User Enrollment Policies

From idenprotect Knowledge Base
Revision as of 12:36, 23 July 2020 by Aisteshah

If you have not made any configuration changes yet, please see How to make configuration changes


There are a number of ways that the process of user-enrollment can be configured to meet different operational requirements.

This article shows you how to configure the User Enrollment policies. If you are looking to configure the behavior of the idenprotect For Mobile application, please see idenprotect for Mobile Configuration.

Note that during the enrollment process, depending on the configuration, emails can be sent to the user. If you have not yet gone through any Email Configuration, see Email SMTP Configuration. That article also links to guides for configuring the Email Content and Email Templates.

Configuring User Enrollment Policies

This configuration can be found in:

  • User Enrollment Policies section in the idenprotect Core Platform Admin Console Config Tab
  • Server file system in /etc/idenprotect/
Parameters for Policies

| Parameter in Config Tab | Parameter in Properties File | Description |
|---|---|---|
| Server URL | login.server | The URL that the mobile client uses to contact the idenprotect Core Platform. See here for details about {host} configuration. |
| Auto-Enroll Enabled? | | Set so that enrollment can happen without intervention from a system administrator. |
| Enrollment Page User Header | | The HTTP header used to identify the user. The public onboarding page can be disabled if necessary; see Securing Access to APIs. |
| Active Directory Certificate Required? | | If true, a certificate is stored in Active Directory on enrollment. |
| OTC Required? | policy.otc.required | If true, the user is asked to input a valid one-time code as part of the enrollment process. |
| Maximum Number of User Devices | policy.max.user.devices | The maximum number of devices a user is allowed to enroll. |
| Session Expiry In Minutes | enrollment.timeout.minutes | The number of minutes an enrollment session is valid for. |
| Time To Live | | The number of minutes an enrollment session is valid for. |
| Enrollment Page User Field | | If an HTTP header is used to identify the user, this is the field within the header that contains the user's ID. |
| Activation Required? | policy.activation.required | Once the user has started enrollment, they can be emailed an activation code that they must enter into the client to complete the process. If false, no activation code is emailed and the client does not prompt the user to enter one. |
| Certification Verification Required? | policy.certificate.verification.required | If true, the iOS application enables TLS certificate validation. The qrCodeCallbackLink should also include &certVerification={certVerfication}. |
| QR Code Callback Link | | The URL the client uses to download the settings it should apply. This URL is encoded as the QR code the user scans to configure/enroll their device. See here for details about {host} configuration. |
| Access Key Required? | policy.access.key.required | If true, the idenprotect Core Platform tries to contact the UEM server (using the configuration set in the UEM properties) and generate a new BlackBerry access key, which is then added to the QR code. If access key generation fails, the QR code is still usable and the mobile client prompts for the access key to be entered manually. For more information see UEM Guide. |
| Enrollment Session Required? | enrolment.session.required | If true, an enrollment session is created and its details are sent to the user with a QR code to scan. If false, no session is started and the user is sent a URL to an onboarding page, where the enrollment session and QR code are created. |
| Server Based Enrollment Only? | policy.server.based.enrolment.only | If true, only server-initiated enrollment is permitted. |