Working Remotely

Welcome to the New York State Office of Information Technology Services (ITS) "Working Remotely" page. To work remotely is to access your agency's network while you are away from your primary workstation. This site contains resources and common troubleshooting tips to support individuals who may be working remotely. 

Request RSA SecurID Token 

To access your agency's network and necessary applications remotely you will need to request and activate an RSA SecurID token. 

An activated RSA SecurID authentication token will enable you to access programs such as the Outlook Web Application (OWA), Office 365 (O365) products including SharePoint, and Virtual Desktop Infrastructure (VDI).  

To obtain a token you will need to submit your request through https://mytoken.ny.gov/. For detailed instructions, click on the RSA SecurID Token tab above. 

The ITSM Self-Service Portal [https://nysitsm2.service-now.com/sp

The ITSM Self-Service Portal can be used to check the status of a ticket or request assistance. Please click the link above and sign into the self-service portal.

RSA PIN Reset: If you need to request a RSA Pin Reset, Log in to https://mytoken.ny.gov/ using your email address and password. Then click Troubleshoot

Report other RSA token issues: For additional RSA assistance, please visit https://its.ny.gov/rsa-token to view important "How To's", answers to common questions, Troubleshooting help, User Guides, tips and instructional videos.

When working remotely, which option is right for me? 

"I need access to email and Microsoft Office products (Word, Excel, etc.) and the ability to share files with others via SharePoint or OneDrive though Outlook Web Access (OWA)."

What equipment do I have or need? State-issued or personal device with Internet access and an RSA Token. 

Where do I go? https://portal.office365.com

Where can I find instructions? Click on the O365 tab above. 


"I need to access the ITS Service Management System (ITSM) and the Statewide Learning Management System (SLMS)."

What equipment do I have or need? State-issued or personal device with Internet access. *An RSA Token is not Required.

Where do I go? https://my.ny.gov

Where can I find instructions? Sign in with your my.ny.gov username and password and select the application you need to access.


"I need access to my full desktop I use in the office, including my agency-specific applications."

What equipment do I have or need? Windows based personal device with internet connectivity and an RSA Token or State issued device that does not have the PulseSecure Client VPN installed.

Where do I go? SSL VPN - https://nysra.ny.gov/MRA

Where can I find instructions? Click on the Remote Access SSL VPN tab above.


"I need access to my Virtual Desktop (VDI) since I am a VDI user in the office and require access to my full desktop. I don't have a PC to log into at the office. I have VDI thin client or zero client at the office."

What equipment do I have or need? VMWare Horizon Client application and RSA Token.

Where do I go? https://desktop.ny.gov

Where can I find instructions? Click on the Virtual Desktop tab above.


 

Generally, the following must be completed before an individual can begin working remotely. If you have questions regarding working remotely, please discuss with your supervisor or refer to your Agency's policy. 

1. Working Remotely Online Training

NYS Agency Staff:

Please follow your agency's specific policy and mandate for training and remote work.

NYS Office of Information Technology Staff: 

All ITS employees are required to complete and pass the "How to Work Remotely" online training course before beginning to work remotely. This course covers the technical aspects of working remotely and can be found in the Statewide Learning Management System (SLMS) using code ITS_Work_2019 or by clicking the link here. 

2. Hardware

Your Agency may or may not provide you with any additional hardware for the sole purpose of working remotely. Subject to your agency's discretion, employees who have been approved to work remotely  may be permitted to use their personal devices, such as a personal desktop computer, laptop, tablet, and/or smartphone. ITS will not be responsible for any hardware issues that may occur on personal equipment because of the program. Users are responsible for keeping their personal devices functioning.  The ITS Service Desk cannot answer calls and/or respond to tickets that are related to personal device hardware issues. 

 


Please note that individuals must be approved to work remotely and secure appropriate access prior to doing so.

RSA SecurID Token

RSA SecurID is a multi-factor authentication technology that is used to protect network services. The RSA SecurID authentication mechanism consists of an assigned hardware or software "token" that generates a dynamic authentication number code at fixed intervals. Users provide the unique number code when logging into a protected service from any network outside the State network.

For any questions regarding using RSA SecurID for working remotely, please discuss with your supervisor or refer to your Agency's policy.

RSA Training Videos

How to use the RSA Self-Service Console and Choosing a Token

Software Tokens

How to Request and Activate a Software Token

How to Use a Software Token

How to Log into Office 365 with a Software Token from a computer

Hardware Tokens

How to Request and Activate Hardware Token

How to Use a Hardware Token

How to Log into Office 365 with a Hardware Token from a computer

RSA User Guides

RSA Token Request Job Aid

RSA Quick Reference Guide

RSA Help Section

What is Multi-Factor Authentication (MFA)? 

Multi-Factor authentication (MFA) is a security system that requires more than one method of authentication from independent categories of credentials to verify the user's identity for a login. 

What is a Token Passcode?

For a Software Token, your Token Passcode is the eight-digit number generated after entering your PIN on the RSA App. On your Soft token, the passcode refreshes every sixty seconds. If you have difficulty logging in after providing the passcode, ensure the correct PIN was entered. 

Your Hard Token generates a random, six-digit passcode every sixty seconds, also known as a Token code. Your Token Passcode is your PIN followed the Token code (the six random digits) from the Hard Token, with no spaces between them. 

How do I request a new token?

Log in to https://mytoken.ny.gov/ and request a new Token. You must mention that you are replacing your existing Token. You are only allowed one Token at any given time. 

Should I use a hardware or software token? 

Software tokens are the preferred method. Hardware tokens can become lost or stolen. 

I forgot my PIN, what do I do? 

If you forget or need to change your PIN, log into the Self-Service Console using your email address and password at https://mytoken.ny.gov/, then click "Change PIN". 

What is "Next Token Code Mode" and what do I do about it?

After entering too many incorrect passcodes, you may be required to enter a next Token code. If using a Soft Token, wait and then enter the next available passcode shown. If using a Hard Token, wait and then enter the next available Token code shown (random 6 digits). Do NOT enter PIN + Token code. 

I am locked out of my RSA Token account, what do I do?

Go to https://mytoken.ny.gov/, do not login. Click on "Troubleshoot SecurID Token". Enter your email address and answer the identifying questions. Upon submission of correct answers, your RSA account will no longer be locked. 

I lost/damaged my hardware token. 

Log into the Self-Service Console and request a new hardware token noting that the current one is broken or lost. If broken, send to: 

RSA Enterprise Platform Admins 

WA Harriman Campus Bldg. 8 Room 331 

Albany, Ny 12227. 

Where do I return my RSA token? 

RSA Enterprise Platform Admins 

WA Harriman Campus Bldg. 8 Room 331 

Albany, Ny 12227.

Office 365 is a collection of apps and cloud services that you can use to be productive across a variety of devices from just about anywhere. Office 365 (O365) is a cloud-based version of the Microsoft Office suite. For New York State employees, Office 365 includes online versions of Word, Excel, PowerPoint, and SharePoint. 

When you log in through your web browser, you can access Office 365 anywhere you need to work and without having an installed version on your desktop or device.  Office 365 also includes One Drive for cloud storage and sharing.  

When working remotely, employees can always use the VMware Horizon Client to access their virtual desktop but many employees do not need to. Most employees will be able to perform all their duties by just using Office 365. For any questions regarding using O365 for working remotely, please discuss with your Supervisor or refer to your Agency's policy.

Office 365 Training Videos 

How to Log into Office 365 with a Software Token from a computer

How to Log into Office 365 with a Hardware Token from a computer

 

Office 365 Quick Start Video Guide

Word Online

Excel Online

PowerPoint Online

Outlook on the Web

SharePoint Online

OneDrive

Office 365 Help Section 

I do not know how to sign in. 

Sign it to Office 365 using your full work email address and your network password. You will also need to enter an RSA token passcode. 

Can I access a shared inbox through Outlook on the web? 

Yes. You will have access to any shared mailbox that you have in the Outlook Client that is installed on your workstation PC. 

How secure is Office365? 

Microsoft has robust policies, controls, and systems built into Office 365 to help keep our information safe.

