Symantec VIP - Request to whitelist MFA for certain users

Article ID: 387089

Products

VIP Service

Issue/Introduction

There may be instances when customers want to exclude certain users from having to complete MFA, while retaining VIP MFA for all other users.

Resolution

There isn't any way to whitelist a user on the VIP Enterprise Gateway side. The exclusion needs to be done at the application (integration) level.

As an example, the VIP Microsoft Credential Provider (MCP) integration has an option to configure a "no2fa" group. If a user is a member of this group, the MCP client does not require MFA for that user and does not contact the VIP Enterprise Gateway RADIUS service during the authentication flow. Because membership in this group is effectively an MFA bypass, restrict who can modify the group and review its membership regularly. Refer to the documentation here: https://techdocs.broadcom.com/content/dam/broadcom/techdocs/us/en/dita/symantec-security-software/identity-security-authentication/vip/generated-pdfs/Integration_Microsoft_CredentialProvider.pdf
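The following PowerShell script is an added example and is not part of this article or of the MCP product; it shows one way to audit the MCP exclusion group, since every member of that group signs in with only a password. It assumes the exclusion group is an Active Directory security group named "VIP-no2fa" (the real name is whatever you configured in MCP) and that the ActiveDirectory RSAT module is installed on the machine running it. It lists all users who reach the group directly or through nested groups, flags any that are also in a privileged group, and reports when the group's member attribute last changed.

```powershell
# Added example (not from the Broadcom article): audit the MCP MFA-exclusion group.
# Assumptions: the group is named "VIP-no2fa" (configured by you in MCP) and the
# ActiveDirectory RSAT module is available.
Import-Module ActiveDirectory

$BypassGroup      = 'VIP-no2fa'                                   # assumed name
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators'

# Resolve nested membership so a user placed in the group via another group is still seen.
$bypassMembers = Get-ADGroupMember -Identity $BypassGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

# Build the set of privileged user accounts to compare against.
$privileged = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty SamAccountName
}
$privileged = $privileged | Sort-Object -Unique

"Users exempt from VIP MFA via '$BypassGroup':"
foreach ($m in $bypassMembers) {
    $flag = if ($privileged -contains $m.SamAccountName) { 'PRIVILEGED - REVIEW' } else { '' }
    '{0,-25} {1}' -f $m.SamAccountName, $flag
}

# When was the membership last modified? Uses AD replication metadata for the
# 'member' attribute of the group object.
$dc = (Get-ADDomainController).HostName
Get-ADReplicationAttributeMetadata -Object (Get-ADGroup $BypassGroup).DistinguishedName `
    -Server $dc -Properties member |
    Select-Object AttributeName, LastOriginatingChangeTime, Version
```

Run this from an account that can read group membership; any privileged account that shows up as exempt should be removed from the group or given a documented exception.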


Some integrations also support Intelligent Authentication. This does not remove the MFA requirement, but it can satisfy the second factor transparently so that the user is not required to manually enter a security code. For more information on Intelligent Authentication, refer to this documentation: https://techdocs.broadcom.com/content/dam/broadcom/techdocs/us/en/dita/symantec-security-software/identity-security-authentication/vip/generated-pdfs/IA_MemberSite_Integration.pdf

Alternatively, VIP administrators can limit access to VIP web authentications for users in a VIP user group by enforcing an Access Policy. There are two access policy settings:

Access Denied: Users in this group are denied access to any web resource protected by VIP. However, you can still allow users to access from specific IP addresses; users in this group are prompted for additional authentication (challenge) from those addresses.

Challenge with Multi-factor Authentication: Users in this group are prompted for multi-factor authentication through VIP when they sign in. This is the default policy setting. For IP addresses that you allow (whitelist), VIP authentication always succeeds. You can also deny access from specific IP addresses (blacklist).

Note that neither policy exempts a user from MFA outright. The whitelist under the Challenge policy does let sign-ins from the listed addresses succeed without a second factor, so it is only as strong as the trust placed in those source networks; keep the list to addresses you control.