Restrict Duo self-enrolment to trusted environments

superfuzz56
Level 1

Is it possible to restrict self-enrolment so that it can only be done in a trusted environment, e.g. on premise or from a trusted device? If inline self-enrolment is enabled, and a user who has never bothered to enrol gets phished, the attacker can simply enrol their own device and they're in.

I know this is possible with Microsoft MFA and conditional access policies, but wondering if there's an equivalent with Duo?

1 Reply

DuoKristina
Cisco Employee

You can somewhat do this with Duo policies on the applications, i.e., if your Duo Authorized Networks policy only permits access to an app from known, specified networks, then enrollment would also be restricted to those networks.

There isn't support now for separating enrollment from auth in Duo policy though... like, to permit access to already enrolled users from any network but only specified networks for enrollment.

What some people do is have some dedicated enrollment portal restricted to certain networks, and set the new user policy to deny unenrolled for anything else.

We also recently added a new lockout & fraud option to lock out users who haven't enrolled after a certain amount of time. The user has to exist in Duo first - like if you have directory sync importing users into Duo and the sync emails an enrollment link, you could configure unenrolled lockout after 7 days so any user who hadn't used the enrollment link to enroll after a week would be locked out - preventing a bad actor from enrolling as them.

Please do reach out to your Duo account exec or customer success manager if you have one to submit your ideas for solving this as a feature request. If you don't have Duo account contacts you can also create a request via Duo Support.

Duo, not DUO.
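To make the layered setup from the reply concrete, here is an added model (not Duo's code or API) of how the three controls interact: an enrollment portal limited by an Authorized Networks policy, a "deny unenrolled users" New User policy on every other application, and an unenrolled lockout after 7 days. The trusted networks, application names, timestamps and the 7-day window are constructed illustration values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed values for the illustration; real networks and timing come from your own policy.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
UNENROLLED_LOCKOUT = timedelta(days=7)   # the "lock out unenrolled after N days" option
ENROLLMENT_PORTAL = "enrollment-portal"  # the one app whose New User policy allows inline enrollment


@dataclass
class User:
    name: str
    enrolled: bool
    created: datetime  # when directory sync imported the user and mailed the enrollment link


def on_trusted_network(src_ip: str) -> bool:
    ip = ip_address(src_ip)
    return any(ip in net for net in TRUSTED_NETWORKS)


def evaluate(user: User, app: str, src_ip: str, now: datetime,
             restrict_enrollment: bool = True) -> str:
    """Return 'allow', 'enroll', 'deny' or 'locked_out' for one access attempt.

    restrict_enrollment=False models the asker's worry: inline enrollment
    enabled on every app, so anyone holding the user's password can enroll."""
    if user.enrolled:
        return "allow"  # enrolled users reach any app from any network (normal 2FA applies)
    if now - user.created > UNENROLLED_LOCKOUT:
        return "locked_out"  # grace period over: even a valid password no longer enrolls
    if not restrict_enrollment:
        return "enroll"  # the gap: enrollment possible from anywhere, by anyone
    # Layered setup: only the portal enrolls, and only from an authorized network;
    # every other app's New User policy denies unenrolled users outright.
    if app == ENROLLMENT_PORTAL and on_trusted_network(src_ip):
        return "enroll"
    return "deny"


def walk_through() -> dict:
    """Phished-credential scenarios over the lifetime of an unenrolled account."""
    created = datetime(2024, 1, 1, tzinfo=timezone.utc)
    alice = User("alice", enrolled=False, created=created)
    day1, day10 = created + timedelta(days=1), created + timedelta(days=10)
    attacker_ip, office_ip = "198.51.100.7", "10.1.2.3"
    return {
        "unrestricted_inline": evaluate(alice, "vpn", attacker_ip, day1, restrict_enrollment=False),
        "vpn_from_internet": evaluate(alice, "vpn", attacker_ip, day1),
        "portal_from_internet": evaluate(alice, ENROLLMENT_PORTAL, attacker_ip, day1),
        "portal_from_office": evaluate(alice, ENROLLMENT_PORTAL, office_ip, day1),
        "portal_after_lockout": evaluate(alice, ENROLLMENT_PORTAL, office_ip, day10),
    }
```

The remaining window is the grace period itself: an unenrolled account whose password is phished within those 7 days can still be enrolled by an attacker who also reaches the portal from a trusted network, which is why the reply pairs the lockout with the network restriction rather than relying on either alone.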