Duo Administration - User Enrollment & Account Management

Overview

Duo Premier, Duo Advantage, and Duo Essentials plans customers gain granular control of end-users' enrollment and self-service portal experiences with enrollment policies.

Previously all aspects of Duo’s enrollment and self-service experiences have been controlled by the same set of policies that are also used for access and authentication. To reduce confusion and challenges for customers who may want to define these experiences separately, the User Enrollment and Management page allows you to create and manage enrollment policies, allowing you to manage certain aspects of the end-user enrollment and self-service portal experiences.

How Does it Work?

Enrollment policies define behavior for users once they have entered Duo’s enrollment or self-service portals:

• For unenrolled users:
  • Enrollment policies define certain aspects of unenrolled users’ enrollment experience.
  • Enrollment policies do not define the decision for a user to enter enrollment or not. This continues to be handled by the effective authentication policy for that method of enrollment.
    • For email link enrollment, users will always be prompted to enroll.
    • For inline enrollment, this decision is controlled by the effective authentication policy for the users accessing that inline application.
    • For standalone Device Management Portal (DMP) enrollment, this decision is controlled by the effective authentication policy of the user for the DMP application in use.
• For enrolled users:
  • Enrollment policies define certain aspects of enrolled users’ self-service portal (SSP) experience once they have gained access to the SSP.
  • Enrollment policies do not define the requirements for access into the SSP. The effective policy for access into the SSP is determined by:
    • When using SSP inline with an application or via Duo Central:
      • If an SSP policy is enabled, the effective SSP policy applies for that user.
      • If an SSP policy is not enabled, the effective policy for the inline application being accessed applies.
    • When using SSP with a DMP application:
      • If using a DMP, the effective policy for the user accessing that DMP application applies.

Prerequisites and Limitations

• Enrollment policies are available only for Duo’s web-based Universal Prompt enrollment and self-service portals including:
  • Email enrollment
  • Enroll Portal Enrollment (both enrollment code and enrollment via external IDP)
  • Standalone Device Management Portal (DMP) enrollment
  • Self-Service Portal (SSP)
  • Duo Central Device Management (via the Duo Central launcher or the dedicated URL)
• The traditional Duo Prompt, Admin Panel, and Auth API application enrollment actions are unaffected by enrollment policies.

Configure Enrollment Policies

Role required: Owner or Administrator

Create and manage your enrollment policies from Policies → User Enrollment and Account Management in the Duo Admin Panel.

Only admins with the Owner or Administrator roles can create or edit enrollment policies.

Since the enrollment and self-service portals can be invoked from a variety of applications, enrollment policies apply across all applications or by assigning a policy to groups.

• Global: This is the organization’s default policy and is applied when no superseding policy applies.
  • If there are multiple configurable sections in the policy, it is possible that the user’s effective enrollment policy will be a combination of an item specified at the global or group level.
  • If a user is not subject to any group enrollment policy, then they are subject only to the global enrollment policy.
• Group: Items specified in this enrollment policy apply to all users who are members of any group(s) this enrollment policy is applied to. This applies across all applications. If users are members of multiple group policies, the effective policy will be determined by the order in which the group policies are applied. Users cannot have more than one global group policy apply at one time.

Policy Enablement

This setting defines, for overlapping controls, whether Global or Application Polices or Enrollment policies defined on this page will take effect for enrollment and self-service portals. Click on the Enable the enrollment and account management policies on this page button to use the policies on this page to define the experience and requirements of enrollment and account management. Policy enablement is set to Disable enrollment and account management policies by default.

A banner will display below this setting when this page’s policies are not in effect.

Enrollment Policy Options

Once in the Global Enrollment Policy editor, update the setting configuration on the right side of the editor with your desired enrollment policy options for Authenticators and Duo Password.

You can configure rules for: - Authenticators - click on the list of options to specify which will be available (but not required) during enrollment and self-service device management: - Passkey (biometric, security key) - Enabled by default. - Duo Mobile - Enabled by default. - Phone number - Disabled by default. - Duo Desktop - Duo password - click on the checkbox to select or deselect Require users to create a password for use with Duo. When selected, unenrolled users will be required to create a password during enrollment. If an already-enrolled user without a password later becomes part of an enrollment policy requiring a password, they will be prompted to set it upon next successful authentication to any Duo SSO application. Disabled by default.

Global Enrollment Policy

The Global Enrollment Policy is built-in and cannot be deleted. If you selected to Enable the enrollment and account management policies on this page in the "Policy enablement" section, the Global Enrollment Policy always applies to all applications. Edit this policy if there are settings you'd like to control for all users and all applications. You can view and edit your current Global Enrollment Policy settings on the Policies → User Enrollment and Account Management page.

