The following topics are covered:
- Preparation for the Silo Installation and Deployment
- Authentication Settings for Users
- Admin Console - Users and Organization Management
- Admin Console - Web Apps and Provisioning Toolbox
- Admin Console - Policies
- Auditing and Oversight
The following preparation checklist should be completed before installing Silo:
- System Requirements
Review network settings to ensure Silo traffic is permitted
Authentic8 Silo operates through port 443; however, we use a proprietary cert configuration which does not interoperate with SSL Inspection. Authentic8 interprets conventional SSL inspection as a man in the middle attack and shuts down the connection.
- SSL Inspection Verify that devices on which Silo is to be installed are whitelisted for SSL inspection on port 443 to the URLS listed on Details About Firewall Rules Needed for Silo Access.
Network Requirements Please review the article on network requirements What are the minimum network requirements to use Silo and Toolbox?
Decide How to Distribute Silo
- You can either install Silo on machines individually or administer Silo installations centrally. The standard installer (available at https://www.authentic8.com/get/), installs Silo directly in the users’ AppData directory (c:\Users\<username>\AppData\ in Windows or /Applications on a Macintosh). The standard installer lets users install Silo without administrator privileges. Once Silo is installed, Authentic8 can automatically push updates to end users.
- If your organization requires a more centralized software distribution mechanism, follow the instructions at Instructions for Enterprise Install.
Silo provides various authentication options for users. Most federal organizations use the: PIN Login Only (Users can only access Silo by entering a PIN. This is the default configuration)
However, other authentication options are available:
- Deferred PIN Login Users can access limited Silo browser functionality without entering a PIN. To save a website credential, bookmark, or access apps, users must authenticate using their PIN. See Deferred PIN for details.
- Two factor Auth Users will be required to enter a one-time code sent to their phone during login. Two Factor Auth is enabled in the Admin Console - Access & Authentication - Policy.
- SAML-based SSO Authentication is performed using the customer’s SAML enabled IdP infrastructure. See SAML SSO for Silo Access for details.
Manage your organizational structure: Silo manages policies, web apps and users in a hierarchy of client managed organizations. The structure you chose should be based on how you want to manage your users (e.g. region, roles and responsibilities, etc.). To create and manage organizations, from the Admin Console select "Manage" under Users & Orgs then "Edit Orgs" in the upper right corner.
Define Administrators: Decide who in your organization will have Administrator privileges and what levels they will have. Admin Status can also be granted for only a subset of admin privileges. For example, you create an admin to manage users that can not change policies. Discussed in Granular Admin Controls.
Adding Users: Depending on your network topology and the size of your organization, you can administer users using any of the following means:
- Manually, using Silo’s Admin Console. See How to Manually Add Users for details.
- Template-driven CSV upload (upload only) (Download Template, Instructional Video)
- Programmatically, using Authentic8’s Active Directory Sync utility. This synchronizes select parts of your AD with Authentic8 enabling you to manage user accounts in Silo based on AD OU structure, Group membership, or any other parameter desired. See Active Directory Sync Tool for details
Web Apps allow Silo users to securely log into websites without manually entering their credentials each time. These web apps appear on the users left sidebar. There are three ways Web Apps can be provisioned. See Web App Shortcuts for more details.
- Admin Controlled Web App Shortcuts Admin provides unique credentials for each user to access the web app shortcut.
- Shared Web App Shortcuts Admin provides a group of users with a single set of credentials to access a web app shortcut. Any new users to an org that has a Shared Web App Shortcut assigned will automatically inherit the shortcut.
- User Controlled Web App Shortcuts Admin provides the user with a web app shortcut, but the user will provide the credentials for the app which will not be revealed to the admin.
Toolbox launchers are created for users in the Admin Console. The admin must have the Resource Provisioning permission set and the Org must be enabled for the Toolbox App. This toolbox instance will then be available for all users in the selected organization and its sub organizations. For step by step instructions to Provision a toolbox app for users.
Silo allows an administrator to define rules to manage access and limit browser functionality. These policies can be set at the organization or at sub-organization level managing different groups of users. While there are many policies to consider, here are the recommended ones to consider during your Silo deployment:
- Navigation Controls Locked down will restrict web access through web apps only. The user will not be able to type a website into the URL address bar.
- URL Category Filtering Allows the admin to restrict websites based on the website category assigned by BrightCloud. Categories include: Offensive , Adult, Security, Social Networking etc. You can read more about URL filtering here.
- Domain Filtering Allows domain specific filtering by blacklist or whitelist to explicitly allow or block access to websites.
- Password Saving Allows users to create and save web application (shortcuts)
Access and Authentication:
- Password Saving Allows the secure saving of website credentials. This policy enables the creation of web apps in Silo. Learn more about Password Saving at Password Saving Control
Encrypted Cloud Storage:
- Cloud Storage Options Temporary, User and Shared secure storage available within Silo and Toolbox. For more information click here.
Data Transfer Policies
- File Upload/Download Control whether users can upload and/or download files to their local desktop
- Printing Control whether to allow users to print. Print From Silo
- Clipboard Controls Control whether to allow users to copy content from Silo to the local clipboard and/or from the local clipboard to Silo. Clipboard Controls
- Log Encryption Enables the upload of clients public key to encrypt organizational data. Strongly recommended by Authentic8. You can read more here.
- Session Timeout Duration of inactivity before Silo closes down
Machine Lock: Administrators can control or lock specific workstations to Silo organizations using Machine Lock Control. This is useful for organizations which allow Silo on their organization controlled workstations, but do not want their users to log into their personal Silo accounts from those same workstations. Learn more about the Machine Lock Control feature on the Machine Lock Control page. Authentic8 highly recommends all organizations implement this policy; please contact firstname.lastname@example.org to enable.
Smart Card Support (CAC) - supports the use of CAC for applications which require the PKI cert contained in the CACs. This is enabled by Authentic8 personnel. Send an email to email@example.com to enable this feature. Available for an additional cost.
Virtual Egress Node (VEN) - Allows you to place an egress node anywhere in world which will register securely to our infrastructure and be available exclusively to your organization. Available for an additional cost.
Authorized administrators get comprehensive oversight of all session and browser activity.
By default, Authentic8 logs information from user sessions, and makes summary information available to administrators through the Admin Console. Summary data available includes:
- Number of Users
- Top 5 sites accessed
- Total number of sites
- Top Users
Enhanced Reporting Using the Log API
In addition to the summary data available through the Admin Console, a rich data set is available via the Authentic8 Log API. You can access your data programmatically for use in other tools at your discretion. Learn more about the Authentic8 API Reference Guide and the details on the fields available in the Authentic8 API Log Reference Guide.
Authentic8 retains logged data for 90 days. Authentic8 can assist with analysis and can offer support for querying logged data.
You may elect to encrypt user session logging. This provides considerably greater fidelity of activity in logged data and provided added security to your end users' activities. Log Encryption
Note: Some customers choose to encrypt logs and not save the private key. This has the net effect of making your users’ browsing activities completely private since not even Authentic8 employees would be able to view the log data.
The Feature Information page includes a list of Silo features, with links to documentation and screencasts.
The A8 Project Plan Template can assist in deploying your Silo project and configuring Silo policies.
If you need further assistance, please set up a meeting with one of our deployment specialists here: Schedule an Appointment
If you need technical support, please submit a ticket to the support team here: Customer Support