Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
422
Views
0
Helpful
2
Replies

Does someone know if I can enroll a users duo mobile when he is in status "bypass"

Go to solution
Daniel_PE
Level 1
Level 1

‎05-26-2023 07:03 AM

Hello,

maybe someone here can help me out. I want to send enrollment mails to my users that are already known in duo but in status “bypass”. I figured out that when the users are in status bypass the enrollment link wont work. Is there a workaround? I want the users to already link their duo user with duo mobile but activating them later on.

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
DuoKristina
Cisco Employee
Cisco Employee

‎05-26-2023 09:53 AM

If the user’s status is “bypass”, there’s no opportunity for self-enrollment because bypass means bypass.

I want the users to already link their duo user with duo mobile but activating them later on.

So, what we call “activation” is I think what you mean by “link their duo user with duo mobile”. I think also when you say “but activating them later on” you mean you want the users all set up to be able to use Duo for MFA, but not actually require them to use MFA. Is that correct?

What we would recommend you do is not apply bypass status to the users, but instead use the new user policy set to allow access and the authentication policy set to bypass 2fa and apply this to your Duo application(s), then set all the users to active status.

With that, your users can perform device enrollment or activation via an emailed link but won’t need to actually perform Duo 2FA when they log in to your protected apps.

Then when you are ready to have everyone start using Duo to log in, just remove the policy settings that are allowing access without 2FA from the applications.

Another option is to enter phone numbers for each user and then sending each of them an activation link.

Duo, not DUO.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
DuoKristina
Cisco Employee
Cisco Employee

‎05-26-2023 09:53 AM

If the user’s status is “bypass”, there’s no opportunity for self-enrollment because bypass means bypass.

I want the users to already link their duo user with duo mobile but activating them later on.

So, what we call “activation” is I think what you mean by “link their duo user with duo mobile”. I think also when you say “but activating them later on” you mean you want the users all set up to be able to use Duo for MFA, but not actually require them to use MFA. Is that correct?

What we would recommend you do is not apply bypass status to the users, but instead use the new user policy set to allow access and the authentication policy set to bypass 2fa and apply this to your Duo application(s), then set all the users to active status.

With that, your users can perform device enrollment or activation via an emailed link but won’t need to actually perform Duo 2FA when they log in to your protected apps.

Then when you are ready to have everyone start using Duo to log in, just remove the policy settings that are allowing access without 2FA from the applications.

Another option is to enter phone numbers for each user and then sending each of them an activation link.

Duo, not DUO.
0 Helpful

Go to solution
Daniel_PE
Level 1
Level 1
In response to DuoKristina

‎05-30-2023 04:05 AM

Your first recommendation worked. Thank you

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents