MFA Guides

Mass Deploy RapidIdentity MFA

To mass deploy RapidIdentity MFA, first create or alter a group policy object that can target all computers meant to receive the RapidIdentity client. Then:

  1. Use the group policy object to push a Trusted Publisher certificate to the computers.

  2. Use the group policy object to set the PowerShell execution policy on those computers to AllSigned.

  3. Use the group policy object to add the install script to the startup scripts.

The script will check whether RapidIdentity is installed and install it if not. The script will then delete the installer files and itself. The RapidIdentity Support team would need to sign the script with a code-signing certificate issued by your environment's CA, or could use one of their own.

Local Share Folder Setup Script

This is the most common approach, and copying the files from a local share is quicker.

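<# Last updated 07/07/2020 #>
<#
  Copies the RapidIdentity installer files from a local SMB share into
  C:\2FAInstaller and launches the silent InstallShield setup using the
  recorded setup.iss response file. Needs read access to the share.
#>
Clear-Host
Write-Output '============= Downloading Files for RapidIdentity ============='
# TLS 1.2 only; TLS 1.0/1.1 are deprecated. Nothing in this script uses HTTPS,
# so this setting only matters if a download step is ever added.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$path = 'C:\2FAInstaller'
if (Test-Path -Path $path) {
    Write-Output '1. Temporary 2FA Directory Already Created'
}
else {
    # The original only reported an existing directory and never created a
    # missing one; create it so Copy-Item always has a real destination.
    New-Item -Path $path -ItemType Directory | Out-Null
    Write-Output '1. Temporary 2FA Directory Created'
}

$sharePath = '\\my.net.local\shareFolder\Identity Automation\2FAInstallerFiles\'
$destPath  = 'C:\2FAInstaller\'
# Note the space before -Recurse. Written as "$destPath"-Recurse, PowerShell
# joins the two tokens into one argument ('...\-Recurse') and the switch is
# never passed, so subdirectories would not be copied.
Copy-Item -Path (Join-Path $sharePath '*') -Destination $destPath -Recurse -Force -Verbose

# Silent InstallShield run driven by the response file. The notice below
# suggests setup.exe returns before the install itself has finished.
C:\2FAInstaller\setup.exe /s /f1C:\2FAInstaller\setup.iss
Write-Output '========================= END ================================='
Write-Output 'Please leave the machine on for at least another 15 mins while MFA installs in the background'
PAUSE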
Updated Install Script
## RapidIdentity Install Powershell Script
<# Last updated 08/24/2020 #>
## ServiceURL the client is pointed at; it is written into settings.ini further down.
[string]$serviceURL = 'https://mfa1.idauto.info/oneService/SyncService.asmx'
## ------------------------------------------------------------------------------
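<#
.SYNOPSIS
  Lists applications registered under the Windows Uninstall registry keys.
.DESCRIPTION
  Opens the HKLM hive of each computer via OpenRemoteBaseKey (for a remote
  name this presumably needs the Remote Registry service reachable - not
  verified here) and walks SOFTWARE\...\Uninstall plus, unless the host
  reports an x86 PROCESSOR_ARCHITECTURE, SOFTWARE\Wow6432Node\...\Uninstall.
  One PSObject is emitted per subkey that has a DisplayName and passes the
  filters below.
.PARAMETER ComputerName
  Computers to query; defaults to the local machine. Accepts pipeline input.
.PARAMETER Properties
  Extra registry value names copied onto the output object. '*' copies every
  non-empty value under the subkey.
.PARAMETER IdentifyingNumber
  Subkey name to match exactly, with or without surrounding braces.
.PARAMETER Name
  -like pattern matched against the DisplayName value.
.PARAMETER Publisher
  -like pattern matched against the Publisher value.
.OUTPUTS
  PSObject with Name, IdentifyingNumber, Publisher, ComputerName, Path and any
  requested Properties.
.NOTES
  A failure to open or read a hive is reported with Write-Error and that
  computer is skipped; the function does not throw.
#>
Function Get-InstalledApplication {
  [CmdletBinding()]
  Param(
    [Parameter(
      Position=0,
      ValueFromPipeline=$true,
      ValueFromPipelineByPropertyName=$true
    )]
    [String[]]$ComputerName=$ENV:COMPUTERNAME,

    [Parameter(Position=1)]
    [String[]]$Properties,

    [Parameter(Position=2)]
    [String]$IdentifyingNumber,

    [Parameter(Position=3)]
    [String]$Name,

    [Parameter(Position=4)]
    [String]$Publisher
  )
  Begin{
    # Returns $true when the hive's PROCESSOR_ARCHITECTURE is 'x86', i.e. there
    # is no Wow6432Node view to query. Returns $false if the key cannot be opened.
    Function IsCpuX86 ([Microsoft.Win32.RegistryKey]$hklmHive){
      $regPath='SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
      $key=$hklmHive.OpenSubKey($regPath)
      if(!$key){
        return $false
      }
      $cpuArch=$key.GetValue('PROCESSOR_ARCHITECTURE')
      $key.Close()
      return ($cpuArch -eq 'x86')
    }
  }
  Process{
    foreach($computer in $ComputerName){
      $regPath = @(
        'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
      )
      $hive=$null

      Try{
        $hive=[Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
          [Microsoft.Win32.RegistryHive]::LocalMachine,
          $computer
        )
        if(!$hive){
          continue
        }

        # The original tested $IsCpuX86, a variable that is never assigned, so
        # the helper above was dead code and Wow6432Node was always queried.
        if(IsCpuX86 $hive){
          $regPath=@($regPath[0])
        }

        foreach($path in $regPath){
          $key=$hive.OpenSubKey($path)
          if(!$key){
            continue
          }
          foreach($subKey in $key.GetSubKeyNames()){
            # Exact match on the subkey name, braces optional.
            if($PSBoundParameters.ContainsKey('IdentifyingNumber')){
              if($subKey -ne $IdentifyingNumber -and
                $subKey.TrimStart('{').TrimEnd('}') -ne $IdentifyingNumber){
                continue
              }
            }
            $subKeyObj=$key.OpenSubKey($subKey)
            if(!$subKeyObj){
              continue
            }
            $appName=$subKeyObj.GetValue('DisplayName')
            if($PSBoundParameters.ContainsKey('Name')){
              if($appName -notlike $Name){
                continue
              }
            }
            # Subkeys without a DisplayName are not reported.
            if(!$appName){
              continue
            }

            $outHash=New-Object -TypeName Collections.Hashtable
            if($PSBoundParameters.ContainsKey('Properties')){
              if($Properties -eq '*'){
                foreach($keyName in $subKeyObj.GetValueNames()){
                  Try{
                    $value=$subKeyObj.GetValue($keyName)
                    if($value){
                      $outHash.$keyName=$value
                    }
                  }Catch{
                    Write-Warning "Subkey: [$subkey]: $($_.Exception.Message)"
                    continue
                  }
                }
              }else{
                foreach($prop in $Properties){
                  $outHash.$prop=$subKeyObj.GetValue($prop)
                }
              }
            }
            $outHash.Name=$appName
            $outHash.IdentifyingNumber=$subKey
            $outHash.Publisher=$subKeyObj.GetValue('Publisher')
            if($PSBoundParameters.ContainsKey('Publisher')){
              if($outHash.Publisher -notlike $Publisher){
                continue
              }
            }
            $outHash.ComputerName=$computer
            $outHash.Path=$subKeyObj.ToString()
            New-Object -TypeName PSObject -Property $outHash
          }
        }
      }Catch{
        Write-Error $_
      }Finally{
        # The original never closed the (possibly remote) hive handle.
        if($hive){ $hive.Close() }
      }
    }
  }
  End{}
}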
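Write-Output ''
Write-Output '============= Listing Installed RapidId Apps =================='

# @() guarantees an array: a single match would otherwise be a bare PSObject
# and $null would have nothing to index in the loop below.
$rapidApps = @(Get-InstalledApplication -Publisher 'Identity Automation, LP')

foreach ($app in $rapidApps) {
    $app.Name
}

# If two are installed then RI is installed, isInstalled = True
$isInstalled = $rapidApps.Count -ge 2

Write-Output ''
if ($isInstalled) {
    Write-Host '--> RapidIdentity Is Already Installed'
}
else {
    Write-Host '--> RapidIdentity Is NOT Installed'

    Write-Output '============= Check if dotNet is Installed v3.5   ============='

    $dotNetInfo = Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' |
        Where-Object -FilterScript { $_.PSChildName -eq 'v3.5' }

    if ($dotNetInfo) {
        Write-Output 'dotNet v3.5 is Already Downloaded'
        Start-Sleep 5
    }
    else {
        Write-Output 'dotNet v3.5 is Now Installing'
        # Receive-Job surfaces DISM's output; the original discarded it, so a
        # failed feature install went unnoticed.
        Start-Job -Name InstallDotNet -ScriptBlock { DISM /Online /Enable-Feature /FeatureName:NetFx3 /All } |
            Wait-Job | Receive-Job
        Start-Sleep 5
    }

    Write-Output '============= Downloading Files for RapidIdentity ============='
    # TLS 1.2 only; the original also enabled the deprecated TLS 1.0/1.1.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    $path = 'C:\2FAInstaller'
    if (Test-Path -Path $path) {
        Write-Output 'Temporary 2FA Directory Already Exists'
    }
    else {
        New-Item -Path $path -ItemType Directory | Out-Null
        Write-Output 'Temporary 2FA Directory Created'
        Start-Sleep 5
    }

    #    This can be used to download from a local share
    #   -------------------------------------------------------------------------------------
    #    $sharePath = "\\my.net.local\shareFolder\Identity Automation\2FAInstallerFiles\"
    #    $destPath = "C:\2FAInstaller\"
    #    Copy-Item -Path "$sharePath\*" -Destination "$destPath" -Recurse -Force -Verbose

    $zipFile = 'C:\2FAInstaller\rapid.zip'
    $zipUrl  = 'https://s3-us-east-1-idauto-bsalazar-dev.s3.amazonaws.com/rapid.zip'
    # Optional integrity pin for the downloaded installer. Empty keeps the
    # original behaviour (no check); set it to the known SHA256 of rapid.zip
    # so a tampered or replaced archive is never expanded and executed.
    $expectedZipSha256 = ''   # e.g. '<SHA256-OF-RAPID-ZIP - PLACEHOLDER>'

    if (Test-Path -Path $zipFile) {
        Write-Output 'Installer Zip is Already Downloaded'
    }
    else {
        # Run the download in-process. Start-Job runs in a separate PowerShell
        # process, which does not inherit the SecurityProtocol set above, so the
        # original job negotiated TLS with that process's defaults instead.
        # -UseBasicParsing avoids the IE-engine dependency of Invoke-WebRequest.
        Invoke-WebRequest -Uri $zipUrl -OutFile $zipFile -UseBasicParsing
    }

    if ($expectedZipSha256) {
        $actualHash = (Get-FileHash -Path $zipFile -Algorithm SHA256).Hash
        if ($actualHash -ne $expectedZipSha256) {
            throw "rapid.zip hash mismatch: expected $expectedZipSha256, got $actualHash"
        }
    }

    # Both branches above expanded the archive; do it once here.
    Expand-Archive -LiteralPath $zipFile -DestinationPath 'C:\2FAInstaller' -Force
    Start-Sleep 5

    # Prepare settings and launch the installer once. The original did all of
    # this inside the polling loop, so reg import, settings.ini and setup.exe
    # were re-run every 10 seconds until the install check passed, and the
    # loop had no upper bound if the install never succeeded.
    Start-Process -FilePath reg -ArgumentList 'import C:\2FAInstaller\UseStrongCrypto.reg' -NoNewWindow -Wait
    # Out-File (rather than Set-Content) keeps the file encoding the original produced.
    @('[CustomSettings]', ('ServiceURL=' + $serviceURL)) | Out-File -FilePath 'C:\2FAInstaller\settings.ini'

    C:\2FAInstaller\setup.exe /s /f1C:\2FAInstaller\setup.iss

    # Poll for the two registered RapidIdentity apps, bounded to 15 minutes
    # (the wait the share-folder variant of this script asks the user for).
    $pollSeconds = 10
    $maxPolls = 90
    $polls = 0
    Do {
        Write-Output "Please wait while MFA installs in the background: $(Get-Date)"
        Start-Sleep -Seconds $pollSeconds

        $rapidApps = @(Get-InstalledApplication -Publisher 'Identity Automation, LP')
        $isInstalled = $rapidApps.Count -ge 2
        $polls++
    } While (-not $isInstalled -and $polls -lt $maxPolls)

    if ($isInstalled) {
        Write-Output '========================= END ================================='
        Write-Output 'MFA is installed'
    }
    else {
        Write-Warning "RapidIdentity was not detected after $($maxPolls * $pollSeconds) seconds; investigate before re-running"
    }
    #PAUSE
}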