3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-05-02 20:06:03 +02:00
Code Issues Projects Releases Packages Wiki Activity
pomerium/docs/guides/enroll-device.md
Alex Fornuto d1e784efa9
DOCS: Standardize Reference image paths in Enterprise Docs (#3080) 
* copy enterprise reference image to core reference img dir

* standardize reference image path

* link fixes
2022-02-25 09:38:35 -06:00

54 lines
No EOL
2.7 KiB
Markdown
Raw Blame History

---
title: User Device Enrollment
lang: en-US
meta:
- name: keywords
content: >-
pomerium, identity access proxy, webauthn, device id, enroll, enrollment,
authentication, authorization
description: >-
This guide covers how to enroll a trusted execution environment device as a Pomerium end-user.
---
# Enroll a Device as a User
If a Pomerium route is configured to [require device authentication](/docs/topics/ppl.md#device-matcher), then the user must register a [trusted execution environment](/docs/topics/device-identity.md#authenticated-device-types) (**TEE**) device before accessing the route. Registration is easy, but different depending on the device being used to provide ID.
This guide covers enrollment of a device by a user. This is available for both open-source Pomerium and [Pomerium Enterprise](/enterprise/readme.md) installations. However, Enterprise users may also receive registration links [generated by their administrators](/guides/admin-enroll-device.md), which will mark the newly enrolled device as approved in the Pomerium Enterprise Console.
1. Users are prompted to register a new device when accessing a route that requires device authentication:
![The WebAuthn Registration page with no devices registered](./img/webauthn/no-device.png)
Users can also get to the registration page from the special `.pomerium` endpoint available on any route, at the bottom of the page:
![The Device Credentials section of the .pomerium endpoint with the WebAuthn link highlighted](./img/webauthn/device-credentials-empty-highlight.png)
1. Click on **Register New Device**. Your browser will prompt you to provide access to a device. This will look different depending on the browser, operating system, and device type:
::::: tabs
:::: tab Windows
![The device authentication prompt on Windows](./img/webauthn/security-key-windows.png)
::::
:::: tab Chrome
![The device authentication prompt in Google Chrome](./img/webauthn/security-key-google.png)
::::
:::: tab Firefox
![The device authentication prompt in Firefox](./img/webauthn/security-key-firefox.png)
::::
:::: tab ChromeOS
![The device authentication prompt on ChromeOS](./img/webauthn/security-key-chromebook.png)
::::
## Find Device ID
If a route's policy is configured to only allow specific device IDs you will see a 450 error even after registering:
![450 device not authorized error screen](./img/webauthn/450-error.png)
From the `.pomerium` endpoint you can copy your device ID to provide to your Pomerium administrator.
![Device ID list at /.pomerium](./img/webauthn/device-id-list.png)
From here you can also delete the ID for devices that should no longer be associated with your account.
Reference in a new issue View git blame Copy permalink