Context:

Recent changes made by DUO have made it so that their Universal Prompt cannot be rendered in an iframe. The main UI of the MSP Process platform is not affected by this change, but our PSA-embedded Pod (ConnectWise and Halo PSA) and Insight (Autotask) are affected, as they are iframes within the UI of those PSA platforms.

This KB article guides you through how to change your DUO configuration for MSP Process to use DUO's "traditional" prompt, which will allow you to continue to securely login to the MSP Process Pod/Insight when you've chosen to use DUO as your MFA provider.

Instructions:

1. Login to your DUO admin panel (the URL will be something like https://admin-<GUID>.duosecurity.com/ )
2. Click on the Applications menu
   1. 
3. Find the Web SDK entry for MSP Process, and edit it
   1. 
4. Under the Universal Prompt section, choose the Show traditional prompt option
   1. 
5. At the bottom of the page, click the Save button

Conclusion:

You've now successfully configured your DUO tenant to use their traditional promp for the MSP Process platform. You'll find that your login experience does look different, as DUO's traditional prompt has a different look and feel:

Introduction:

When you send a verification request to someone's Microsoft Authenticator app, you may see an error message in MSP Process saying that the user has a different "Preferred Auth Method" specified. In this situation, the user will not receive your verification request.

The goal of this KB article is to show you where in M365 you can go to modify a user's preferred authentication method.

Example of the Error:

Steps to resolving the Error:

1. Login to the Microsoft Entra admin center (https://entra.microsoft.com/?l=en.en-us) as a user who has the rights need to modify someone's identity in Entra
2. Navigate to Protection -> Authentication methods
   • 
     
3. Under the Monitoring section, click on User Registration Details
   • 
     
4. Click on the user who's preferred authentication method you want to modify
5. In the MFA Status card, click on Manage MFA Authentication methods
   • 
     
6. Click on the pencil icon that allows you do edit the Default sign-in method
   • 
7. Choose Microsoft Authenticator from the drop-down menu
   • 
8. Click the Save button, and you're done!

Introduction

Configuring the MSP Process platform to work with your Kaseya BMS server is a two-step process; first you need to create an API user in Kaseya BMS, and then you need to provide the API User's credentials to the MSP Process platform. This KB article will cover the first step; the second KB article is available here.

Creating a Custom Role for the API User

1. Navigate to Admin -> Security -> Roles
2. Click the New () button to create a new Security Role
   1. Name the role something that's easily understood, such as "MSP Process API User"
   2. Ensure that the Role Type is set to Internal, and the Status is set to Active
   3. Click the Save () button to save the Security Role
   4. In the Service Desk category, click the Allow View All and Allow Modify All buttons
   5. In the CRM category, enable the View permission for Accounts and both View and Modify for Contacts
   6. Click the Save () button to save your changes

Creating an API User in Kaseya BMS

Note: these instructions were sourced from this Kaseya BMS KB article.

1. Login to your Kaseya BMS server
2. Navgiate to Admin -> HR -> Employees
3. Click the New () button to create a new user, and specify the following values:
   1. User Name: MSPProcessAPIUser
   2. First Name: MSP Process
   3. Emp ID: Whatever number makes sense for your organization
   4. Email Address: mspprocessAPIUser@.com (note that you'll need this to be a valid e-mail whose inbox you can access)
   5. Job Title: Administrator
   6. Department: Administration
   7. Manager: Pick an appropriate Manager within your organization
   8. Employment Type: Full Time
   9. Employee Roles: Administration
   10. Security Roles: Choose the Security Role that you created (i.e. MSP Process API User)
   11. Location: Pick an appropriate location
   12. User Type: Api Employee
4. 
   
5. Click the Save ()button to save the new user
6. Edit the user account, and click the Reset and Send Instructions button; when you receive that e-mail, change the password and save it, as we'll need the e-mail address of the user and the password in the second KB article.

Conclusion

Congratulations! You've now created a custom Security Role and an API user in Kaseya BMS, and you're ready to following the instructions in our second KB article, available here.

Introduction:

This is the second (of two) KB articles that guides you through configuring the integration between Kaseya BMS and the MSP Process platform. The first KB article is available here; the steps in that article must be completed before following the instructions in this KB article.

Providing MSP Process with the API User Credentials from Kaseya BMS

1. Login to the MSP Process UI (https://app.mspprocess.com)
2. Navigate to Integrations -> PSA Integrations
3. Click the Add new PSA button
4. 
5. Click the Kaseya button
6. 
7. On the first step of the wizard (Select PSA) enter the required information - specify the e-mail address and the password for the user that you created in Kaseya BMS
8. 
9. Click Submit; this will validate that the MSP Process platform can communicate with your Kaseya BMS instance
10. On the second step of the wizard (Input base settings), specify the properties for any new tickets that get created through MSP Process
11. Click the Validation button, and then the Submit button

Congratulations! You've now configured the integration between MSP Process and your Kaseya BMS instance.

Introduction

Configuring MSP Process and HaloPSA to work with one another is a quick and easy process that is composed of a few steps:

• Creating an Agent in HaloPSA that has the appropriate roles and permissions.
• Creating an Application within the HaloPSA API
• Providing MSP Process with the appropriate URL and tokens to communicate with HaloPSA.
• Creating a custom tab in HaloPSA that will display the MSP Process Pod

Once you've completed the steps in this KB article, you'll have MSP Process and HaloPSA communicating with one another, and you'll be ready to move on to the next KB article:  Step 2: Setup the MSP Process "Custom Tab" in Halo.

Creating an Agent in HaloPSA

1. Sign into your HaloPSA system
2. Navigate to Configuration -> Teams and Agents -> Agents
3. Click the New button to add a new agent
4. Provide a name for the agent; we recommend MSP Process Agent
5. Specify a password that meets your organizations security rules
6. Assign the agent a Role; we recommend the default Role called 1st Line Support (or your equivalent if you’re modified the Roles in your Halo PSA instance)
7. Enable the Is an API-only agent option
8. Fill out any other mandatory fields (such as the Team and Working Hours fields)
9. Click Save

Creating an Application within the HaloPSA API

1. From the Halo PSA UI, navigate to Configuration -> Integrations -> HaloPSA API
2. Take note of the Resource Server URL; you'll need it (including the https:// prefix, but without the /api at the end) during one of the configuration steps with MSP Process
3. Within the Applications portion of the page, click the View Applications button
4. Click the New button to add a new application
5. Specify a name for the application; we recommend MSP Process
6. Within the Authorization Method section, select Client ID and Secret (Services)
7. Copy the ClientID and Client Secret; you'll need it during one of the configuration steps with MSP Process
8. Ensure that the Login Type drop-down menu is set to Agent
9. Open the Agent to log in as drop-down menu, and choose the Agent you configured in the Creating an Agent in HaloPSA section
10. Click the Save button
11. Dismiss any permissions-related messages that appear; we'll be configuring those next
12. On the Permissions tab, click the Edit button and enable the following permissions:
1. read:tickets
2. edit:tickets
3. read:customers
4. edit:customers
5. read:crm
6. edit:crm
7. read:items
8. edit:items
9. 
13. Click the Save button

Providing MSP Process with the appropriate URL and tokens to communicate with HaloPSA

1. Login to the MSP Process UI (https://app.mspprocess.com) 
2. Navigate to Integrations -> PSA Integrations
3. Click on the Add new PSA icon
4. Click the HaloPSA icon
5. Specify the ClientID and Secret that you obtained in step 7 of the Creating an Application within the HaloPSA API section
6. Specify the Resource Server URL (remove the /api at the end) that you obtained in step 2 of the Creating an Application within the HaloPSA API section. Note that the URL must start with https://
7. Click Submit to save the HaloPSA configuration settings
8. Finally, fill in the ticketing default fields; these values will be used when leveraging MSP Process to create tickets
9. Click Submit to finish setting up the HaloPSA module in MSP Process

Introduction

Microsoft's Authenticator app is a great tool to use when verifying someone's identity through the MSP Process platform - it's more secure than just sending an SMS message, it can leverage additional biometric security mechanisms like Apple's FaceID, and it's convenient - your end-users likely already have the Microsoft Authenticator app on their phone.

In order for the MSP Process platform to send a push notification to your end-users, there are configuration steps that must be taken within that end-user's M365 tenant. This KB article will guide you through those steps.

Prerequisites

• Your end-user's M365 tenant must have an Entra P1 license (or higher) assigned to it
• You must have a set of credentials for your customer's M365 tenant that have Cloud Application Administrator permissions.

Configuring an M365 Tenant

The following steps must be done for each M365 tenant.

1. Login to the MSP Process UI (https://app.mspprocess.com)
2. Navigate to Integrations -> Security Integrations
3. Click the Add New Integration button
   1. 
4. Click on Microsoft Authenticator
   
   1. 
      
5. In the Microsoft window that appears, sign-in to your customer's M365 tenant
6. Follow the prompts to provide MSP Process with the required permissions; when that's completed, you'll be brought to the following page:
   1. 
7. Click the Tap to finish onboarding button
8. You'll be brought back to the MSP Process UI

At this point, you've setup MSP Process to use Microsoft Authenticator to verify the end-users in that M365 tenant with their Microsoft Authenticator app. You'll now see Microsoft Authenticator available as an option within your PSA:

ConnectWise/Halo PSA:

Autotask:

Login to Autotask and create your API username and password: 

Under Admin -> Resources (Users) click on New and select "API User", Select MSP Process as your integration partner, and generate a username and password. These two fields will be the username and password you will use to connect Alert Manager to Autotask. 

Select Security Level "API User" (system)

In MSP Process click on Integrations -> PSA Integrations and click on Plus sign on Add as shown below: 

Click on Autotask and then input the username and password from the steps above: 

NOTE: This is the second (of two) steps needed to configure the Autotask integration. If you haven't already done so, please complete the first step, which is available here:

Setup the API User in Autotask and Configure the Autotask Integration in MSP Process

Configuring the MSP Process Insight in Autotask

In the menu select Admin → Extensions & Integrations

At the Vendors tab, find ‘MSP Process’ in the Vendor Name column and click ‘Edit’

The ‘Active’ checkbox must be checked.

Enable  the two options in the "Vendor Insights" section, and press ‘Save & Close’

Then go to Admin ->  Features & Settings

Select the Ticket Category which you use as Default - in most cases that's the one called "Standard", and Edit this default ticket category.

Open the Insights tab

This page is divided into two sections - Visible Insights and Hidden Insights. You'll find the MSP Process insight in the Hidden section; drag it up to the Visible section, and place it in the apporpriate order with the other Visible insights. Insights in the "Hidden Insights" section will not display on the Ticket. The "Always Display" checkbox should be checked.

After pressing ‘Save & Close’ you will be able to see the MSP Process insight in the Insights section of your Tickets.

Introduction

The Client Portal feature within the MSP Process platform is feature-rich and intuitive to use, but did you also know that it's available as a mobile app? We've built two different apps for the Client Portal - one for your Technicians, and another for your End-Users. Let's take a look!

Technician App

The Technician app is available for both iOS and Android, from the following URLs:

iOS: https://apps.apple.com/us/app/msp-process/id6447599630 

Android: https://play.google.com/store/apps/details?id=vn.starlingtech.likemagic 

The app allows your Technicians to chat with end-users, view their tickets, add ticket notes, and more!

End-User App

The End-User app allows your customers to create and update tickets, chat with your Technicians, request a Technician Verification, and get notifications. The app is branded with your MSP's logo and colors, enhancing the visibility of your brand to your customers.

iOS: https://apps.apple.com/us/app/msp-client-portal/id6469681233 

Android: https://play.google.com/store/apps/details?id=com.app.mspclient 

Login to Autotask and create your API username and password: 

Under Admin -> Resources (Users) click on New and select "API User", Select MSP Process as your integration partner, and generate a username and password. These two fields will be the username and password you will use to connect Alert Manager to Datto Autotask. 

Select Security Level "API User" (system)

In MSP Process click on Integrations -> PSA Integrations and click on Plus sign on Add as shown below: 

Click on Autotask and then input the username and password from the steps above: 

The following is the setup process for the Autotask Ticket Insight. This must be completed after setting up the API and putting it API keys into app.mspprocess.com.

Configuring the MSP Process Insight in Autotask

In the menu select Admin → Extensions & Integrations

At the Vendors tab, find ‘MSP Process’ in the Vendor Name column and click ‘Edit’

‘Active’ checkbox should be checked.

Enable Vendor Insights and press ‘Save & Close’

Then go to Admin ->  Features & Settings

Select ‘Ticket Categories’

Select ‘Ticket Category’ which you use as Default and Edit this default ticket category.

Open ‘Insights’ tab

Drag and drop the insights within the "Visible Insights" section to control their order of appearance on the Insights tab. Insights in the "Hidden Insights" section will not display on the Ticket. The "Always Display" checkbox should be checked.

After pressing ‘Save & Close’ you will be able to see POD in Ticket window.

The first thing that you be required is the create the HaloPSA API keys.

1) Choose the configuration gear,

2 Choose HaloPSA API.

3) Now grab the URL for your Halo instance under Resource Server - copy this and have it available to put into the app.mspprocess.com configuration. Only the first component until the end of the domain name is required.

4) Finally, click on the View Applications button.

Save the Resource Server to a notepad or another place for retrieval later.

Click on New on the top, right-hand side to create a new API

Follow these steps:

1) name the Application (MSP Process, in this case or something similar), 

2) Choose Authentication Method (Client ID and Secret - these will be provided to the integration step in app.mspprocess.com from above)

3) Copy and Paste the Client Id  for later retrieval  onto a clipboard or other for later retrieval to put in app.mspprocess.com

4) Copy and Paste the Client Secret onto a clipboard or other for later retrieval to put in app.mspprocess.com

5) "Agent to log in as" should choose an Agent with admin privileges and

6) Save

Click on Permission Tab. Edit the permissions. And click on the ones identified below. Make sure the final step is the Save the permission Changes.

At this point, you are ready for onboarding with your specialist. Make sure you have your Resource Server, Client Secret and Secret ID obtained earlier. These will be required  for input  into app.mspprocess.com integration page.

Once you have done the integration with you have completed the API integration with your onboarding specialist, you will have to complete the HaloPSA configuration:

Now we are going to create a Custom Tab in Halo. So go to Halo and under Configurations -> Custom Tabs, with the Entity set to "Ticket", click on "New" to create a new Custom Tab.

Enter the name of the custom tab to something like: "MSP Process",  Sequence "2" (or wherever you want it to appear), Type "Iframe", and finally, paste the URL that you copied from the app.mspprocess.com integration page, and hit Save.

For each ticket type that you would like for the MSP Process functionality to appear as a Custom Tab, you have to follow the following process:

Under the Halo Configuration-> Ticket -> Ticket Types, choose the ticket type that you would like to configure. Incident in this example.

Edit the Ticket Type, in this case, Incident, under the item Custom Tabs, make sure the box "All all Custom Tabs" is turned on. Save the configuration.

At this point, please contact your MSP Process account manager or onboarding specialist. You will be required to put the Resource Server, Client ID and Secret into the MSP Process application please have this data ready for the onboarding session.

Once the previous step is completed,  you will have access to the MSP Process custom tab when you access a ticket (on an Incident ticket in this case) on your HaloPSA!

Login to ConnectWise as an Admin and select System -> Members -> API Members as shown below: 

Click on + as shown below: 

Fill out all required fields and click Save button: Be sure to set the permission to "Admin". If you have a role ID other than Admin, please see the bottom of this documentation for setting permissions for a custom role ID.

Click on API Keys and then click on the + sign to add a new key: 

Give it a description and click Save: 

The keys will disappear after you click save and close so copy both now to a document or directly into MSP Process before you save and close in ConnectWise. 

After you have saved the Public and Private keys to a clipboard or anywhere else for retrieval, the next step will be to enter this information into the MSP Process admin app. On your Onboarding session, please make sure to have these available.

Once instructed by your onboarding specialist, please perform the following tasks:

Now login to MSP Process and click on Integrations and click Integrations -> PSA Integrations. Click + to Add PSA and select ConnectWise. 

Select ConnectWise

Enter your PSA Connection Details: 

ConnectWise Permission Details

Introduction

At MSP Process we believe in only setting the minimum permissions required to leverage our application for your business needs. Please find the outline below along with a more granular review of the permissions. 