Virtual Desktop Infrastructure (VDI) 

Virtual Desktop Infrastructure (VDI) is the practice of running a user's desktop inside a virtual machine that lives on a server in a data center. All profile settings, installed applications, and the operating system are stored and managed centrally. Centralized desktop images, applications and files make data security more manageable, regardless of whether an employee is accessing the virtual desktop from within the state network (at their work desk) or while outside the state network (e.g. from a home Internet connection or a Wi-Fi hotspot). Files should be saved to network drives in order to be accessed via VDI. Files saved on local drives such as the Desktop, or C: Drive cannot be accessed.

The Office of Information Technology Services uses a specific software program called VMWare Horizon to use the Virtual Desktop Infrastructure. For any questions regarding using VMWare for working remotely, please discuss with your Supervisor or refer to your Agency's policy.

Horizon VMWare Training Videos 

Microsoft Windows Videos

How to Install the VMWare Horizon Client on Microsoft Windows PCs

How to Connect to your Virtual Desktop From a Windows PC

Apple & iOS Videos

How to install the VMWare Horizon Client on Apple Mac Computers

How to install the VMWare Horizon Client on Apple iOS Devices (iPhone, iPad)

How to connect to your virtual desktop from an Apple Mac

How to connect to your virtual desktop from a iOS device

Google Videos

How to install the VMWare Horizon Client on Google Chromebooks

How to connect to your virtual desktop from a Google Chromebook

Android Videos

How to install the VMWare Horizon Client on Android Devices

How to connect to your virtual desktop from a Android Devices

VMWare Horizon User Guides 

VMWare Horizon User Guide.PDF 

VMWare Help Section 

Is VDI the same desktop as my work site computer? 

No, files that are stored on your C: drive or Desktop will not be available when using VDI. 

My VDI session froze. How do I get back in to the VDI session? 

Use the "send Ctrl-Alt-Delete" button at the top of the session to unlock the computer. Turn off the device, wait 4-5 minutes and try logging back on. Your session should restart with a new virtual machine (new desktop). 

What are some benefits of VDI? 

VDI can yield significant benefits to New York State in terms of service, manageability, security and cost. Below are some of the key benefits of VDI: 

VDI eliminates the physical management issues for desktops, since all resources (CPU, memory, storage etc.) are managed centrally. VDI also reduces time spent managing networks because you only need to address software issues on one server as opposed to each individual machine. 

VDI can dramatically drive down cost of hardware and support, when compared to the costs of Desktop PCs. 

Centralized desktop images, applications and files make data security more manageable regardless of whether an employee is accessing the virtual desktop from within the state network (at their work desk) or while outside the state network (e.g. from a home Internet connection or a Wi-Fi hotspot). 

I'm getting an error message stating that I am "Not entitled to use the system"? 

You will need to request access to your agency's VDI pool. Please contact the Enterprise Service Desk or your local Service Desk and request access.

Remote Access SSL VPN

The following Agencies currently have access to SSL VPN which is accessed with the directions below. If your agency is not listed please check again tomorrow, we plan on adding support for additional Agencies over the next couple of days. 

Before beginning, this method of VPN will only work under the following circumstances: 

  • You are trying to connect to your work computer from an outside computer. 
  • Your work computer must remain on. 
  • You must be using a Windows computer; this will not work on a Mac.

