Working with SDP Users

This article explains how to manage your SDP users and view their connection activity across your account.

Overview

Efficient SDP user management is a fundamental part of an identity management framework. The Users screen gives you full visibility of all SDP users and their Clients from a centralized location. You can manually add and manage SDP users and view information about how they are using the SDP Client. The filters let you drill-down into usage activity.

Use Case

Company ABC manages their Client Upgrade Policy (which defines how Clients in their account are upgraded to the latest version) using Automatic Silent Upgrades. Following the release of the latest Windows Client, the IT administrator wants to know how many SDP users have upgraded to this version. On the SDP Users Activity tab, the IT administrator adds the latest version to the Client version filter. The SDP users who have completed the Client upgrade are displayed.

Getting Started with the Users Screen

The SDP Users Activity and Users Directory tabs display the SDP users in your account and how they are connecting to the Cato Cloud.

Viewing SDP Users Activity

You can view all the SDP users in your account and their connection activity from the SDP Users Activity tab. You can sort and filter for each of the fields to quickly show the relevant data, for example: Connectivity status, Last PoP, Client version, and more.

Viewing Device and Client Details

The Devices column shows each device and operating system that is used by a SDP user to connect to the Cato Cloud. The Client version column shows the version the Client is running. This section can be helpful for security auditing purposes.

If a SDP user connects to the Cato Cloud with more than once device, a plus sign with the number of additional devices is displayed (Plus_1.png ). To view all the devices used by the SDP user, click on this number.

You can also view additional device information, for example the Name and Identifier of the device.

devices.png

To show additional device information:

  1. From the navigation menu, click Access > Users.

  2. Select a user from the list. The Access > User Monitoring screen for the user is displayed.

  3. From the navigation menu, click User Monitoring > Devices. The Devices screen displaying all currently defined devices for the user.

Viewing Associated Groups for Users

The Member of Groups section shows you the groups that a SDP user belongs to.

MemberofGroups.png

To view associated groups of users

  1. From the navigation menu, click Access > Users.

  2. Select a user from the list. The Access > User Monitoring screen for the user is displayed.

  3. Click User Configuration > Member of Groups. The General window opens. The Member of Groups window opens, showing groups that the user belongs to.

Understanding Users Directory

You can view and monitor SDP user provisioning information from the Users Directory screen. You can sort and filter for each of the fields to quickly show the relevant data, for example: Status, Source (SCIM, LDAP, or Manual), Authentication (SSO or MFA), and more.

Filtering by User Status

The Status column displays the account status of the SDP user. The following table provides an explanation of each status.

Status

Explanation

New

The SDP user is created, no Onboarding emails have been sent.

Configured

The SDP user has successfully signed into their account.

Disabled

The SDP user is disabled. They cannot connect to the Cato Cloud.

Locked

The SDP user failed six consecutive authentication attempts.

Invitation sent

An Onboarding email was sent to the SDP user, but the account has not been configured.

Requires new code

The SDP User's registration code has expired and requires a new one. For more information, see Provisioning SDP Users for Cato Clients.

MFA invitation sent

For SDP users that authenticate with MFA, an invitation email was sent, but the account has not been configured.

Viewing SDP User Monitoring and Configuration

You can view individual SDP User Monitoring and User Configuration from the SDP Users Activity screen or the Users Directory screen.

To view SDP User Monitoring:

  1. From the navigation menu, click Access > Users.

  2. On either the SDP Users Activity or Users Directory tabs, click the bar graph icon (Bar_Graph.png). The Access > User Monitoring screen is displayed with a predefined filter for the SDP User.

To view SDP User Configuration:

  1. From the navigation menu, click Access > Users.

  2. On either the SDP Users Activity or Users Directory tabs, click the cog icon (Cog.png). The Access > User Configuration screen is displayed with a predefined filter for the SDP User.

Creating and Managing SDP Users

You can administer new and existing SDP users in your account as part of your identity management framework.

Adding A User Manually

You can manually add individual SDP users to your account.

AddNewUser.png

To manually add a SDP user:

  1. From the Navigation menu, click Access > Users.

  2. Click the Users Directory tab.

  3. Click New. The Add SDP User panel opens.

  4. Enter the user's First Name, Last Name and E-mail.

  5. Click Apply.

    The SDP user is created and can be viewed on the Users Directory screen.

Resetting User Passwords

You can reset the password for a SDP user. After you reset the password, the user receives an email with a link to reset the password. The password reset link is valid for one hour after the email is sent. The new password must contain between 8 to 32 characters, at least one number, and a low case and upper letter.

Before you reset the password for SDP users, make sure that they log out of the Client for all of their devices. Otherwise, the user can be locked out of the Client.

