Setting user authentication

The User Authentication option lets admins control how users are prompted to log in to the agent so that policy controls can be applied.

Auto-login uses the User-SID mapping available from Active Directory (AD) sync to log in the user automatically. To use the Auto-login options with Microsoft Entra ID users, you first need to update the ObjectSID for the users. Refer to SmartEdge Agent with non-English Entra ID users.

Note: The Auto-login options are currently supported only on Windows 10 and Windows 11 devices; macOS support is being worked on.

There are 4 options available:

  • Auto-login, Anonymous: Upon installation, the SmartEdge agent immediately attempts to match the logged-in Windows user's SID with a user in the Forcepoint ONE SSE's IAM database.
    • If there is a match between the Forcepoint ONE SSE user's SID and the Windows user's SID, the Windows user is automatically logged into the agent.
    • Conversely, if there is no match, the Windows user is logged in as an anonymous user.

    Once authenticated by either method, the Windows user becomes permanently linked with the Forcepoint ONE SSE user for all subsequent Windows logins.

  • Auto-login, Login prompt: Upon installation, the SmartEdge agent immediately attempts to match the logged-in Windows user's SID with a user in the Forcepoint ONE SSE's IAM database.
    • If there is a match between the Forcepoint ONE SSE user's SID and the Windows user's SID, the Windows user is automatically logged into the agent.
    • Conversely, if there is no match, the SmartEdge agent prompts the Windows user to log in and authenticate before the agent can apply appropriate policy controls.

    Once authenticated by either method, the Windows user becomes permanently linked with the Forcepoint ONE SSE user for all subsequent Windows logins.

  • Anonymous only: The agent always treats the user as anonymous when applying policies. Use this option when controlling access by specific user doesn't matter (users get whichever general policy line applies instead of a unique one per user/group).
  • Login prompt only: Upon installation, the SmartEdge agent prompts the Windows user to log in. Once authenticated, the Windows user becomes permanently linked with the Forcepoint ONE SSE user for all subsequent Windows logins by the same Windows user. Each new Windows user login follows the same process: the user is prompted and then permanently associated.

Login Groups

When using one of the Auto-login options, you can designate specific groups (such as IT) whose members are always prompted with a login window even though an auto-login option is selected. The option appears in the top right corner, and you can select/add any number of configured groups to exclude from auto-login.



Updating ObjectSID for Entra ID users

SmartEdge Agent's Auto-login options use the user's ObjectSID mapping to log in the user automatically. However, ObjectSID is not available for users created directly in Entra ID.

Follow the steps below to update ObjectSID for Entra ID users synced to Forcepoint ONE SSE:

  1. Download the script from https://github.com/okieselbach/Intune/blob/master/Convert-AzureAdObjectIdToSid.ps1.
  2. Open the script in Notepad++ and update the line $objectId = "XXXXXXXXXXXXXXXXX" with your Entra Object ID.

    To find the Entra Object ID for your account, refer to Microsoft Documentation.

  3. Open PowerShell from Windows and change to the directory where the script is saved.
  4. Run the script. For example, .\raz.ps1

    The SID for the entered Object ID gets generated.

  5. Copy the SID and paste it in IAM > Users and Groups > Users > User Details > ObjectSID field of Forcepoint ONE SSE.
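
Because Auto-login trusts the ObjectSID field to decide which Forcepoint ONE SSE user a Windows user becomes, it is worth checking the generated value before pasting it. The following is an added example, not the linked script or Forcepoint code: it applies the Object ID to SID mapping (the S-1-12-1 prefix followed by the GUID's 16 bytes read as four unsigned 32-bit integers) and converts the SID back to confirm it belongs to the intended Object ID. The function names and the sample Object ID are hypothetical.

```powershell
# Added example; function names and the sample Object ID are constructed.
function ConvertTo-EntraSid {
    param([Parameter(Mandatory)][string]$ObjectId)
    $guid = [Guid]::Empty
    if (-not [Guid]::TryParse($ObjectId, [ref]$guid)) {
        throw "Not a valid Object ID (GUID): '$ObjectId'"
    }
    # Read the GUID's 16 bytes as four little-endian UInt32 values.
    $parts = New-Object 'UInt32[]' 4
    [Buffer]::BlockCopy($guid.ToByteArray(), 0, $parts, 0, 16)
    # Entra ID SIDs carry the S-1-12-1 prefix followed by those four values.
    'S-1-12-1-' + ($parts -join '-')
}

function ConvertFrom-EntraSid {
    param([Parameter(Mandatory)][string]$Sid)
    if ($Sid -match '^S-1-12-1-(\d+)-(\d+)-(\d+)-(\d+)$') {
        # Reverse the mapping: four UInt32 values back into 16 GUID bytes.
        $parts = [UInt32[]]@($Matches[1], $Matches[2], $Matches[3], $Matches[4])
        $bytes = New-Object 'Byte[]' 16
        [Buffer]::BlockCopy($parts, 0, $bytes, 0, 16)
        return ([Guid]::new([byte[]]$bytes)).ToString()
    }
    throw "Not an Entra ID SID (expected S-1-12-1-a-b-c-d): '$Sid'"
}

# Constructed sample value, not a real account.
$objectId = '11111111-2222-3333-4444-555555555555'
$sid = ConvertTo-EntraSid -ObjectId $objectId

# Round-trip check: the SID must map back to the same Object ID.
if ((ConvertFrom-EntraSid -Sid $sid) -ne $objectId) {
    throw "Round-trip mismatch for $objectId"
}
[pscustomobject]@{ ObjectId = $objectId; ObjectSID = $sid }
```

Running ConvertFrom-EntraSid on a value already stored in the ObjectSID field shows which Object ID it corresponds to, which helps catch a SID pasted against the wrong user.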