
Omnissa Pass: The New Member of the Omnissa MFA Fellowship

  • Edwin de Bruin
  • 8 hours ago
  • 3 min read

A few years back, VMware Verify reached end of life (2022). Since then, we basically had two options left from the Omnissa perspective: a TOTP authenticator app based on RFC 6238 or Intelligent Hub MFA with push notifications.


The TOTP option works well, especially for Bring Your Own Device (BYOD) scenarios, but users still end up typing in codes constantly.


Intelligent Hub MFA solves that with push, but the downside is that it requires some level of device management or registration and therefore a license. Over time I saw more and more requests for push MFA on devices that are not managed.


Many organizations also wanted number matching, to prevent "push bombing", similar to what Microsoft Authenticator offers. In some environments, this even led to choosing Entra ID as the Identity Provider purely to get that functionality, which ultimately added even more complexity.

That is a perfectly valid choice, and I am neutral in that discussion, but it clearly showed that the demand for simple and secure push MFA was growing.


We also noticed that Intelligent Hub became more and more feature rich. Great in terms of capabilities, but it also made the app heavier. In some cases, it took noticeably longer before a push notification arrived.


This is exactly why the introduction of the new Omnissa Pass is so welcome.




Omnissa Pass is available in two bundles.


Omnissa Pass Basic: includes TOTP passcodes, push notifications and checks for device compromise such as jailbreak detection.


Omnissa Pass Advanced: includes everything in Basic and adds phishing-resistant authentication, future device health reporting and support for FIDO2 passkeys.


With these two bundles, Omnissa finally delivers what many organisations have been asking for. In this blog I focus on the Basic bundle.


The biggest improvement in my view is that we now have a single lightweight app that supports both OTP and push MFA with number matching. Even better, it does not require any UEM enrollment or registration.


This makes it ideal for users who need MFA but do not need Intelligent Hub or device management.


Enabling Omnissa Pass


Enable "Pass App" in Omnissa Access under Authentication Methods.



Click Configure.



There are a few configuration settings worth paying close attention to.


  1. Make sure the User Identifier format matches your environment, or authentication will fail.

  2. Enable push authentication and configure the timeout. If you prefer OTP only, simply turn off push.

  3. Enable number matching. I strongly recommend this because it prevents push bombing and reduces the risk of accidental approvals.

  4. Consider carefully whether you allow registration during login. If a user enters correct credentials but has not registered Omnissa Pass yet, they will be prompted to register immediately. Think this scenario through, though: if someone knows the user's credentials and no Pass is registered yet, that person could enroll MFA. This is a security consideration, not a flaw in Omnissa Pass. You could create a specific Access Policy for this.


You could also disable registration during login and let the user register from the self-service portal.
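
Settings 2 and 3 above, sketched as an added example (not Omnissa's code or API): a server-side model of a push challenge that shows why a bare Approve tap stops working once number matching is on. The class and function names, the 60-second timeout and the two-digit number typed into the app are assumptions.

```python
import hmac
import secrets
import time

PUSH_TIMEOUT_S = 60  # assumed value for the configurable push timeout


class PushChallenge:
    """One pending push request (hypothetical model, not Omnissa's API)."""

    def __init__(self, user, now=None, number_matching=True):
        self.user = user
        self.issued = time.time() if now is None else now
        self.number_matching = number_matching
        # Two-digit number shown on the login page, never sent in the push.
        self.number = f"{secrets.randbelow(100):02d}"
        self.used = False

    def respond(self, approved, entered=None, now=None):
        """Return True only if this response should complete the login."""
        now = time.time() if now is None else now
        if self.used or now - self.issued > PUSH_TIMEOUT_S:
            return False                      # replayed or expired
        self.used = True                      # single use, whatever the outcome
        if not approved:
            return False
        if not self.number_matching:
            return True                       # weak setting: a bare tap is enough
        # Constant-time compare of what the user typed against the number shown.
        return entered is not None and hmac.compare_digest(entered, self.number)


def simulate_fatigue(attempts, number_matching):
    """Count logins granted when a user approves every prompt blindly."""
    granted = 0
    for _ in range(attempts):
        ch = PushChallenge("alice", now=0, number_matching=number_matching)
        # The user never saw the login page, so has no number to enter.
        if ch.respond(True, entered=None, now=5):
            granted += 1
    return granted
```
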




Access Policies


As mentioned before, it is possible to create a specific access rule for Omnissa Pass registration.


An example is allowing registration using only the cloud password, but limited to a compliant device.

After that you can include Omnissa Pass in your regular Access Policies.



Next, embed Omnissa Pass in your authentication policies. In this example the user will authenticate with Password (Cloud Deployment) combined with Omnissa Pass.



There is also a more interesting option if it fits your security policy. You can decide to authenticate with Omnissa Pass only. In that case the user enters a username and immediately receives an authentication request through Omnissa Pass, without using a password. Again, validate your security policy.


End User Experience


A short demo of the user experience (recorded by Omnissa, video borrowed for reference).

Conclusion


With the introduction of Omnissa Pass, we finally have a clean and modern MFA solution that fits both managed and non-managed scenarios without adding unnecessary complexity. It brings together OTP, push notifications and number matching in one lightweight app, and it removes the dependency on Intelligent Hub for users who only need MFA. The configuration options are flexible enough to fit strict security policies while keeping the user experience smooth.


For environments that previously struggled with push delays, BYOD limitations or the lack of number matching, Omnissa Pass Basic already does the job. And with the upcoming Advanced bundle offering phishing resistant authentication and future support for passkeys, to me it's clear that Omnissa is moving in the right direction.


Omnissa Pass finally delivers the simplicity and reliability many organizations have been asking for, without compromising on security.


I suggest you give it a try when you get the chance, and let me know what you think!

 
 
 