(AGM) Dept. of Agriculture and Markets

(APA) Adirondack Park Agency

(DCJS) Division of Criminal Justice Services

(DCS) Dept. of Civil Services

(DEC) Dept. of Environmental Conservation

(DHR) Division of Human Rights

(DHSES) Dept. of Homeland Security and Emergency Services

(DMV) Department of Motor Vehicles

(DOB) Division of Budget

(DOCCS) Dept. of Corrections and Community Supervision

(DOH) Dept. of Health

(DOL) Dept. of Labor

(DOS) Department of State

(DOT) Department of Transportation

(DPS) Department of Public Service

(DTA) Department of Tax Appeals

(DTF) Department of Taxation and Finance

(GAMING) NYS Gaming Commission

(GOER) Governor's Office of Employee Relations

(HCR) NYS Homes and Community Renewal

(HESC) Higher Edu Services Corp

(ILS) Indigent Legal Service

(ITS) Information Technology Services

(JC) Justice Center

(JCOPE) Joint Commission on Public Ethics

(NYSPI) NYS Psychiatric Institute

(OASAS) Office of Alcoholism & Substance Abuse Services

(OCFS) Office of Children and Family Services

(OFA) NYS Office for the Aging

(OGS) Office of General Services

(OMH) Office of Mental Health

(OMIG) Office of Medicaid Inspector General

(OPDV) Office for the Prevention of Domestic Violence

(OPWDD) Office for People with Developmental Disabilities

(OTDA) Office of Temporary Disability Assistance

(OVS) Office of Victim Services

(Parks) Parks, Recreation, and Historical Preservation

(SCOC) State Commission on Corrections

(SLA) State Liquor Authority

(VA) Division of Veterans Affairs

(WCB) Workers Compensation Board

Click here to view and download PDF of instructions

Client VPN

Client VPN is an application that creates a secure connection from your state- issued device to NYS network. 

Before beginning, this method of VPN will only work under the following circumstances: 

  • You are trying to connect to NYS network; 
  • You have NYS State issued device; and 
  • The VPN Client is installed. 
  • The client is typically installed on most windows-based state issued devices and preconfigured. This allows for quick connection once you’ve entered the RSA Passcode when prompted. 
  • How to determine if the VPN Client is already installed.

The following Agencies currently have access to the new Client VPN (please see instructions below.)

(AGM) Dept. of Agriculture and Markets

(DCJS) Division of Criminal Justice Services

(DCS) Dept. of Civil Services

(DEC) Dept. of Environmental Conservation

(DHSES) Dept. of Homeland Security and Emergency Services

(DMV) Department of Motor Vehicles

(DOB) Division of Budget

(DOH) Dept. of Health

(DOL) Dept. of Labor

(DOS) Department of State

(DOT) Dept. of Transportation

(DPS) Dept. of Public Service

(DTF) Dept. of Taxation and Finance

(GAMING) NYS Gaming Commission

(GOER) Governor’s Office of Employee Relations

Indigent Legal Service

(ITS) Information Technology Services

(JC) Justice Center

(JCOPE) Joint Commission on Public Ethics

(OASAS) Office of Alcoholism & Substance Abuse Services

(OCFS) Office of Children and Family Services

(OGS) Office of General Services

(OMH) Office of Mental Health

(OPWDD) Office for People with Developmental Disabilities

(OTDA) Office of Temporary Disability Assistance

(SLA) State Liquor Authority

(WCB) Workers Compensation Board

(OFA) NYS Office for the Aging

(DOCCS) Dept. of Corrections and Community Supervision

(HCR) NYS Homes and Community Renewal

(OMIG) Office of Medicaid Inspector General

(Parks) Parks, Recreation, and Historical Preservation

How to Check if You have PulseSecure Client

1. Check for pulse secure

Turn device/laptop on, login with your NYS credentials, connect to internet service and see if Pulse Secure/Always On is on the device:

If after a short period the PulseSecure popup (below) appears, you have PulseSecure:

If no screen pops up, click the up arrow /\  at the bottom right of your computer screen (as below):

If you see the following icon somewhere in the group, you have Pulse:

You can see the status of your connection.

*If not, your device does not have PulseSecure and you should refer to one of the other methods of connectivity listed on the Overview page. 

Should you utilize remote access, please note the following requirements: 

