We have implemented Kofax AP with IFS Cloud and have been live with it since 21R2 (currently 23R1). What information are you looking for?
Hi Chris,

Essentially we have 4 scripts:

Install Script
- Runs the MSI installer with arguments for each environment (runs the MSI 3 times just to auto-populate the allowed_hosts.txt)
- Modifies some registry keys to ensure it is detected (old problem that stopped the agent being detected by IFS, might no longer be relevant)

Uninstall Script
- Uninstalls the software

Detection Script
- Reads the allowed_hosts.txt text and checks if the hash value is old. If it is, flags for remediation

Remediation Script
- If above is true, replaces the old hash with the new hash in the text file

Essentially every year we get the new cert hash and update our remediation / detection scripts to update all computers. We use the install and uninstall for new deployments / automating software updates.

At the same time we then update our IFS Print Agents as they also fall over with cert changes. All scripts are PowerShell.
I think looking at the above suggestion seems to be a good approach if looking for an IFS native solution.

If you're using Entra ID as your IDP for IFS you could also manage this through Azure’s Log Analytics Workspace. The benefit here is you can use the same design for all SSO apps managed by that IDP if they fall under the same compliance scope.

Hope that provides some ideas.
Hi jnagati,

From my experience this is one of two things:
- Directory ID is incorrect
- UPN / Directory ID don’t match

On the second one, this is more if something has changed on the Azure side. Please note I am not 100% on this so take this with a pinch of salt.

As far as I could tell, the first time a user connects via SSO the GUID of the user is mapped to their UPN and stored in IFS. For future SSO, IFS sees that it has this matched email for this Azure GUID and matches the cached email value to match with the directory ID.

Therefore if a UPN has changed after the first login it can cause a mismatch. We got around this by using the email attribute mapping instead, but I believe you can now clear this cached value in IFS somewhere (not sure as never had to do it).

Hopefully this is of some help!
Hi Jnagati,

There is no easy response to this question as there are too many variables. This advice should be coming from your internal IT Security Ops team and consider the following areas:
- How accessible is the environment (frontend / backend)?
- What security standards are you trying to meet?
- How are you managing access to the environment? Administrator Access vs Standard Users

From your message I get the impression that you're looking for a vulnerability checking tool. You can use products like Tenable, Rapid7 or Qualys for this type of check (separate product).

However this will only check for vulnerabilities in the platform and your security strategy should be more broad than this. For example:

User Account Protection
- Are users protected by just a username and password? If the environment is publicly accessible you should consider having 2 factor authentication.

Users vs Admins
- Admins shouldn't be using the generic system accounts for daily use even in testing environments (IFSAPP etc).
Hi Jnagati,

For the native IAM in IFS Cloud this can be done via this screen: “Solution Manager\Users and Permissions\Identity and Access Manager\Password Policies”

However if your IFS Cloud is publicly available I would recommend using an external identity provider that can provide MFA (such as Azure AD).
We let the users decide if they want it or not, but as many users need to use local printers they install it for this. We decided to automate it completely. Things to note:
- Software should always be installed under the “user context”. I.e. install it using the username for each user who wants to use the program. It doesn't require Admin to install.
- The HTTPS certs will rotate (usually yearly). This will be hashed and stored in %LOCALAPPDATA%\IFS\IFSAurenaAgent\allowed_hosts.txt with the connection info.

We use “Intune” to manage our devices. We have created an install/uninstall script that does the install for all our environments on any given device. The user can request the software via our company app store “Company Portal”.

We have then put in a check that will automatically update the values in allowed_hosts.txt when the certificates rotate (we have a detection and remediation script).

Message me if you need more info.
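
The detection and remediation pair described in the two posts above could look like the following PowerShell sketch. This is an added example, not the poster's script: the hash values are placeholders, and it assumes the hash appears as plain text inside allowed_hosts.txt (the file's exact layout is not given on the page) and that the file is ASCII/UTF-8.

```powershell
# Added example, not the poster's script. Hash values are placeholders; the file
# layout (hash stored as plain ASCII/UTF-8 text) is an assumption.
# Must run in the logged-on user's context, because the file lives under %LOCALAPPDATA%.
param(
    [switch]$Remediate,
    [string]$Path    = (Join-Path $env:LOCALAPPDATA 'IFS\IFSAurenaAgent\allowed_hosts.txt'),
    [string]$OldHash = '<OLD_CERT_HASH>',
    [string]$NewHash = '<NEW_CERT_HASH>'
)

# Refuse to run with the placeholders still in place.
foreach ($h in $OldHash, $NewHash) {
    if ([string]::IsNullOrWhiteSpace($h) -or $h -like '<*>') {
        throw 'Set OldHash and NewHash to real values before deploying.'
    }
}

function Test-StaleHash {
    # True only when the file exists and still contains the old hash.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    return [bool](Select-String -LiteralPath $Path -Pattern $OldHash -SimpleMatch -CaseSensitive -Quiet)
}

function Update-StaleHash {
    # Keep a backup, then swap every occurrence of the old hash for the new one.
    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force
    $text = [System.IO.File]::ReadAllText($Path)
    [System.IO.File]::WriteAllText($Path, $text.Replace($OldHash, $NewHash))
}

if (-not (Test-StaleHash)) {
    Write-Output 'Compliant: old hash not present (or agent not installed for this user).'
    exit 0
}
if (-not $Remediate) {
    Write-Output 'Old hash found: flag for remediation.'
    exit 1   # non-zero exit tells the management tool that remediation is needed
}
Update-StaleHash
if (Test-StaleHash) {
    Write-Output 'Remediation failed: old hash still present.'
    exit 1
}
Write-Output 'Remediated: old hash replaced.'
exit 0
```

Run without switches it acts as the detection script; with `-Remediate` (or with the switch hard-coded in a second copy) it acts as the remediation script and re-checks the file after writing.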
This question is a bit open-ended. You can request/set up read-access to the back-end database and this could be used to pull data through. Alternatively you could pull the data via APIs.

There are pros and cons to each approach to consider (performance & security mainly). Personally I would use the REST APIs as a best practice.
Hi,

Can’t speak to the specifics. It should be permanent until the cache is cleared for that website’s browser. However we have experienced machines getting kicked out periodically on our site at random (usually after a browser update).
MASTER ARTICLE What is The Update Release Schedule and Release Details? | IFS Community
Hi Neil,

This might not be your issue. But maybe it helps.

If you're using SAML authentication, this can happen if the correct SAML login was used however IFS was unable to match it to an IFS User.

This results in an authenticated user with no permissions. If using SAML, try enabling the default IDP for this user and testing that way. If it then works, the problem is not permissions but linking the IFS user and SAML user.
Just an additional note. We did experience issues when a “support.ifs.com” email was assigned IFS Cloud Build Place roles. We used different emails for Build Place and the portal as a workaround.