I set up a test domain over the weekend to see if Duo would work for us, but I can’t get it to work in what I would consider a sensible way.
If I add the RDP/Login to Duo, it’s easy enough to set it up for only enrolled accounts to be asked for additional authentication; that’s fine.
However, the moment I add a new account, it locks that account from logging in. This presents a problem, since you can’t send an enrollment email without adding the user - which prevents them logging in to receive the email.
I need to set Duo up so that someone who has been sent an email but not enrolled is allowed to enroll in their own time - enforcement is months away… it needs to be voluntary.
The documentation talks about self enrollment but I’ve been unable to work out how to set that up. Is there a standard URL for that on the server? Writing my own email that says ‘go here to enroll’ is acceptable.