package (I still can’t get them to rename these “silent installers!!”) from within the dashboard.

Agent 9.8.3 (and beyond)

This agent brings in a new way to open & edit the local device’s settings.  Instead of the “Password” prompt in the old agent –
Now any user in the dashboard with proper administrative privilege can open – “log in to” – the local agent –

Previously, the password used to install the agent was required.  This still remains, as you can log on with the Agent Key credentials, or your own credentials if they’re different.  

Changing the Agent Key Password

As the Agent Key can now be changed like any other user, you want to be aware of the Site Installation (aka Silent Installer) Packages that are built, and what they are built with.  If you were to change the Agent Key, any previously built package will no longer install agents properly.  The Site Installation (aka Silent Installer) Package uses the password compiled within the package for its initial check-in to the dashboard.  Be sure to record where you’ve deployed the agent/s via Group Policy or had Remote Client installers dispersed. They’ll need to be replaced if the Agent Key is changed.  This would be recommended in order to deploy a newer version of the agent on new devices as well. 

Putting these two items together, if you forget the Agent Key and then change it, the only way you’re going to be able to log onto an agent locally is to update it to v9.8.3 (or beyond).
This makes it possible to keep the Agent Key PRIVATE now; it is no longer needed for typical (manual) installation of the agents.  Previously, MAX “Best Recommendation” effectively treated the PAK as a product key used for installation only.  First disable the PAK Dashboard Logon and create your own Super User account, but provide the PAK to people who would need to install agents.
While it is still recommended, disabling the Agent Key Dashboard Logon settings is no longer necessary if you do change it and keep it private.

You can also force a password reset if you want from the dashboard as well:

Clicking this button will prompt the user in question for a NEW Password after they enter their old one the next time they connect to the dashboard.  This can be an effective way to enforce a password "rotation" if you have the need.