Duo integrates with Epic Hyperspace to add two-factor authentication to Epic client logins.
No, Duo Authentication for Epic may only be used for workflows that require re-authentication after completing Hyperspace client logon, like EPCS workflows.
The "fail mode" determines whether users may or may not log into a protected application when the Duo cloud service is unreachable. Duo Authentication for Epic will always "fail closed" if it is unable to contact the Duo service. This means that users can not log on to Epic without successful Duo two-factor authentication. This setting is not configurable.
The user attempting to authentication with Duo for Epic is not enrolled in Duo with a two-factor device. Duo Authentication for Epic doesn't support inline self-enrollment. Enroll your users in Duo ahead of time using directory synchronization, CSV import, or another enrollment method.
Additionally, Duo Authentication for Epic sends the Epic application username as the Duo username by default. If your users are enrolled in Duo under their Windows usernames (and these do not match the Epic usernames) you can either add your Epic usernames to existing Duo users as username aliases, or use Group Policy to change the "Client: Duo Username Source" setting from the Epic username to the Windows username.
Yes, after downloading the msi install file enter the following command into PowerShell or add to a script to silently install Duo for Epic.
cmd.exe /c DuoEpic.msi DUO_IKEY=Integration Key DUO_SKEY=Secret Key DUO_HOST=API Hostname
Perform the following steps on the system where the Epic Hyperspace client and Duo Authentication for Epic are installed.
Yes, the Duo Authentication for Epic client may be deployed via a Group Policy software installation package.
First, create a transform for the installer file by using a table editor tool like Orca. Open the DuoEpic.msi in the editor, click on the Property table, and add these new rows using your Epic application's information from the Duo Admin Panel:
|DUO_IKEY||Your Duo integration key|
|DUO_SKEY||Your Duo secret key|
Save the transform as an MST file and copy that transform along with the DuoEpic.msi installer to your application deployment repository.
In the Group Policy Management console, create a new GPO for Duo Epic publishing. Navigate to Computer Configuration\Policies\Software Setings\Software installation then right-click and select New > Package.
Select the network accessible DuoEpic.msi installer package and choose Advanced as the deployment method. In the properties window go to the Modifications tab. Click the Add button and select the MST transform you created earlier. Click OK to finish, and the Duo Authentication for Epic software package is created.
Here's a sample software publishing policy for Duo Authentication for Epic.
Learn more about installing software using Group Policy at Microsoft Support.