  • Employees who use their own personal electronic devices for official New York State business must ensure that their use is in full compliance with the New York State Information Security Policyand the New York State Acceptable Use of Technology Resources Policy, as well as their agency's work rules, ITS Enterprise technical standards and ITS mobile/personal device technical standards and policies. 
  • Do not download or save sensitive or confidential data to a personal device. If you inadvertently do save or download such data to your personal device, you should take immediate steps to permanently remove the data from your device by deleting it from the location where you have it stored, and then deleting it from your recycle or trash bin.   
  • Ensure that you have a strong password to protect access to your personal device and that that password is not shared with others, including friends and family.  Do not reuse your personal passwords for work purposes. Use complex passwords and change them in accordance with your agencies' policy. 
  • Do not accept "remember my password" prompts.  Securely log in each time you utilize remote access. 
  • Explicitly log out of all browser and VDI sessions when not actively in-use, do not just 'X' out of the active window. If you do not log out, others with physical access to your device could gain unauthorized access to agency data.  
  • To the extent possible, ensure that your personal device is fully patched with the latest security patches.  
  •  To the extent possible, ensure your personal device is using a current and up-to-date anti-virus/threat solution, a personal firewall, and a malicious content blocker for your web browser. Microsoft Windows devices come with Windows Defender which provides these things.
  • When traveling with your portable device, ensure that you keep it in your physical possession at all times.  
  • When utilizing Wi-Fi, ensure you only connect to known and secured networks. If use of public wi-fi becomes a necessity for connectivity, ensure that you explicitly ask the hosting organization (e.g., library, coffee shop) for the correct network to join. Be mindful of shoulder surfing and do not leave printed documents on public printers where they can be seen by unauthorized individuals. 
  • "If your State-issued remote access device has been lost or stolen, you must immediately contact your supervisor and your agency information security officer or designated information security representative. If you believe your State-issued remote access has been compromised, immediately contact the NYS Cyber Command Center at (518) 242-5045 or email [email protected].  

Due to the ongoing COVID-19 global emergency, employees are turning to teleconferencing platforms to conduct meetings in order to continue business operations. Unfortunately, threat actors are taking advantage of the increased use of these platforms to obtain sensitive information, eavesdrop on meetings, or conduct other malicious activities.

To protect against teleconferencing attacks, we recommend you implement the following general practices, when offered and practical, if available:

  • Select appropriate access options as part of the meeting set-up (such as turning off attendee videos, muting all attendees, and preventing attendees from sharing their screen).  
  • Ensure that you are using the most up-to-date version of the platform.
  • Do not click on any meeting invitations from unknown senders.
  • Beware of look-alike domains. Carefully inspect meeting invitation links to verify the address of legitimate websites (e.g., webex.com, zoom.us, zoom.com).
  • Do not share meeting invitations publicly, such as on public websites or in social media forums (e.g., Facebook, Twitter).
  • Schedule a meeting instead of using "personal rooms" or "personal meeting IDs" for meetings. This will ensure use of a one-time link.
  • Require a password to join the meeting.  
    • Set a strong password that cannot be easily guessed.
    • Set a different password for every meeting.
  • Do not allow attendees to join before the host.
  • Use a "waiting room" feature to keep participants from joining the meeting without host approval.
  • Use an entry/exit tone or announce name feature to prevent someone from joining the meeting without your knowledge.
  • Remove any unknown participants from your meeting and choose settings that do not allow them to re-join.
  • Lock the meeting once all attendees have joined.
  • Share an individual application or window, instead of sharing your desktop to prevent accidental exposure of sensitive information to your screen.
  • Manage screensharing through a host to prevent someone from randomly taking over what is shown on the screen.
  • Do not use other applications (e.g. Facebook) to sign into teleconferencing meetings to limit the amount of personal data the teleconferencing platform has access to.
  • Consider disabling the chat feature to prevent unwanted messages from being displayed.
  • If calls are recorded:
    • Set a password for your recording.
    • Delete recordings after they are no longer needed.
    • Do not upload recordings to a shared platform (e.g., Dropbox, Sharepoint) that is open to unauthorized parties.
    • If your teleconference comes under attack, immediately go the participants list if available, identify the offending actor, remove them from the meeting, and lock the meeting. Consider putting all other attendees on mute if you have not already done so.
  • If your teleconference comes under attack, immediately go the participants list if available, identify the offending actor, remove them from the meeting, and lock the meeting. Consider putting all other attendees on mute if you have not already done so.

Cleaning Sensitive NYS Information from Personal Devices 

Employees who use their own personal electronic devices for official New York State business must ensure that their use is in full compliance with the New York State Information Security Policy and the New York State Acceptable Use of Technology Resources Policy, as well as their agency's work rules and ITS Enterprise technical standards, including ITS mobile/personal device technical standards and policies. 

Employees must not download or save sensitive or confidential NYS data to a personal device. If you inadvertently do save or download such data to your personal device, or your device automatically backs up items, you should take the following steps to ensure that no sensitive New York State data remains resident on that device. 

To prevent unintentional deletion of data from NYS systems, you should not be remotely logged in with your New York State credentials when performing these actions. 

