
# IPI Authenticator App

## IPI Authenticator App Solution Components

[**IPI Enterprise Server**](/ipi-enterprise-server/deployment.md)

* can be deployed on both Windows and Linux servers
* is deployed from source or run on Docker
* must be deployed on the Customer's side and joined to the domain in order to work with AD

**IPI Client (desktop application)**

* can be installed centrally (.msi)
* is designed for Windows 10-11 only
* the server address can be registered on all Clients centrally

[**IPI Authenticator**](/ipi-client-app/mobile-authenticator.md) **(mobile app)**

* Compatible with Android and iOS devices
* Mobile sign-ins to any Windows account type (via RDP as well; passwordless TPM-based, password-based)
* Single sign-in option
* OTP generation

If you ordered a pilot project and successfully deployed your IPI Enterprise Server, licenses will be issued for the required number of employees.

## Use scenarios

You can use IPI Authenticator as an SSO method only, or you can try the full functionality (which includes passwordless or password-based PC login).

There are 2 possible use scenarios:

* [**Windows login**](#using-the-full-functionality-of-ipi-authentication-service) (passwordless or password-based PC login)
* [**SSO use only**](#using-ipi-authenticator-for-sso-login)

### Using IPI Authenticator for SSO login

#### Step 1

In an IPI Group email, you received the server address and access. Please go to the server and add one employee. At this stage, it is enough to fill in only the employee's name and leave the rest of the data blank.\
[How to add an Employee?](/ipi-enterprise-server/employees/how-to-add-an-employee.md)

#### Step 2

[Enable SSO for the employee](/ipi-enterprise-server/single-sign-on-settings/nastroika-polzovatelei.md). Administrators can log into the IES service and use the SSO service by default, but employees with user accounts cannot, so they must first be given explicit permission by the administrator.

#### Step 3

Install and set up the IPI Authenticator for your OS:

* Download the application - [App Store](https://apps.apple.com/us/app/ipi-mobile-authenticator/id1510948639), [Play Market](https://play.google.com/store/apps/details?id=com.ipi.ipimobilekey\&hl=en\&gl=US).
* Primary setup guides - [iOS](https://authenticator.ipi.com/user-guide/ios-guide/mobile-app-primary-setup), [Android](https://authenticator.ipi.com/user-guide/android-guide/mobile-app-primary-setup).

#### Step 4

Enroll the IPI Authenticator application on IES - [iOS](https://authenticator.ipi.com/user-guide/ios-guide/software-key-enrollment/sso-enrollment) and [Android](https://authenticator.ipi.com/user-guide/android-guide/software-key-enrollment/sso-enrollment) guides.

#### Step 5

Then you can log in to IES using the IPI Authenticator - [iOS](https://authenticator.ipi.com/user-guide/ios-guide/login-with-ipi-authenticator/sso-login) and [Android](https://authenticator.ipi.com/user-guide/android-guide/login-with-ipi-authenticator/sso-login) guides.

You can now also use IPI Authenticator for OTP generation - [iOS](https://authenticator.ipi.com/user-guide/ios-guide/otp-generation) and [Android](https://authenticator.ipi.com/user-guide/android-guide/otp-generation) guides.

### Using the full functionality of IPI Authentication Service (Windows login scenario)

#### Step 1

Set up IPI Authenticator for SSO login as described [above](#using-ipi-authenticator-for-sso-login) (steps 1-4).

#### Step 2

You now have two options for using IPI Authenticator for PC unlock:

* Passwordless authentication based on TPM technology is available for AD on premises accounts (the most secure and highly recommended). With this option, the user does not have to know the account password.
* Password-based authentication is available for all account types (local, Microsoft, AD on premises and Azure AD). With this option, the user has to know the account login, password and domain (for AD accounts).

To enable passwordless authentication, please follow these steps:

1. [Configure an Active Directory Certification Authority](https://authenticator.ipi.com/primary-setup-admin-guide/configuring-an-active-directory-certification-authority).
2. [Set up the IES for passwordless login](https://authenticator.ipi.com/primary-setup-admin-guide/hes-setup-for-passwordless-login).

#### Step 3

Install the IPI Client on your workstation.

If IPI staff didn't give you any special version, then use the latest stable version, which can be downloaded [here](/product-updates/ipi-client-updates.md).

Installation instructions are [here](/ipi-client-app/windows-deployment/set-up-ipi-client-app.md).

{% hint style="warning" %}
Note! You can install the IPI Client version that works with internal Bluetooth **or** the version that works with an external IPI Dongle. If you will not use IPI Keys, it does not matter which option you choose.
{% endhint %}

#### Step 4

Enter the IES address in the IPI Client.\
Approve the workstation on the server.\
[How to add and approve Workstations?](/ipi-enterprise-server/workstations/how-to-add-and-approve-workstations.md)

#### Step 5

To enroll the IPI Authenticator for passwordless authentication, follow these guides - [iOS](https://authenticator.ipi.com/user-guide/ios-guide/software-key-enrollment/pc-authorization-enrollment/enrollment-for-passwordless-pc-authorization), [Android](https://authenticator.ipi.com/user-guide/android-guide/software-key-enrollment/pc-authorization-enrollment/enrollment-for-passwordless-pc-authorization).

{% hint style="info" %}
Before setting up the application, please ensure that:

* You are signed into the Windows domain account.
* The workstation has a TPM 2.0 module.
{% endhint %}
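
The two prerequisites above can be checked on the workstation before enrollment. The following PowerShell check is an added example, not part of the IPI documentation or tooling; the function name `Test-PasswordlessPrerequisites` is hypothetical, it assumes an elevated session, and the domain-account test is a heuristic based on `USERDOMAIN`.

```powershell
# Added example: pre-flight check before passwordless (TPM-based) enrollment.
# Assumption: run in an elevated PowerShell session; Win32_Tpm is not readable otherwise.

function Test-PasswordlessPrerequisites {  # hypothetical helper name
    $results = [ordered]@{}

    # Prerequisite: the workstation has a TPM 2.0 module.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($null -eq $tpm) {
        $results['TpmPresent']             = $false
        $results['TpmSpec20']              = $false
        $results['TpmEnabledAndActivated'] = $false
    } else {
        # SpecVersion looks like "2.0, 0, 1.38"; the first field is the spec family.
        $family = ($tpm.SpecVersion -split ',')[0].Trim()
        $results['TpmPresent']             = $true
        $results['TpmSpec20']              = ($family -eq '2.0')
        $results['TpmEnabledAndActivated'] =
            [bool]($tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue)
    }

    # Prerequisite: signed in with a Windows domain account.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $results['MachineDomainJoined'] = [bool]$cs.PartOfDomain
    # Heuristic: for a local account, USERDOMAIN equals the computer name.
    $results['UserIsDomainAccount'] =
        [bool]($cs.PartOfDomain -and ($env:USERDOMAIN -ne $env:COMPUTERNAME))

    [pscustomobject]$results
}

$check = Test-PasswordlessPrerequisites
$check | Format-List

# List every prerequisite that evaluated to false.
$failed = $check.PSObject.Properties | Where-Object { -not $_.Value }
if ($failed) {
    Write-Warning ('Not ready for passwordless enrollment: ' + ($failed.Name -join ', '))
} else {
    Write-Output 'All passwordless enrollment prerequisites are met.'
}
```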

To enroll the IPI Authenticator for password-based authentication (available for local, Microsoft, AD on premises and Azure AD account types), follow these guides - [iOS](https://authenticator.ipi.com/user-guide/ios-guide/software-key-enrollment/pc-authorization-enrollment/enrollment-for-password-based-pc-authorization), [Android](https://authenticator.ipi.com/user-guide/android-guide/software-key-enrollment/pc-authorization-enrollment/enrollment-for-password-based-pc-authorization).

{% hint style="info" %}
A roaming feature is available for password-based accounts. It means that you can enroll the IPI Authenticator on one PC and then use this account on any other computer that has the same account.\
\
Read more - [iOS](https://authenticator.ipi.com/user-guide/ios-guide/software-key-enrollment/pc-authorization-enrollment/enrollment-for-password-based-pc-authorization/account-roaming), [Android](https://authenticator.ipi.com/user-guide/android-guide/software-key-enrollment/pc-authorization-enrollment/enrollment-for-password-based-pc-authorization/account-roaming).
{% endhint %}

#### Step 6

Then you can log in to your PC using the IPI Authenticator - [iOS](https://authenticator.ipi.com/user-guide/ios-guide/login-with-ipi-authenticator/pc-login) and [Android](https://authenticator.ipi.com/user-guide/android-guide/login-with-ipi-authenticator/pc-login) guides.

For passwordless unlock accounts, offline login via text code is also available. You have to perform an online login once, and then 50 offline codes will be generated for you.\
Read more about this option - [iOS](https://authenticator.ipi.com/user-guide/ios-guide/login-with-ipi-authenticator/pc-login/passwordless-pc-login/offline-passwordless-login), [Android](https://authenticator.ipi.com/user-guide/android-guide/login-with-ipi-authenticator/pc-login/passwordless-pc-login/offline-passwordless-login).

#### Step 7

A PC lock option is also available; read more about it via the links - [iOS](https://authenticator.ipi.com/user-guide/ios-guide/pc-lock), [Android](https://authenticator.ipi.com/user-guide/android-guide/pc-lock).

Read more about IPI Authenticator features in the [official guide](https://authenticator.ipi.com/).