Adding a Security Role for MSP Process

1. Login to your ConnectWise Manager account
2. Navigate to System -> Security Roles
3. Add a new role, name it MSP Process, and give it the permissions listed below: 

Area	Permission
Companies	Company Maintenance: Inquire (All) Company/Contact Group Maintenance: Inquire (All) Contacts: Add/Edit/Inquire (All) CRM/Sales Activities: Inquire (All) Manage Attachments: Add/Inquire (All) Notes: Add/Edit/Inquire (All) Team Members: Inquire (All)
Finance*	Invoicing: Inquire (All)
Project	Project Tickets: Inquire (All)
Service Desk	Close Service Tickets: Add/Edit/Inquire (All) Resource Scheduling: Add/Inquire (All) Service Ticket - Dependancies: Add/Edit/Inquire (All) Service Tickets: Add/Edit/Inquire (All) Service Tickets - Finance: Inquire (All) SLA Dashboard: Inquire (All) Ticket Templates: Inquire (All)
System	Member Maintenance: Inquire (All) Table Setup: Inquire (All)

* only required if using the Invoices tab within the MSP Process Client Portal

       4. Within the System area, click the customize link beside the Table Setup permission (screeshot below):

       5. Make sure that all of the entries are "allowed access" as shown below. You may then save and close the MSP Process Security Role.

 

API Endpoints Used by MSP Process

This is a list of all APIs we get information from or post using the API connections. Please adjust your permissions based on the details below. Please note that some of these API requests are part of other functions of our app and are not needed for End User and SMS utilization. 

Type	API (resource)	Description
GET	/company/companies/count	Check is connection is valid
GET	/company/companies/statuses	Get statuses (company filters)
GET	/company/companies/types	Get types (company filters)
GET	/company/configurations/statuses	Get statuses (configuration filters)
GET	/company/configurations/types	Get types (configuration filters)
GET	/company/configurations	Get configurations
GET POST	/company/companies	Get all companies
GET	/company/communicationTypes/info	For contact creation
GET POST	/company/contacts	For contact creation
GET	/company/noteTypes	note types
GET	/company/contacts/{contactId}/notes	contact notes
GET	/company/contacts/{contactId}	contact
GET	/company/contacts/count	contacts count
GET	/company/contacts/validatePortalCredentials	valiadate client portal credentials
POST	/company/contacts/requestPassword	request reset password

 

System

Finance

Service

Ticket Notes

Time Entries / Schedule entries

The final step to take in setting up the MSP Process -> Halo PSA integration is to configure a Custom Tab within Halo PSA that'll contain the MSP Process pod.

The first step is to obtain the URL for your MSP Process pod; to do that, go to Integrations -> PSA Integrations -> Halo

Click on the Get Link to v2 Pod as shown below: 

Login to Halo PSA and click on Settings -> Custom Objects:

Click on Custom Tabs: 

Create a new custom tab, and specify the details as outlined below:

Setup new ConnectWise Pod v2

If you are not utilizing our new version of the pod it is very simple to update to the new one. You can also run them concurrently until you are sure v2 is working properly for you. 

Login to MSP Process and go to Integrations -> PSA Integrations -> ConnectWise. 

Once you click ConnectWise you will see v2 link as shown below and you can click the copy button next to it. 

Now login to Connectwise and go to System -> Setup Tables and Search for Manage Hosted API. 

Once you select it you can update your existing POD or create a new one and utilize both side by side until you are sure v2 meets all of your needs. The naming of your pods may be slightly different than mine below but we recommend updating both Contact and Service Ticket pods. 

Select one of the existing ones to update it: 

Update the origin link to:

https://pod.mspprocess.com

To note if you want to create a new pod then the pod should look like the one above. The only setting to consider is whether you want the pod to be 600 or 800 in size. We generally recommend 800 if you have larger screens. If on a laptop you may want 600. 

Disclaimer: This is not a substitute for Legal advice. Pleas consult with your attorney on local, state and federal guidelines before including this in any legal agreements. This document is intended for educational purposes.

Risks of Not Implementing End User Verification with Company Signature

Introduction

In the digital age, verifying the identity of end users has become a crucial aspect of managing security and maintaining trust in business operations. End User Verification (EUV) processes, particularly those that include a company signature (either digital or physical), play a critical role in ensuring that services and information are accessed only by authorized individuals. This document outlines the potential risks associated with the refusal or failure to implement an EUV system that includes a company signature, emphasizing the importance of such measures for safeguarding business integrity, customer trust, and legal compliance.

Risks Associated with Non-Implementation

1. **Increased Vulnerability to Fraud and Identity Theft**

Without a robust EUV process, businesses are more susceptible to fraudulent activities. Fraudsters can easily impersonate users or create fake accounts, leading to identity theft and unauthorized access to sensitive information. This not only results in financial losses but can also damage the company's reputation.

2. **Legal and Compliance Risks**

Many industries are governed by strict regulatory requirements that mandate the verification of customer identities (e.g., GDPR in Europe, KYC regulations in the banking sector). Failure to implement an EUV system with a company signature can result in non-compliance, leading to hefty fines, legal sanctions, and remediation costs.

3. **Data Breaches and Security Incidents**

Lack of end user verification weakens the overall security posture of a company. It becomes easier for attackers to gain unauthorized access to the system, potentially leading to data breaches. Such incidents not only have financial repercussions but also erode customer trust and loyalty.

4. **Loss of Customer Trust and Reputation Damage**

Customers expect businesses to protect their personal information and ensure secure transactions. A company's refusal to implement adequate EUV measures can lead to a perception of negligence, undermining customer trust. Rebuilding reputation after such damage is often costly and time-consuming.

5. **Operational Disruptions and Financial Losses**

Fraudulent activities facilitated by inadequate EUV processes can disrupt operations, requiring significant resources to address security breaches, investigate fraud, and implement corrective measures. These disruptions often lead to direct financial losses and increased operational costs.

6. **Decreased Market Competitiveness**

In a market where competitors are enhancing their security measures and trustworthiness through robust EUV processes, companies that fail to do so may find themselves at a competitive disadvantage. Customers and partners are more likely to engage with businesses that demonstrate a commitment to security and privacy.

7. **Increased Risk of Insider Threats**

Without effective EUV, it's challenging to track and monitor user activities accurately. This increases the risk of insider threats, as malicious or negligent actions by employees, contractors, or partners can go undetected. Insider threats are particularly dangerous because they can cause extensive damage due to their access to sensitive information.

Conclusion

Implementing End User Verification with a company signature is not just about adhering to regulatory requirements; it's a fundamental component of a comprehensive security strategy that protects against a wide range of risks. The refusal to implement such measures can expose businesses to significant vulnerabilities, including financial losses, legal penalties, operational disruptions, and reputational damage. To safeguard their interests, assets, and stakeholders, companies should prioritize the implementation of robust EUV processes that include company signatures as a standard practice for verifying and authenticating user identities.

Recommendations

1. Assess Current Security Posture: Conduct a comprehensive security assessment to understand the existing vulnerabilities and identify the need for enhanced EUV processes.
2. Implement Robust EUV Solutions: Invest in and implement advanced EUV technologies that include company signatures, leveraging biometrics, digital signatures, and other authentication methods.
3. Regular Training and Awareness: Educate employees, partners, and customers about the importance of security and the role of EUV in protecting their information.
4. Continuous Monitoring and Improvement: Regularly review and update the EUV processes to adapt to emerging threats and changing regulatory requirements.
5. Legal and Compliance Consultation: Work with legal and compliance experts to ensure that the EUV processes meet all relevant regulatory requirements and industry standards.

Waiver of Liability for Non-Acceptance of Zero Trust Policy

I, [Your Name], hereby acknowledge that I have been informed of the zero trust policy implemented by [Organization/Company Name], herein referred to as "the Company." I understand that the zero trust policy is designed to enhance security measures within the Company's network and systems.

I further acknowledge that despite being informed of the zero trust policy, I have chosen not to accept or adhere to its principles and guidelines.

By not accepting the zero trust policy, I acknowledge and agree to the following:

1. Assumption of Risk: I understand that by not adhering to the zero trust policy, I may be exposing myself and the Company to increased cybersecurity risks, including but not limited to unauthorized access, data breaches, and other security incidents.

2. Release of Liability: I hereby release, waive, discharge, and covenant not to sue the Company, its officers, directors, employees, agents, and affiliates from any and all liabilities, claims, demands, actions, or damages of any kind arising out of or related to my decision not to accept the zero trust policy.

3. Indemnification: I agree to indemnify and hold harmless the Company, its officers, directors, employees, agents, and affiliates from any and all liabilities, damages, losses, costs, or expenses (including reasonable attorneys' fees) arising out of or related to any security incidents or breaches resulting from my non-acceptance of the zero trust policy.

4. Acknowledgment of Consequences: I acknowledge that the Company has provided me with ample opportunity to review and understand the implications of not accepting the zero trust policy. I understand that my decision may impact my access to certain resources, systems, and privileges within the Company.

5. Voluntary Agreement: I certify that my decision not to accept the zero trust policy is voluntary and made of my own free will, without coercion or undue influence from any party.

I have read this waiver of liability and fully understand its terms and implications. I acknowledge that I am voluntarily waiving certain rights by not accepting the zero trust policy.

Signed this [Date] day of [Month, Year].

[Your Signature]

[Your Printed Name]

Please note that this waiver is a template and may need to be reviewed and adjusted by legal professionals to ensure compliance with relevant laws and regulations in your jurisdiction and to tailor it to the specific circumstances of your organization.

End-user verification with a secure, single-click link can be achieved with either an email or SMS to transmit the secure data link to the client. The follow step is for the secure like via email:

Make sure that the client is expecting to see an email from noreply@mspprocess.com and that they click the secure link within the configured time the link is valid (by default, it is set for 5 minutes). The logo, text, signature, and footer are all configurable.

This is what the client will see when they click on the secure link in the previous email. The colors, color gradient and logo are configurable. Once they click on "Validate" the end-user verification process will be complete.

This is what the result will look like from the technician's perspective. Note that the duration that the shields will stay green after successful verification is configurable.

The following is the secure link via SMS:

If you click on the Verification History down arrow, you will see the history of verifications for this contact. The number of history entries is configurable:

To close the Verification history, click on the "up" arrow.

Adhering to our Zero-Trust Policy, your staff should treat every incoming call from us with skepticism and initiate the Technician Verification process without hesitation. With a clearly defined and easily accessible procedure, you attain peace of mind in mere moments. 

{yourMSP} has a dedicated verification number to which you can direct all Technician Verification requests to. It is {VerificationNumber}.

For all purported requests from {yourMSP}'s service desk, please send a #verify message to {VerificationNumber}:

In a few seconds, you will be provided with a code, as above and in this case 870421, that should also be the code that your service desk technician should be provide to you. If it matches what you have been provided, you can be assured that the current call is from a legitimate technician from the {yourMSP} service desk. 

With your satisfaction that the code matches, please respond with a #confirm to the same phone number and SMS conversation. This will close the Tech Verification process and will log this interaction with our service desk software and tied to the service ticket that your technician is calling about:

  What is End-User and Tech Verification? 

End-User and Tech Verification are identity verification techniques that confirm the identity of the respective person. Identity verification, in the context of cybersecurity and access control, refers to the process of confirming and validating the identity of individuals who are trying to access a system, application, or network. The goal is to ensure that only authorized users gain access to specific resources, while unauthorized or malicious actors are prevented from doing so. 

Why does an {MSP} make use of Identity Verification? 

{put MSP Name here}  has adopted a Zero Trust Policy (ZTP). A ZTP is an approach to cybersecurity that assumes no entity, whether inside or outside the organization, can be trusted by default. This security model requires strict verification of anyone trying to access resources in the network, regardless of their location or the device they are using. There are several reasons why we have adopted a zero-trust policy: 

• Changing Perimeter: Traditional security models rely on a secure perimeter, assuming that once someone is inside the network, they can be trusted. However, with the rise of remote work, cloud computing, and mobile devices, the concept of a secure perimeter has become less relevant. Zero trust acknowledges that threats can come from both inside and outside the network. 
• Advanced Threats: Traditional security measures are not always effective against advanced persistent threats and sophisticated cyber-attacks such as AI-induced Voice Phishing Attacks. A ZTP approach helps to mitigate the risk of these threats by continuously verifying and authenticating users. 
• Data Security: As organizations increasingly store sensitive data in the cloud and allow remote access to their networks, protecting data becomes paramount. ZTP ensures that only authorized users have access to specific data and resources, reducing the risk of data breaches. 
• Mobile Workforce: With more employees working remotely or using mobile devices to access corporate resources, the traditional model of trusting devices based on their location becomes impractical. Zero trust considers every access attempt as potentially untrusted, regardless of the user's location. 
• Privileged Access: Zero trust is particularly important for managing privileged access. Even employees with higher levels of access must continuously authenticate and prove their identity, reducing the risk of misuse of privileged credentials. 
• Insider Threats: While the majority of employees are trustworthy, insider threats can still pose a significant risk. Zero trust helps organizations minimize the potential damage from insider threats by enforcing the principle of least privilege and continuous monitoring. 
• Compliance Requirements: In many industries, there are regulatory requirements that mandate a high level of security and data protection. Adopting a ZTP can help organizations meet these compliance standards and demonstrate a commitment to securing sensitive information. 

By adopting a ZTP, {MSP} aims to enhance our client’s overall security posture, adapt to the evolving threat landscape, and protect critical assets from both internal and external threats. 

What are typical ways to Authenticate an Identity? 

The goal of identity verification is to ensure that the person claiming a particular identity is, indeed, who they say they are. Verification, to be effective, relies on Multi-Factor Authentication (MFA). He is a list of factors that we rely on: 

• Something You Know: This involves knowledge-based factors such as passwords, PINs, or security questions. Often these are not available at the time of authentication because of forgotten information. They can often be compromised because they are often shared or based upon easily generated information (birth dates, addresses or less.) 
• Something You Have: This includes possession-based factors such as security tokens, smart cards, or mobile devices. In the case of a mobile device, this usually means the phone number and possession of the device as forms of authentication because you can reference them via a phone call, SMS or an application notification push. 
• Something You Are: This involves biometric factors like fingerprints, facial recognition, or retina scans. With access to your mobile devices your biometric information authenticated and stored on the device is proof of something that is unique to the end user. 

So how does End-User Verification make use of the Authentication Factors listed above? 

End-User Verification is a 30-second process and because of our ZTP, it is required on every service desk call from our clients. 

SMS send – EUV pushes a 6-digit code or a single-click link to a mobile device (Something you Have). Since the end-user has supplied the phone number (Something you Know) of the mobile device that relies on a PIN, Password (Something you know) or a biometric (Something you Are) to access the device, you have three levels of authentication in place.  

Email send – as above, EUV pushes the 6-digit code or single-click link to a known email address. The email box would be authenticated by the physical access to the mobile or desktop device AND to the email client. 

Client Portal or Client App – in the event that you don’t have access SMS or email or it is more convenient to do so, the user can access either the Client Portal with a password (Something You Know) or the Client App with a biometric login (Something you Are). Once the End-User has accessed the Portal or App, the technician can push a code or a confirmation request for the End-User to complete the Verification. 

What is the purpose of Tech Verification? 

Often threat actors will pose as a technician from a service desk in an attempt to gain access to your network, servers, or other network applications. They often sound credible because they may have obtained some pertinent or meaningful information that can be used to fool you into believing that you are speaking with a technician from the {MSP} service desk. 

With ZTP, all End-Users should verify any solicited or unsolicited call purporting to be from {MSP} or our service desk. 

Tech Verification is a simple, 30 second process.  The End-User sends #verify using SMS on their mobile (Something you have) number to our published Verification phone number (Something you know).  In response to this, you will be provided with aa unique 6-digit code that only you and a valid service technician from our service desk will know. When the technician provides this code to you, and you are satisfied that it is correct, you send #confirm on SMS back to the Verification phone number.  

Here are some tips to help you prevent phishing attacks:  

Don’t trust caller ID: Caller ID can be easily spoofed, so just because a call appears to be from your {MSP} or other Service Provider doesn’t mean it’s legitimate. Always be suspicious of unsolicited calls asking for personal, network, applications or computer information. 

Verify the caller: If someone calls claiming to be from your {MSP} provider or another organization, initiate the Tech Verification procedure or hang up and call them back using a phone number you know to be genuine. Don’t use the number they give you, as it may be fake. 

Don’t give out personal information: Never give out personal or corporate information, such as passwords, PINs, or credit card numbers, to someone who calls you, until you have confirmed that they belong to a trusted organization. 

Introduction

Enterprises or individuals (collectively referred to as End-Users or “EU)” recently have been burned by Threat Actors (“TA”) who pose as authority representatives from a government, bank, telecom provider, IT service provider, or any other service provider (collectively referred to as Service Providers or “SP”). They try, through what is colloquially called voice phishing, to pry information from the EU which might enable them to compromise the EU’s enterprise systems, data, bank accounts, etc. In an attempt to thwart the threat attempts, we have developed a Verification System (“VS”) which allows the EU to verify that any voice call requests can be verified as legitimate or a threat. 

How is it achieved? 

This is accomplished by training the EU to have no trust for any incoming phone call from any SP seeking proprietary information. They are instructed to initiate a verification sequence to validate that the request is from a legitimate entity at the SP. 

This provides confidence because it is achieved through multi-factors, all of which are only known by the two participating and valid entities – the SP and the EU. 

There is always an a priori information known only by each entity. In the case of the SP, they would know the EU’s phone number, email address or that the EU is a valid registered user of the Customer Portal (“CP”). The EU would know of the SP-provided phone number, email address, or CP. The CP is protected by a UserID/Password sequence. 

No matter what medium is used for verification – SMS, email, CPl – the process for the verification follows a very similar procedure. There is always something that is known between the two parties that is not generally published for public consumption such as an SP-provided SMS phone number (“SPN”), Private email address (“PEA”), or a customer portal (“CP”) with a UserID/Password (“UIP”) login sequence. 

The sequence would be as follows: 

1. The SP has reason to contact the EU, and this is done through a voice call to the EU. The SP may be a IT SP responding to a service request ticket, or a bank looking for confirmation on a potentially fraudulent transaction. 
2. The agreed upon policy between the SP and the EU is that the verification procedure will be initiated for any voice call initiated by the SP to the EU 
3. The EU, using the agreed upon medium (SMS on a mobile device, an email on mobile, laptop or other computing device, or a web-based customer portal accessed by any of the above devices, the EU starts the verification request (“VR”) by sending a Verify Code (“VC”),  #verify for example, to a pre-agreed but private SPN, or a pre-agreed PEA. In these cases, the VC must be initiated from an EU email address or phone number known by the SP. In the case of the CP, the EU logs into the CP with their specific UIP, and clicks on a Verify button within the CP. 
4. Any of the above Verify commands initiate a sequence of events within our VS that will be completed when the EU has been satisfied that the SP been verified or can reject the verification. In the event that the VR comes from an unknown phone number or email address, the VR process will not be started. However, all VR will be logged for compliance and historical recall. 
   • The VS will generate a random number (usually 6 digits, but could be any number) that will be:  

1. 1. • Sent back to the EU through the medium (SMS, email, or CP) from where the VR originated and to the respective phone number (SMS) or email address (email) that originated the VR. In the case of CP-originated VR, the code will be pushed to a banner on the CP.  In all cases the code will be sent with an appropriate message indicating its use. The message will read something thing like “The verification code ‘012345’ should be provided BY your service provider. If the code matches the one previously provided to you, you may initiate the confirmation response”. 

• • • Provided to the SP in a SP console with a message that will read something like “ Please provide code ‘012345’ to the EU. 

1. • The SP will provide the code to the EU via the phone call. 

• •  If the EU is satisfied that the SP has provided the corresponding matching code: 

1. 1. •  the EU may give a verbal confirmation to the SP that they are satisfied with the legitimacy of the SP and continue the phone call in which case the SP must manually log this response, 

• • • the EU may send a Confirmation Code (“CC”), #confirm for example, to the SPN or the PEA. In the case of the CP, the EU would click on the “Confirm” button within the CP. 

1. • If the EU is not satisfied that the SP has provided the matching code the EU may: 

1. 1. • Hang-up the phone  

• • • Re-initiate the VR 

          5. There are some ancillary functions of the VR that can be considered in specific applications. In the event that the SP has a service or help desk platform, the entire sequence of events ( VR, and corresponding response) can be logged within a service ticket for posterity when the Verification Sequence has been completed. This could be automatic or at the approval of the SP personnel. 

Subject: End-User Verification: Ensuring Mutual Security with {Your MSP Name}! 

Body:

In today's digital landscape, cyber security threats loom large, fueled by the rapid advancements in Artificial Intelligence. At {Your MSP Name}, we're dedicated to staying ahead of these threats and fortifying our service desk against potential breaches. 

Think about the routine verification processes you encounter when contacting your bank, government agency, or mobile phone provider. Shouldn't the same level of scrutiny be applied when safeguarding your business? 

That's why {Your MSP Name} is implementing a Zero-Trust Policy for End-User Verification. Every interaction with our service desk involves a simple identity verification process, ensuring that only authorized personnel access your sensitive information or provide support instructions. 

While we understand that this additional step may seem like a minor inconvenience, it's a critical measure to uphold the security of your business. Our End-User verification process is designed to be seamless, non-intrusive, and efficient, eliminating the need for memorization of information or PINs and typically completed in seconds. 

With {Your MSP Name}, rest assured that your security is our priority. Together, let's reinforce our defenses and create a safer digital environment for your business.

Subject: Technician Verification: Elevating Your Security with {Your MSP Name}!  

Body:

At {Your MSP Name}, our team is highly trained to detect security threats. However, as the landscape of voice-phishing attempts evolves with increasing sophistication, we've bolstered our Zero-Trust security policy by introducing End-User Verification. Through our proactive security measures, we enhance your overall security. 

Yet, many businesses lack the necessary tools to combat similar attacks within their own environments. That's why {Your MSP Name} offers a swift Technician Verification process, enabling you to promptly and accurately confirm the identity of any caller claiming to be from our team. Adhering to our Zero-Trust Policy, your staff should treat every incoming call from us with skepticism and initiate the Technician Verification process without hesitation. With a clearly defined and easily accessible procedure, you attain peace of mind in mere moments. 

Seeking evidence of our commitment to the Zero-Trust Policy? Rest assured, all verification interactions between {Your MSP Name} and your organization are meticulously logged for compliance and historical reference. 

Together, we're dedicated to ensuring robust security measures. 

End-User Verification

{yourMSP} takes security seriously. As part of that, we will be verifying your identity on each call to our Service Desk.

The End-User Verification will take one of 7 forms depending on what information we have available and the available configurations (Duo, Client Portal) :

1) If we have a valid email in our system verification can take one of two forms:

• • email one-click Secure Link. Note that his email will come from noreply@mspprocess.com. Please click on the link as indicated below within the specified period of time:
  • 

The final step is to click on the "Validate":

If the Validate completed successfully, you will see the following:

 2) If Duo has been configured, please go to your Duo Mobile app on your mobile phone and "Approve" the verification push:

3) If we have a valid mobile phone number on file we can do the End-User Verification via SMS. The published phone number for all Verification requests for {yourMSp} will come from {YourVerificationNumber}:

• Six-Digit Code - Please repeat the six-digit code back to your service desk technician within the specified period of time:

4) Single-Click Secure Link - when you receive the text via SMS, please click on the validation link as specified below:

Click on "Validate" to complete the verification process:

If verification is successful, you will get the following screen. The verification is now complete:

5)  If a client portal has been configured, verification can proceed via the client portal. Please go to http://{your Msp}.mspprocess.net and log in to the portal with your credential information. 

When you are logged in and ready, your service technician will verify you in one of two ways:

• • Confirmation from the Client Portal. Click on the "CONFIRM" button before expiration:

6) Confirmation from the Client Portal with a six-digit code sent via SMS to your mobile phone:

Take the six-digit code that you receive from your mobile phone via SMS to put in the client portal dialog box and click "CONFIRM":

7) If no email or mobile phone is available, you can be verified with a voice phone call to the specified landline phone that we may have on file. The automated system will read you a six-digit phone number so be prepared to write this single-use number down. The six-digit will be repeated a second time if you happen to miss the first time. Provide this six-digit code to your service technician. Your technician will confirm the sucessful completion of the verification.

This is using Connectwise Manage Pod integration for Illustrative Purposes but can be done from any PSA using the integrated POD or through the MSP Process Admin portal.

On the Pod, make sure the appropriate phone number is selected for the chosen contact. If you choose a PSA Contact other than the default one, you will be required to provide a note, eg Manager Approval. That note is can be enforced through configuration. One the "Send Code" has been clicked, the six-digit code will be sent via SMS to client and the technician must receive, verbally, the code sent to them.

Once the code is received verbally from the client, it must be placed in the "Enter Code Here" box, as below.

Now the shield for the phone number verified should turn green for the configured amount of time.

Introduction

DUO (https://duo.com) is a popular identity verification platform. You can use it in MSP Process to acheive two goals:

• To secure the login process of anyone looking to access your MSP Process account at https://app.mspprocess.com
• During the end-user verification process; DUO can be used instead of sending the user a verification code via e-mail or SMS

This guide will take you through all of the steps required to link MSP Process to your DUO environment, which includes setting up 3 entities in DUO (their Web SDK, Auth API, and Admin entities) and configuring the appropriate settings within MSP Process.

Step 1: Configuring the Web SDK Entity in DUO

What is the DUO Web SDK? The Duo Web SDK adds the two-factor authentication screens and workflow to the MSP Process login flow.

