Duo Administration - User Enrollment & Account Management

Overview

Duo Premier, Duo Advantage, and Duo Essentials plans customers gain granular control of end-users' enrollment and self-service portal experiences with enrollment policies.

Previously, the same set of policies used for access and authentication controlled all aspects of Duo’s enrollment and self-service experiences. To reduce confusion and challenges for customers who may want to define these experiences separately, the User Enrollment and Management page allows you to create and manage enrollment policies, allowing you to manage certain aspects of the end-user enrollment and self-service portal (SSP) experiences.

How Does it Work?

Enrollment policies define behavior for users once they have entered Duo’s enrollment or self-service portals:

• For unenrolled users:
  • Enrollment policies define certain aspects of unenrolled users’ enrollment experience.
  • Enrollment policies do not define the decision for a user to enter enrollment or not. This remains handled by the effective authentication policy for that method of enrollment.
    • Email link enrollment always prompts users to enroll.
    • Inline self-enrollment remains subject to the effective authentication policy for the users accessing that inline application.
    • For standalone Device Management Portal (DMP) enrollment, this decision is controlled by the effective authentication policy of the user for the DMP application in use.
• For enrolled users:
  • Enrollment policies define certain aspects of enrolled users’ self-service portal (SSP) experience once they have gained access to the SSP.
  • Enrollment policies do not define the requirements for access into the SSP. The effective policy for access into the SSP is determined by:
    • When using SSP inline with an application or via Duo Central:
      • With an SSP policy enabled, the effective SSP policy applies for that user.
      • With an SSP policy disabled, the effective policy for the inline application accessed applies.
    • When using SSP with a DMP application:
      • If using a DMP, the effective policy for the user accessing that DMP application applies.

Prerequisites and Limitations

• Enrollment policies are available only for Duo’s web-based Universal Prompt enrollment and self-service portals including:
  • Email enrollment
  • Enroll Portal Enrollment (both enrollment code and enrollment via external IDP)
  • Standalone Device Management Portal (DMP) enrollment
  • Self-Service Portal (SSP)
  • Duo Central Device Management (via the Duo Central launcher or the dedicated URL)
• Enrollment policies do not affect enrollment actions for the traditional Duo Prompt, Admin Panel, Auth API applications, or any Duo-protected application which does not show the Universal Prompt in a browser.

Configure Enrollment Policies

Role required: Owner or Administrator

Create and manage your enrollment policies from Policies → User Enrollment and Account Management in the Duo Admin Panel.

Since a variety of applications allow access to the enrollment and self-service portals, enrollment policies apply across all applications or by assigning a policy to groups.

• Global: This is the organization’s default policy when no superseding policy applies.
  • If there are multiple configurable sections in the policy, the user’s effective enrollment policy may be a combination of an item specified at the global or group level.
  • If a user is not subject to any group enrollment policy, then they are subject only to the global enrollment policy.
• Group: Items specified in this enrollment policy apply to all users who are members of any group(s) assigned this enrollment policy. This applies across all applications. If users are members of multiple group policies, the effective policy determination is the order in which the group policies are applied. Users cannot have more than one global group policy apply at one time.

Policy Enablement

This setting defines, for overlapping controls, whether Global or Application Polices or Enrollment policies defined on this page will take effect for enrollment and self-service portals. Click on the Enable the enrollment and account management policies on this page button to use the policies on this page to define the experience and requirements of enrollment and account management. Policy enablement is set to Disable enrollment and account management policies by default.

A banner below this setting indicates when this page’s policies are not in effect.

Enrollment Policy Options

Once in the Global Enrollment Policy editor, update the setting configuration on the right side of the editor with your desired enrollment policy options for Authenticators and Duo Password.

You can configure rules for:

• Authenticators - click on the list of options to specify which will be available (but not required) during enrollment and self-service device management:

  • Passkey - Enabled by default.

    Allow users to enroll platform WebAuthn authenticators integrated into their current device hardware and operating system, like the Touch ID fingerprint reader on a Mac, or a roaming FIDO2-compliant USB, Bluetooth or NFC WebAuthn security key.

    Enable the user verification option if you want security key users enrolling devices for passwordless authentication.

  • Duo Mobile - Enabled by default.

    Duo's service sends an authentication request to the Duo Mobile iOS or Android app for the user to approve or deny.

  • Phone number - Disabled by default.

    Users enroll a phone number to receive calls or SMS messages during authentication. These methods won't work for passwordless authentication.

  • Duo Desktop

    This option makes Duo Desktop available for enrollment as an authenticator if the user already has Duo Desktop installed. Enabling this does not offer or require Duo Desktop installation during first-time enrollment. Configure your Global Policy to require the Duo Desktop app if you want to prompt your users to install Duo Desktop during enrollment.

• Duo password - click on the checkbox to select or deselect Require users to create a password for use with Duo. When selected, unenrolled users must create a password during enrollment from an emailed enrollment link or at the hosted enrollment portal. Existing users may first authenticate with a temporary password provided by an administrator, and then set a new password.

  When users enter a Duo password — whether during login or while setting a new one — we check the password against a regularly-updated database of breached passwords. Users may not set a new password found in the breached password database. If we find a user's current password value among the compromised password lists, then the user must set a new, safe password before continuing to the application.

  

Global Enrollment Policy

The built-in Global Enrollment Policy cannot be deleted. If you selected to Enable the enrollment and account management policies on this page in the "Policy enablement" section, the Global Enrollment Policy always applies to all applications. Edit this policy if there are settings you'd like to control for all users and all applications. You can view and edit your current Global Enrollment Policy settings on the Policies → User Enrollment and Account Management page.

Edit the Global Enrollment Policy

Role required: Owner or Administrator

To edit the Global Enrollment Policy:

1. Navigate to the Policies → User Enrollment and Account Management page.

2. Click Global Enrollment Policy under "Name" or click on the checkbox to select the Global Enrollment Policy and use the "Actions" menu to select Edit to open the "Global Enrollment Policy" editor.

3. Once in the "Global Enrollment Policy" editor, update the enrollment policy options on the right side of the editor.

   

4. Click Save Policy when your edits to the Global Enrollment Policy are complete.

If you'd like to restore the original Global Enrollment Policy settings, open the Global Enrollment Policy editor again and click the Revert to default button at the top of the "Global Enrollment Policy" window. Click Save Policy to apply the Global Enrollment Policy defaults.

The Global Enrollment Policy cannot be assigned, unassigned, or deleted.

Custom Enrollment Policies

Create and assign enrollment policies to create custom enrollment experiences.

Create a Custom Enrollment Policy

Role required: Owner or Administrator

To create a new enrollment policy:

1. Scroll down to the enrollment policies list.

2. Click the + Add Policy button.

3. In the "Create Enrollment Policy" editor, enter a descriptive Policy Name at the top of the left column, and then click on a rule to configure the enrollment policy options for Authenticators and Duo Password in your new group enrollment policy.

   

4. When you finish adding and configuring policy settings, click Create Policy to save the settings.

Apply an Enrollment Policy to a Group

You can apply an enrollment policy to a specific group or groups. For example, you can apply an enrollment policy to specify a certain group of users with privileged access that you only want to enroll in phishing-resistant authentication methods.

To apply an enrollment policy to a group:

1. Under the "User Group Enrollment Policy" section, click Apply user group policy.

2. In the Apply an enrollment policy to a group editor under "Policies" select the policy you want to apply to specific groups.

3. Under "Groups", add the groups you want to assign this policy.

   

4. Click Apply Policy.

5. You should now see the table of enrollment policies reflecting the changes you made. Additionally, you will see more detailed information and a visual hierarchy of the policies in the summary table.

Unassign User Group Enrollment Policies

To unassign a user group enrollment policy:

1. From the "User Group Enrollment Policy" section, locate the enrollment policy that you want to unassign and use the "Actions" menu to select Replace.

   

2. Confirm that you want to unassign the enrollment policy by clicking Unassign.

   

Replace User Group Enrollment Policies

You can replace assigned enrollment policies instead of unassigning and then reassigning group enrollment policies.

To replace user group enrollment policies:

1. From the "User Group Enrollment Policy" section, locate the enrollment policy that you want to replace and use the "Actions" menu to select Replace.

   

2. In the "Replace an enrollment policy" window, under "Policies" select the policy you want to apply to these groups instead.

3. Under "Groups", review, add, or remove any groups to specify which groups you want to replace.

   

4. Click Apply Policy.

Reorder Policies

When multiple policies apply, the effective policy is the first in order. If you have multiple group enrollment policies and want to change the order of the policies that take effect, click on the Move Up and Move Down buttons for each applied policy in the User Group Enrollment Policy section.

Duplicate Enrollment Policies

1. From the enrollment policy list, click on the checkbox to select the enrollment policy you want to duplicate and click Duplicate, or use the "Actions" menu and select Duplicate.

   

2. The new enrollment policy created has the same name, but with “copy” appended to the end.

3. When duplicated, this new policy has no group assignments. You can assign it to a group to use it.

Delete Group Enrollment Policies

1. From the enrollment policy list, click on the checkbox to select the enrollment policy you want to delete and click Delete, or use the "Actions" menu and select Delete.

   

2. Confirm that you want to delete the enrollment policy by selecting Delete.

   

Enable Enrollment Policies

If you did not already enable enrollment and account management policies you must do so for your new policies to take effect.

1. Once you have fully configured your policies, return to the "Policies" section.

2. Under Policy enablement, select Enable the enrollment and account management policies on this page.

   

3. Confirm the change by selecting Switch to custom policies.

   

Start Enrollment With an External Auth Source

You can ease your migration from other external authentication sources to Duo-hosted users by allowing your existing users from these authentication sources to begin enrollment after verifying credentials from an external directory. The enrollment policy default is Don't use an external authentication source to allow access to enrollment.

To specify if you want to start enrollment with an external authentication source:

1. Under the "Settings" section, click the Allow users to begin enrollment using an external authentication source button.

2. Click Save.

   

Troubleshooting

Need some help? Try searching our Knowledge Base articles or Community discussions. For further assistance, contact Support.