The management console provides enhanced authentication capabilities, including local multi-factor authentication and more granular authentication policies and policy assignments. You can configure the environment to specify the types of authentication that administrators must complete to sign in to the Endpoint Defense console and users must complete before they can activate the Aurora Protect Mobile app and Gateway agent. By default, administrators use the Endpoint Defense console password to access the management console. Users will use their directory credentials (username only) or their BlackBerry Online Account credentials (full email address) to activate the Aurora Protect Mobile app and Gateway agent based on how the depending on how the Gateway agent was activated. For tenants created in March 2024 or later, by default, administrators will be required to enter a one-time password to access the Endpoint Defense console after they set up their console password.

You can create authentication policies for your tenant that specify the types of authentication that must be completed by all administrators and users on the tenant. Only one tenant policy can be created for Endpoint Defense console sign-in, the Aurora Protect Mobile app, and Gateway agent. You can create authentication policies for users that specify the types of authentication administrators and users on the tenant must complete. The type of authentication added to the tenant policy and authentication policy must be completed in the order that they are specified in the policy. As a failsafe, you may configure one administrator to access the Endpoint Defense console using their username and a strong password.