Prisma Access Agent
Enable Users to Disable Prisma Access Agent Using a One-Time Password
One-time password (OTP) support adds an admin-approved, auditable way for end users to
disable the Prisma Access Agent when they genuinely need to.
If your users need to disable the Prisma Access Agent, you can configure the agent
with a one-time password (OTP) that they need to enter before disabling the
agent.
The OTP feature adds a layer of security and control to disabling the Prisma Access
Agent: the agent generates unique, single-use passwords for this purpose. When a user
has a legitimate need to disable the Prisma Access Agent, you share the OTP with that
user, who enters it when they disable the agent.
An OTP is specific to one user's agent or device. Once a user successfully enters it,
it can't be reused; if the user needs to disable the agent again, you must obtain
another OTP and send it to the user. Every activity associated with the OTP is recorded
in the Prisma Access Agent logs, so you can track which users have disabled the agent.
OTP support therefore improves your security posture and auditing, and gives you more
flexible management of your Prisma Access Agent deployments.
1. Enable the option to disable the agent with a one-time password for a user.
   1. In Strata Cloud Manager, select Workflows > Prisma Access Setup > Access Agent > Prisma Access Agent.
   2. Add an agent setting or edit an existing agent setting.
   3. Select the criteria (OS and User Entities) that match the users you authorize to disable the agent.
   4. Select Disable Agent > Allow with One Time Password.
   5. Configure other agent settings if needed and Save the settings.
   6. Push the configuration.
   When a user tries to disable the agent, using either the Prisma Access Agent app or the pacli disable command, they are prompted for the OTP. If they don't have it, they must request it from you.
2. Obtain the OTP and share it with the user.
   1. In Strata Cloud Manager, select Manage > Prisma Access Agent.
   2. In the Devices section of the Inventory page, select the Hostname of the device whose agent you want the OTP for.
   3. On the agent details page, scroll to the OTPs section and click the Disable OTP field. The OTP appears as a masked password; click the eye icon to reveal it.
   4. Copy the OTP and share it with the end user over your preferred communication channel, typically email.
   Once the user disables the agent with the OTP, that OTP can't be used again. If the user loses the OTP before using it, repeat step 2: the same OTP is returned because it has not been consumed. If the user has already disabled the agent with it and needs to disable the agent again later, repeat step 2 to obtain a new OTP, since the old one can't be reused. Because an OTP stays valid until it is used, treat an unused OTP as a credential: share it only with the intended user, over a channel you trust.
3. (Optional) Prisma Access Agent keeps track of the OTP codes generated for an agent and includes the OTP generation events in its logs. Use the Strata Logging Service to monitor the codes used by an agent.
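The OTP lifecycle these steps describe, modeled as an added example. This is not Prisma Access Agent or Strata Cloud Manager code: how the product actually generates, stores or formats OTPs is not documented here, so the OTP alphabet and length, the hostname-keyed store, the audit event names and the sample hostnames and usernames are all assumptions. What the model shows is the behaviour the page specifies: an unused OTP is returned unchanged when you read it again, it is bound to one device, it is consumed on the first successful use so a replay is rejected, and every outcome lands in an audit trail you can query to see who disabled which agent.

```python
"""Illustrative model of a per-device, single-use disable OTP.
NOT Prisma Access Agent code: generation, storage and format are assumed."""
import hmac
import secrets
import string
from dataclasses import dataclass, field

ALPHABET = string.ascii_letters + string.digits  # assumed OTP character set
OTP_LENGTH = 12                                   # assumed OTP length


@dataclass
class DisableOtpService:
    """One current unused OTP per device hostname, plus an audit trail."""
    _otps: dict = field(default_factory=dict)   # hostname -> current unused OTP
    audit: list = field(default_factory=list)   # (event, hostname, user)

    def get_or_generate(self, hostname: str) -> str:
        """Admin side (the 'Disable OTP' field): return the device's current
        unused OTP, generating one only if none exists. Re-reading an unused
        OTP therefore yields the same value, as the page describes."""
        otp = self._otps.get(hostname)
        if otp is None:
            otp = "".join(secrets.choice(ALPHABET) for _ in range(OTP_LENGTH))
            self._otps[hostname] = otp
            self.audit.append(("otp_generated", hostname, ""))
        return otp

    def disable_agent(self, hostname: str, user: str, submitted: str) -> bool:
        """Agent side: accept only this device's current OTP (constant-time
        compare), and consume it so it cannot be replayed."""
        current = self._otps.get(hostname)
        ok = current is not None and hmac.compare_digest(current, submitted)
        if ok:
            del self._otps[hostname]           # single use
            self.audit.append(("agent_disabled", hostname, user))
        else:
            self.audit.append(("disable_rejected", hostname, user))
        return ok

    def disabled_by(self) -> list:
        """Which user disabled which device, derived from the audit trail."""
        return [(h, u) for e, h, u in self.audit if e == "agent_disabled"]


def demo() -> DisableOtpService:
    """Walk the lifecycle with constructed hostnames and users."""
    svc = DisableOtpService()
    otp = svc.get_or_generate("LAPTOP-01")
    assert svc.get_or_generate("LAPTOP-01") == otp        # unused: same OTP
    assert not svc.disable_agent("LAPTOP-02", "bob", otp)  # bound to device
    assert svc.disable_agent("LAPTOP-01", "alice", otp)    # first use succeeds
    assert not svc.disable_agent("LAPTOP-01", "alice", otp)  # replay rejected
    assert svc.get_or_generate("LAPTOP-01") != otp        # fresh OTP after use
    return svc


if __name__ == "__main__":
    for event in demo().audit:
        print(event)
```

The point to take from the model is the consume-on-success step: single use is a property of the verifier deleting the OTP at the moment it accepts it, not of the OTP's format. Anything that reads the OTP before that moment (a mailbox, a chat history) holds a working credential for that device, which is why the unused OTP deserves the same handling as any other secret.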