Axiad AirLock

What is Axiad AirLock?

Axiad AirLock is a desktop client that expedites and executes the rollout of multi-factor authentication (MFA) on Windows machines by ensuring users have a valid authenticator at login. It sends those without an authenticator, or those whose authenticator is about to expire, to a locked-down Unified Portal experience where they can resolve their specific condition before they can access the normal desktop environment.

How is It Useful?

Axiad AirLock empowers your Windows users to self-enroll their initial MFA device, and if they need to troubleshoot their service, it walks them through issue remediation processes to return them to normal service.

It is intended to help organizations enforce certificate-based authentication (CBA) by denying password-based logins per regulatory, auditory, or other requirements, accelerate CBA deployment by directing users into a secure certificate enrollment flow, and manage the CBA lifecycle by notifying users of expiring certificates and processing their renewals in a single location.

How Does AirLock Work?

Based on a set of rules, Axiad AirLock determines whether a user requires self-service, or whether they can access the normal desktop environment. If the rules indicate the user requires self-service, then AirLock automatically puts the user in a secure kiosk mode session and redirects them to the Axiad Unified Portal to resolve their issue.

Once in the portal, a user cannot gain access to their desktop until they enroll, renew, update, or reset their device as needed. Optionally, they can exit the portal by logging out, but that will also log them out of their Windows machine, still ensuring that access is not granted until they have a valid authentication device.

These actions are fully configurable and can be granularly fine-tuned to meet your specific needs, including messaging and branding. Some use cases include:

• Excluding groups (e.g. local Administrators) from AirLock enforcement to prevent lockout or unintended enforcement

• Creating enforcement groups for a gradual, targeted rollout of AirLock

• Connectivity checks to allow bypass or enforcement when a device is offline

  • Offline checks can be customized for either line of sight to a domain controller or reachability to the configured Axiad Unified Portal

• Fine-grained certificate renewal thresholds with warnings and mandatory renewal windows

Example Flows

This is an example of the Axiad AirLock flow when a user attempts to log in with a password, but the organization requires a CBA authenticator to log into the Windows machine.

1. User provides password on Windows Login UI

2. Axiad AirLock initiates, checking the policy

3. AirLock determines user does not follow policy, so enters the secure AirLock

4. Axiad redirects user to Unified Portal experience to enroll an authenticator

5. Once enrolled, user is redirected back to the Windows Login Screen where the authenticator appears as an option

6. Now when the user selects the CBA authenticator, they can successfully log into their Windows machine

What Axiad Conductor Packages Require It?

Axiad AirLock is an optional service for Windows machines, and is available, but not required, for all Axiad Conductor packages.

Can I Automatically Deploy the Installer? 

Yes. Deploy the installer with GPOs, script, or any third-party package deployment solution.

Axiad provides an administrative template (ADMX) during your initial configuration, and you can use it to automatically configure Axiad AirLock options.

Limitations

• Axiad AirLock supports only standard MSI configuration options.

• Axiad AirLock is only available for Windows machines.