QUICK GUIDE - Onboarding for Admins/Managers
Purpose
This guide provides a point-by-point checklist of the steps necessary for administrators and managers to complete their initial Tehama setup.
If you are an end-user (Staff member) - e.g.: you expect to use Tehama only to access a Desktop, so you can perform work - you are in the wrong article. See QUICK GUIDE - Onboarding for end-users.
This checklist covers the following administrator/manager Tehama setup journeys:
A. You have been invited to create an organization and a Room for your corporation in Tehama.
B. You have been invited to connect your corporation's network to an existing 'Room' owned by another corporation's Tehama organization, which may require you to create an organization for your corporation in Tehama.
C. You have been invited to join your corporation to an organization and a Room as a manager, by your own corporation, to help connect the Room or perform administration tasks in the Room.
D. You have been invited to join your corporation to an existing 'Room' owned by another corporation, which may require you to create an organization for your corporation in Tehama.
For a more detailed walk through, go through the Getting Started guides for administrators and managers, starting with the "Getting Started Overview" article, or reach out to Tehama Support.
Prerequisites
- Mobile device (Smartphone or Tablet)
Note: Optional, depending on the method of authentication selected for you/your organization.
- An MFA-code generating application (currently supported app: Google Authenticator App) used to provide Multi-Factor Authentication (MFA) as part of the 'Tehama Credential with MFA' authentication method (to be installed on the mobile device).
Note: Optional, not required if you opt to use the 'Google Credential' authentication method.
- Gateway Host (host for the Tehama Gateway, two if the 'Multiple Gateways' option is to be enabled)
Note: A host for the Tehama Gateway is optional. It is only required if the connected organization opts to provide access through a gateway by setting 'Network Access' for the Room to 'Tehama Gateway'. In Standard Rooms, the connected organization may instead opt to provide access through VPN IPSec connections by setting 'Network Access' to 'Multi-Path', or they may opt to provide access only to applications and services in the cloud by setting 'Network Access' to 'Internet Only', neither of which requires the installation of a Tehama Gateway.
- Tehama Client Host (host for the Tehama Client - the host device from which each Tehama user connects to their Tehama Desktops)
Note: Each user for whom you provision a Tehama Desktop is going to need a host device from which to launch and connect to the Desktop. They must be able to install the Tehama Client on this host device.
Joining Tehama
- Invite Email:
- Locate the invite email. It will tell you if you are joining to:
- create a new organization, or
- join an existing organization, or
- connect a Room.
- Click on the link it contains to proceed.
- User Account Creation
(not required for users joining existing organizations with Corporate Single Sign On (SSO) enabled)
Create an account with one of the following two authentication methods:
Note: Once you have created your account with one of the authentication methods, you will not be able to change your selection.
▸ with the Tehama credentials with MFA authentication method:
- Enter personal details and choose a password
- Click Register
▸ with the Google Credential authentication method:
- Click Sign Up with Google.
- Select (or create) a Google account that uses the email address that your invitation email was sent to.
- Google Authenticator Setup (the currently supported MFA-code generating app)
(not required for users joining existing organizations with Single Sign On (SSO) enabled, nor for users who opted to create an account with the Google Credential authentication method)
- Set up a Google Authenticator application on a secondary device (e.g.: tablet or phone). See the section Tehama Credentials with Multi-Factor Authentication (MFA) in the Authentication User Guide.
- Initial Log In
(users joining existing organizations with Single Sign On (SSO) enabled will instead see the login screen for their identity provider after clicking on the link in their invitation email)
From the LOG IN dialog, which will appear after creating your Tehama user account:
Accept the latest Terms of Service (ToS), if required. (It is never required for members of organizations that have enabled custom terms of service.)
- For accounts created with the "Tehama credentials with MFA" authentication method:
- Enter your username (email).
- Enter your password.
- NOTE: After entering five invalid passwords in a row, Tehama will lock your account for a period of 30 minutes. If you need to log in within that period, contact a manager in your organization or Tehama Support to reset your password.
- Enter the 6-digit code from the Google Authenticator.
- NOTE: After entering five invalid MFA codes in a row, Tehama will lock your account for a period of 30 minutes. If you need to log in within that period, contact a manager in your organization or Tehama Support to reset your MFA code.
- Click LOG IN.
- For accounts created with the "Google credentials" authentication method:
- Click SIGN IN WITH GOOGLE.
- Next:
- If you are already logged in to your Google account, then you will be automatically logged in to Tehama.
- If you are not already logged in to your Google account, log in as you normally would to your Google account.
- For accounts in organizations with "Single Sign On" authentication enabled:
- Follow the login procedure for your corporate identity provider.
- Organization Setup: (only part of the process if you are creating an organization)
- Organization Support Plan
- Press Continue to confirm the support plan details.
- Organization Registration
- Enter organization details when prompted
- Press Complete Registration
- Profile Page Completion
(optional for some roles and methods of authentication)
- Enter user details when prompted
- Press Save
Tehama Room Creation and Connection (Room create/connect/join)
Continue with this step if one of the following scenarios applies to you.
- Create Room - "I want to create a Room."
- Connect Room - "I've been invited to connect my network to a Room that was created by my service provider."
- Join Room - "I've been invited to join a Room as a third-party organization."
Create Room
Choose the Room type that best suits your needs:
- Create and connect a Standard Room: "I am creating a Room, connecting it to my network, and then (optionally) inviting another organization to join and use the Room."
- Create and connect a Domain Join Room: "I am creating a Room, connecting it to my organization's network, and then connecting my network's domain to the Room."
- Create a Service-provider Room: (special case of the Standard Room) "I'm creating a Room and requesting another organization, my service-consumer, to connect it to their network."
All three of the above workflows begin in the ROOMS tab for your organization:
Synopsis:
For Standard Rooms:
- Click NEW in the ROOMS tab.
- Select Standard Room.
- Select "Your Organization" in the Connect this room to field.
- Enable or disable the File Vault in the Room.
- Enable or disable the App Vault in the Room.
- Select the type of network access in the Room ('Multi-Path', 'Tehama Gateway' or 'Internet Only').
- Connect the Room
- if the network access type is 'Internet Only', this simply means to build the Room's infrastructure, which establishes connectivity to the cloud.
- if the network access type is 'Tehama Gateway', this means to install and connect a Tehama Gateway to the Room, which causes the Room's infrastructure to build, and establishes connectivity to the private network where the gateway is installed, as well as to the cloud.
- if the network access type is 'Multi-Path', this means to build the Room's infrastructure, which establishes connectivity to the cloud, and then, optionally, configure one or more VPN IPSec connections, which establishes connectivity to the private network(s) for the VPNs.
For Domain Join Rooms:
- Click NEW in the ROOMS tab.
- Select Domain Join Room.
- Enable or disable the File Vault in the Room.
- Enable or disable the App Vault in the Room.
- Connect the Room
- this means to install and connect a Tehama Gateway to the Room.
- Open ports for communication between the Room and the network's Domain Controller(s).
- Connect the network's Domain Controller(s) to the Room.
For Service-provider Rooms:
- Click NEW in the ROOMS tab.
- Select Standard Room. (A Service-provider Room is a special case of a Standard Room.)
- Select "Third-Party Organization (Invite)" in the Connect this room to field.
- Enable or disable the File Vault in the Room.
- Enable or disable the App Vault in the Room.
- Enter info needed to invite the Third-Party organization to connect the Room.
- Send out the invitation to connect the Room to the Third-Party organization.
Connect Room
Connect to a Service-provider Room: "I've been invited to connect my network to a Room that was created by my service provider."
Synopsis:
After having clicked on the link in the invitation email, and, if necessary, creating an organization in Tehama:
- Accept the invitation to join and connect the Room.
- Click on the Room name in the ROOMS tab.
- Select the type of network access in the Room ('Multi-Path', 'Tehama Gateway' or 'Internet Only').
- Connect the Room
- if the network access type is 'Internet Only', this simply means to build the Room's infrastructure, which establishes connectivity to the cloud.
- if the network access type is 'Tehama Gateway', this means to install and connect a Tehama Gateway to the Room, which causes the Room's infrastructure to build, and establishes connectivity to the private network where the gateway is installed, as well as to the cloud.
- if the network access type is 'Multi-Path', this means to build the Room's infrastructure, which establishes connectivity to the cloud, and then, optionally, configure one or more VPN IPSec connections, which establishes connectivity to the private network(s) for the VPNs.
Join Room
Join a Standard or Service-provider Room: "I've been invited to join a Room as a third-party organization."
Synopsis:
After having clicked on the link in the invitation email, and, if necessary, creating an organization in Tehama:
- Click on the Room name in the ROOMS tab.
- Accept, if necessary, any policy set for your organization.
Proceed to propose members in the Room from your organization.
Install the Tehama Gateway
Only necessary if the Room's 'Network Access' is set to 'Tehama Gateway'.
- Install a Tehama Gateway instance on your selected Gateway host following the instructions in Tehama Gateway - Installation and Management. (Repeat on your other selected Gateway host, if your Room has the 'Multiple Gateways' option enabled.)
NOTE: Due to a limitation in the authentication framework used by Tehama, the Tehama Gateway cannot be installed on the 172.31.x.x network.
In addition, Tehama cannot connect to resources that are on the 172.31.x.x network directly.
If you have the following situation:
- the Tehama Gateway is on a supported network; and
- a resource is on the 172.31.x.x network
then a workaround would be to create a NAT rule on the network that translates the address of the resource to an address that Tehama can see, such as 10.x.x.x or something similar.
- Verify Connectivity with your Room
Once Tehama has reported a connection with your Room, confirm the connection to your network, and its associated IP address, by navigating to your Room's CONNECTION tab's STATUS sidebar item (when 'Network Access' is set to 'Tehama Gateway'):
- A green dot will indicate a connection was established.
- IP addresses will be displayed (referring to the Tehama routers assigned to the Tehama Gateway instance(s) for your Room, two per instance). (You may have two Tehama Gateway instances running if your Room has the 'Multiple Gateways' option enabled.)
- For each entry in the table of Tehama Gateways for the Room, a Room connected icon will appear.
For more detailed information about the installation of the Tehama Gateway, please see Tehama Gateway - Installation and Management.
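A pre-connection check for the 172.31.x.x limitation in the NOTE above, as an added example (not Tehama's own tooling): it flags planned Gateway hosts on that network and proposes a 1:1 NAT address for affected resources. The host names, addresses and the 10.231.0.0/16 NAT pool are constructed assumptions.

```python
import ipaddress

# "172.31.x.x" from the NOTE above, written as a CIDR block.
BLOCKED = ipaddress.ip_network("172.31.0.0/16")

def nat_target(addr, pool):
    """1:1 mapping that keeps the low 16 bits: 172.31.a.b -> <pool>.a.b."""
    offset = int(addr) - int(BLOCKED.network_address)
    return ipaddress.ip_address(int(pool.network_address) + offset)

def check_plan(plan, nat_pool):
    """plan: (role, name, address) tuples; role is 'gateway' or 'resource'.
    nat_pool: an IPv4 /16 outside 172.31.x.x picked by the network team
    (an assumption of this example). Returns {name: verdict}."""
    pool = ipaddress.ip_network(nat_pool)
    if pool.version != 4 or pool.prefixlen != 16 or pool.overlaps(BLOCKED):
        raise ValueError("NAT pool must be an IPv4 /16 outside 172.31.0.0/16")
    report = {}
    for role, name, address in plan:
        try:
            ip = ipaddress.ip_address(address.strip())
        except ValueError:
            report[name] = "invalid address"
            continue
        if ip not in BLOCKED:
            report[name] = "ok"
        elif role == "gateway":
            # The guide gives no workaround for a Gateway on this network.
            report[name] = "unsupported: move gateway host off 172.31.x.x"
        else:
            # Resources can stay in place if a NAT rule fronts them.
            report[name] = f"NAT to {nat_target(ip, pool)}"
    return report

# Constructed sample plan; names and addresses are illustrative only.
SAMPLE_PLAN = [
    ("gateway", "gw-1", "10.20.0.15"),
    ("gateway", "gw-2", "172.31.8.4"),
    ("resource", "build-server", "172.31.40.7"),
    ("resource", "wiki", "192.168.5.20"),
    ("resource", "typo", "172.31.300.1"),
]

if __name__ == "__main__":
    for name, verdict in check_plan(SAMPLE_PLAN, "10.231.0.0/16").items():
        print(f"{name:14} {verdict}")
```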
Configure Multi-Path Room Connections
Only necessary if the Room's 'Network Access' is set to 'Multi-Path', and you wish to connect to private network(s).
- Configure one or more IPSec VPN connections in your Multi-Path Room (a Room with 'Network Access' set to 'Multi-Path') to your private network(s) following the instructions in Configure a Connection in a Multi-Path Room.
- Verify Connectivity with your Room
Once Tehama has reported a connection with your Room, confirm the connection to your network, and its associated IP address, by navigating to your Room's CONNECTION tab's STATUS sidebar item (when 'Network Access' is set to 'Multi-Path'):
- A green checkmark beside the connection will indicate a healthy connection was established.
For more detailed information about adding and managing connections in a Multi-Path Room, please see Multi-Path Room - Add and Manage Connections.
Optionally, you may consider adding DNS Resolvers for your private network(s). See Multi-Path Room - Add and Manage DNS Resolvers.
Tehama Administration (Org/Room setup)
Having created and connected a Room, you can now carry out basic and necessary organization and Room setup.
See the Getting Started with Tehama Administration guide for help with the following:
As the organization that created and connected a Standard Room:
- Add members to your organization.
- Add (user) organizations to the Room (optional).
- Add members to the Room.
- Approve/reject proposed members to the Room from other organizations in the Room.
- Configure Firewall Rules (and optionally add DNS Filtering) in the Room.
- Add Secrets to the Room.
- Create Desktop templates in the Room.
As the organization that created and connected a Domain Join Room:
- Add members to your organization.
- Add members to the Room.
- Configure Firewall Rules in the Room.
- Add Secrets to the Room.
- Create Desktop templates in the Room.
As the organization that created a Service-provider Room:
- Add members to your organization.
- Propose members in the Room.
- Create Desktop templates in the Room.
As the organization that connected a Service-provider Room:
- Add members to your organization.
- Add (user) organizations to the Room (if desired).
- Add members to the Room (from your organization).
- Approve/reject proposed members to the Room from other organizations in the Room.
- Configure Firewall Rules (and optionally add DNS Filtering) in the Room.
- Add Secrets to the Room.
As the organization that joined a Standard or a Service-provider Room: