
Best Practices

Introduction

Afrilas was designed to accommodate the Employee Life Cycle model.

The employee life cycle begins at the moment a candidate accepts a job offer and continues until that person leaves your organization.

For IT departments, this means creating new user credentials and connecting the new employee to authorized applications and network resources.

In this document, we focus on the best practices to keep your organization secure and optimize Afrilas for your employee life cycle.

We'll break down these practices one by one and explain why they are important, so you can leverage them to better protect your users, applications, sensitive data and ultimately your entire organization.

How does Afrilas accommodate the Employee Life Cycle?

New employees are typically added to an organization's user database such as Active Directory, FreeIPA or Azure AD.

LDAP servers, Active Directory and Azure AD Domain Services consolidate certain types of information within your organization, simplify access rights management and provide centralized control over computers, applications, groups and users.

With the Afrilas User Sync component and its auto-enrollment feature, users are instantly synchronized with on-premise or cloud directories to provision new Afrilas user accounts for secure access to commonly-used applications like Google Workspace, Office 365 and Salesforce.

[Image: Afrilas User Lifecycle]

Employee Life Cycle

Onboarding

An important stage of the employee life cycle is onboarding. This is when a new employee joins your organization. New hires must be added to your organization's Active Directory, LDAP or Azure AD domain before they can be automatically enrolled.

[Image: Afrilas User]

Automatic Enrollment

Afrilas users can be enrolled or disenrolled either manually - one by one - or automatically through user synchronization.

Enrolling your users manually is not recommended. However, manual enrollment is useful for configuring and testing your Afrilas environment before deploying to production, or for small organizations that don't have an LDAP server or Azure AD domain at their disposal.

Prerequisites for automatic user enrollment:

  • A user source must be available for your user directory, e.g. Active Directory.
  • Auto-enrollment must be enabled for this user source.
  • User synchronization must be correctly configured.

For an optimal experience:

  1. Create a dedicated Afrilas group on your LDAP server or in your Azure AD domain.
  2. Add the appropriate user accounts to this group.

[Image: Afrilas Group]

Important

  • Simply add new and existing users to the Afrilas group to provide access to any application secured by Afrilas.
  • When users are added to the Afrilas group, they will automatically receive an email with further instructions.

Automatic Disenrollment

It is the responsibility of management and the IT department to ensure that any employee who is leaving exits in a way that doesn't cause a major operational disruption or security incident, either of which could damage the reputation of your organization.

Afrilas users are automatically disenrolled when:

  • they are removed from the Afrilas group, i.e. when their group membership is revoked or
  • their LDAP or Azure AD account is disabled or
  • their LDAP or Azure AD account is deleted.

Any corporate account secured by Afrilas will automatically be deleted from the employee's app. Note that the app itself will remain present on the employee's phone. However, it is not required to uninstall the app to protect access to your organization's applications.
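The enrollment and disenrollment rules above (enrol members of the dedicated group; disenrol on group removal, account disable or account deletion) can be expressed as one reconciliation step per sync run. The following is an added illustration, not Afrilas User Sync code; the group name, the record layout and the sample directory snapshot are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DirectoryUser:
    """Minimal view of a directory account as a sync job would read it (assumed layout)."""
    username: str
    email: str
    enabled: bool
    groups: frozenset

AFRILAS_GROUP = "Afrilas Users"  # assumed name of the dedicated group in AD/LDAP

def eligible_users(directory):
    """Accounts that should hold an Afrilas user: enabled and a member of the group."""
    return {u.username for u in directory if u.enabled and AFRILAS_GROUP in u.groups}

def reconcile(directory, currently_enrolled):
    """Return (to_enroll, to_disenroll, reasons) for one sync run.
    Disenrollment covers the three cases the page lists: removed from the group,
    account disabled, account deleted (no longer present in the directory)."""
    by_name = {u.username: u for u in directory}
    wanted = eligible_users(directory)
    to_enroll = wanted - currently_enrolled
    to_disenroll = currently_enrolled - wanted
    reasons = {}
    for name in to_disenroll:
        user = by_name.get(name)
        if user is None:
            reasons[name] = "account deleted"
        elif not user.enabled:
            reasons[name] = "account disabled"
        else:
            reasons[name] = "removed from group"
    return to_enroll, to_disenroll, reasons

# Constructed sample snapshot (not real data): bob left the group, carol was
# disabled while still a member, dave is a new hire, erin's account was deleted.
SNAPSHOT = [
    DirectoryUser("alice", "alice@example.com", True, frozenset({"Staff", AFRILAS_GROUP})),
    DirectoryUser("bob", "bob@example.com", True, frozenset({"Staff"})),
    DirectoryUser("carol", "carol@example.com", False, frozenset({AFRILAS_GROUP})),
    DirectoryUser("dave", "dave@example.com", True, frozenset({AFRILAS_GROUP})),
]
ENROLLED_BEFORE = {"alice", "bob", "carol", "erin"}

if __name__ == "__main__":
    enroll, disenroll, why = reconcile(SNAPSHOT, ENROLLED_BEFORE)
    print("enroll:", sorted(enroll))
    for name in sorted(disenroll):
        print("disenroll:", name, "-", why[name])
```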

[Image: Afrilas Revoke Group Membership]

General Security Guidelines

About

In this section, we cover some general cybersecurity practices, techniques and solutions to better protect your systems, networks and applications against cyberattacks.

Enable Automated Updates

It is recommended that users enable automated updates on their Android and iPhone devices. Keeping apps and operating systems up-to-date gives users access to the latest app features and improves security and stability.

Limit Session Lifetimes

The session lifetime determines the maximum amount of time end users can remain inactive within an application before they are automatically logged out.

By enforcing limited session lifetimes, system administrators can greatly reduce the window of time in which a malicious third party could attempt to hijack active user sessions.

This is especially important in a world where employees are no longer strictly confined to an office, but mostly work from home or other remote locations, such as coffee shops and airports.

Block Suspicious IP Addresses

It is recommended to protect your applications with a firewall to identify and block automated login attempts from suspicious IP addresses.

Monitoring your authentications helps you detect potential security risks that could otherwise go unnoticed.

When you detect attacks such as DoS or high rates of login failures, you can use firewall features such as GeoIP filtering, an effective method to stop cybercriminals from attacking your business and hindering your daily operations.
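A "high rate of login failures" from one address is the kind of signal the monitoring described above is meant to surface before a firewall rule is applied. The following added example is not Afrilas or firewall code; the log line format, the threshold and the sample lines are all constructed for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log lines (assumed format: timestamp ip user result).
# The first address fails five times in six seconds; the second shows ordinary user error.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z 203.0.113.7 alice FAILURE
2024-05-01T08:00:03Z 203.0.113.7 alice FAILURE
2024-05-01T08:00:04Z 203.0.113.7 bob FAILURE
2024-05-01T08:00:06Z 203.0.113.7 carol FAILURE
2024-05-01T08:00:07Z 203.0.113.7 dave FAILURE
2024-05-01T08:00:09Z 198.51.100.2 erin FAILURE
2024-05-01T08:00:40Z 198.51.100.2 erin SUCCESS
2024-05-01T08:05:00Z 198.51.100.2 erin FAILURE
"""

def parse_line(line):
    """Split one log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result

def suspicious_ips(log_text, max_failures=5, window=timedelta(seconds=60)):
    """Return {ip: time_first_flagged} for addresses that reach `max_failures`
    failed logins inside a sliding `window`; successes are ignored so a single
    mistyped password never counts against a legitimate user."""
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    flagged = {}
    for line in log_text.splitlines():
        ts, ip, _user, result = parse_line(line)
        if result != "FAILURE":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= max_failures and ip not in flagged:
            flagged[ip] = ts
    return flagged

if __name__ == "__main__":
    for ip, when in suspicious_ips(SAMPLE_LOG).items():
        print(f"{ip} exceeded the failure threshold at {when.isoformat()}")
```

The flagged addresses are candidates for review and blocking; the threshold and window should be tuned to your own login volumes to avoid locking out shared egress addresses.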

Restrict Admin Privileges

System administrators have the highest access privileges within an organization.

They can create other administrative accounts, assign or remove access permissions and have access to sensitive information within your organization.

By limiting the number of administrators and implementing appropriate audit strategies, organizations can greatly reduce the odds of bad actors wreaking havoc from within.