New user enrollment procedure

We’re just getting our feet wet on the platform and one thing I’m confused about is how to handle the process of enrolling new users when the only thing we’re currently protecting is Windows Login (aka Microsoft RDP).

We have scripts so that when a user is added to Active Directory, they will get automatically synced to Duo as a bypass user. After 2 weeks, they are converted to a regular user. This is done because there is no self service enrollment with Microsoft RDP and if they weren’t set as a bypass, they wouldn’t be able to log in.

It appears when a user is set as bypass, they also are not able to enroll.

Are we missing something?

A couple of options here that I’m aware of.

  1. Don’t bypass users; doing so basically defeats the purpose of using Duo in the first place. Because you’re bypassing, you never get to the iFrame where you could allow a device enrollment. You can set it up in the policy to allow enrollment through the iFrame that appears. I’m sure it likely works the same way with the new Duo prompt (not sure if that is available for RDP yet).

  2. Set up a device management portal. Have the user sign in with provided credentials and let them enroll their devices from there.

  3. Reach out before the start date and activate devices via text. I have found this method to be the easiest, with the fewest hoops for the end user to step through. Just call them and explain that they need to use the Duo application for 2FA. They download it from the app/play store… then you send them the activation text and you’re good to go.