1. Login to the DUO Admin portal (https://admin.duosecurity.com/)
2. From the left-hand menu, navigate to Application -> Protect an Application
3. Search for "Web SDK" in the Search field
4. Click on the Protect button beside Web SDK
5. In the Details section, copy the Client ID, Client Secret and API Hostname; you'll need them later
6. In the Settings section, change Name field to say "MSP Process"
7. Click Save

Step 2: Configuring the Auth API Entity in DUO

What is the DUO Auth API? The DUO Auth API is a low-level, RESTful API for adding strong two-factor authentication to the MSP Process website.

1. If you're already logged into the DUO Admin portal, proceed to step #2. Otherwise, please login to the DUO Admin portal (https://admin.duosecurity.com/)
2. From the left-hand menu, navigate to Application -> Protect an Application
3. Search for "Auth API" in the Search field
4. Click on the Protect button beside DUO Auth API
5. In the Details section, copy the Integration Key, Secret Key and API Hostname; you'll need them later
6. In the Settings section, change Name field to say "Auth API for MSP Process"
7. Click Save

Step 3: Configuring the Admin API Entity in DUO

What is the DUO Admin API? The DUO Admin API is a low-level, RESTful API for querying DUO for information about objects, such as end users.

1. If you're already logged into the DUO Admin portal, proceed to step #2. Otherwise, please login to the DUO Admin portal (https://admin.duosecurity.com/)
2. From the left-hand menu, navigate to Application -> Protect an Application
3. Search for "Admin API" in the Search field
4. Click on the Protect button beside DUO Admin API
5. In the Details section, copy the Integration Key, Secret Key and API Hostname; you'll need them later
6. In the Settings section, change Name field to say "Admin API for MSP Process"
7. In the Permissions section, assign the Grant read resource permission
8. Click Save

Step 4: Configuring MSP Process to Use DUO

1. Login to the MSP Process portal (https://app.mspprocess.com)
2. Navigate to Integrations -> Security Integrations
3. Click the Add new integration button

     4. Click the DUO Auth API button; specify a name, and then enter the Integration Key, Secret Key and API Hostname from Step #2. Click Submit when             you're done.

     5. Repeat steps 3 and 4 for the DUO Admin and DUO Web SDK feature 

Congratulations! You're Done!

You've now setup the required entities in DUO, and configured MSP Process with the information it needs to start using DUO to secure the login process to your MSP Process UI, and to perform end-user verification.

To initiate an SMS Conversation from within MSP Process portal following the instructions below: 

Go to Ticketing -> PSA Ticketing as shown below and click the three dots next to any open ticket at the far right and choose Add SMS Channel. 

Introduction:

Configuring the integration between MSP Process and SuperOps is quick and easy, and consists of just a few steps:

• Creating a custom field in SuperOps to store your client's mobile/cell numbers
• Creating an API token in SuperOps
• Configuring the SuperOps integration module in MSP Process
• Configuring Ticket Defaults in MSP Process

Step 1: Creating a custom field in SuperOps to store your client's mobile/cell numbers

First lets configure a custom field in SuperOps that will store your customer's mobile/cell number. MSP Process will use that field when you verify your users via SMS.

1. Login to SuperOps
2. Navigate to Settings -> Advanced Configuration -> Manage Fields
3. Click on the Requesters tab
4. Click the Create button, and choose the Short Text data type
5. Enter a name for the field; MSP Process will recognize any of the following names (case insensitive):
   1. mobile phone
   2. mobile number
   3. cell phone
   4. cell number
   5. cell
   6. mobile
6. Now that you've created the custom field, you'll need to populate it for each of the Requester users that you have in SuperOps. To do this, navigate to Client Management -> Clients, and click on Clients -> Requesters from the left-hand nav bar. From this screen you'll be able to edit each Requester and populate the custom field accordingly.

Step 2: Creating an API token in SuperOps

Now lets generate an API token from SuperOps. In addition to the API token you will need the web address of your SuperOps site.

Generate the token and click the copy button next to the token. 

Step 3: Configuring the SuperOps integration module in MSP Process

To setup SuperOps AI Integration in MSP Process go to Integrations -> PSA Integrations and click on Add PSA. 

Select SuperOps from the list of Integrations:

Input your web address you gathered from SuperOps URL and your API key as shown below: 

Step 4: Configuring Ticket Defaults in MSP Process

The last step is to configure your ticket defaults based on your SuperOps settings: 

Once you have setup your PSA and ticketing defaults you can now use End User Verification and other components of the integration. For end user verification follow the instructions below: 

Verifying End Users within MSP Process Portal

To Enable Notifications for Client Portal chat there are two components to it. The first is to enable notifications on your MSP Process account. You can do this by going to the profile icon in the top right next to your name as shown below: 

Turn on and set your email or SMS notification preferences: 

Then go to Client Portal -> Configurations and edit your configuration as shown below: 

Enable Notifications and set it to 1 min for the fastest notification. Then click one or more users who will get notified on inbound client portal chat requests. 

Click Submit. If you select more than 1 user the system will round robin notifications. 

To Access Secure Data Send Settings go to: Portal Settings -> Secure Data Settings. These settings can be configured for your technicians and locked down as well. 

Single - This makes the link a single use link. 

Save Logs to Ticket/Contact - This will save the actions of the tech and the user regarding the link. When the tech sent it, when the user opened it. 

Save logs to internal note - This will save logs of all actions to the internal note on your PSA instead of public discussion note section. 

Save data to internal note - Whatever password or text is sent to the user would be logged as an internal note. 

Lock user input - This allows you to lock the settings above so your users cannot change them. 

SMS Template - Messaging that is sent with the SMS link to the user. You can put text before and/or after the link. Do note remove the ${link} as this will break the functionality. 

Email Template - Same as above, you can add text before and/or after the link. 

Page Header Text - This is the header displayed to the user above the link when they receive the message and click the link. 

Message on Reveal Secure Data - This is a message is revealed once the user shows the data from the link. 

Now that you have created a Client Portal using the "Client Portal Creation" KB article, it is time to invite your clients to use the CIient Portal. This can be done singularly or in bulk. Both will be described in this article.

To access the list of your clients who may be invited to the Client Portal: choose Ticketing -> PSA Contacts.

Singular Client Invite

First, find the user that you would like to invite. You can narrow down the options by putting search terms in the appropriate search box of the appropriate column. Next, click on the "monitor" icon on the appropriate user that you wish to send an invitation to.

Finally, when the dialog box appears, choose the appropriate Client Portal. If you set a password, this will be the password that the user uses in combination with their email address. If you leave the Password box blank, the user will be requested to update/create their password on the first login. 

The email will be sent out using the default Client Portal Invite template. If you wish to change this template, please review KB article "Customize Client Portal Invite Email".

Bulk Client Invite

First, choose the clients that you would like to invite to the Client Portal. They can be filtered by Company or any of the other searchable criteria. Once they invitees have been selected, click on "Send Invites" on the far, top, right side.

Finally, choose the appropriate Client Portal and then "Submit"

The email will be sent out using the default Client Portal Invite template. If you wish to change this template, please review KB article "Customize Client Portal Invite Email".

Click on Client Portal -> Ticket Defaults ->  Create Default.  This will create the default action taken when tickets are received through the Client Portal.

Some of the choices for some of the items may not appear as shown as they are configurable items in your PSA.

Client Portal -> Configurations -> Create Configuration. This will allow you to create as many Client Portals as you would with unique companies and users.

This configuration page allows the creation and customization of a client portal. Please note that the domain name needs to include "https://{nameofyourportal}.mspprocess.net" where "nameofyourportal" is substituted with your custom name. Hit "Submit" when complete. You may edit the resulting configuration to make changes.

Note, to add a Logo to the Client Portal, you have to complete the "Create Configuration" first and then you can go back and edit the Configuration.

Click on Client  -> Invite Email Template

Then click the checkbox as shown below to customize the default email template. Be careful not to remove links that are in use. You can also use the + to the left of the email body to add in any links needed. 

This support article will help you setup Schedule Notifications for ConnectWise Manage using our Automation Bots. 

Go to Data Sources -> App Bots

Click on Create at the top right corner as shown below: 

Click Enable and Select Process Identity and Non-Idenity fields as shown below:

Give it a name and select ConnectWise Scheduled Entry Observer

Click Integration and select ConnectWise and it will fill in all the integration fields. 

Then choose dataLastDays field and set it to a minimum of 3 days but we recommend 7 days. This will sync up scheduled data from the last 7 days so the system has a baseline for existing scheduled entries.

Click Submit. 

Once this is submitted the system will create a Data View for this App Bot. You can review the data by clicking Data and selecting the view. 

You can then setup notification rules to target this data:

Ex: When you want to send out a notification on a new scheduled entry for a tech, when an appointment is coming up or past due. 

