Introduction
Welcome to Dispel! This guide is intended to assist a new Organization Admin on the Dispel Dashboard. It will cover important settings, workflows, and features that an Admin may use to manage their organization members and resources in Dispel.
What is an Organization Admin?
An Organization Admin is a role within the Dispel dashboard with the highest permissions. They are able to see and edit all Members, Devices / ACLs, Stacks, Regions, and Facilities in their organization.
An organization admin has the ability to do the following:
Onboard members into the dashboard
Manage the following:
Organization settings
Member Groups
Virtual Desktop Stacks
Regions
Facilities
Devices and ACLs
Access Requests
View all dashboard logs
View recordings of Virtual Desktop sessions
Organization Settings
Org Settings Overview
The Organization Settings page is where an admin can make global changes to an organization, such as:
Requiring MFA for all users
Requiring users of various permission levels to request access to resources
Changing various password policy parameters
Multi-Factor Authentication Settings
Require multi-factor authentication
As an administrator, you have the option to require multi-factor authentication for all users within your organization. This option will be grayed out at first, as you will need to set up MFA for your own account before you can require it for the entire organization.
Do not ask for Dispel MFA for SSO users
This option eliminates the need for extra authentication when logging into the Dashboard if a user is set up with SSO (Single Sign-On) such as Microsoft Azure Active Directory. Non-SSO users would still need to use MFA if the previous option is enabled.
Access Request Settings
Require Virtual Desktop Users to request access
If this option is enabled, anyone within the organization with the role of VDI-User will have to request access to one of their assigned facilities in order to access a virtual desktop. This is a recommended setting for most organizations.
Require Organization Users to request access
If this option is enabled, anyone within the organization with the role of User will have to request access to one of their assigned facilities in order to access a virtual desktop.
Login Settings
Enforce password reuse policy
Prevent members from reusing previous passwords.
Enforce password min/max lifetime policy.
Set the minimum and maximum number of days a password can be valid.
Inactivity Lockout
Define how many days a user can go without logging in before they are denied access.
Integrating with Okta
When using the Dispel Dashboard, you have the option to integrate and manage members through Okta. If you are looking to do this, please visit our collection on Okta:
Onboarding Members
Inviting members to your organization
To start, click on the Members tab to the left:
Once there, click the invite button:
Input the email of the person you would like to invite, select the permission level (role) for their account, and select the language for the invitation. Once configured, click Invite this member. An email will be sent to them containing an invite link that they can open to set up their Dispel account.
Roles
Organization roles are used to determine the level of permissions a member has on the dashboard. Regions and facilities each have permission levels as well.
There are three types of organization roles:
Admin - An Organization Admin has the ability to make changes to anything in the organization. It is important to issue this role sparingly!
User - An Organization User can use the Dispel Dashboard as well as the Dispel VPN applications. They can be an admin of a Facility, as well as an access approver for a facility.
VDI User - A VDI-User can only use the Dispel Dashboard to reserve a virtual desktop after an approved access window. This role is often assigned to vendors and those who need the minimum amount of permissions to perform their work. Similar to an Organization User, they can be an access approver for a facility if an admin grants them that permission.
Changing Member Roles
Navigate to the Members page and click settings for the member whose role you would like to change:
Removing Members
To remove a member, navigate to the Members page, click the three dots next to their name and then click Remove member.
Managing Regions
Adding Members to a Region
To add a member to a Region, click onto the Regions page, select the Members tab, and then click Add member.
Here you will be prompted to enter the email address of the person you are inviting:
On the members list, you can adjust the member’s permission level for that Region.
You can remove members from the Region by clicking the three dots next to their email on this page and clicking Remove member from region.
Note: removing a member from a region will also remove them from any facilities within that region. This will also remove them from any devices in that facility and disable any ACLs assigned to them on those devices.
Managing Facilities
Adding a Member to a Facility
Navigate to the Facilities page, click into the Members tab, then click Add members.
Select the members you would like to add to the Facility, set their permission level, and click Add selected members.
Facility Permission Levels
Admin - A Facility Admin has the ability to see and manage all Facility members, devices, and accesses. They are also automatically added to the Access Approvers list.
User - A Facility User is restricted to only being able to see and access what they are explicitly given access to. They are only able to see the admins in their Facility, devices they are given permission access to, and their own access requests.
Access Requests
If your organization has Access Requests enabled, then non-admin users will be required to request access for a determined period of time prior to using a virtual desktop or VPN. Approvers have the ability to approve these requests via email, a direct link to the request, or on the Access Windows page.
Approvers Page
If you navigate to the Settings tab under Facilities, you are able to determine who is an approver of the Access Requests mentioned above. These users will receive request emails and can approve or deny requests on the Access Windows page. These users can be non-admins that are trusted to approve requests in their respective Facility.
They can be added by simply typing their email address and clicking Add members to approvers list. They can be removed by clicking the three dots next to their name and then clicking Remove approver.
By default, any member added to the Access requests page has emails for requests enabled. If a member would like to opt out of request emails, they are able to click the blue drop-down menu to the right of their name and click No Email.
Managing Devices
Devices are stored at the Facility level. This allows for organizations to have devices that are segmented into their respective sites instead of having one large pool of devices for the entire moving-target defense network.
With regard to Devices, a Facility Admin has the ability to:
Create, edit, and delete devices
Assign and remove ACLs for members in their Facility
Creating a device
Navigate to the Devices tab on the dashboard and click Create.
Next, enter the appropriate information for this specific device. (Make and model are optional fields).
At the bottom of the prompt, you will be given the option to add the protocols you would like to use to connect to this device.
Enabling and disabling ACLs (Devices Page)
Devices function by enabling specific ports and protocols on a user-by-user basis. These ACLs are set by an admin and will remain inactive until a member's access window is approved. The ACLs are returned to inactive at the end of the access window.
Navigate to Access on the Devices page to view the ACLs for a specific device
Once on this page, you can either click the port / protocol to enable or disable it, or click the three dots on the right-hand column to perform a bulk add / remove.
While non-admins only have access to device ACLs during a given access window, an admin will have access to these ACLs as long as they are enabled for them.
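A small Python model of the ACL rules described above, added here as an illustration; it is not Dispel code and does not reflect Dispel's API or data format. The class names, fields, sample members and devices are all assumptions, and an access window is assumed to stop applying exactly at its end time.

```python
from dataclasses import dataclass
from datetime import datetime

# Simplified model only: NOT Dispel's API or data format. All names are assumptions.
@dataclass(frozen=True)
class Acl:
    member: str
    device: str
    port: int
    protocol: str
    enabled: bool  # toggled by an admin on the Devices or Members page

@dataclass(frozen=True)
class AccessWindow:
    member: str
    start: datetime
    end: datetime
    approved: bool

def in_window(member, windows, now):
    """True if the member has an approved window covering `now`."""
    return any(w.member == member and w.approved and w.start <= now < w.end
               for w in windows)

def effective_acls(acls, windows, admins, now):
    """Return (active, standing): ACLs usable at `now`, and the subset that
    is usable with no access window at all (enabled ACLs held by admins)."""
    active, standing = [], []
    for acl in acls:
        if not acl.enabled:
            continue  # a disabled ACL is never usable, window or not
        if acl.member in admins:
            active.append(acl)
            standing.append(acl)
        elif in_window(acl.member, windows, now):
            active.append(acl)
    return active, standing

# Constructed sample data (hypothetical members and devices)
ADMINS = {"admin@example.com"}
ACLS = [
    Acl("admin@example.com", "plc-01", 502, "tcp", True),
    Acl("vendor@example.com", "plc-01", 502, "tcp", True),
    Acl("vendor@example.com", "hmi-02", 3389, "tcp", False),
    Acl("operator@example.com", "hmi-02", 3389, "tcp", True),
]
WINDOWS = [
    AccessWindow("vendor@example.com", datetime(2024, 5, 1, 9), datetime(2024, 5, 1, 17), True),
    AccessWindow("operator@example.com", datetime(2024, 5, 1, 9), datetime(2024, 5, 1, 17), False),
]
```

The `standing` list is the one to review periodically, since those ACLs do not expire with an access window.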
Enabling and Disabling ACLs (Members Page)
This option can be useful if you want to give a specific member ACLs to multiple devices at a time. Navigate to the Members page, select the relevant person, and then click Devices.
Here, you will see all the devices associated with this member. Just like in the Devices page, you are able to add/remove any ACLs you would like them to have here.
Editing a device’s settings after creation
The General tab allows you to change the basic attributes such as the name, make, and model of a device.
The Connection tab allows you to edit the networking information, such as the IP address, the ports, and protocol for those ports.
Managing Stacks
Stacks refer to the collection of Virtual Desktops that members reserve in order to perform their work. They automatically regenerate to reach a given number as members delete them after use.
Adding Members to a Stack
Members can be added to a stack by navigating to the Stacks page, clicking into the Members tab, clicking Add member, and then entering their email address.
Additionally, members can automatically be added to a stack by navigating to the Access tab under Settings on the Stacks page.
Reserving a Desktop as an Admin
On the Stacks page, navigate to the desired Stack, click into the Virtual Desktops tab, and then click Reserve.
Click Quick Connect after you reserve your Virtual Desktop and a download for a Remote Desktop session will start. Your password will automatically be copied to your clipboard. Open the downloaded file, paste the password in the Remote Desktop client that appears and you will be taken to your Virtual Desktop.
Deleting a Reserved Desktop
Once you are done with your Desktop, you can delete it by clicking the three dots to the right of Quick Connect and then clicking Delete desktop.
This will delete your reserved Virtual Desktop and begin the process of creating a new one.
Access Windows
What are Access Windows?
Access Windows is a feature that allows admins to grant just-in-time access to users and vendors who need to use the Dispel platform, all managed within the web dashboard.
An admin has three options to approve or deny just-in-time access requests:
The admin can use the Access Windows feature to approve or deny just-in-time Access Requests
Access Requests can be approved or denied via automatic emails that are sent to the admins and facility access approvers at the time of a request
The user can copy and paste a link that leads directly to the request and send it to their admin or facility access approver
Alternatively, an Admin can choose to create a pre-approved Access Window for a user so that there is no need for a request / approval cycle.
To read more about the Access Windows feature, see the guide attached below:
Groups Feature
Groups is a feature on the Dispel Dashboard that focuses on two improvements to the admin workflow:
Simplifying the onboarding of new users by assigning predetermined permissions.
i.e. "Vendors" and "Operators"
Faster bulk actions for assigning user permissions and device ACLs (Access Control Lists) to existing users.
To read more about this feature, see the guide attached below:
Dashboard Logs
What is the Logs feature?
The Logs tab captures events on the Dispel dashboard. Some examples of these events include:
Member sign-ins
Virtual Desktop reservations
Access Requests being approved or denied
To read more about this feature, see the guide attached below:
Virtual Desktop Screen Recording
Screen Recording Overview
Some Dispel deployments use RecordTS on VDI stacks configured to record sessions. This allows admins visibility into what users are doing while accessing resources through Dispel virtual desktops.
To read more about this feature, see the guide attached below: