Then I'd assume its a limitation of the free account and probably on purpose.

Why don't you just make a second admin account? 

I'd love to see a mapping of the domain name to OAUTH user source in Control -- so these 5 domains go to this OAUTH client.. and anything else goes to the local source for example.  

When a user enters their email address Control would know where to send them for login the same way Microsoft does when you enter a domain that is using federated auth.

I'd like this as well, not to have the accounts bypass MFA but allow login at all from a defined set of IPs (with MFA as well)

Caitlin,

David's one of my guys so as a point of clarification...

The problem with the side dock is that you can't go full screen with the remote session and keep it docked on the side.  As soon as I maximize the window the helper dock goes away.  

I just discovered I can go back to the top and it pops back up, but maybe an option to just have those stay present even when full screen along with the ability to take the helper pod and pop it out to a full browser window when needed.

It would be nice to be able have the IPs from the Cloud tenants pushed out to the clients as well -- so the primary connection can be via DNS, but if for some reason DNS resolution isn't working it could still connect via IP.  

I understand that the IPs on the cloud side can change from time to time and that I believe as things stand now, the config in question would only be refreshed when the client is installed... so understand that this might not be as simple of a change, but I think it would provide a great value.. 

At a minimum the ability for the client to try to connect to the last known IP if for some reason DNS isn't working

I assume Chris is referring to the "thumbprint" or signature that the antivirus products use to identify the client on the workstations.  I assume that would change anytime there is a client-side upgrade though -- so every time there is an update right?

I think you'll discover that bitlocker code entry is needed before any of the real OS has loaded thus SC isn't going to be usable at that time either.

We've standardized on making sure our client workstations have TPM chips in them moving forward to prevent this from being a problem.

However, in the interim you can suspend bitlocker protection until a machine is rebooted if you execute a command before you reboot it -- which you could do via the SC commands window or manually on the machine -- take a look at: https://www.isumsoft.com/windows-10/enable-suspend-or-resume-bitlocker-protect-for-drive.html

Something as simple as using the domain name from the user's login name to determine which authentication source to use would be a big plus over a drop-down with every domain listed.

There are numerous times that we want to know why a machine is offline... did the user shut it down against instructions when they left, did it just go to sleep or absent any provided reason -- did it just lose Internet... was a reboot initiated and it just hasn't came back online yet, etc.