Ex 2: Notify clients based on technician being scheduled on their ticket. 

Below is a sample notification where we are sending the tech a reminder notification 45 minutes before the call is due. Notice the last option should be turned on to skip the initial notification (ie when the resource was first scheduled). This prevents duplication on the notiifcations. 

If we did not use the repeat notification, then the system would just sent notifications when resources are scheduled on a ticket. 

To post updates from an email that was parsed to a ConnectWise PO you can enable this on the Notification level as shown below: 

Click Integration and select your integration PSA name and it will autopopulate the fields as shown below. 

The next screen you can right click in each of the fields and add the variables to it. 

Customize Opt In Templates

You can customize your Opt In Templates when sending them to clients. 

Do NOT remove the $url or any formating as it pertains to the url. Please only change the wording as removing the URL will remove the link the user will receive. 

SMS Template: is the Opt In Template language that is sent to the user via SMS if you choose to send an Opt In form to a mobile/cell number. 

PSA Ticket Note Template: This is the note logged to the PSA when an Opt In form is sent to the user. 

Email Subject Template: This is the subject of the Opt In Email. 

Email Header Template: This a header template if you would like to use a header at the top of the Email. 

Email Body Template: This is the body of the email and you can use HTML as well to design it. 

Be sure to add your logo to your tenant and turn it on for Email as shown below: 

Go to Portal Settings -> Settings to verify it is setup properly. 

Under Teams go to Notification Groups as shown below and click on Add New Group. 

Give your on call group a name and click Create. Disregard teams integration for now, that will be available in a future update for more automated on call settings.

Click on the edit button next to the Schedule Group you just created. 

Add in your users from your CRM/PSA by clicking From CRM users. You can also add users from MSP Process or add them manually using the new group button. 

Search and select all users. 

Click submit once you've added them all in. 

Now go to Teams -> Scheduling and click on the team via the first drop down shown in blue below. Once it is selected click New Schedule. 

Below is an example of an on call schedule creation with notes on the screen. 

You can choose to repeat every (x) number of weeks or days. Weeks it he most common use. The starting day will be the day the schedule starts so if you want it to start on a monday, be sure to select the first monday date you would like the schedule to start. 

Period Lengh I will update the doc on later with an explanation, please use 1 for now. 

The rule range can only be set 1 year out for now but we will adjust this in the future. 

Technician Verification via SMS

Social engineering attacks by bad actors at an MSPs clients are increasing. Bad actors are imitating the MSP / IT Service Provider attempting to gain access to a computer, server or network. CDK Networks was breached recently and they leveraged that breach to immitate the MSPs/Service Providers by calling on the dealerships in attempts to gain access to client computers and networks. 

The purpose for Technician verification is for the client of the IT company or service provider to verify the support company is legitimate before allowing access to their computer systems or providing sensitive information without verifying the caller. Typically, the systems available today provide a mechanism for the IT company verifying the end user calling in for IT support. This would be providing that same capability but in reverse.

The process could not be more simple. When you signup you receive a Verification Phone number. You simply provide this to all of your existing clients and let them know they can request a verification via SMS to it. 

1. The user sends a #verify message to the number you have provided to them. 

2. Each party is sent a randomly generated 6-digit code.

3. The Technician provides the code to the end user and assigns the verification to the ticket in progress for tracking. 

4. The end user types #confirm to the same number to confirm the verification was successful.

5. The user receives back an automated message showing the verification was completed successfully. 

To test it out send #verify to the phone number you selected above in the first step from your mobile phone. You will receive back a code automatically. 

The technician will also get a copy of this code in his PSA portal or inside our MSP Process webapp. ConnectWise is shown below for reference. 

Once the technician reads the code back to the user, the user can type in #confirm and send to complete the confirmation process. 

To setup Technician Verification: 

First go to Verification Settings -> Select Verification Phone Number. If one is not already selected, please select one to use. This number will be used for both End User Verification and Technician Verification purposes. So your users will only need to use the one number and they will receive codes for end user verification over the same phone number. 

Verification Policies

MSP Process enables MSPs to set individual Verification Policies on a per client basis. Within the policy a user can set a banner as well as shown below:

Show Verification on Load means it will load and display on the pod the first time the user creates or opens a ticket.

Open any support ticket or a new one for that client and the banner should show once the ticket loads. 

If you need to whitelist our IP or domains they are shown below: 

https://pod.mspprocess.com

https://app.mspprocess.com

https://api.mspprocess.com

Create a POD on Connectwise dashboard

In MSP Process, Click on Integrations -> PSA Integrations and then select your ConnectWise Integration. 

Then select the copy button as shown below to get the link needed for the CW Pod Setup. 

Then go into ConnectWise and select System -> Setup Tables. Once in setup tables search for the word manage and click into Managed Hosted API as shown below: 

Click the Plus sign to add a new Integration: 

You can then fill in the information below as shown. The link you copied will be pasted into the URL field. Once you fill in the info click Save and Close. 

We will then create one more by clicking the Plus again and setting up this one as a Service selection as shown below. All the settings are the same except for the name and the Screen should be set to "Service". Save and close once finsihed. 

Open your contact under Comapnies -> Contacts and then click the Plus or Configuration Gear box as shown to add the new Pod to your Contact Screen. Once you do you will need to login with your MSP Process credentials. 

Create a service ticket using your contact and add the Service pod to the service ticket as shown below. 

Please note that each of your users may need to add these pods to their layout (the last two steps above) but they should already be there for them to add to their view. 

NOTE: Before completing the steps in this KB article, please setup a Security Role in ConnectWise that has the permissions outlined in this KB article.

Login to ConnectWise as an Admin and select System -> Members -> API Members as shown below: 

Click on + as shown below: 

Fill out all required fields - including specifying the Role as the one you created earlier - and click the Save button.

Click on API Keys and then click on the + sign to add a new key: 

Give it a description and click Save: 

The keys will disappear after you click save and close so copy both now to a document or directly into MSP Process before you save and close in ConnectWise. 

Now login to MSP Process and click on Integrations and click Integrations -> PSA Integrations. Click + to Add CRM and select ConnectWise. 

Select ConnectWise

Enter your PSA Connection Details: 

The next screen will have you select all your ticket settings. You will need to click Validation after selection and then submit. All fields I show below are required. The other fields are optional. 

This article is for  verification using MSP Process portal. Some of our integration vendors do not support an embed capability where we can embed our End User verification in their app. In that case you can use the instructions below: 

Login to https://app.mspprocess.com

Go to -> Ticketing -> PSA Ticketing

Then search for the ticket number/contact etc and click on the lock to the right to initiate a verification. 

Click on the lock button to the right of the ticket you'd like to verify the user on. 

Then select the shield next to the Email or Phone Number you wish to use to verify your end user. Make sure the contact on the ticket has a mobile phone number on it if you are attempting to use SMS verification. 

Once verified you'll be returned to the verification screen and the contact will show in green for verified as shown below: 

The configuration is under Teams -> Live Chats. You create a chat profile and then there is a copy option to copy the configuration.

MSP Process (direct link inside app to Live Chat Configurations)

Once you get to this page you can Create a Configuration by clicking Create Configuration: 

Then fill out the pop up box with the info: 

Give your bot a configuration name (MSP Process Bot),

Select your PSA configuration. 

Give your bot a Widget Title (this name will be shown at the top of your chat window ie Your Company Name Chat Bot)

Leave Chat Sequences blank unless you have created a chat sequence. If you have you can select it here. If not, you can always add one and select it later. 

Put in your greeting message that will welcome users to your chat when they click it. 

Select Responsible Admins (The admins responsible for receiving Chats and responding). 

Choose an Accent Color for your website

Decide if you'd like to allow Website visitors to re-open a previous chat or not.

Then click Submit. 

Once you submit the chat you can go to Chat Sequences and add any sequences you'd like. 

Then you can go back to edit the Chat Configuration and add those to it as well as a logo/widget icon from your company. 

Then just click on the Copy URL button next to your newly added Chat and add this to the pages on your website you would like to the chat to appear: 

Once you've added it to your website you can then go to Live Chats button, Select your Live chat profile and see any incoming live chats on this screen as shown below: 

Click on the Eye next to any chat to view the chat and respond: 

To Turn on notifications when a user initiates a chat Click the profile icon to the top right, then turn on email and/or phone options to be contacted via email or SMS when a user initiates a chat. 

Live chats can be seen from the mobile MSP Process Tech App: 

From the MSP Process Portal you can also see incoming notifications about chat requests and manage all chats here as well: 

If you wish to turn a live chat into a ticket you can do so from this screen after clicking the Eye icon next to the chat. 

