3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-05-03 20:36:03 +02:00
Code Issues Projects Releases Packages Wiki Activity
pomerium/docs/guides/admin-enroll-device.md
Alex Fornuto eda30cbf86
add device identity video (#3304)
2022-04-29 10:20:46 -05:00

48 lines
No EOL
2.4 KiB
Markdown
Raw Blame History

---
title: Admin Device Enrollment
lang: en-US
meta:
- name: keywords
content: >-
pomerium, identity access proxy, webauthn, device id, enroll, enrollment,
authentication, authorization, enterprise
description: >-
This guide covers how Pomerium Enterprise admins can create pre-approved device registration links.
---
# Pre-Approved Device Enrollment
If a Pomerium route is configured to [require device authentication](/docs/topics/ppl.md#device-matcher), then the user must register a [trusted execution environment](/docs/topics/device-identity.md#authenticated-device-types) (**TEE**) device before accessing the route. In Enterprise environments, policies can require that devices be approved in the Pomerium Enterprise Console.
<iframe width="800" height="500" src="https://www.youtube.com/embed/aJzgnaXEpLo?rel=0" frameborder="0" allow="accelerometer; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen />
To make the management of approved devices easier, the Enterprise Console lets administrators create registration links that will allow users to register devices as pre-approved, following the [**TOFU**](https://en.wikipedia.org/wiki/Trust_on_first_use) authentication scheme.
This guide instructs Pomerium Enterprise admins on how to create user-specific enrollment links.
## Before You Begin
- This guide is written for [Pomerium Enterprise](/enterprise/about.md) environments,
- You must have the [Admin](/enterprise/concepts.md#admin) role in the Enterprise Console to perform these steps.
## Create an Enrollment Link
1. From the Pomerium Enterprise Console, select **Devices** from the left-hand menu.
1. Click the **+ NEW ENROLLMENT** button at the top:
![Visualization of the fist two steps in creating a device enrollment link](./img/admin-enroll-1.png)
1. From the **New Enrollment** modal:
- search for and select the user this URL will be valid for,
- optionally provide a URL for the user to be redirected to after a successful enrollment,
- define if the user can enroll any [trusted execution environment](/docs/glossary.md#trusted-execution-environment), or restrict the user to [secure envlaves](/docs/glossary.md#secure-enclave):
![Screenshot of the New Enrollment Modal](./img/new-enrollment.png)
1. Click **Submit** to get the URL:
![Screenshot of a new enrollment link](./img/enrollment-created.png)
Provide the URL to the user.
Reference in a new issue View git blame Copy permalink