Before you can enable 2-step verification for individual Organizational Units or Smart Teams, you will need to make sure that it is enabled for your domain.
To do so, as an administrator, navigate to Settings > Global Login Controls and scroll down to the 2-Factor Verification section. Now, simply check the Enabled checkbox to enable 2-Factor Verification for the domain.
2-Step Verification (also known as 2FA or 2 Factor Authentication) is a security feature that requires a user to complete 2 steps in order to log in. The user must provide a valid password and then use another personal contact method (such as a mobile phone) to verify that they requested access.
Therefore, if a user's password is compromised, anyone else trying to access the account would still be blocked, even if they entered the correct password.
Navigate to Administrate > Security, select an Organizational Unit or Smart Team, and then select the Passwords tab. Scroll down until you see the 2-Step Verification section that allows you to set verification options for the selected Organizational Unit or Smart Team.
2-Step Verification can be configured for:
- Organizational Units - Set for the root OU and inherited, or explicitly set for each OU.
- Smart Teams - Set to Enable to apply the policy to all users in the Smart Team. Set to Disable to have the user's verification options taken from the next Smart Team they are part of that is set to Enable, or from their Organizational Unit if the user isn't part of any enabled Smart Team.
You can set the following options:
- Active - Set whether 2-Step Verification is always required (Mandatory), optionally required (Optional), or never required (No) in order for a user to log in.
- Re-challenge User - Set how often the user will be challenged with 2-Step Verification when accessing CloudM Manage. The options are On each login, Every day, Every week or Every Month.
- Mandatory Enforced From - Set the date from which 2-Step Verification will be mandatory for all users within the Organizational Unit or Smart Team.
- New User Grace Period - Set the amount of time that a new user will not be challenged. The options range from 1 day to 7 days.
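When reviewing a rollout, it helps to work out which policy each user actually ends up with. The following is an added example, not CloudM code or a CloudM API: it models the Smart Team and Organizational Unit precedence and the Mandatory Enforced From and New User Grace Period options as described above. The data layout, the Smart Team evaluation order, the grace period being counted from account creation, and all sample values are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Policy:
    active: str                           # "Mandatory", "Optional" or "No"
    enforced_from: Optional[date] = None  # Mandatory Enforced From
    grace_days: int = 0                   # New User Grace Period (1 to 7 days)

@dataclass
class SmartTeam:
    name: str
    enabled: bool                         # Enable / Disable
    policy: Optional[Policy] = None

# Constructed sample: the root OU is inherited unless a child OU sets its own policy.
SAMPLE_OUS = {
    "/": Policy("Optional"),
    "/Staff": Policy("Mandatory", enforced_from=date(2024, 3, 1), grace_days=7),
}

def ou_policy(ou_path, ou_policies):
    """Walk from the user's OU up to the root; the nearest explicit setting wins."""
    parts = [p for p in ou_path.split("/") if p]
    while True:
        key = "/" + "/".join(parts)
        if key in ou_policies:
            return ou_policies[key], "OU " + key
        if not parts:
            raise KeyError("no policy set on the root OU")
        parts.pop()

def effective_policy(teams, ou_path, ou_policies):
    """First Smart Team set to Enable wins (list order is an assumption);
    teams set to Disable are skipped; with no enabled team the OU decides."""
    for team in teams:
        if team.enabled and team.policy is not None:
            return team.policy, "Smart Team " + team.name
    return ou_policy(ou_path, ou_policies)

def must_use_2sv(policy, created, today):
    """True once the user can no longer log in without the second step."""
    if policy.active != "Mandatory":
        return False
    if policy.enforced_from and today < policy.enforced_from:
        return False
    # Assumption: the grace period runs from the account creation date.
    return today >= created + timedelta(days=policy.grace_days)
```

Running this over a user export shows accounts that fall back to an Optional or No policy because every Smart Team they belong to is set to Disable.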