Configuring DNS Autodiscover for Better Agency Employee Onboarding

Summary

Verinote (Enterprise) offers native integration with a customer agency's Azure Active Directory (AAD) for a Single Sign On (SSO) experience and to maintain a single set of credentials for increased security and user experience. This means, customer agencies can provision and provide employees access to Verinote using their current credentials, without creating a Verinote specific account, or having to manage additional credentials. This is particularly useful for allowing large customer agencies to save time in account provisioning and also ensures a single point of truth for user particulars and credentials. Instructions for setting up AAD integration for your Verinote environment are found here.

Taking things a step further, VeriSaaS has improved the user onboarding experience for agency employees, using an Autodiscover function. In previous Verinote versions, users who wished to use the Verinote mobile application were required to scan a QR Code (from the Verinote desktop or web application) or provide configuration details to register their Verinote mobile application. This was to ensure their Verinote mobile application was configured in accordance with their agency's Verinote tenant.

Using Autodiscover, users can now simply enter their agency email address, which will now automatically obtain the configuration files as part of the normal login process. This provides a more seamless experience, but also saves time. For Autodiscover to work, an agency System Administrator with access to the agency's DNS records needs to follow these instructions.

This article provides guidance for Verinote System or Azure tenant administrators on how to configure their environment for Autodiscover.

NOTE: Verinote Mobile has a fall-over method for users in the event DNS records are not configured properly to avoid disruption of mission critical service. This includes the ability input a URL, manual configuration or the legacy QR Code scanning option.

Introduction

The Verinote mobile application can be obtained from the Apple App Store (including Apple Business Manager) or Google Play Store, and can connect to any Verinote tenant deployed on the internet, whether hosted by VeriSaaS or within a customer owned on-premises or cloud environment. The Verinote mobile application can also be distributed through Microsoft Intune, if desired.

Once a user has access to the Verinote mobile application on their device, configuration is required connect the Verinote mobile application to the correct tenant, and there are four ways to get this configuration:

1. With the users email address, using Autodiscover (new default)
2. With the URL of your Verinote tenant (fall-over)
3. By scanning a QR Code from the Verinote web or desktop application (fall-over)
4. By manually entering the configuration values (fall-over)

By default, when the user first opens the Verinote mobile application, it will show the email entry field and ask them for their email address, and attempt to self-configure using Autodiscover. If that doesn’t work, for any reason, the user can use one of the other fall-over methods above.

Agency Configuration for Autodiscover

Autodiscover in the Verinote mobile application works by requesting the user’s email address and looking for configuration at an address associated with their SMTP domain. Specifically, that address is discoververinote.<agency>.verinote.app.

For example, an email address entered as mattgoldman@verisaas.com will cause the Verinote mobile application to extract the SMTP domain (verisaas.com) and look for the Verinote Autodiscover record for that domain (discoververinote.verisaas.com).

This means, the DNS administrator for the customer agency's SMTP domain will need to create a record with the value discoververinote in that domain. This can be created as a CNAME (alias) record for your Verinote instance or an 'A record' that points to it. The CNAME approach is easier in most cases.

In all cases, you will need to add an appropriate SAN to the SSL certificate on your Verinote instance for the discoververinote record. If this is not completed, the connection will fail SSL validation, and the Verinote mobile application user will need to use one of the other fall-over configuration methods. This is particularly important if a customer agency has users with multiple SMTP domains accessing the same instance of Verinote. For example, let’s say a customer agency has an SMTP domain hierarchy set up as follows:

• userA@department1.agency.gov.au
• userB@department2.agency.gov.au

If both of these users access the same Verinote tenant, then the SSL certificate on that Verinote instance will need to have a SAN for:

• department1.agency.gov.au
• department2.agency.gov.au

Once the customer agency's DNS records and SSL certificates are configured correctly, users will be able to successfully Autodiscover their Verinote configuration.

Fall-over Configuration by URL or QR Code

If the customer agency's Verinote web deployment is up and running, no further configuration is required for the QR Code and URL configuration methods. The required configuration is exposed by the web deployment and the QR Code simply informs the Verinote mobile application where to find it.

Fall-over Configuration by Manual Entry Configuration Form

No configuration is required for the manual form entry; by definition it is manual. However, the customer agency will need to provide its users with the required information.

The configuration required by the Verinote mobile application is shown in the following table.

Table 1: Manual form entry configuration values

If you do not know where to find these values, you can obtain them at https://<CustomerAgencyURL>/api/Configuration (e.g. https://supportarticle.verinote.app). Note, no sensitive data is exposed here. You may see values listed here that are not referenced in the above table but they will not need to be provided to users for manual configuration.