NathanB

Members
  • Posts: 11

Everything posted by NathanB

  1. Not being able to spot simple data for offline systems is a huge pain in the backside. I cannot fathom why this is such a hard change to make, just have offline systems display the same data as the online ones and put an alert or notification icon on it/make it red/fade out the details. How is this fairly rudimentary option not already working? OP was near 3 years back now.
  2. It seems as though, if I onboard a system that takes my total over my existing Pulseway license count, the new system does not appear anywhere in Pulseway. The new system will only appear if we upgrade the license count. There is no notification that there are systems pending a license. No alert, or error message to tell a user what they need to do. The Pulseway Manager indicates the new system is registered correctly and, again, gives no indication that anything is wrong or that a license is needed. Is this working as intended? If not, what am I doing wrong? If so, could you fix it? It's completely daft.
  3. That's more or less right. We'd still need transparency, and some kept record for posterity and investigation, but we'd rather not be awoken in the middle of the night by production server alerts that aren't actually an issue :P
  4. Hoping someone can help me find the right config option! When a server goes offline, Pulseway generates an "Offline" notification for the server being in an offline status. I need that alert to automatically clear if the server is now online. Our Admin team is getting really frustrated with a constant bombardment of app notifications when nothing is wrong, or has self-resolved.
  5. Have we had any action on the 2FA front?
  6. Also keen to see and use this feature!
  7. Super helpful, but these kinds of basic functions should be available as a default in the Pulseway portal.
  8. To clarify, see the below excerpts from the PCI Security Standards Council Documentation: PCI DSS requires MFA to be implemented as defined in Requirement 8.3 and its sub-requirements. Guidance on the intent of these requirements is provided in the Guidance column of the standard, which includes: “Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication (as described in Requirement 8.2), before access is granted.” Further to this: The overall authentication process for MFA requires at least two of the three authentication methods described in PCI DSS Requirement 8.2: a) Something you know, such as a password or passphrase. This method involves verification of information that a user provides, such as a password/passphrase, PIN, or the answers to secret questions (challenge-response). b) Something you have, such as a token device or smartcard. This method involves verification of a specific item a user has in their possession, such as a physical or logical security token, a one-time password (OTP) token, a key fob, an employee access card, or a phone’s SIM card. For mobile authentication, a smartphone often provides the possession factor in conjunction with an OTP app or a cryptographic material (i.e. certificate or a key) residing on the device. c) Something you are, such as a biometric. This method involves verification of characteristics inherent to the individual, such as via retina scans, iris scans, fingerprint scans, finger vein scans, facial recognition, voice recognition, hand geometry, and even earlobe geometry. And finally: Independence of Authentication Mechanisms: The authentication mechanisms used for MFA should be independent of one another such that access to one factor does not grant access to any other factor, and the compromise of any one factor does not affect the integrity or confidentiality of any other factor.
For example, if the same set of credentials (e.g. username/password) is used as an authentication factor and also for gaining access to an e-mail account where a secondary factor (e.g. one-time password) is sent, these factors are not independent. Similarly, a software certificate stored on a laptop (something you have) that is protected by the same set of credentials used to log in to the laptop (something you know) may not provide independence. Pulseway's current solution does not meet the IAM requirement. The Pulseway password reset and "2FA" provided are both manageable from a single email sign in. 2FA requires not just a password to a system, but a physical device - the easiest of which is a smartphone with an authenticator.
  9. Because it's not true 2FA. It's a single email, which at best is a very average solution, for access to only a small portion of the RMM site functionality. Compliance requires that we secure the data on the machines behind 2FA, which this implementation ignores entirely.
  10. Is there any word on when we might get genuine two factor auth of any kind? I have 22+ servers I want to bring into Pulseway RMM but cannot as it doesn't meet PCI or GDPR compliance to be without two factor auth.
  11. I've been hunting for how I simply open up all systems to each user account, but the solution has evaded me. Thus far all I can find is the "Share Systems" which requires that I go in and change it every time a new system or user is added, which is obviously extremely inefficient and awkward to maintain. Any help guiding this PW newbie appreciated!