  • Clear any saved passwords to NYS resources 
    Security best practice discourages saving passwords in your web browser. All passwords to New York State resources that are saved within a web browser should be cleared. The option to remove saved passwords is found in most browser configurations under privacy or security settings, or browser history. 
  • Delete locally saved files 
    This includes, but is not limited to, screenshots, photos, emails and files that were directly downloaded or created. Files may be present in the “Downloads,” “My Downloads,” “Documents,” or “My Documents” folder. Documents downloaded from email attachments, SharePoint or other web-based resources may also be stored in temporary locations on your system’s hard drive. Use the Storage Sense or Disk Cleanup utilities in Windows, and selecting Temporary Files and Temporary Internet Files, to remove these files. 
  • Remove Microsoft Office Suite (e.g., Excel and Word) autosaved files 
    Microsoft Office products may automatically save documents to an AutoRecover location commonly found under File -> Options. Select “Save” in the left column and the right column will show the path next to “AutoRecover file location.” Browse to this path to see files that may need to be deleted. 
  • Delete Microsoft Office Document Cache 
    Microsoft Office may cache documents for faster viewing. These cached files should be deleted. Click Start (Windows Icon), Microsoft Office Tools, Office Upload Center, Settings and choose the option to delete cached files. 
  • Clear browser cache and history 
    Web Browsers such as Internet Explorer, Chrome, or Firefox retain some information from web sites that you have visited in the browsers cache. The option to clear the cache is usually found within browser settings under browser data or browsing history. 
  • Ensure all NYS data has been removed 
    If any other NYS data not explicitly mentioned above has been saved to your personal device, please remove this data as well. This may include notes written as text files, files in paint, or Adobe documents. 
  • Empty the Recycle Bin 
    To finalize deletion, the Recycle Bin should be emptied after you remove locally saved files.

"What is Remote Access?"

Remote access is a way to access New York State IT systems from home or other off-site locations.  A description of the remote access solutions is available at https://its.ny.gov/working-remotely

From your personal computer, you may access many New York State IT systems directly from just a web browser.  Microsoft Office 365 Web Access (OWA) is one example of this.  The other remote access solutions that may be available to you from your personal computer are SSL VPN or VDI. 

"Will remote access keep my data safe?"

Yes. The connections are encrypted which prevents data from being intercepted. The use of SSL VPN, VDI, or OWA only grants your personal computer limited access to remote connect to your work computer, the VDI system, or Microsoft Office and does not allow your work computer to access your personal computer. 

"Will using remote access install software on my personal computer?"

Yes. SSL VPN installs Host Checker which is only used to verify that your personal computer is running a supported version of its operating system, is patched, and has functioning antivirus software.  VDI installs the Horizon Client, which is used to access the VDI system.  Neither software runs in the background after you log out.

"Will using SSL VPN, VDI or OWA grant NYS access to my personal computer?"

No.  None of the remote access solutions grant NYS access to your personal computer.  

"Would ITS be able to access logs or other information that reveals how my personal computer has been used other than the connection to NYS?"

No. During the remote access connection, activities that occur through the encrypted remote connection to NYS through OWA, SSL VPN, and VDI are logged, however, activities that occur outside of that connection are not. 

"Does using remote access require an administrator user account on my personal computer?"

Before using SSL VPN or VDI the first time, you must install the Host Checker or Horizon Client, respectively. These installs both require administrative rights.  After installation, you should run SSL VPN or VDI with a non-administrative user account on your personal computer. OWA does not require an installation or administrator privileges to access. 

"Why can't I access my V drives from my personal computer?"

This would create a security risk to NYS systems and data.  Instead, you may access your V drive or other mapped NYS drives within your remote connection to your work computer from an SSL VPN connection, from within a VDI session, or from a NYS issued laptop computer using VPN. OWA will not grant access to the V drive or other NYS mapped drives. 

"Does the use of a soft token on my personal mobile device give NYS any access to my personal mobile device?"

No.  The soft token on a mobile device only stores an encryption key unique to that device.  The encryption key is used to provide an additional authentication factor for your remote login.  This greatly reduces the ability for someone to impersonate you and login into NYS systems inappropriately.