# Guide for Hideez Enterprise Server on Cloud

### Step 0. Sign in to your Admin account using your email and password.

Make sure to use the credentials of your **Administrator** account:

<div align="center"><figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/d6KtcmViBtYot7MYi9l2/unnamed%20(1).jpg" alt="" width="375"><figcaption></figcaption></figure></div>

### Step 1. Enable multi-factor authentication for your Administrator account

We advocate for the adoption of additional security measures and are actively transitioning away from the reliance on login credentials for authentication. To enhance the security of your Administrator account, consider implementing the following authentication methods:

Go to **Profile** and set up an additional authentication method for the Admin's account:

<div><figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/qYNKOK8RYn8qAWz1B7Mw/Screenshot_4.jpg" alt="" width="375"><figcaption></figcaption></figure> <figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/zVqiynWPeTo2oBlNUrOP/Screenshot_5.jpg" alt="" width="375"><figcaption></figcaption></figure></div>

* [**OTP Authenticator (Login+Password+One Time Password)**](https://enterprise.hideez.com/hideez-enterprise-server/administration/how-to-enable-two-factor-authentication-at-hideez-enterprise-server#enabling-for-admin-account)
* [**FIDO2 Authenticators (platform/cross-platform authentication by physical security keys, Passkey)**](https://enterprise.hideez.com/hideez-enterprise-server/administration/authorization-on-the-hes-server-via-a-fido-key)
* [**Hideez Authenticator (Android/iOS mobile app)**](https://enterprise.hideez.com/use-cases/hideez-authenticator-mobile-app)

### Step 2. User Enrollment

#### [**1. Manual Enrollment**](https://enterprise.hideez.com/hideez-enterprise-server/employees/how-to-add-an-employee)

Send email invitations to employees, allowing them to self-enroll. You will need to **enable Single Sign-On (SSO)** for each employee and decide whether you want them to sign in without having to enter usernames and passwords at all, or simply add passwordless MFA to the traditional password-based authentication.

{% hint style="info" %}
**Please ensure that you use a valid email address for new employees. They must accept the invitation within 24 hours, as the link will expire otherwise.**
{% endhint %}

<div><figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/N9LBn3aiKF4KwHUPHXAi/Screenshot_6.jpg" alt=""><figcaption></figcaption></figure> <figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/ye0mFcHlKxGBMX7h1eG3/Screenshot_7.jpg" alt=""><figcaption></figcaption></figure> <figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/BBNuM7QX3DhlUTbYLYE7/Screenshot_8.jpg" alt=""><figcaption></figcaption></figure> <figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/twlq660Zsi2mIr1Zx9vZ/Screenshot_9.jpg" alt=""><figcaption></figcaption></figure></div>

{% hint style="success" %}
At this stage, the Administrator should choose one of the two SSO options:

1. **Passwordless Authentication:** This method eliminates the need for a traditional username and password. Employees will utilize one of the following options for authentication:

   * FIDO Security Key (e.g. Hideez Key, YubiKey)
   * Passkey or platform authenticator (e.g. native biometric authentication on Android devices, Touch ID / Face ID on iOS devices, Windows Hello)
   * Hideez Authenticator App

2. **Two-Factor Authentication:** In this case, the user will have to enter their username and password as usual, and then use one of the passwordless methods to complete the two-factor verification:
   * FIDO Security Key
   * Hideez Authenticator App
   * OTP Authenticator App (e.g. Microsoft Authenticator)

{% endhint %}

#### [**2. Importing employees from Active Directory**](https://enterprise.hideez.com/hideez-server-integration/microsoft-entra-id/import)

You can import up to users from your Active Directory, saving time and effort. Additionally, you can choose to change the domain password.

<div><figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/LHSYRaVVdtBaVTLglfhk/Screenshot_16.jpg" alt=""><figcaption></figcaption></figure> <figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/b4kPEdfQssJKH0GyOEiR/Screenshot_17.jpg" alt=""><figcaption></figcaption></figure></div>

{% hint style="warning" %}
Ensure that you provide the correct data while syncing your Active Directory.
{% endhint %}

### Step 3. Configuring SAML and OIDC

Hideez Server allows you to enable passwordless Single Sign-On (SSO) based on the SAML and OpenID Connect (OIDC) protocols. These protocols are utilized to verify a user’s identity when an employee tries to access web or mobile applications.  

To configure Hideez Server as an Identity Provider for passwordless SSO, go to **Settings → Parameters → SAML / OIDC**, and proceed with SAML or OIDC configuration:

* [**Configuring your server as an Identity Provider**](https://enterprise.hideez.com/hideez-enterprise-server/configuring-saml-protocol)

<figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/brdHrzCDq5Og5VTIoL8W/Screenshot_20.jpg" alt="" width="375"><figcaption></figcaption></figure>

* [**Configuring OpenID Connect**](https://enterprise.hideez.com/hideez-enterprise-server/configuration-oidc-openid-connect)

<figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/8CoDyPHOmacrFRDbOEFn/Screenshot_21.jpg" alt="" width="375"><figcaption></figcaption></figure>

### Step 4: Enable Passwordless Single Sign-On on the server using Passkeys or the Hideez Authenticator App.

After employees have received the invitation letter, they are prompted to finish self-enrollment by choosing one of the available passwordless authentication methods:

<div><figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/UUtO0NCZi9jzDM7dAufa/Screenshot_11.jpg" alt="" width="188"><figcaption></figcaption></figure> <figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/zezYjNxPeUOJSxWUWfY9/Screenshot_13.jpg" alt="" width="145"><figcaption></figcaption></figure></div>

#### [Method 1. ](https://enterprise.hideez.com/hideez-enterprise-server/administration/authorization-on-the-hes-server-via-a-fido-key)[FIDO2 Authenticator: Cross-platform or platform authenticators (Passkeys).](https://enterprise.hideez.com/hideez-enterprise-server/administration/authorization-on-the-hes-server-via-a-fido-key)

They may include:

* Biometric authentication using Android devices;
* Touch ID / Face ID using iOS devices;
* Windows Hello;
* External security keys (like [**Hideez Key**](https://hideez.com/products/hideez-key-4) or YubiKey).

{% hint style="success" %}
**Cross-platform authenticators** can be used across different operating systems (Windows, macOS, Android, iOS, etc.). Examples include FIDO security keys (Passkey) and biometric methods like fingerprint or facial recognition, which are supported on a wide range of devices.

**Platform authenticators** are unique to a specific platform. For example, Windows Hello facial recognition for Windows-based devices and Touch ID for Apple devices.
{% endhint %}

#### To create a Passkey on a smartphone or tablet, your employees will be prompted to scan the QR code on their PC:

<div><figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/LYl3hMv01QtfpzU3hShG/image.png" alt="" width="266"><figcaption></figcaption></figure> <figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/vPH7ohVJ4N1NddVrWW70/Screenshot_25.jpg" alt="" width="321"><figcaption></figcaption></figure> <figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/yRaR6WYMbW4710Q5507b/Screenshot_26.jpg" alt=""><figcaption><p>Add a device</p></figcaption></figure> <figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/gZ58KVXFVVUzMCirTFFq/Screenshot_27.jpg" alt=""><figcaption><p>Scan QR code</p></figcaption></figure></div>

#### [**Method 2. Hideez Authenticator app**](https://app.gitbook.com/o/QqXoDzMCs5VyqgkjQYei/s/rcJTz3sbpSYYCf28s7qm/~/changes/33/quick-start-guides/guide-for-pilot-projects/hideez-authenticator-guide)

You can find our mobile app on [Google Play](https://play.google.com/store/apps/details?id=com.hideez.hideezmobilekey\&hl=en\&gl=US) and the [App Store](https://apps.apple.com/tt/app/hideez-authenticator/id1510948639).

Hideez Authenticator enables passwordless Single Sign-On (SSO) through the use of one-time QR codes. This is particularly valuable for users with smartphones lacking biometric capabilities. The app serves as a substitute for biometric login methods while ensuring a secure passwordless experience.

#### To activate Hideez Authenticator as an SSO method, an employee will have to follow the onscreen steps in the application:

<div><figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/bwQmYzpp82tGFzRc2Fat/Screenshot_23.jpg" alt="" width="261"><figcaption></figcaption></figure> <figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/3iBwqFXHKM8NmEv8A46u/Screenshot_31.jpg" alt="" width="156"><figcaption></figcaption></figure> <figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/FNsyDj9CLenKseeoeNaW/photo_2023-10-30_02-01-41.jpg" alt="" width="148"><figcaption></figcaption></figure> <figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/n5UcuQyYZWKNvZcoWGIj/photo_2023-10-30_02-20-10.jpg" alt="" width="148"><figcaption></figcaption></figure> <figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/1tLrgS2RZGjvEzleWqhL/photo_2023-10-30_02-01-56.jpg" alt="" width="162"><figcaption></figcaption></figure> <figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/8LVdMzrtFjy54Lb2zzAP/photo_2023-10-30_02-02-01.jpg" alt="" width="148"><figcaption></figcaption></figure></div>

{% hint style="success" %}
In addition to passwordless SSO, **Hideez Authenticator** allows users to enable **passwordless desktop login to Windows PCs**. This feature is described in [**Step 5.**](#step-5.-desktop-login-for-windows-pcs.)
{% endhint %}

After creating the user profile, employees can enhance security by adding more authentication methods. They can enroll additional devices (smartphones/tablets/laptops) as FIDO2 authenticators or register the Hideez Authenticator app.

### Step 5. Desktop login for Windows PCs.

You can utilize the Hideez Authenticator mobile app to unlock your PCs running on Windows 10/11. To do this, ensure the following three conditions are met:

1. [**Install the Hideez Client on your workstation.**](#1.-installation-hideez-client)
2. [**Authorize your workstation on your Hideez Server.**](#2.-authorize-your-workstation-on-your-trial-hideez-server.)
3. [**Enroll in Hideez Authenticator by scanning the QR code on your workstation.**](#3.-enroll-in-hideez-authenticator-by-scanning-the-qr-code-on-your-workstation.)

#### 1. Hideez Client Installation

* Download the [**.exe**](https://enterprise.hideez.com/product-updates/hideez-client-updates) or **.msi** ([**x86**](https://update.hideez.com/update/hideezclient/x86/clientsetup.msi), [**x64**](https://update.hideez.com/update/hideezclient/x64/clientsetup.msi)) installation file.
* Open it and proceed through all the steps, then click **Install**:

<div><figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/LGoDxVwNKC95QlQfM5Rg/Screenshot_9.jpg" alt=""><figcaption></figcaption></figure> <figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/viB2hOyoznqjQ5HFW74k/Screenshot_10.jpg" alt=""><figcaption></figcaption></figure></div>

* Configure your Hideez Client in the wizard:

{% hint style="warning" %}
This step is very important for configuring the Hideez Client on your workstation.
{% endhint %}

<div><figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/LiQEplXPLEIEJmDiR4s3/Screenshot_12.jpg" alt="" width="276"><figcaption><p>Configure Hideez Client</p></figcaption></figure> <figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/7YJdk3HeAoHqNwe8L4jI/Screenshot_13.jpg" alt=""><figcaption></figcaption></figure></div>

#### 2. Authorize your workstation on your Hideez Server.

* Go to the **Workstation** section on your server, select the workstation, and click **Approve**:

<div><figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/3rvq1YEYeYYYVElHlhCm/Screenshot_16.jpg" alt=""><figcaption></figcaption></figure> <figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/em1svOzg4ECt8K4ADfRT/Screenshot_2.jpg" alt=""><figcaption></figcaption></figure></div>

* **Restart** your PC or click **Reconnect** on Hideez Authenticator:

<div><figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/1RLPusn7hn7Tip6iaHrl/Screenshot_21.jpg" alt=""><figcaption></figcaption></figure> <figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/ZOrSrgvMJpp8iCUWIOpz/Screenshot_22.jpg" alt=""><figcaption></figcaption></figure></div>

The server connection indicator will turn green:

<div><figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/J8N3EX13oKmOVr7991O9/Screenshot_21.jpg" alt=""><figcaption></figcaption></figure> <figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/FQxPw0xYnJjlHqGoGbt8/Screenshot_22.jpg" alt=""><figcaption></figcaption></figure></div>

#### 3. Enroll Hideez Authenticator by scanning the QR code on your workstation.

There are two methods for unlocking your PC using the Authenticator. Depending on the method, you'll need to use your Hideez Authenticator mobile app with the Hideez Client desktop program.

* [**Passwordless PC Authorization**](#enrollment-for-passwordless-pc-authorization)
* [**Password-based PC Authorization**](#enrollment-for-password-based-pc-authorization)

#### [**Enrollment for Passwordless PC Authorization**](https://authenticator.hideez.com/user-guide/android-guide/software-key-enrollment/pc-authorization-enrollment/enrollment-for-passwordless-pc-authorization)

{% hint style="warning" %}
This method requires the following configuration:

* [Certification Authority (Microsoft Virtual Smart Card technology)](https://authenticator.hideez.com/primary-setup-admin-guide/configuring-an-active-directory-certification-authority)
* [Server setup for passwordless login](https://authenticator.hideez.com/primary-setup-admin-guide/hes-setup-for-passwordless-login)

The workstation should have:

* Domain user account
* TPM 2.0 module

{% endhint %}
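
The two workstation prerequisites above can be confirmed before enrollment with built-in Windows cmdlets and WMI classes. This is an added example, not part of the Hideez documentation; the function name `Test-PasswordlessPrereq` is hypothetical, and the script must run in an elevated PowerShell session.

```powershell
# Added example: pre-flight check for the passwordless PC authorization
# prerequisites (domain user account, TPM 2.0 module).
# Test-PasswordlessPrereq is a hypothetical name, not a Hideez tool.
function Test-PasswordlessPrereq {
    [CmdletBinding()]
    param()

    # Win32_Tpm is only readable by administrators; without elevation the
    # query fails and would be misread as "no TPM", so stop early instead.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not $principal.IsInRole($adminRole)) {
        throw 'Run this check from an elevated PowerShell session.'
    }

    $r = [ordered]@{}

    # 1. The workstation must be joined to a domain.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $r['DomainJoined'] = [bool]$cs.PartOfDomain
    $r['Domain']       = $cs.Domain

    # 2. The signed-in user must be a domain account. For a local account
    #    USERDOMAIN equals the computer name.
    $r['DomainUser'] = $r['DomainJoined'] -and
        ($env:USERDOMAIN -ne $env:COMPUTERNAME)

    # 3. A TPM must be present, report spec version 2.0, and be ready.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($null -eq $tpm) {
        $r['TpmPresent'] = $false
        $r['Tpm20']      = $false
        $r['TpmReady']   = $false
    } else {
        # SpecVersion looks like "2.0, 0, 1.38"; the first field is the
        # TPM specification version.
        $spec = ($tpm.SpecVersion -split ',')[0].Trim()
        $r['TpmPresent'] = $true
        $r['Tpm20']      = ($spec -eq '2.0')
        $r['TpmReady']   = [bool](Get-Tpm).TpmReady
    }

    # Overall verdict: every prerequisite from the list must hold.
    $r['Ready'] = $r['DomainUser'] -and $r['Tpm20'] -and $r['TpmReady']
    [pscustomobject]$r
}

Test-PasswordlessPrereq | Format-List
```

A workstation that reports `Ready : False` will show which of the individual checks failed in the same output.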

1. Open **Hideez Client → Mobile Authenticator → Passwordless Authorization → Setup**.
2. Open **Hideez Authenticator** and select the QR scanner.
3. Scan the QR code on the computer with your smartphone.
4. Confirm the action in **Hideez Authenticator** and wait until the account is created. The account will appear in the section **Accounts → Workstation**.

<div><figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/iWMQ0PGiAD2sYrunerBp/%D0%97%D0%BD%D1%96%D0%BC%D0%BE%D0%BA%20%D0%B5%D0%BA%D1%80%D0%B0%D0%BD%D0%B0%202023-11-01%20153111.png" alt="" width="375"><figcaption></figcaption></figure> <figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/2lQ8xN1dkBxy3ScXX2vw/%D0%97%D0%BD%D1%96%D0%BC%D0%BE%D0%BA%20%D0%B5%D0%BA%D1%80%D0%B0%D0%BD%D0%B0%202023-11-01%20153551.png" alt="" width="375"><figcaption></figcaption></figure> <figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/f4RRtc4IohC83Cld59mt/photo_2023-11-01_16-27-19.jpg" alt="" width="312"><figcaption></figcaption></figure> <figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/J7HBMDGDCUyRWrCzC0qz/photo_2023-11-01_16-27-17.jpg" alt="" width="309"><figcaption></figcaption></figure></div>

{% hint style="success" %}

**Passwordless PC Authorization** allows you to unlock the Workstation when it is offline using codes. Learn more about this feature at [this link](https://authenticator.hideez.com/user-guide/android-guide/login-with-hideez-authenticator/pc-login/passwordless-pc-login/offline-passwordless-login).

{% endhint %}

#### [**Enrollment for Password-based PC Authorization**](https://authenticator.hideez.com/user-guide/android-guide/software-key-enrollment/pc-authorization-enrollment/enrollment-for-password-based-pc-authorization)

1. Open **Hideez Client → Mobile Authenticator → Password-based Authorization → Setup**.
2. Open **Hideez Authenticator** and select the QR scanner.
3. Scan the QR code on the computer using a smartphone.
4. Confirm the action in **Hideez Authenticator**.
5. Choose the **Account type**, enter the **User name**, **Domain**, and **Password**, and click **Save**. The account will appear in the section **Accounts → Workstation**.

<div><figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/c7H0VXwKAq9BRsmFqAEA/%D0%97%D0%BD%D1%96%D0%BC%D0%BE%D0%BA%20%D0%B5%D0%BA%D1%80%D0%B0%D0%BD%D0%B0%202023-11-01%20153111.png" alt="" width="375"><figcaption></figcaption></figure> <figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/G3IpXuLGfamCQlN4k3I2/photo_2023-11-01_17-22-56.jpg" alt="" width="155"><figcaption></figcaption></figure> <figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/VzGSOEn3aGAKk4qwFXnk/photo_2023-11-02_13-49-09.jpg" alt="" width="156"><figcaption></figcaption></figure></div>

{% hint style="info" %}
The process of enrolling Hideez Authenticator for unlocking the Workstation is the same for both the Android and iOS platforms.
{% endhint %}

#### Unlock Workstation by Hideez Authenticator

1. Open **Hideez Authenticator**.
2. Scan the QR code on the logon screen.
3. Select an account in the **Hideez Authenticator** app.

{% hint style="warning" %}
Please make sure that displaying the QR code on the logon screen of your workstation is enabled.

In the Hideez Client, open the **Settings → Logon** section and enable **Always shows authorization QR on logon screen**:
{% endhint %}

<figure><img src="https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/7oaFLCFd9EyFqgxdBBpP/Screenshot_3.jpg" alt="" width="563"><figcaption></figcaption></figure>

{% hint style="info" %}
**If you have any questions about deploying or configuring HES, please contact our Customer Care team at** [**support@hideez.com**](mailto:support@hideez.com)**. We’ll be happy to help!**
{% endhint %}
