---
title: User Device Enrollment
lang: en-US
meta:
  - name: keywords
    content: >-
      pomerium, identity access proxy, webauthn, device id, enroll, enrollment,
      authentication, authorization
description: >-
  This guide covers how to enroll a trusted execution environment device as a Pomerium end-user.
---

# Enroll a Device as a User

If a Pomerium route is configured to [require device authentication](/docs/topics/ppl.md#device-matcher), then the user must register a [trusted execution environment](/docs/topics/device-identity.md#authenticated-device-types) (**TEE**) device before accessing the route. Registration is easy, but different depending on the device being used to provide ID.


<iframe width="800" height="500" src="https://www.youtube.com/embed/aJzgnaXEpLo?rel=0" frameborder="0" allow="accelerometer; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen />

This guide covers enrollment of a device by a user. This is available for both open-source Pomerium and [Pomerium Enterprise](/enterprise/readme.md) installations. However, Enterprise users may also receive registration links [generated by their administrators](/guides/admin-enroll-device.md), which will mark the newly enrolled device as approved in the Pomerium Enterprise Console.

1. Users are prompted to register a new device when accessing a route that requires device authentication:

    ![The WebAuthn Registration page with no devices registered](./img/webauthn/no-device.png)

    Users can also get to the registration page from the special `.pomerium` endpoint available on any route, at the bottom of the page:

    ![The Device Credentials section of the .pomerium endpoint with the WebAuthn link highlighted](./img/webauthn/device-credentials-empty-highlight.png)

1. Click on **Register New Device**. Your browser will prompt you to provide access to a device. This will look different depending on the browser, operating system, and device type:

    ::::: tabs
    :::: tab Windows
    ![The device authentication prompt on Windows](./img/webauthn/security-key-windows.png)
    ::::
    :::: tab Chrome
    ![The device authentication prompt in Google Chrome](./img/webauthn/security-key-google.png)
    ::::
    :::: tab Firefox
    ![The device authentication prompt in Firefox](./img/webauthn/security-key-firefox.png)
    ::::
    :::: tab ChromeOS
    ![The device authentication prompt on ChromeOS](./img/webauthn/security-key-chromebook.png)
    ::::

## Find Device ID

If a route's policy is configured to only allow specific device IDs you will see a 450 error even after registering:

![450 device not authorized error screen](./img/webauthn/450-error.png)


From the `.pomerium` endpoint you can copy your device ID to provide to your Pomerium administrator.

![Device ID list at /.pomerium](./img/webauthn/device-id-list.png)

From here you can also delete the ID for devices that should no longer be associated with your account.