Enroll devices

This topic guides you through the procedures for enabling users to enroll devices. Users typically enroll their own devices, but system administrators must enable the relevant settings. When devices are enrolled, you can manage them in the Admin Portal, install mobile device policies, and deploy mobile applications to specified devices.

Enrolling a device requires CyberArk Identity to push a user certificate to the device. Typically, we use the User Principle Name (UPN) as the subject alternative name of the certificate. If you want to use Distinguished Name (DN), please contact CyberArk Identity Support.

This scenario includes the following topics:

Enable users to enroll devices

Enable users to enroll devices with Role-based policies.

Step 1: Add the users to a role if they are not already in a role.

  1. Click Core Services > Roles.

  2. Create a new role or select an existing role.

  3. Click Members > Add.

  4. On the Add Members window, search for and select the objects that you want to add to the Role membership, then click Add and save the changes.

Step 2: Update Policy settings.

  1. Click Policies and either click Add Policy Set or select an existing policy.

  2. Click Endpoint Policies > Device Enrollment Settings.

  3. Select Yes in the Permit device enrollment policy.

    This same policy setting exists under User Security Policies > User Account Settings. Any time you change this policy in either location, the setting is updated in both locations.

    If you want to prompt users to enroll their device on the first login, on the User Security Policies > User Account Settingspage of the policy setting, select Prompt users to enroll a mobile device on login.

  4. Configure the remainder of the policy settings.

    These settings apply regardless of whether you use the CyberArk Cloud Directory policy service or Active Directory group policies to manage device configuration policies:

    Device enrollment control settings

    To enforce these limitations

    Customize User Portal Add Devices options

    Controls the device enrollment options users will see when they enroll their devices from the User Portal > Devices > Add Devices option. Selecting Yes shows the following options:

    • Display SMS enrollment option
    • Display Email enrollment option
    • Display QR code enrollment option

    You must have one option selected.

    Enable invite based enrollment

    Allows an enrollment invitation to be sent via email or SMS message and for password-less enrollment through QR code. To view the invitation or update it, see Customize email message contents.

    Select Yes to allow users to scan the CyberArk Identity generated QR code (instead of entering their user name and password) to enroll their devices.

    Permit only corporate device enrollment

    Limits enrollment to corporate-owned devices.

    If you select the following combination of policy settings, users will not be able to enroll iOS or Android devices:

    • Permit only corporate device enrollment: Yes

      Limits enrollment to corporate-owned devices.

    • Allow personal or corporate device selection during enrollment: No or --

      No or -- for this setting defers to the setting for Enroll as corporate device by default.

    • Enroll as corporate device by default: No or --

      No or -- for this setting means only personal devices are allowed, which conflicts with setting Permit only corporate device enrollment to Yes.

    Permit non-compliant devices to enroll

    Prevent non-compliant devices from enrolling.

    To enable users to enroll a non-compliant device, select Yes in the drop-down menu.

    Open the tool tip for more information on this policy.

    Invite based enrollment link expiration (default 60 minutes)

    Limits how long the enrollment remains active.

    Max number of devices a user can enroll

    Limit the number of devices a user can enroll. Default is set to 20. Maximum number is 1000.

    Send notification on device enrollment

    If you enable this policy and want users to have the option to unenroll the second device, you must set the Permit users to unenroll devices policy in Common Mobile Settings > Restrictions Settings to Yes.

    Show welcome text on device enrollment

    You can customize the welcome text for supported languages using the Specify unique welcome message for supported languages setting in Settings > Endpoints > Enrollment Customization.

    Allow personal or corporate device selection during enrollment

    Select Yes to allow users to toggle between enrolling the device as a personal or corporate device during enrollment. Select No to not give users the option during enrollment. If you select No, then the Enroll as corporate device by default policy setting is used for enrollment.

    The default behavior is equivalent to No.

    This policy setting can impact the user experience when used with Permit only corporate device enrollment.

    This policy setting only applies to iOS and Android devices.

    Force users to explicitly select corporate or personal device enrollment

    To use this option you must set Allow personal or corporate device selection during enrollment to Yes.

    Select Yes to make choosing personal or corporate device during enrollment a required selection. Select No to use the Enroll as corporate device by defaultpolicy setting.