Edit the Global Enrollment Policy

Role required: Owner or Administrator

To edit the Global Enrollment Policy:

1. Navigate to the Policies → User Enrollment and Account Management page.

2. Click Global Enrollment Policy under "Name" or click on the checkbox to select the Global Enrollment Policy and use the "Actions" menu to select Edit to open the "Global Enrollment Policy" editor.

3. Once in the "Global Enrollment Policy" editor, update the enrollment policy options on the right side of the editor.

   

4. Click Save Policy when your edits to the Global Enrollment Policy are complete.

If you'd like to restore the original Global Enrollment Policy settings, open the Global Enrollment Policy editor again and click the Revert to default button at the top of the "Global Enrollment Policy" window. Click Save Policy to apply the Global Enrollment Policy defaults.

The Global Enrollment Policy cannot be assigned, unassigned, or deleted.

Custom Enrollment Policies

Create and assign enrollment policies to create custom enrollment experiences.

Create a Custom Enrollment Policy

Role required: Owner or Administrator

To create a new enrollment policy:

1. Scroll down to the enrollment policies list.

2. Click the + Add Policy button.

3. In the "Create Enrollment Policy" editor, enter a descriptive Policy Name at the top of the left column, and then click on a rule to configure the enrollment policy options for Authenticators and Duo Password in your new group enrollment policy.

   

4. When you are done adding and configuring policy settings, click Create Policy to save the settings.

Apply an Enrollment Policy to a Group

You can apply an enrollment policy to a specific group or groups. For example, you can apply an enrollment policy to specify a certain group of users with privileged access that you only want to enroll in phishing-resistant authentication methods.

To apply an enrollment policy to a group:

1. Under the "User Group Enrollment Policy" section, click Apply user group policy.

2. In the Apply an enrollment policy to a group editor under "Policies" select the policy you want to apply to specific groups.

3. Under "Groups", add the groups you want to assign this policy.

   

4. Click Apply Policy.

5. You should now see the table of enrollment policies reflecting the changes you made. Additionally, you will see more detailed information and a visual hierarchy of the policies in the summary table.

Unassign User Group Enrollment Policies

To unassign a user group enrollment policy:

1. From the "User Group Enrollment Policy" section, locate the enrollment policy that you want to unassign and use the "Actions" menu to select Replace.

   

2. Confirm that you want to unassign the enrollment policy by clicking Unassign.

   

Replace User Group Enrollment Policies

As opposed to unassigning and then reassigning group enrollment policies, you can also simply replace them.

To replace user group enrollment policies:

1. From the "User Group Enrollment Policy" section, locate the enrollment policy that you want to replace and use the "Actions" menu to select Replace.

   

2. In the "Replace an enrollment policy" window, under "Policies" select the policy you want to to apply to these groups instead.

3. Under "Groups", review, add, or remove any groups to specify which groups you want to replace.

   

4. Click Apply Policy.

Reorder Policies

When multiple policies apply, the effective policy is the first in order. If you have multiple group enrollment policies and want to change the order of the policies that take effect, click on the Move Up and Move Down buttons for each applied policy in the User Group Enrollment Policy section.

Duplicate Enrollment Policies

1. From the enrollment policy list, click on the checkbox to select the enrollment policy you want to duplicate and click Duplicate, or use the "Actions" menu and select Duplicate.

   

2. A new enrollment policy will automatically be created under the same name, but with “copy” appended to the end.

3. When duplicated, this new policy will not be assigned to any groups. You can assign it to a group to use it.

Delete Group Enrollment Policies

1. From the enrollment policy list, click on the checkbox to select the enrollment policy you want to delete and click Delete, or use the "Actions" menu and select Delete.

   

2. Confirm that you want to delete the enrollment policy by selecting Delete.

   

Enable Enrollment Policies

If you did not already enable enrollment and account management policies you must do so for your new policies to take effect.

1. Once you have fully configured your policies, return to the "Policies" section.

2. Under Policy enablement, select Enable the enrollment and account management policies on this page.

   

3. Confirm the change by selecting Switch to custom policies.

   

Start Enrollment With an External Auth Source

To specify if you want to start enrollment with an external authentication source:

1. Under the "Settings" section, click the Allow users to begin enrollment using an external authentication source button. By default, the Don't use an external authentication source to allow access to enrollment button is selected.

2. Click Save.

   

Troubleshooting

Need some help? Try searching our Knowledge Base articles or Community discussions. For further assistance, contact Support.