Is it possible to restrict self-enrolment so that it can only be done in a trusted environment, eg on premise or from a trusted device? If inline self-enrolment is enabled, and a user who has never bothered to enrol gets phished, the attacker can si...