User Enrollment Policies
If you have not made any configuration changes yet, please see How to make configuration changes
Introduction
There are a number of ways that the process of user-enrollment can be configured to meet different operational requirements.
This article shows you how to configure the User Enrollment policies. If you are looking to configure the behavior of the idenprotect For Mobile application, please see idenprotect for Mobile Configuration.
Note that during the enrollment process, depending on the configuration, emails can be sent to the user. If you have not yet gone through any Email Configuration, see Email SMTP Configuration. This article also has additional links to guide you through configuring the Email Content and Email Templates.
Configuring User Enrollment Policies
This configuration can be found in:
- the User Enrollment Policies section of the idenprotect Core Platform Admin Console Config Tab
- the server file system, in /etc/idenprotect/userenrolment.properties
Parameter in Config Tab | Parameter in Properties File | Description
---|---|---
Server URL | login.server | The URL that the mobile client uses to contact the idenprotect Core Platform. See here for details about {host} configuration.
Auto-Enroll Enabled? | policy.auto.enrol | Set so that enrollment can happen without intervention from the system administrator.
Enrollment Page User Header | enrolment.page.http.header | The HTTP header used to identify the user. The public onboarding page can be disabled if necessary; see Securing Access to APIs.
Active Directory Certificate Required? | policy.ad.certificate.required | If true, a certificate is stored in Active Directory on enrollment.
OTC Required? | policy.otc.required | If true, the user is asked to input a valid one-time code as part of the enrollment process.
Maximum Number of User Devices | policy.max.user.devices | The maximum number of devices a user is allowed to enroll.
Session Expiry In Minutes | enrollment.timeout.minutes | The number of minutes an enrollment session is valid for.
Time To Live | time.to.live.minutes | The number of minutes an enrollment session is valid for.
Enrollment Page User Field | enrolment.page.http.field | If using an HTTP header to identify the user, this is the field within the header that contains the user's ID.
Activation Required? | policy.activation.required | Once the user has started enrollment, they can be emailed an activation code that they must enter into the client to complete the process. If this is set to false, the user is not emailed an activation code and the client does not prompt for one.
Certificate Verification Required? | policy.certificate.verification.required | If true, the iOS application enables TLS certificate validation. The qrCodeCallbackLink should also include &certVerification={certVerfication}.
QR Code Callback Link | qr.code-callback.link | The URL the client uses to download the settings it should apply. This URL is encoded as the QR code the user scans to configure/enroll their device. See here for details about {host} configuration.
Access Key Required? | policy.access.key.required | If true, idenprotect Core Platform will try to contact the UEM server (using the configuration set in the UEM properties) and generate a new BlackBerry access key, which is then added to the QR code. If access key generation fails, the QR code is still usable and the mobile client prompts for the access key to be entered manually. For more information see UEM Guide.
Enrollment Session Required? | enrolment.session.required | If true, an enrollment session is created and its details are sent to the user together with a QR code to scan. If false, no session is started and the user is sent a URL to an onboarding page; the enrollment session and QR code are created on that onboarding page.
Server Based Enrollment Only? | policy.server.based.enrolment.only | If true, only server-initiated enrollment is permitted.
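As an added example (not idenprotect's own code or documentation), the following Python reads a properties file using the keys from this table and flags the setting combinations a reviewer would usually question before go-live. The sample file contents, the 60-minute session threshold and the "weak setting" rules themselves are assumptions made for illustration.

```python
"""Audit an idenprotect userenrolment.properties file for weak enrollment settings.
Added example, not idenprotect code: the keys come from the table above; the sample
contents, thresholds and 'weak setting' rules are this example's own assumptions."""
from __future__ import annotations
# Constructed sample of /etc/idenprotect/userenrolment.properties, not a real deployment.
SAMPLE_PROPERTIES = """\
login.server=https://{host}/
policy.auto.enrol=true
policy.otc.required=false
policy.activation.required=false
policy.max.user.devices=0
enrollment.timeout.minutes=1440
policy.certificate.verification.required=true
qr.code-callback.link=https://{host}/enrol/settings
enrolment.session.required=true
policy.server.based.enrolment.only=false
"""

def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java-style properties parser: key=value per line; '#' or '!' starts a comment."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def is_true(props: dict[str, str], key: str) -> bool:
    return props.get(key, "").lower() == "true"

def audit(props: dict[str, str], max_session_minutes: int = 60) -> list[str]:
    """Return one finding per weak setting; an empty list means the policy passed."""
    findings = []
    # Unattended enrollment with neither OTC nor activation code has no user-verification step.
    if is_true(props, "policy.auto.enrol") and not (
            is_true(props, "policy.otc.required") or is_true(props, "policy.activation.required")):
        findings.append("auto-enrol is on but neither OTC nor activation code is required")
    devices = props.get("policy.max.user.devices", "")
    if not devices.isdigit() or int(devices) < 1:  # assumption: a positive per-user cap is expected
        findings.append("policy.max.user.devices is unset or not a positive integer")
    timeout = props.get("enrollment.timeout.minutes", "")
    if not timeout.isdigit() or int(timeout) > max_session_minutes:
        findings.append(f"enrollment.timeout.minutes is unset or exceeds {max_session_minutes}")
    # Per the table, the callback link must carry the certVerification placeholder when verification is on.
    link = props.get("qr.code-callback.link", "")
    if is_true(props, "policy.certificate.verification.required") and "&certVerification={certVerfication}" not in link:
        findings.append("certificate verification is on but qr.code-callback.link lacks &certVerification={certVerfication}")
    return findings
```

Run `audit(parse_properties(open("/etc/idenprotect/userenrolment.properties").read()))` on a real file; the constructed sample above produces four findings, and a file with OTC required, a device cap, a short session and the certVerification placeholder produces none.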