Once a password has been updated, users may have to wait up to 4 minutes before they can sign into the Client again. In Windows Clients on the Users page, users must be deleted and re-added before they can sign in with the new password.   

Note

Note: After you reset the password, users can no longer authenticate with the current password. They must create a new one from the link in the email. 

To reset a SDP user's password:

  1. From the Navigation menu, click Access > Users.

  2. Click the Users Directory tab.

  3. Select the SDP user.

  4. From the Actions drop-down menu, select Reset Password.

  5. In the Reset Password window, click Confirm.

    The password is reset for the users and they receive an email with a link to create a new password.

Resending Activation Emails

After a new user is added to the Cato Management Application , you can choose to send them an activation e-mail. For more information, see Activating SDP Users for Cato Clients. If needed, the activation email can be resent.

To resend an invitation to a SDP User:

  1. From the Navigation menu, click Access > Users.

  2. Click the Users Directory tab.

  3. Select the SDP user.

  4. From the Actions drop-down menu, select Resend Invitation.

  5. In the Resend Invitation window, click Confirm.

    The activation email is sent to the SDP user.

Deleting Users

If you no longer want an SDP user to access your network, they can be permanently deleted from the directory.

Note

Note:

You cannot undo the delete user action.

Ensure Always-On is disabled for the user before they are deleted.

To delete a SDP user:

  1. From the Navigation menu, click Access > Users.

  2. Click the Users Directory tab.

  3. Select the SDP user.

  4. From the Actions drop-down menu, select Delete.

  5. In the Delete window, click Delete.

    The SDP user is deleted.

Restricting User Access

This section explains how to manage users that are disabled or locked.

Disabling/Enabling Users

If required, you can temporarily disable user accounts, or enable accounts that have been disabled.

A disabled user cannot connect to the Cato Cloud and is not counted as using an SDP user license. However, they will still appear in its relevant references and entries in the Cato Management Application, such as security rules.

To disable a user account:

  1. From the Navigation menu, click Access > Users.

  2. Click the Users Directory tab.

  3. Select the SDP user.

  4. From the Actions drop-down menu, select Disable.

  5. In the Disable window, click Confirm.

    The SDP user is disabled.

To enable a user account:

  1. From the Navigation menu, click Access > Users.

  2. Click the Users Directory tab.

  3. Select the SDP user.

  4. From the Actions drop-down menu, select Enable.

  5. In the Enable window, click Confirm.

    The SDP user is enabled.

Unlocking SDP Users

Following security best practices, after six consecutive authentication failures, Cato automatically locks SDP users for 30 minutes (unless you unlock the user earlier).

These six consecutive failures are counted separately for password and MFA authentication failures (meaning the lock will be triggered only after six consecutive MFA or six consecutive password failures).

You can view where the failure occurred (when the SDP user accessed the Cato User Portal or when authenticating via the Cato Client, and whether the failure was MFA or password related.

Note

Note: Unlocking an SDP user doesn't reset the user's password.

To unlock a locked SDP user:

  1. From the Navigation menu, click Access > Users.

  2. Click the Users Directory tab.

  3. Select the SDP user.

  4. From the Actions drop-down menu, select Unlock.

  5. In the confirmation window, click OK.

    The SDP user is unlocked.

Enabling All Users after an Active Directory Sync

For accounts that use LDAP to synchronize users between Active Directory (AD) and the Cato Cloud, this feature lets you enable all the users that are currently disabled. Sometimes, an admin discovers that many users were disabled by mistake in the AD and then synced to Cato Cloud. When you select this option in the Users window, all users that were disabled in the most recent sync are enabled.

To enable all the disabled users after an LDAP sync:

  1. From the Navigation menu, click Access > Users.

  2. Click the Users Directory tab.

  3. Select the SDP user.

  4. From the Actions drop-down menu, select Re-enable LDAP Disabled Users.

  5. In the Re-enable disabled LDAP users window, click Confirm.

    The SDP user that was disabled in the most recent LDAP sync is now enabled.

Revoking the MFA Token for a Device

You can revoke the Cato MFA authentication token on a specific device for an SDP user. After the MFA token is revoked the user must re-authenticate and enter a new MFA code in the Client.

To revoke the MFA token for a device:

  1. From the navigation menu, click Access > Users.

  2. Select a user from the list.

  3. From the navigation menu, click User Monitoring > Devices.

    The devices for that user are displayed.

  4. At the end of the row for the device, click the More button More_icon.png.

  5. Click Revoke Device.

  6. In the pop-up window, click Revoke.

    The MFA token for that device is no longer valid.

Was this article helpful?

2 comments

Date Votes
  • Comment author
    Sarah Schulefand

    Added a section about revoking the MFA token for a device.

  • Comment author
    Michael Goldberg

    Updated to include the new Users screen

Add your comment