Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1924
Views
0
Helpful
1
Replies

Multiple Concurrent Enrollment Types

Go to solution
olfuddyduddy
Level 1
Level 1

‎09-24-2018 11:38 AM

The powers that be want to allow self-enrollment in conjunction with syncing our AD users via security group(s). We have two user camps we need to accommodate; proficient users that want to enroll on their own and the polar opposite that need walked through the process.

I’ve read a number of KB’s where partially enrolled users have issues with authentication, some apps don’t allow for the completing the enrollment process even if they’re configured to bypass. I’d like to know if there is some middleground for a mixed deployment.

I’d greatly appreciate any insight or alternatives that others may have implemented to allow multiple enrollment types.

The projected configuration would be as follows:

  1. Use Directory Sync with Active Directory using 2 different security groups
    • Enrollment Session Group - As user group session participants are added to the group before the
      scheduled session and emailed a link to complete enrollment.
    • All Employees Group - synchronize all users usernames without phone numbers. This should leave
      the users partially enrolled.
  2. User Self Enrollment
    • Users will have already been partially enrolled by the “All Employees Group”.
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
WLanphear
Level 1
Level 1

‎09-24-2018 12:09 PM

You are correct partially enrolled users will have issues accessing protected apps prior to completing enrollment. Also once a user is synced via AD they are partially enrolled and AD exclusively handles some attributes like Group Membership which could make it difficult to do what the “Powers That Be” would like.

When we deployed to our organization we did an AD sync before we deployed any applications with plenty of user outreach with instructions on how to complete enrollment. We were able to watch the status of enrollment and target email to users that were failing to complete enrollment. Prior to protecting any applications.

Hope this helps.

View solution in original post

0 Helpful
1 Reply 1

Go to solution
WLanphear
Level 1
Level 1

‎09-24-2018 12:09 PM

You are correct partially enrolled users will have issues accessing protected apps prior to completing enrollment. Also once a user is synced via AD they are partially enrolled and AD exclusively handles some attributes like Group Membership which could make it difficult to do what the “Powers That Be” would like.

When we deployed to our organization we did an AD sync before we deployed any applications with plenty of user outreach with instructions on how to complete enrollment. We were able to watch the status of enrollment and target email to users that were failing to complete enrollment. Prior to protecting any applications.

Hope this helps.

0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents