diff --git a/docs/docs/topics/device-identity.md b/docs/docs/topics/device-identity.md
index 7f5ad7566..ac476e551 100644
--- a/docs/docs/topics/device-identity.md
+++ b/docs/docs/topics/device-identity.md
@@ -55,6 +55,8 @@ The nature of cross-platform keys mean they are not associated with a single end
Pomerium supports policies that use device identity since version [0.16.0](/docs/upgrading.md#policy-for-device-identity). We use the [Web Authentication][webauthn-api] (**WebAuthN**) API to bring authentication and authorization based on device identity into your security framework. Pomerium's device identity support enables users to register their devices, and administrators to enforce access to applications and services to a particular set of trusted devices.
+
+
To get started, review the following pages:
- [Pomerium Policy Language](/docs/topics/ppl.md) to learn how to build policies that use device ID.
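Review bot: the two `+` lines after the "Pomerium supports policies that use device identity..." paragraph are both empty, so this hunk has no effect on the rendered page, since Markdown collapses a run of blank lines into a single paragraph break. If something was meant to sit between that paragraph and "To get started, review the following pages:" (an image, an embed, a note), it is missing from the change and should be added. Otherwise drop the hunk so the file's history stays free of whitespace-only churn.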
diff --git a/docs/guides/admin-enroll-device.md b/docs/guides/admin-enroll-device.md
index 1440053dd..b61640bd0 100644
--- a/docs/guides/admin-enroll-device.md
+++ b/docs/guides/admin-enroll-device.md
@@ -14,6 +14,9 @@ description: >-
If a Pomerium route is configured to [require device authentication](/docs/topics/ppl.md#device-matcher), then the user must register a [trusted execution environment](/docs/topics/device-identity.md#authenticated-device-types) (**TEE**) device before accessing the route. In Enterprise environments, policies can require that devices be approved in the Pomerium Enterprise Console.
+
+
+
To make the management of approved devices easier, the Enterprise Console lets administrators create registration links that will allow users to register devices as pre-approved, following the [**TOFU**](https://en.wikipedia.org/wiki/Trust_on_first_use) authentication scheme.
This guide instructs Pomerium Enterprise admins on how to create user-specific enrollment links.
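Review bot: the three `+` lines between the "require device authentication" paragraph and the paragraph introducing TOFU registration links contain no text. Consecutive blank lines are commonly flagged by Markdown linters and render no differently from one. Either put the intended content in this spot or remove the additions. The hunk header (`-14,6 +14,9`) confirms that nothing else in the file changed.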
diff --git a/docs/guides/enroll-device.md b/docs/guides/enroll-device.md
index 48bdf4bb1..866b82d77 100644
--- a/docs/guides/enroll-device.md
+++ b/docs/guides/enroll-device.md
@@ -14,6 +14,9 @@ description: >-
If a Pomerium route is configured to [require device authentication](/docs/topics/ppl.md#device-matcher), then the user must register a [trusted execution environment](/docs/topics/device-identity.md#authenticated-device-types) (**TEE**) device before accessing the route. Registration is easy, but different depending on the device being used to provide ID.
+
+
+
This guide covers enrollment of a device by a user. This is available for both open-source Pomerium and [Pomerium Enterprise](/enterprise/readme.md) installations. However, Enterprise users may also receive registration links [generated by their administrators](/guides/admin-enroll-device.md), which will mark the newly enrolled device as approved in the Pomerium Enterprise Console.
1. Users are prompted to register a new device when accessing a route that requires device authentication:
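Review bot: the same three empty `+` lines appear here, between the opening paragraph and "This guide covers enrollment of a device by a user." Because the identical gap is inserted in both `admin-enroll-device.md` and `enroll-device.md`, it reads like a placeholder for content shared by the two guides that never made it into the commit. Please include that content, or revert these lines and state the purpose in the commit message if the spacing is intentional.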