Overview

The purpose of this web application is to provide an easy-to-use interface for common "tier 1" support tasks, typically performed by a Help Desk within a company's IT organization.

This web application is designed for internal (corporate) use and includes several self-management features such as:

  • Activate/license users
  • View and manage account information such as email, mobile phone numbers, etc.
  • Reset LDAP password
  • Send password reset or token registration links
  • Enroll, re-synchronize and test software tokens, hardware tokens, YubiKeys and FIDO2/Passkey devices
  • Manage user certificates
  • Manage SSH keys (SpanKey)

The Administration Help Desk web application must be installed on your WebADM server(s) and can be accessed through WAProxy or another reverse proxy configured with WebADM.

Installation

The installation of the Administration Help Desk is straightforward and only consists of running the self-installer or installing it from the RCDevs repository.

RPM Repository

On RPM-based systems, you can use the RCDevs repository, which simplifies updates.
Clean the package cache and install the Administration Help Desk (HelpDesk):

dnf clean all
dnf install helpdesk

The Administration Help Desk application is now installed.

Debian Repository

On Debian-based systems, you can use the RCDevs repository, which simplifies updates.

Update the package cache and install the Administration Help Desk (HelpDesk):

apt update
apt install helpdesk

The Administration Help Desk application is now installed.

Self-Installer

Download the Administration Help Desk package from the RCDevs website, copy it to your WebADM server(s) and run the following commands:

[root@webadm1 tmp]# gunzip helpdesk-1.1.3.sh.gz
[root@webadm1 tmp]# sh helpdesk-1.1.3.sh 
HelpDesk v1.1.3 Self Installer
Copyright (c) 2010-2024 RCDevs SA, All rights reserved.
Please report software installation issues to bugs@rcdevs.com.

Verifying package update... Ok
Install HelpDesk in '/opt/webadm/webapps/helpdesk' (y/n)? y
Extracting files, please wait... Ok
Removing temporary files... Ok
HelpDesk has been successfully installed.

Administration Help Desk is now installed and can be configured under the WebADM Admin GUI.

Administration Help Desk Configuration

Once the package is installed, the web application must be enabled and configured in WebADM. Log into WebADM as Administrator and navigate to Applications Tab > Self-Service > Administration Help Desk (HelpDesk) > Register.

The registration action creates the configuration object inside the WebADM config container. Once the object is created, you can begin configuring the Help Desk application.

Click the Configure button to access the Help Desk configuration. The first section contains the default Web Application Settings, similar to other web applications provided by RCDevs. Since the Administration Help Desk application provides administrative access to the system, it is strongly advised to restrict access to it to trusted networks and to protect the login with a second factor. With this in mind, the application can be published through the WebADM Publishing Proxy with the setting Publish on WAProxy. This setting is only available when WAProxy is configured with WebADM.

The next section contains the main configuration of the application.

The Admin Groups setting must be configured before the application can be used. This setting is specific to each deployment, so there is no default value. To configure it, click the Select button; the LDAP tree on the left will become selectable. From there, click the group(s) that should have access to the Help Desk portal. In this example, integrated with Active Directory, the Domain Admins group will be used, but you can create a dedicated group or use another existing one as needed. In that section, only this setting is mandatory. All the Administrator groups must be defined at the application configuration level. The administrators trying to access the Help Desk portal must be activated in WebADM.
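
Before selecting a group for Admin Groups, it is worth reviewing who its members are. The following is an added example, not RCDevs code: it parses an LDIF export of the group (as a standard ldapsearch would produce) and lists direct members that are not on an approved operator list. The sample LDIF, all DNs, the approved list and the function names are constructed for illustration.

```python
import base64

# Constructed sample data: every DN below is made up for this example.
_NON_ASCII_DN = "CN=Jürgen Müller,OU=IT,DC=example,DC=com"
SAMPLE_LDIF = (
    "dn: CN=Domain Admins,CN=Users,DC=example,DC=com\n"
    "member: CN=Alice Admin,OU=IT,DC=example,DC=com\n"
    # Long values are folded: a line starting with one space continues the previous one.
    "member: CN=svc-backup,OU=Service Accounts,OU=Infrastructure,\n"
    " DC=example,DC=com\n"
    # Values with non-ASCII characters are exported base64-encoded ("attr:: value").
    "member:: " + base64.b64encode(_NON_ASCII_DN.encode("utf-8")).decode("ascii") + "\n"
)
APPROVED = ["cn=alice admin,ou=it,dc=example,dc=com", _NON_ASCII_DN]  # constructed list


def unfold(ldif):
    """Join LDIF continuation lines back onto the line they continue."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def group_members(ldif, attr="member"):
    """Return the decoded values of `attr` from an LDIF export of one group."""
    members = []
    for line in unfold(ldif):
        name, sep, rest = line.partition(":")
        # Drop attribute options such as ";range=0-1499" before comparing names.
        if not sep or name.split(";")[0].lower() != attr:
            continue
        if rest.startswith(":"):  # "attr:: <base64>"
            members.append(base64.b64decode(rest[1:].strip()).decode("utf-8"))
        else:
            members.append(rest.strip())
    return members


def unexpected_members(members, approved):
    """Members of the group that are not on the approved operator list."""
    allowed = {dn.lower() for dn in approved}
    return [dn for dn in members if dn.lower() not in allowed]
```

With the constructed sample, `unexpected_members(group_members(SAMPLE_LDIF), APPROVED)` reports only the svc-backup service account, the kind of entry to resolve before the group is granted Help Desk access.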

The User Search Scopes setting can be defined at various levels, including the default configuration, user settings, and group settings. Multiple scopes can be configured, and they follow the same hierarchical logic as policies in WebADM. If this setting is overridden at a higher level, it will take precedence over values from lower levels. For large organizations with multiple offices or companies, where user administration needs to be segregated per company or per office, it is advisable to define this setting at the group level.

The User Search Attributes setting is also mandatory, but it comes with default values. This setting defines the LDAP attributes that are searched when you perform a user search in the Administration Help Desk portal. It is important to adjust this setting to match the attributes that are most relevant for searches within your LDAP directory.

The next section, named Allowed Features, allows you to define which features will be available through the Help Desk portal.

The Allow User Activation setting enables Help Desk administrators to activate and deactivate users in terms of licensing. Deactivating a user will remove WebADM data and settings stored in the user’s account.

The Allow User Infos Management setting enables Help Desk administrators to edit certain user attributes, such as mobile number, email address, and preferred language.

The Allow OTP Management setting allows Help Desk administrators to configure an authentication method for a user account. This setting is defined at the user level in WebADM and may be overridden by settings enforced at a higher level, such as client policy levels.

The Allow SSH Management setting enables Help Desk administrators to configure private key settings, such as key format and length, when issuing an SSH key pair. If not specified, these settings will be inherited from the Spankey server configuration.

The Allow PKI Management setting enables Help Desk administrators to manage end-user certificates, including issuing and revoking certificates for users.

The Allow Webapp Access Unlock setting allows Help Desk administrators to unlock access to specific web applications, such as Secure Password Reset or the User Self-Service Desk, when access is locked by default in its configuration. This may require an unlock action from either a WebADM Administrator or a Help Desk administrator.

The Allowed OTP Methods setting is linked to the Allow OTP Management setting. When Allow OTP Management is enabled, you can specify which types of authentication methods can be configured for a user. However, if this setting is defined at the user level in Help Desk, it may be overridden by settings enforced at a higher level, such as client policy levels.

The Allowed Self-Registration setting defines which types of registrations can be performed by a Help Desk administrator:

  • Token: Refers to all software or hardware tokens.
  • LIST: Refers to OTP lists.
  • FIDO: Refers to FIDO2 security keys or PassKeys.
  • APPKEY: When a client policy is configured with the Application Password setting, a password for that specific application can be generated.
  • SSHKEY: Refers to SSH key pairs that can be issued for Spankey usage.

The Max Tokens Per User setting defines the maximum number of tokens that can be registered for a user through the Help Desk application.

We are now entering the OTP Token Management section.

The Allowed OTP Token Type setting lets you limit which types of OTP tokens can be registered through the Help Desk portal. Select the token types you wish to allow.

The Default Token Type setting enforces a default view on the selected token type. For example, if QRCODE-TOTP is selected, when a Help Desk administrator attempts to add a token for a user, the focus will automatically be on QRCODE-TOTP. The administrator will need to click the Back button to register a different Token Type.

The Automatically Send PIN setting can be used when Push Token QR Codes are sent by email to end users. In this scenario, the QR code is an enrollment QR code and is protected by a PIN. The PIN must be entered after scanning the QR code with the OpenOTP Token application to complete the token enrollment.

The PIN message is the message sent with the PIN that protects the QR code. You can customize it if desired.

The settings under Emergency OTP Management define the availability and duration of Emergency OTPs when they are registered through the Administration Help Desk.

The settings under SSH Key Management define which types of SSH keys can be registered.

The settings under Message Templates allow you to customize the message attached to a QR code enrollment request sent by email to the end user.

The Mail Attachment setting provides the ability to attach a PDF to the email sent to the end user for enrollment requests.

In the Misc Settings section, you can configure the support email address.