You can then see the options to select from quick ticketing or manually select the summary and board/status info. 

Introduction

At MSP Process we believe in only setting the minimum permissions required to leverage our application for your business needs. Please find the outline below along with a more granular review of the permissions. 

Adding a Security Role for MSP Process

1. Login to your ConnectWise Manager account
2. Navigate to System -> Security Roles
3. Add a new role, name it MSP Process, and give it the permissions listed below: 

Area	Permission
Companies	Company Maintenance: Inquire (All) Company/Contact Group Maintenance: Inquire (All) Contacts: Add/Edit/Inquire (All) CRM/Sales Activities: Inquire (All) Manage Attachments: Add/Inquire (All) Notes: Add/Edit/Inquire (All) Team Members: Inquire (All)
Finance*	Invoicing: Inquire (All)
Project	Project Tickets: Inquire (All)
Service Desk	Close Service Tickets: Add/Edit/Inquire (All) Resource Scheduling: Add/Inquire (All) Service Ticket - Dependancies: Add/Edit/Inquire (All) Service Tickets - Finance: Inquire (All) Service Tickets: Add/Edit/Inquire (All) SLA Dashboard: Inquire (All) Ticket Templates: Inquire (All)
System	Member Maintenance: Inquire (All) My Company: Inquire (All) Table Setup: Inquire (All)

* only required if using the Invoices tab within the MSP Process Client Portal

       4. Within the System area, click the customize link beside the Table Setup permission (screeshot below):

       5. Make sure that all of the entries are "allowed access" as shown below. You may then save and close the MSP Process Security Role.

 

API Endpoints Used by MSP Process

This is a list of all APIs we get information from or post using the API connections. Please adjust your permissions based on the details below. Please note that some of these API requests are part of other functions of our app and are not needed for End User and SMS utilization. 

Type	API (resource)	Description
GET	/company/companies/count	Check is connection is valid
GET	/company/companies/statuses	Get statuses (company filters)
GET	/company/companies/types	Get types (company filters)
GET	/company/configurations/statuses	Get statuses (configuration filters)
GET	/company/configurations/types	Get types (configuration filters)
GET	/company/configurations	Get configurations
GET POST	/company/companies	Get all companies
GET	/company/communicationTypes/info	For contact creation
GET POST	/company/contacts	For contact creation
GET	/company/noteTypes	note types
GET	/company/contacts/{contactId}/notes	contact notes
GET	/company/contacts/{contactId}	contact
GET	/company/contacts/count	contacts count
GET	/company/contacts/validatePortalCredentials	valiadate client portal credentials
POST	/company/contacts/requestPassword	request reset password

 

System

Finance

Service

Ticket Notes

Time Entries / Schedule entries

Click on Portal Settings -> Settings. Then Select upload new Image. 

Login to your lastpass vault and click on Advanced. Then turn off "Use Improved save and fill". 

Bulk Opt In Forms

They serve two purposes for MSPs. You can allow your users to opt in to receive SMS messaging prior to you sending them for support.

The system will also allow them to update their phone number if it is not the correct number for SMS. 

Before you begin we recommend setting up your company logo if you haven't already: 

Update your Company Logo (mspprocess.com)

Go to Ticketing -> PSA Contacts

On this screen you can set your Opt in template that shows the messaging that will be sent to your users on the email: 

Here is a sample of what one might look like: 

Filter by name, company or phone numbers. Then select the users you'd like to email the Opt In form and select Opt In as shown below: 

A review screen will come up that shows you any issues such as an incorrect format of the existing phone number. To receive SMS each contact needs to have the Country Code such as +1 in front of the number for US. We generally recommend emailing the Opt In forms but you can also choose to send via SMS as well as an option or mix and match depending on the company/user. 

Click submit once you are ready to email out the forms. Emails will be sent to everyone in the list and they will have the opportunity to update their contact number from the link in the email. 

The system will show if there are any errors (incorrect email/phone number etc): 

Here is a sample email received and how it looks if a user opens/clicks on their mobile phone as well: 

You can now send one or many opt in forms via email to your clients using the PSA Contacts screen. 

If you'd like to allow your user to update their mobile phone you can check that box. The preferred way to send Opt in should be email so that you don't send SMS without the users permission. 

Users will receive an email similar to the one below: 

Once they click the Opt in link they will receive a dialog like the one below to confirm they'd like to receive SMS and they can update their phone number in ConnectWise if you've allowed them to do so. 

Once they are opted in the system will show a checkbox that they've opted in. 

This data also shows in the ConnectWise Pod. You can send an Opt in Form from inside of ConnectWise. A green checkbox shows when someone has opted in: 

To change the language in the email that is sent you can use the options above: 

PSA Defaults allow you to predefine settings that will be used in SMS/Ticketing Processes.

Go to Integrations -> PSA Integrations

Click on the integration you have setup. In this case I'll use ConnectWise as an example. 

Select the defaults you'd like for the ticketing profile and click Submit

Name - Give your profile a name

Default Company - This is utilized when the system is not able to match a contact with a company. In this case the ticket will be set to your default company. We usually recommend this be your own business company in your PSA.

Type - Set the ticket type

Subtype - Set the ticket Subtype (optional)

Item - Set the Item (optional)

New Ticket Status - Set the new ticket status. This is the status we will set for new tickets that arrive. 

Closed Ticket Status - If you use close a ticket utilizing MSP Process it will use this status unless you select it. If the user closes the ticket it will set it to this status as well. 

SMS Received Status - When an SMS is received from a user the system can automatically update the status of the ticket. We usually recommend creating a status such as "SMS Received" that way whoever is working the ticket knows an SMS was received. 

Login to ConnectWise as an Admin and select System -> Members -> API Members as shown below:
 

Click on + as shown below: 

Fill out all required fields and click Save button: Be sure to set the permission to "Admin".

Click on API Keys and then click on the + sign to add a new key: 

Give it a description and click Save:The keys will disappear after you click save and close so copy both now to a document or directly into Alert Manager before you save and close in ConnectWise. 

Now login to MSP Process and click on Integrations and click Add CRM
 

Select ConnectWise: 

Input the settings for your integration. Please note your URL and Company ID will be the same that you use to login to CW. Ours is a test system URL. 

Select your Ticketing Defaults

Click on the View Icon shown below to see the details about the ticket and SMS chat.

Our SMS Conversation templates allow you to create templates for use when creating a ticket and enabling SMS. 

Click on SMS -> SMS Conversations as shown below.

From templates you can Add, Edit, Clone or delete existing templates. 

Adding an SMS Channel allows you to create a ticket and enable an SMS chat between you and the contact for the company. 

** IMPORTANT NOTE ** The system will use the ticketing defaults that are setup for that SMS Channel so that you don't have to select them each time. This allows you to generate tickets more quickly with less selections. 

To enable an SMS Channel go to Messaging -> SMS Channels

Click Add at the top right

Once you click Add then select the Company, Contact and a template or manually type in your subject and message. You can also create templates and use those for faster ticket creation. 

Our SMS Channel Configuration Options give you control over how you interact with your customers over SMS. For instance you may not want to allow them to send inbound SMS to create a support ticket depending on your workflows. In this case you can initiate the first SMS and allow the user to respond. Most MSPs are going to a two-way approach allowing their customers to send in tickets this way. It improves time to resolution by allowing customers to communicate on a platform they use all day long, SMS. 

How to Configure SMS Channels

Go to Messaging -> Configurations -> Add

CRM - Choose the PSA you intend to use that you've already setup under integrations. If you are an MSP or provider with more than 1 PSA you can utilize multiple ones and setup separate configurations for each. 

CRM Defaults - Choose your PSA Defaults that the system will use when a user sends in a ticket it will route to the board/queue with proper settings you've selected. 

Phone Number - Select one our avaialble phone numbers or request a new number with your own area code to use. This number can be utilized to send outbound SMS and receive inbound SMS to automatically generate tickets. 

Notification Group - Our Notification groups can be setup for On Call Scheduling to notify the technician on call via Email, SMS, Phone Call and Mobile App (coming soon). 

Allow Users to Create Channels - This allows your customers to send an SMS to your phone number above to generate a ticket and SMS channel. 

Confirm Messages to User - This setting means anytime a user sends in a message, they receive a confirmation text that the system received it and the ticket was updated. The system will by default send them back a message with their ticket info and instructions on the first SMS back to the user. 

Put Channels link to ticket - This adds a link to the SMS chat in MSP Process right into the ConnectWise ticket so the technician can easily click right into the SMS chat.