KnowBe4 implementation with Active Directory Sync
KnowBe4 can ingest and provision users by way of a sync agent installed on a server in the domain. The agent connects to a KnowBe4 API endpoint and synchronizes users daily.
Preparation Steps:
In Active Directory, add a user account with read and delegated control; this account does not need to be an administrator. I recommend restricting access for this user: it does not need interactive sign-in rights, for example.
Deny log on locally is a Group Policy Object (GPO) setting that should be applied to all service accounts.
Clean up Active Directory and make sure the intended users have an email address. Here's a handy PowerShell one-liner (it lists every account with an empty EmailAddress attribute):
Get-ADUser -Filter * -Properties EmailAddress | Where-Object { -not $_.EmailAddress } | Select-Object SamAccountName | Export-Csv noemailusers.csv -NoTypeInformation
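The service-account and cleanup steps above, worked through as an added PowerShell example (not KnowBe4's or the author's code): it creates a least-privilege bind account, checks that the account sits in no privileged group, and narrows the cleanup query to enabled users only. The names svc-kb4adi and example.com and the OU paths are assumed placeholders for your own environment.

```powershell
# Added example, not KnowBe4's or the original author's code. Assumes the RSAT
# ActiveDirectory module; svc-kb4adi, example.com and the OU paths are placeholders.
Import-Module ActiveDirectory

# Least-privilege account for the ADI Sync agent. An ordinary domain user can
# already read the user attributes the sync needs, so it joins no privileged group.
# The "Deny log on locally" GPO should cover the OU it lands in.
function New-AdiSyncServiceAccount {
    param(
        [string]$SamAccountName = 'svc-kb4adi',                   # placeholder
        [string]$Path = 'OU=Service Accounts,DC=example,DC=com',  # placeholder
        [string]$Domain = 'example.com'                           # placeholder
    )
    # 32 random bytes from the OS CSPRNG, Base64-encoded: 44 characters that satisfy complexity.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain = [Convert]::ToBase64String($bytes)
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    New-ADUser -Name $SamAccountName -SamAccountName $SamAccountName `
        -UserPrincipalName "$SamAccountName@$Domain" -Path $Path `
        -AccountPassword $secure -Enabled $true -CannotChangePassword $true `
        -KerberosEncryptionType AES128, AES256 `
        -Description 'KnowBe4 ADI Sync (read-only bind account)'
    # Store the password in your vault, then type it into the agent setup. When you rotate
    # it later, delete Domain.name.dat and restart the service (see the config-file notes).
    return $plain
}

# Checks that the service account is not a (direct) member of any privileged group.
function Test-AdiSyncAccountNotPrivileged {
    param([string]$SamAccountName = 'svc-kb4adi')
    $privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                  'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'
    $groups = Get-ADPrincipalGroupMembership -Identity $SamAccountName | Select-Object -ExpandProperty Name
    $hits = @($groups | Where-Object { $privileged -contains $_ })
    if ($hits.Count -gt 0) { Write-Warning "Privileged membership found: $($hits -join ', ')" }
    return ($hits.Count -eq 0)
}

# The cleanup query from the post, narrowed to enabled users under one OU. The LDAP
# filter excludes disabled accounts (userAccountControl bit 0x2) and anyone without mail.
function Get-EnabledUsersMissingEmail {
    param([string]$SearchBase = 'OU=Staff,DC=example,DC=com')    # placeholder
    $ldap = '(&(objectCategory=person)(objectClass=user)(!(mail=*))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    Get-ADUser -LDAPFilter $ldap -SearchBase $SearchBase -Properties mail |
        Select-Object SamAccountName, Name, DistinguishedName
}

Get-EnabledUsersMissingEmail | Export-Csv noemailusers.csv -NoTypeInformation
```

Run Test-AdiSyncAccountNotPrivileged after creating the account and again after any group changes; it only inspects direct memberships, so nested group paths still need a recursive review.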
Log in to the KnowBe4 Portal:
In the KnowBe4 portal, you will need to manage several settings under the account settings area. Make sure your address information is correct.
Adjust your contact information and hours of operation here. Upload custom branding and adjust your company colors as desired. These settings carry over into notifications and certificates.
In the KnowBe4 portal, collect the token from the ADI Sync page under Account Settings / User Management / User Provisioning.
Here you can choose to sync in test mode until your settings are correct.
On your server:
Download the KnowBe4 ADI Sync agent from the account settings page and start the install. The agent setup prompts walk you through generating a config file located in C:\Program Files (x86)\KnowBe4\ADISync\
Add your AD Hostname
Do not enable SSL
Leave the default port (389) unless you know it must be changed
Enter your KnowBe4 username and password
Look for Success messages to confirm everything worked correctly
More info here: https://support.knowbe4.com/hc/en-us/articles/228373888-Active-Directory-Integration-ADI-Configuration-Guide
The setup generates several config files.
The ADISync.conf file contains service attributes and can be left alone most of the time.
The Domain.name.dat file contains the encrypted password for the service. Delete this file and restart the service to update the stored password.
To manage sync, edit the domain.name.conf file.
In the KnowBe4 Portal:
Check results by visiting the Users > Provisioning tab.
Setting up Phishing and Training Campaigns:
KnowBe4 recommends a training/testing path like this:
Blind phishing campaign to set company baseline
Company announcement
Skills assessment
Initial company training 15 minutes
Phishing test
Remedial training (45 minutes) for users who click links after completing the earlier training
Phishing test
Remedial training (30 minutes + 15 minutes) for users who click links after completing the earlier training
Repeat…
To achieve this, we created several KnowBe4 groups. These groups are separate from the Active Directory groups and exist only in KnowBe4.
Need Security Assessment
Completed Security Assessment
Needs baseline training
Completed Baseline training
Clicked Link
Completed Clicked Link Training
Clicker X1
Completed Clicker X1
Clicker X2
Completed Clicker X2
Each campaign is set up to enroll users into the training when they arrive in the respective group and then move them out once they complete the assigned training. This creates an operational flow that makes it easier to keep track of progress through the system.
Baseline phishing campaign to set the company baseline – sent to all users.
Skills assessment – sent to all users. Completed users go into the Completed Security Assessment group.
Initial company training – sent to all users in the Needs baseline training or New Users groups. Completed users go into the Completed Baseline training group.
Phishing test – sent to all users in the Completed Baseline training group.
Remedial training for users who click links after completing the other training – sent to all users in the Clicked Link group. Completed users go into the Completed Clicked Link Training group.
Each training campaign should be set up with notifications:
Welcome
Reminder – sent after 3 days, then resent 5 days later.
Completion
KnowBe4 provides reporting and progress management for the organization as well as each individual user.