Before a user can enroll a device, you must provide this user with the relevant policy set.
To enable users to enroll devices:
1. Log in to Admin Portal.
2. Click Core Services > Roles.
3. Create a new role or select an existing role.
4. Click Members > Add.
5. On the Add Members window:
a. Enter the first few letters of the user, role, or Active Directory/LDAP account/group you want to add and click the search icon.
b. Select the relevant user, role, or Active Directory/LDAP account/group and click Add.
6. Click Save to save the changes.
7. Click Policies and either click Add Policy Set or select an existing policy.
8. Click Endpoint Policies > Device Enrollment Settings.
9. Select Yes in the Permit device enrollment policy.
10. Configure the remainder of the policy settings.
These settings apply regardless of whether you use the directory policy service or Active Directory group policies to manage device configuration policies:
Device enrollment control settings (each setting name is followed by the limitation it enforces):
Enable invite based enrollment
Allows an enrollment invitation to be sent by email or SMS message, and allows password-less enrollment via QR code. To view the invitation or update it, see How to customize email message contents.
Select “Yes” to allow users to scan the Identity Services generated QR code (instead of entering their user name and password) to enroll their devices.
Permit only corporate device enrollment
Limits enrollment to corporate owned devices.
Invite based enrollment link expiration (default 60 minutes)
Limits how long the enrollment link remains active.
Max number of devices a user can enroll
Limits the number of devices a user can enroll. The default is 20. The maximum is 1000.
Permit non-compliant devices to enroll
Prevent noncompliant devices from enrolling.
To enable users to enroll a noncompliant device, select Yes in the drop-down menu.
Open the tool tip for more information on this policy.
Permit Android device enrollments
Use the drop-down menu to select All to allow users to enroll any Android device, Filter to define enrollment rules for Android devices, None to prevent users from enrolling Android devices, or “–” (Not configured) to use the default setting. The default is All. If you select Filter, click Add Rule to specify a filter, condition, and value for each rule. Click Add to save each rule.
Permit iOS device enrollment
Use the drop-down menu to select All to allow users to enroll any iOS device, Filter to define enrollment rules for iOS devices, None to prevent users from enrolling iOS devices, or “–” (Not configured) to use the default setting. The default is All. If you select Filter, click Add Rule to specify a filter, condition, and value for each rule. Click Add to save each rule.
Permit OS X device enrollment
Use the drop-down menu to select All to allow users to enroll any OS X device, Filter to define enrollment rules for OS X devices, None to prevent users from enrolling OS X devices, or “–” (Not configured) to use the default setting. The default is All. If you select Filter, click Add Rule to specify a filter, condition, and value for each rule. Click Add to save each rule.
If you permit OS X device enrollment, the Enable “Enroll your Mac” prompt at portal login drop-down menu appears. Select Yes to prompt users to enroll when they log in to the User Portal from an OS X device, No to not prompt users to enroll, or “–” (Not configured) to use the default setting. The default is No.
11. Click Save.
12. Click Policy Settings.
13. Specify the policy assignment:
● All users and devices
Applies this policy to all users and devices enrolled on Identity Services.
● Specified Roles
Click Add to select the roles to which you want this policy applied.
● Sets (NOT applicable for unenrolled devices)
Specify the set type (currently only Device type is supported) for enrolled devices and the set parameters (iOS devices, corporate owned devices, etc.). Sets are collections of devices, users, etc.
Important: Do not use this option when configuring a policy for device enrollment. Sets only apply to enrolled devices. If you assign this policy to users who do not already have a device enrollment policy (via the All Users and Devices or Specified Roles option), device enrollment will fail.
14. Click Save.
One time enrollment invitation
You can send users an SMS invitation to enroll a device outside of the user creation or device enrollment process. If you did not enable this option previously, you can do it per user.
1. Log in to Admin Portal.
2. Click Core Services > Users.
3. Right-click the relevant user and select Send SMS invite for device enrollment.
4. Accept the confirmation prompt.
Testing changes