CCID & Passwords
-
Fully Encrypt a Samsung Android Device
Introduction
In some cases, Samsung Android devices may not be considered fully encrypted by the Duo Mobile app used for Multi-factor Authentication (MFA) or by mobile device management software, even though encryption is enabled. This article provides information for Samsung Android device users looking to ensure their device is fully encrypted and meets encryption requirements.

Applicability
This article is intended for anyone who uses a Samsung Android 8 or newer mobile device. Samsung devices running Android 7 or older are unsupported, and should be updated or replaced if they are being used to access University data or accounts.

The issue addressed in this article may apply to other Android devices that aren't considered encrypted and do not require a PIN/Password/Pattern on startup; however, the steps to enable it may be different for other Android device manufacturers. Other Android device owners should refer to their device manufacturer for information on how to set up a PIN/Password/Pattern on startup.

Procedure
In order for a Samsung Android device to be fully encrypted, it must require a PIN, password, or pattern authentication ON STARTUP. This setting is referred to as Secure Startup or Strong Protection depending on the version of Android. If Secure Startup or Strong Protection is not enabled, these devices use a default password for encryption and aren't considered fully encrypted. Enabling Secure Startup or Strong Protection on your device will ensure your device is fully encrypted using a custom encryption PIN/Password/Pattern.

Note that requiring a PIN/Pattern/Password/Biometrics on the lock screen is different from requiring a PIN/Pattern/Password on startup. It is possible to have a PIN/Pattern/Password enabled for the lock screen while not having a PIN/Pattern/Password enabled on startup.

Enable Secure Startup on Android 8/9/10 Samsung Devices
1. On your mobile device, open your Settings, tap on the magnifying glass search icon and search for Secure Startup. On most Samsung devices you will find the Secure Startup setting under either the Biometrics and security or Lock Screen and Security menus.
2. Tap Secure Startup.
3. Change this setting to Require PIN when device powers on and select Apply. NOTE: On some versions of Android this setting may be to require a pattern or password instead, which is equivalent.
4. Follow the on-screen instructions to set a PIN.

Enable Strong Protection on Android 11 Samsung Devices
1. On your mobile device, open your Settings, tap on the magnifying glass search icon and search for Strong Protection. On Android 11 Samsung devices you will find the Strong Protection setting under Biometrics and security > Other security settings.
2. Tap Strong Protection.
3. Toggle this setting to ON.
4. Follow the on-screen instructions to set a PIN.

Important! The PIN/Password/Pattern that you set will be required each time you reboot or start up your device. Make sure you do not forget this code!

If further assistance is required, please contact IST.
-
UAlberta Login Consent Prompt
Introduction
This article provides an overview of the consent prompt that is displayed when logging in to Canadian Access Federation (CAF) affiliated websites using the UAlberta Login Single-Sign-On service.

Applicability
This article applies to any U of A CCID holder that will be logging in to the CAF affiliated websites or resources.

Details
The University of Alberta is a member of the Canadian Access Federation (CAF). As a CAF member, a UAlberta CCID account holder may be able to access other CAF affiliated websites using the UAlberta Login Single-Sign-On system and their CCID credentials.

When authenticating to a CAF affiliated site with UAlberta Login, a CCID account holder will be presented with a prompt that displays what account information will be shared with the site and requires the CCID holder’s consent to sharing this data with the site. If consent is not given, the account data will not be shared with the site and access to the site will not be granted. Consent to share this data is required each time a CCID account holder logs in to a CAF affiliated website.

As the University of Alberta is in no way in control of or affiliated with all CAF affiliated websites, beyond being a CAF member, the consent prompt was added to ensure that UAlberta CCID account holders are aware of the data being shared with these sites. It is the responsibility of the account holder to understand the privacy and security policies of the website they are authenticating to prior to consenting to sharing their data.

Some CAF affiliated websites may restrict access to their sites based on a CCID account holder's affiliation to their institution (e.g. some sites may only be accessible to students). Having a UAlberta CCID account does not guarantee access to all CAF affiliated sites.

What will you see when logging in to CAF affiliated websites?
The screenshot below provides an example of the consent prompt that you may see when logging in to CAF affiliated websites.

The consent prompt includes the following:
- A description of the consent required, which will include the name or URL of the website being accessed.
- Buttons to either agree to or decline sharing this information with the site.
- User Information*
  - Person’s principal name at home organization will appear as YOURCCID@ualberta.ca
  - Display Name will appear as your first name
  - Given Name will appear as your first name
  - Surname will appear as your last name
  - Mail will appear as YOURCCID@ualberta.ca
  - Affiliation at home organization may include values like Student/Faculty
  - eduPersonTargetedID is a unique value that provides no specific information about you or your account but will be persistent every time you access a particular site. This allows a site to save your preferences without actually retaining any other specific information about you.

*This user information is an example of what you may see, but is not inclusive. Other attributes that are not listed in this article may be requested by the website and listed in the consent prompt.

If you have any questions regarding this article or its contents, please contact IST.
-
UAlberta Login Attributes
Introduction
This article will outline all the available attributes from UAlberta Login.

Applicability
Anyone configuring a service that will use UAlberta Login for authentication.

Attributes
UAlberta Login provides a number of attributes to a Service Provider (SP) when a user accesses the application. The attributes will only be provided when a user is redirected from the Identity Provider (IdP), UAlberta Login, to the SP they are accessing.

Attributes will always be provided using the OID value rather than the friendly name for the attribute. If you would like to use the friendly name for the attribute in your application, you will need to ensure you have an appropriate attribute map so the SP software knows how to rename the OIDs.

Default Attributes
The default attributes will always be provided unless you request specific attributes to be sent to your SP.

| Attribute Name | OID | Example | Description |
| --- | --- | --- | --- |
| eduPersonTargetedID | urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | https://login.ualberta.ca/saml2/idp/metadata.php!https://sp.srv.ualberta.ca/shibboleth!b2661071653f8b9021344ddf17f9e005097edd22 | This attribute is a pseudonymous identifier that is specific to each user and SP. |
| givenName | urn:oid:2.5.4.42 | Jonathan | This is the legal first name of the user. If you would rather use preferred name, look at the displayName attribute instead. |
| sn | urn:oid:2.5.4.4 | Doe | This is the legal last name of the user. There is no preferred last name available. |
| uid | urn:oid:0.9.2342.19200300.100.1.1 | jdoe | The Campus Computing ID. |

Additional Public Attributes
These attributes are public data, but aren't provided by default. These attributes can be provided upon request.

| Attribute Name | OID | Example | Description |
| --- | --- | --- | --- |
| displayName | urn:oid:2.16.840.1.113730.3.1.241 | John | Preferred name set in Bear Tracks |
| eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | jdoe@ualberta.ca | Scoped version of uid. Always CCID@ualberta.ca |
| mail | urn:oid:0.9.2342.19200300.100.1.3 | jdoe@ualberta.ca | The University provided email address. Always CCID@ualberta.ca |

Private Attributes
These attributes are considered to be private data. If you require any of the following attributes, you must complete an IMS Interface Agreement. Please contact IST at ist@ualberta.ca.

| Attribute Name | OID | Example | Description |
| --- | --- | --- | --- |
| departmentNumber | urn:oid:2.16.840.1.113730.3.1.2 | 000001 | List of department numbers |
| eduPersonAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.1 | member;staff | Affiliation to the University (not to be confused with RTI). Possible affiliations are: member, faculty, staff, student. |
| eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | member@ualberta.ca;staff@ualberta.ca | Exactly the same as eduPersonAffiliation, but with a scope of @ualberta.ca |
| employeeNumber | urn:oid:2.16.840.1.113730.3.1.3 | 1234567 | Unique 7 digit identifier for each person. If the CCID is a department-owned secondary CCID, this will be populated with the departmentNumber the CCID is assigned to. |
| institutionalIdentifier | institutionalIdentifier | UOFAB | Institution of the person |
| organizationalStatus | urn:oid:0.9.2342.19200300.100.1.45 | tamis;cona | A list of statuses on the CCID. There are a number of possible values. |
| uOfAAccountType | urn:oid:1.3.6.1.4.1.11933.1.13 | primary | Indicates if a CCID is primary or secondary. |
| uOfAOCCardID | urn:oid:1.3.6.1.4.1.11933.8.3 | 111234567 | ONECard ID |
| uOfAOCProxID | urn:oid:1.3.6.1.4.1.11933.8.6 | 01234 | ONECard Prox ID |
| uOfAOCSuffix | urn:oid:1.3.6.1.4.1.11933.8.9 | 01 | ONECard suffix |
| uidNumber | uidNumber | 98765 | 5 digit unix ID tied to a CCID. Used in systems like AFS. |
| uOfARTI | uofarti | EMP;SUP | List of Relationships to the Institution. |
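The OID-to-friendly-name renaming described in this article can be sketched as follows. This is an added example, not code from UAlberta Login or from any SP software: the sample AttributeStatement is constructed from the example values in the tables, the function names are hypothetical, and it assumes multi-valued attributes arrive as separate AttributeValue elements.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# OID -> friendly name, copied from the default, public and affiliation rows
# of the tables in this article. Extend it with any private attributes your
# agreement covers.
OID_TO_FRIENDLY = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "eduPersonTargetedID",
    "urn:oid:2.5.4.42": "givenName",
    "urn:oid:2.5.4.4": "sn",
    "urn:oid:0.9.2342.19200300.100.1.1": "uid",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "eduPersonAffiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
}

# Constructed sample (not captured traffic). The last attribute is
# deliberately absent from the map above to show what a gap looks like.
SAMPLE_STATEMENT = """<saml:AttributeStatement
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1">
    <saml:AttributeValue>jdoe</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:2.5.4.42">
    <saml:AttributeValue>Jonathan</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
    <saml:AttributeValue>jdoe@ualberta.ca</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1">
    <saml:AttributeValue>member</saml:AttributeValue>
    <saml:AttributeValue>staff</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.11933.1.13">
    <saml:AttributeValue>primary</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def map_attributes(statement_xml):
    """Return (mapped, unmapped): friendly-name dict and leftover-name dict.

    Signature validation and hardened XML parsing are the SP software's job;
    this only shows the renaming step on an already-verified statement.
    """
    root = ET.fromstring(statement_xml)
    mapped, unmapped = {}, {}
    for attr in root.findall("saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", SAML_NS)]
        friendly = OID_TO_FRIENDLY.get(name)
        # Keep unknown names visible instead of silently dropping them, so a
        # gap in the map shows up in testing rather than as a missing field.
        target, key = (mapped, friendly) if friendly else (unmapped, name)
        target.setdefault(key, []).extend(values)
    return mapped, unmapped


def check_scope(mapped, scope="ualberta.ca"):
    """List scoped values that are not CCID@scope for the asserted uid."""
    uids = mapped.get("uid", [])
    if len(uids) != 1:
        return ["expected exactly one uid, got %d" % len(uids)]
    expected = "%s@%s" % (uids[0], scope)
    return ["%s=%r, expected %r" % (key, value, expected)
            for key in ("eduPersonPrincipalName", "mail")
            for value in mapped.get(key, [])
            if value != expected]


if __name__ == "__main__":
    mapped, unmapped = map_attributes(SAMPLE_STATEMENT)
    for key, values in sorted(mapped.items()):
        print(key, values)
    print("unmapped:", unmapped)
    print("scope problems:", check_scope(mapped))
```

Anything left in the unmapped result is an attribute the IdP released that the application would otherwise see only under its raw OID.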
-
Duo MFA Frequently Asked Questions (FAQ)
Introduction
This article provides information on common questions regarding the University of Alberta’s Multi-factor Authentication service Duo MFA. Multi-factor Authentication (MFA) is a form of authentication that requires two or more verification methods to access a resource, application, online account, or a VPN.

Applicability
Duo MFA has been enabled for some services and some CCID holders within the University of Alberta domain. Eligible users will encounter a second authentication step to verify their identity when logging in to PeopleSoft, the Identity Management System, and other participating web based applications secured with Duo MFA, with more applications being added.

This article is intended for anyone using or supporting Duo MFA. Duo MFA eligible users will receive email communications when their account is created. If you have not received any such emails, you are not eligible for Duo MFA at this time.

Details
Other Duo MFA Resources
- How to Enrol with Duo MFA
- How to Authenticate with Duo MFA

FAQs

What applications require me to authenticate with Duo MFA?
Currently Duo MFA is required for PeopleSoft applications (Campus Solutions, Human Capital Management, Finance, and Bear Tracks), the Identity & Access Management (IAM) system, also known as IdentityIQ, the MyCCID website and some VPN and RDP contexts. Duo MFA will be required for Google Workspace apps (Gmail, Drive, Calendar, Docs, etc.) as of July 4th. In the future all VPN access will require Duo MFA, along with additional applications and services added over time.

What kind of device can I use with Duo MFA?
The University of Alberta implementation of Duo MFA uses the Duo Mobile MFA app for multi-factor authentication. You will need either an iOS 14.0 (or greater) or Android 10.0 (or greater) device that supports the Duo Mobile MFA app. See Installing the Duo Mobile MFA app on your mobile device for more information. Alternatively, you can request a Duo MFA fob, which will generate passcodes that allow you to log in. Please follow the instructions in your enrolment email to request a fob.

I don't use my mobile phone to access PeopleSoft or for work, do I still need to install Duo Mobile MFA on my device?
Your mobile device is used as an extra authentication method when you log in to a Duo MFA protected application from ANY computer or device. You will need a supported mobile device with the Duo Mobile MFA app installed on it or a Duo MFA fob to access U of A applications secured with Duo MFA.

Why am I being asked to use Duo MFA to authenticate when logging in to Google Workspace Apps (Gmail, Drive, Calendar, etc), even though I've already done so within the past 14 days?
When logging in to Google Workspace Apps, your security token is kept active for 14 days by default. However, you may be asked to authenticate again in certain circumstances:
- If you log in via a different web browser or device, you will need to authenticate again, as each browser/device keeps a separate token.
- If you use the top-right menu in Google to 'Sign out' of your account, your token will be cleared from the browser/device you were logged in on.
- Your browser/device may be configured to clear its cache automatically when you close it, which generally clears any tokens as well. This would force you to authenticate every time you reopen it.

I don't have the "Send me a push" option in the Duo MFA web interface, and I don't have a passcode to log in with.
This can happen if you didn't complete the Duo Mobile MFA app enrolment. For instructions on how to complete your device enrolment see How to Re-enrol Your Duo Mobile MFA App or contact IST.

I temporarily don’t have access to the device I use with Duo MFA and can’t log in.
Contact IST and request Duo MFA bypass codes. After verifying your identity, IST can provide you with codes that can be used to log in to Duo MFA while you don't have access to your device.

The device I use with Duo MFA was reset, lost, stolen, or replaced and I can’t log in, what should I do?
Contact IST and request to have your device removed from your Duo account. Once your device(s) has been removed, you will be prompted to set up a device the next time you log in to a Duo MFA protected application. IST can also provide you passcodes which can be used to log in until your device is replaced or fixed.

I have stopped receiving push notifications in the Duo Mobile MFA app.
Please follow the troubleshooting steps found here. If you are still not receiving notifications after following these steps, please refer to your device's manufacturer for support.

I can’t find or I am not able to install the Duo Mobile MFA app from the App Store on my device.
Duo Mobile MFA is available for iOS devices running iOS 14.0 and greater and Android devices running Android 10.0 and greater. If you do not see the app in your app store, or you get the message that your device doesn't support the app, then you can't use that device with Duo Mobile MFA. If you do not have access to a supported mobile device, we recommend that you speak with your manager about requesting a Duo MFA fob. See Installing the Duo Mobile MFA app on your mobile device for more information and direct links to the Duo Mobile MFA app in the app stores.

I’m getting notifications in the Duo Mobile MFA app that my device or browser is out of date.
Duo Mobile MFA helps keep your information secure by checking your software to ensure it’s up to date. In most cases Duo Mobile MFA should provide you with instructions on how to update your software, but if you have any questions or concerns please contact IST.

I got locked out of Duo MFA from too many failed login attempts, what should I do?
After 10 failed login attempts, your Duo MFA account will be locked for 10 minutes, after which you will be able to log in again. If you continue to have issues logging in with Duo MFA, please contact IST.

I thought my Samsung device was encrypted, but the Duo Mobile MFA app is saying that my device is not encrypted and I can’t use it with Duo MFA.
For instructions on how to ensure your Samsung device is fully encrypted, see How to Fully Encrypt a Samsung Device.
-
Requesting or Creating Temporary Network Access IDs
Introduction
This article will describe what a Temporary Network Access ID is, when they should be requested/used, and who can create them.

Applicability
This article is for users/groups requiring Temporary Network Access IDs, and the CCID Authorized Approvers who can create them.

Details

What is a temporary network access ID and when is it used?
Temporary Network Access IDs are temporary IDs in the namespace temp_ that can be used to authenticate with UWS and computer lab workstations. As these IDs are not full CCIDs, there is no email account associated with the ID, nor does it grant access to Bear Tracks, Library, eClass, etc. They are valid for a period of 1 to 8 weeks. They are used for things like events and conferences on campus where attendees may not have CCIDs but need access to work in a computer lab or to connect to UWS.

How do you request a Temporary Network Access ID?
Temporary Network Access IDs can only be created by Departmental Authorized Approvers. If you don't know who your department's CCID Authorized Approver is, it can be found by clicking on the List of Authorized Approvers link. If you are unable to determine who your Authorized Approver is, IST can assist you with figuring that out, but only the Authorized Approver can create the accounts. If you are a student and trying to request this for a student group event of some kind, this will generally go through your sponsoring department.

(For CCID Authorized Approvers) How do you create Temporary Network Access IDs?
Authorized Approvers can create Temporary Network Access IDs by logging into IAM, opening the menu in the top left and selecting CCID Management, and then Temporary Network Access IDs. The webpage will walk you through the process, but for more detailed information, refer to the IAM System Training eClass Course.

Related Articles
- Request to be added or removed as an Authorized Approver for a department
-
Enrol With Duo Security
Introduction
This article provides information on Duo Security Multi-factor Authentication (MFA) and outlines the process for enrolling devices with Duo Security. Multi-factor Authentication (MFA) is a form of authentication that requires two or more verification methods to access a resource, application, online account, or a VPN.

Applicability
Duo Security multi-factor authentication (MFA) has been enabled for some services and some CCID holders within the University of Alberta domain. Eligible users will encounter a second authentication step to verify their identity when logging in to PeopleSoft and other web based applications secured with Duo, with more applications being added over time. MFA is currently in a staged rollout to all staff.

This article provides information and resources for setting up and using Duo Security multi-factor authentication with your CCID. Duo Security authentication is required when accessing Duo protected applications from ANY DEVICE, not just from your mobile phone.

Eligible users will receive email communications when their Duo account is created. If you have not received any such emails, you are not eligible for Duo Security at this time.

Procedure
Other Duo MFA Resources
- How to Authenticate with Duo Security
- Duo Security Frequently Asked Questions
- How to Fully Encrypt a Samsung Mobile Device

Before You Begin
Important! You must fully complete these steps to enrol your mobile device. If you close the Duo web interface before completing all the steps, you will need to Re-Enrol your Duo Mobile app.
- You must have received the initial enrolment email.
- You need a laptop or desktop computer to complete the enrolment process.
- You need an iOS (14.0 and greater) or Android (10.0 and greater) smartphone or tablet on which you can install the Duo Mobile app.

Need help? Contact Information Services and Technology

Contents
- How Does Multi-Factor Authentication (MFA) work?
- Installing the Duo Mobile app on your Mobile Device
- Enrolling Your Mobile Device With Duo Security for the First Time
- How to Re-Enrol your Duo Mobile app
- Troubleshooting Duo Enrolment and Device Issues
- Definitions

How Does Multi-Factor Authentication (MFA) work?
Multi-factor Authentication adds an additional layer of security to your UAlberta CCID account by requiring you to confirm login attempts with your CCID on another device you own. Using a second factor (like your mobile phone or tablet) to log in, in addition to your CCID and password, prevents other people from logging in with your CCID if they know your password.

When accessing an online service or application protected with Duo Security, you will still log in as usual from any browser or device using your CCID and Password, but will then be asked to confirm your login either with the Duo Mobile app on your mobile device or by entering a passcode.

The Enrolment Process
- An initial email is sent to inform you that your account has entered the 30 day enrolment period. If you haven't received this initial email, your account is not eligible to enrol with Duo Security.
- After the 30 day enrolment period has ended, you will be required to authenticate with Duo Security before accessing certain applications.
- You can enrol at any point after you've received the initial email.

Installing the Duo Mobile app on your Mobile Device
The Duo Mobile app is supported on the following platforms:
- iOS 14.0 and greater: includes both iPhones and iPads
- Android 10.0 and greater: includes both phones and tablets

To find the app, simply search “Duo Mobile” (by Duo Security) on your device's app store or use the direct links to the Apple and Google app stores below.
- Apple: https://apps.apple.com/ca/app/duo-mobile/id422663827
- Android: https://play.google.com/store/apps/details?id=com.duosecurity.duomobile&hl=en

Enrolling With Duo Security
Important! You must fully complete these steps to enrol your mobile device. If you close the Duo web interface before completing all the steps, you will need to Re-Enrol your Duo Mobile app.
1. Mobile Device: Ensure you have the Duo Mobile app installed on your mobile device. If not, see Installing the Duo Mobile app on your smartphone or tablet.
2. Computer: Navigate to https://mfa.srv.ualberta.ca/ on a supported web browser and log in with your CCID.
3. Computer: Click Next on the first three screens (1) (2) (3).
4. Computer: Select Duo Mobile as your login option.
5. Computer: Select your country code and enter your phone number (1). Next, select Continue (2).
6. Computer: On the summary screen, confirm the information you entered is correct and select Yes, it's correct.
7. Computer: Ensure you have downloaded the Duo Mobile app on your mobile device as previously instructed, and then select Next.
8. Computer: The next page should present you a QR code similar to the screenshot below (without the blacked out portion).
9. Mobile Device: Open the Duo Mobile app and select Set Up Account (Image 1). Next select Use a QR Code (Image 2). If prompted, allow the app access to your camera. Scan the QR code displayed in the Duo web interface on your computer.
10. Mobile Device: When the QR code is scanned, your mobile device will advance to the Name account page, and the website on your computer will add a green checkmark over the QR code.
11. Mobile Device: Press the Save button on the Name account page to save the University of Alberta account. You will be brought to the Accounts page, which will display the new University of Alberta account on the app. Your mobile device is no longer necessary for any of the remaining steps.
12. Computer: Once you have scanned the QR code and saved the account, the webpage will automatically advance. Note: You will not be able to progress until you have successfully scanned the QR code with the Duo Mobile app.
13. Computer: Select 'Log in with Duo' to get started.

How to Re-Enrol your Duo Mobile app
If you started enrolling your mobile device in Duo but did not activate the Duo Mobile app, or if you have a new phone but still have the same phone number, you can re-enrol your Duo Mobile app at https://mfa.srv.ualberta.ca using the following instructions:
1. Mobile Device: Ensure you have the Duo Mobile app installed on your mobile device. If not, see Installing the Duo Mobile app on your smartphone or tablet.
2. Computer: Navigate to https://mfa.srv.ualberta.ca and log in with your CCID and Password. NOTE: If you are not prompted to log in with Duo, you will need to start over in a Private or Incognito browser window.
3. Computer: You will automatically be sent to a text passcode login page. Do not select Send a passcode yet. Instead, select Other options.
4. Computer: Select Manage devices.
5. Computer: Select the Text message passcode option.
6. Computer: Enter the code sent to your mobile device in the Passcode text field (1) then click Verify (2).
7. Computer: On the Manage Devices page you will see a Generic Smartphone with your number; select the Add a device option to the right.
8. Computer: Select the Duo Mobile option.
9. Computer: Select your country code and enter your phone number (1). Next, select Continue (2).
10. Computer: On the summary screen, confirm the information you entered is correct and select Yes, it's correct.
11. Computer: Ensure you have downloaded the Duo Mobile app on your mobile device as previously instructed, and then select Next.
12. Computer: The next page should present you a QR code similar to the screenshot below (without the blacked out portion).
13. Mobile Device: Open the Duo Mobile app and select Set Up Account (Image 1). Next select Use a QR Code (Image 2). If prompted, allow the app access to your camera. Scan the QR code displayed in the Duo web interface on your computer.
14. Mobile Device: When the QR code is scanned, your mobile device will advance to the Name account page, and the website will add a green checkmark over the QR code.
15. Mobile Device: Press the Save button on the Name account page to save the University of Alberta account. You will be brought to the Accounts page, which will display the new University of Alberta account on the app. Your mobile device is no longer necessary for any of the remaining steps.
16. Computer: Once you have scanned the QR code and saved the account, the dialog will automatically close, and your Generic Smartphone icon will update to your model of phone. Note: You will not be able to progress until you have successfully scanned the QR code with the Duo Mobile app.
17. Computer: Your device is now fully enrolled, and you can log in at your leisure.

Troubleshooting Duo Enrolment and Device Issues

Mobile Device or Duo Mobile App Common Problems
Tip: Check the Duo MFA Frequently Asked Questions article for information on commonly asked questions.

Re-enrolling your mobile device will resolve most Duo MFA enrolment and mobile device issues and is the first step to resolving issues such as:
- You don't have the "Duo Push" option in the Duo MFA web interface
- Passcodes are not displayed in the Duo Mobile app or the codes generated are not working
- You don't have a QR code to scan from your mobile device when you are enrolling the Duo Mobile app
- You are not receiving push notifications on your mobile device when attempting to authenticate using Duo MFA after enrolment
- Your Duo Mobile app didn't restore or is not working after you got a new device using the same phone number

You can re-enrol your device on your own by following the instructions provided in the Re-enrol your Duo Device section above. Be sure to read and follow the instructions exactly or your re-enrolment may not work. If you continue to have issues after re-enrolment, please contact the IT Service Desk.

Other Common Problems

Problem: The Duo MFA page or Mobile app presents the following error message: “Your organization requires your phone to have a screen lock setup with a PIN, passcode, or other secure option to unlock it.”
Solution: You must enable a lock screen passcode or PIN on your mobile device. In some cases you may also have to enable local encryption on your mobile device.

Problem: You are unable to download the Duo Mobile app from your app store or you are seeing an error message indicating your device operating system is not allowed.
Solution: You can try updating your device following your device manufacturer's instructions. If your device is running the latest version of software available to it, it may not be compatible with Duo and you will need to get a fob to use with Duo.

Problem: I’m traveling and Duo MFA is not working or I’m getting a message saying access is denied in my current location.
Solution: Due to regulatory reasons, Duo will not work in countries or regions subject to economic and trade sanctions, such as Cuba or Iran. Otherwise, Duo should work internationally as long as your mobile device has an internet/data connection. If your device will not maintain a data connection while traveling or you are traveling without your mobile device, you should get a fob to use while traveling, as they do not require an internet connection to generate a code.

Duo Fob Common Problems

Problem: The codes generated by my Duo fob stopped working.
Solution: In some cases your Duo fob may become unsynced with your account. You can attempt to resolve this problem yourself by generating 3 different passcodes, and then entering each passcode and pressing the 'Log In' button on the Duo panel one after the other within a 5 minute time span. If this does not resolve the issue, you must contact the IT Service Desk to have your fob re-synced.

Definitions
- Duo Security: This is the service used to provide multi-factor authentication with your CCID.
- Duo Prompt or Duo Web Interface: This is referring to the main user interface of Duo. You will see the Duo prompt after logging in to UAlberta Log In (Single Sign On) when accessing an application secured with Duo.
- Multi-factor Authentication (MFA): This refers to using an additional step to authenticate a user’s login attempt prior to granting access to an application. This is in addition to a user providing their username and password.
- Duo Mobile: This refers to the app that you install on your mobile device to authenticate with Duo Security.
- Duo Push: This refers to a way of authenticating using notifications on your mobile device with the Duo Mobile app.
- Passcode: A 6 digit code entered in the Duo Prompt to authenticate with Duo.
-
Authenticate with Duo Security
Introduction This article outlines the process for authenticating with the University of Alberta’s Multi-factor Authentication service, Duo. Multi-factor Authentication (MFA) is a form of authentication that requires one or more verification methods in addition to your CCID and password to access a resource, application, online account, or a VPN. Applicability Duo Security multi-factor authentication (MFA) has been enabled for some services and some CCID holders within the University of Alberta domain. Eligible users will encounter a second authentication step to verify their identity when logging in to certain applications, such as Google Workspace Apps, Peoplesoft, or the IAM system (Also knows as IIQ). This article provides information on using Duo Security multi-factor authentication with your CCID. Duo Security authentication is required when accessing Duo protected applications from ANY COMPUTER OR DEVICE, not just from your mobile phone. Eligible users will receive email communications when their Duo account is created. If you have not received any such emails, you are not eligible for Duo Security at this time. Procedure Before you begin: You must have a mobile device enroled with Duo Security, see How to Enrol with Duo Security If you don't find what you are looking for here, see Duo Security Frequently Asked Questions (FAQ) If you have temporarily lost access to your device enroled in Duo, you can contact IST to request passcodes that can be used to login with Duo Need help? Contact Information Services and Technology Contents Default Authentication Method Switching Authentication Methods How to Authenticate With Duo Using Duo Push How to Authenticate With Duo Using a Passcode Default Authentication Method When accessing a resource or service which requires Multi-factor Authentication you will be presented with the Duo web interface. The web interface will default to your most recently used authentication method. 
If you haven't used it before, it will default to a push notification if you have the Duo Mobile app installed (1), or a passcode if you do not (2).

Switching Authentication Methods
If you would like to use a different method than the default, select 'Other options' near the bottom of the panel. Then, select the alternative authentication option you'd like to use from the available list.

How to Authenticate With Duo Using Duo Push
If your default authentication method or selected alternative authentication method is Duo Push, a push notification will automatically be sent to your mobile device via the Duo Mobile app.
NOTE: If you don’t see the option to Send Me a Push in the Duo Web interface, you will need to re-enrol your device - see How to Re-enrol Your Device.
On your mobile device, tap on the Duo Mobile notification, and select Approve.
IMPORTANT: If you ever receive a push notification when you aren’t trying to log in with your CCID, select Deny then select It seemed fraudulent.
After you approve the login from the app, you will automatically be logged in to the application you are accessing.

How to Authenticate With Duo Using a Passcode
If your default authentication method or selected alternative authentication method is Duo Mobile passcode or Hardware token, a screen will appear to allow you to enter your passcode.
Open the Duo Mobile app on your mobile device and tap University of Alberta. This will display a 6-digit number. Alternatively, press the button on your MFA key fob to generate a new passcode.
Enter the 6-digit passcode in the text field (1), then click Verify (2).
-
Obtain a Secondary CCID
Introduction
Secondary CCIDs (Campus Computing Identifications) are CCIDs that are owned by departments, student clubs, or groups, rather than individuals. They represent people, rather than an individual person. These CCIDs can be used for a variety of purposes and, since they are not personal, can be used by multiple people. This sharing should be done via Gmail inbox delegation where possible. However, secondary CCIDs should never be used by an individual as their primary CCID.

Applicability
This article is for use by anyone at the University of Alberta desiring more information about secondary CCIDs.

Procedure
Departmental Secondary CCIDs
Secondary CCIDs for departmental use must be either created or requested by one of that department's CCID Authorized Approvers. If the requesting individual is not an Authorized Approver, they should be referred to their department's Authorized Approver.

Student Group Secondary CCIDs
Please refer to this Knowledge Base article for more information on how to request a Student Group Secondary CCID.

Additional Considerations (Notes)
A CCID can be a minimum of 3 characters and a maximum of 8 characters (no special characters allowed). The first two characters may not be numbers.
Please contact Service Desk, or Identity and Application Support, if you need to identify an Authorized Approver for your department, as the official link to the Authorized Approvers list changes weekly.
-
UAlberta Account Change Frequently Asked Questions
Introduction
This article is intended to answer common questions about the upcoming changes to University of Alberta accounts, also referred to as CCIDs.

Applicability
This article applies to all U of A account holders.

FAQ
Q: Which Google services are reduced or removed after my relationship with the U of A changes?
A: All Google services, including but not limited to those listed on the Core App and Consumer Apps site, will be removed. Please note that the removal of access to Google Play and YouTube includes paid purchases and subscriptions to apps, movies, music, and more. If you have graduated with a degree from the U of A, your U of A Alumni account is reduced to Gmail only (with 100 MB of email storage) and no other Google services.

Q: Can I get an exemption or extension?
A: Due to pressing external timelines on this change, extensions are not possible. It is important that you download all your required data prior to your access expiry date to prevent the loss of your data. You will receive an automated email 30 days prior to changes taking place on your account, informing you of your deadline.

Q: How will I know when my account will expire or change?
A: You can refer to the CCID Changes website for information on what will happen to your account based on your relationship with the University. If you are currently not eligible to retain your account, you will lose access to it once your access expiry date has passed. Automated email notifications will be sent to an account’s ualberta.ca email address approximately 30 days prior to any changes being applied. Once you receive the system notice, it’s important that your data is exported from your account before the 30 days is up as the data will be permanently deleted after that time.

Q: Can I pay to get more storage or more access to Google Workspace apps?
A: We do not have the option for paid account services.

Q: As a student or alumni, how do I move my personal data out of my account before it expires?
A: If you decide to use a personal Google account with adequate storage to hold your data, you may be able to use Google Takeout Transfer to migrate all your UAlberta Google account data directly to your other Google account. Please note however that Takeout Transfer DOES NOT TRANSFER PHOTOS and Takeout is not a core Google service that we can support. If you have any issues or questions regarding it, you can refer to the Google Help article for help with using Google Takeout, or ask the Google Help community forums if you can’t find what you need on the help article. You can then set up your UAlberta account to forward emails to your personal Gmail address. Step by step instructions on how to do this are provided in this Google help article: Automatically forward Gmail messages to another account. Note that if you don’t want to continually manage your storage in your UAlberta account, you can choose to “delete University of Alberta Mail’s copy” when you set up email forwarding. If you choose to keep a copy of the email in your University of Alberta inbox, each email that is forwarded will still count toward your 100 MB of storage.

Q: How can I best use a Gmail account with 100 MB of storage?
A: Given the limited storage, it is ideal to use them as email forwarding accounts. You can easily set up your UAlberta email to forward all emails to another email address. You can find step by step instructions in this Google help article: Automatically forward Gmail messages to another account. Note that if you don’t want to continually manage your storage in your UAlberta account, you can choose to “delete University of Alberta Mail’s copy” when you set up email forwarding. If you choose to keep a copy of the email in your University of Alberta inbox, each email that is forwarded will still count toward your 100 MB of storage.

Q: I have an Adjunct or Clinical Academic or Guest relationship with the University. What will happen with my account/data when I leave?
A: Adjunct Academic and Clinical Academic: When your relationship with the University expires, your account will be treated the same as an outgoing employee. This means that you will lose access to the account and all data within it at the end of your relationship with the University. If you need access to Bear Tracks after you leave, you may be issued an account that can be used exclusively for accessing Bear Tracks and will be active for 18 months.
Guest: Guest accounts will be deactivated 2 weeks after your Guest relationship ends in our system, unless you have other active relationships at that time (e.g., employee or student). If there is anything you need from your account, you should work with your supervisor or University contact to get what you need out of the account prior to the end of your guest relationship.

Q: I’m an Emeritus, will anything happen to my account?
A: Emeritus accounts are currently unaffected by this change. Your account will continue to have the same functionality as an employee account at this time.

Q: I’m a student that is no longer taking any courses, however, I’m not an alumni. When will my account expire?
A: The amount of time you have before your account expires depends on which semester your last course was in. Your CCID will remain active long enough for you to get your tax forms from Bear Tracks when they are made available to you at the end of the year and you will get an automated email 30 days prior to your account expiring. Please be sure to download your tax forms as soon as they become available to you to avoid losing access.

Q: How can I access my data once I’ve downloaded it with Takeout?
A: You will need to use an external application/service that supports the format in which you chose to download your data. As the applications/services vary greatly, you will need to contact the support team for the application/service that you will be using to store or access your data.

Q: Can you help me back up my data or do it for me?
A: Google Takeout is only accessible to the logged in account holder. We cannot export your data for you.

Q: I'm getting errors when I use Google Takeout and Takeout Transfer.
A: You can refer to the Google Help article for help with using Google Takeout, or ask the Google Help community forums if you can’t find what you need on the help article. If you are encountering errors on the page when attempting to use Google Takeout, please provide a screenshot of the errors and we will do what we can to help resolve the error. If you are trying to use Google Takeout Transfer and getting an error stating you need administrator access, please try the following:
Open a Private or Incognito browsing session in your browser.
Visit the Takeout Transfer site.
You will be prompted to log in; ensure you are logging in with your @ualberta.ca or @ualberta.net email account credentials.
Follow the steps to start the transfer.
Please note that Google Takeout Transfer DOES NOT TRANSFER ALL ACCOUNT DATA and Takeout is not a core Google service that we can support. If you have any issues or questions regarding it, you can refer to the Google Help article for help with using Google Takeout, or ask the Google Help community forums if you can’t find what you need on the help article.

Q: A former student, faculty, or staff member created files for me in Google Drive that I still access and need. What will happen when their U of A email account changes?
A: Depending on their relationship to the university, their U of A account access, storage and features may be reduced and, in some circumstances, deactivated, and associated data deleted. Please review and create a copy of the necessary files shared with you from the former student, faculty, or staff. Alternatively, you can contact the individual to request they transfer ownership of the files to you.
To find files in Google Drive shared with you from a specific account, click into the Google Drive search box and type owner: followed by the email address (e.g., owner:ccid@ualberta.ca). You can copy or download the files if the student or staff has provided the proper permissions.
-
Reset a CCID Password as an Authorized Approver
Introduction
Department Staff and Departmental Secondary CCID passwords can be reset by the respective Authorized Approvers (AAs) for the department. This is done using the IdentityIQ administration tool. This article will provide instructions for performing these types of password resets.

Applicability
This article was written for use by all Authorized Approvers at the UofA and for the information of IST Analysts.

Procedure
1. Navigate and log in to the main page of the IdentityIQ tool.
2. In the left dropdown menu, click on Password Manager, and then Force Password.
3. In the Select an Account to Force Password box, enter the target account's CCID, name, or ID number to search for it, and then click on the matching account in the dropdown menu to select it. Then click on Next.
Note: The dropdown menu is filtered to only the CCIDs that the Authorized Approver has the authority to reset. Furthermore, the dropdown menu must be used to select an account before clicking on Next; simply typing in a CCID and pressing Next immediately will not work.
4. On the ensuing page, enter the reason for the reset in the Purpose box, for auditing purposes. In the Email Address box, specify a different email address to send a temporary password to. Then click on Next.
5. On the ensuing page, confirm that the details are correct, and click on the Force Password button.

As an Authorized Approver, if you are unable to find the account that you would like to reset, please contact the Shared Services Staff Service Center.

Related Knowledge
Reset a CCID password