AirLock Enforcement Logic
  • 31 Jul 2024


When using Axiad AirLock, you can redirect your users to the Unified Portal to enroll or update authentication credentials, or you can block them entirely from access based on a set of criteria.

Default Enforcement

By default, Axiad AirLock directs the user to the Unified Portal in the following cases:

  • If a user signs in via their Windows password (temporary or permanent).

  • If a user signs in with a PKI-capable MFA device whose certificates expire within a mandatory renewal period.

  • If a user signs in with a PKI-capable MFA device whose certificates expire within an optional renewal period.

    • In this case, the user is offered the opportunity to enter the Unified Portal to renew their certificate, but they will not be forced into it until they reach the mandatory renewal period.

While in the secured Unified Portal kiosk, the following enforcements are in place:

  • No window controls.

  • No desktop windowing environment.

  • No Windows keyboard shortcuts (including CTRL-ALT-DEL, Windows Key, and others).

Exceptions

Exceptions can be configured so that a user is either allowed in or blocked, rather than redirected to the Unified Portal:

  • If the user is an administrator (or has another protected role, identified by SID in a SID list).

  • If the user is not one of a specific list of SIDs.

  • If the user signs in with a non-domain account (local to the machine only).

  • If the user signs in while the Unified Portal is unreachable.
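
The default criteria and the exceptions above can be read as a single decision per sign-in. The following Python model is an added illustration, not Axiad code or configuration: the window lengths, the field names, and the precedence rule (exceptions replace only a forced redirect, and "block" wins over "allow") are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
# Assumed window lengths; the page gives no values.
MANDATORY_WINDOW = timedelta(days=14)
OPTIONAL_WINDOW = timedelta(days=45)

@dataclass
class SignIn:
    sid: str
    method: str                              # "password" or "pki"
    cert_not_after: Optional[datetime] = None
    is_admin: bool = False
    is_local_account: bool = False
    portal_reachable: bool = True

@dataclass
class ExceptionPolicy:
    # Each exception is None (not configured), "allow" or "block".
    admin: Optional[str] = None
    local_account: Optional[str] = None
    portal_unreachable: Optional[str] = None
    not_in_sid_list: Optional[str] = None
    sid_list: frozenset = frozenset()

def default_outcome(s: SignIn, now: datetime) -> str:
    if s.method == "password":
        return "redirect"                    # temporary or permanent password
    if s.cert_not_after is not None:
        remaining = s.cert_not_after - now
        if remaining <= MANDATORY_WINDOW:
            return "redirect"                # forced renewal
        if remaining <= OPTIONAL_WINDOW:
            return "offer"                   # user may renew or continue
    return "allow"

def decide(s: SignIn, policy: ExceptionPolicy, now: datetime) -> str:
    outcome = default_outcome(s, now)
    if outcome != "redirect":
        return outcome
    # Assumption: exceptions only replace a redirect, and "block" wins
    # when several configured exceptions match with different actions.
    matched = {action for applies, action in (
        (s.is_admin, policy.admin),
        (s.is_local_account, policy.local_account),
        (not s.portal_reachable, policy.portal_unreachable),
        (s.sid not in policy.sid_list, policy.not_in_sid_list),
    ) if applies and action}
    return next((a for a in ("block", "allow") if a in matched), "redirect")
```

In this model, setting `portal_unreachable` to "allow" makes a password sign-in fail open whenever the portal cannot be reached, while "block" fails closed.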

Learn More

Learn how to configure AirLock policies and see some real examples that expand beyond the default enforcement here.