    The default behavior is equivalent to No.

    This policy setting only applies to iOS and Android devices.

    Enroll as corporate device by default

    Select Yes to make corporate device the default setting if you've set Allow personal or corporate device selection during enrollment to Yes. If users are not allowed to choose, this setting applies to all enrollments. Select Yes for corporate device enrollment, or No for personal device enrollment. The default behavior is equivalent to No.

    This policy setting can impact the user experience when used with Permit only corporate device enrollment.

    This policy setting only applies to iOS and Android devices.

    Permit Android device enrollments

    Use the drop-down menu to select All to allow users to enroll any Android device, Filter to define enrollment rules for Android devices, None to prevent users from enrolling Android devices, or "--" (Not configured) to use the default setting. The default is All. If you select Filter, click Add Rule to specify a filter, condition, and value for each rule. Click Add to save each rule.

    For users to enroll with a username and password, the domain suffix must be listed in Settings > Customization > Suffix. Refer to Manage login suffixes for more information about login suffixes.

    Alternately, you can instruct users to change the cloud URL in the CyberArk Identity mobile app Settings to match your tenant URL.

    Permit iOS device enrollment

    Use the drop-down menu to select All to allow users to enroll any iOS device, Filter to define enrollment rules for iOS devices, None to prevent users from enrolling iOS devices, or "--" (Not configured) to use the default setting. The default is All. If you select Filter, click Add Rule to specify a filter, condition, and value for each rule. Click Add to save each rule.

    For users to enroll with a username and password, the domain suffix must be listed in Settings > Customization > Suffix. Refer to Manage login suffixes for more information about login suffixes.

    Alternately, you can instruct users to change the cloud URL in the CyberArk Identity mobile app Settings to match your tenant URL.

     

    Permit OS X device enrollment

    Use the drop-down menu to select All to allow users to enroll any OS X device, Filter to define enrollment rules for OS X devices, None to prevent users from enrolling OS X devices, or "--" (Not configured) to use the default setting. The default is All. If you select Filter, click Add Rule to specify a filter, condition, and value for each rule. Click Add to save each rule.

    If you permit OS X device enrollment, the Enable "Enroll your Mac" prompt at portal login drop-down menu appears. Select Yes to prompt users to enroll when they log in to the CyberArk Identity User Portal from an OS X device, No to not prompt users to enroll, or "--" (Not configured) to use the default setting. The default is No.

    Permit Windows device enrollment

    Use the drop-down menu to select All to allow users to enroll any Windows device, Filter to define enrollment rules for Windows devices, None to prevent users from enrolling Windows devices, or "--" (Not configured) to use the default setting. The default is All. If you select Filter, click Add Rule to specify a filter, condition, and value for each rule. Click Add to save each rule.

  5. Click Save.

  6. Click Policy Settings.

  7. Specify the policy assignment:

    Policy assignment

    Description

    All users and devices

    Applies this policy to all users and devices enrolled on CyberArk Identity.

    Specified Roles

    Click Add to select the roles to which you want this policy applied.

    Sets (NOT applicable for unenrolled devices)

    Specify the set type (currently only Device type is supported) for enrolled devices and the set parameters (iOS devices, corporate owned devices, and so on). Sets are a collection of devices, users, etc.

    Do not use this option when configuring a policy for device enrollment. Sets only apply to enrolled devices. If you assign this policy to users who do not already have a device enrollment policy (through the All Users and Devices or Specified Roles option), device enrollment will fail.
  8. Click Save.

Send a one-time enrollment invitation

You can send a SMS for users to enroll a device outside of the user creation or device enrollment process. If you did not enable this option previously, you can do it per user.

  1. Log in to the Admin Portal.

  2. Click Core Services > Users.

  3. Right click the relevant user and select Send SMS invite for device enrollment.

  4. Accept the confirmation prompt.

Enroll Mac devices on behalf of users

Enrolling Mac devices in CyberArk Identity using the Mac Cloud Agent provides:

  • endpoint authentication

    Enrolling a Mac with CyberArk Identity (cloud-join) provides endpoint authentication; provisioned users can authenticate (basic authentication or multi-factor authentication) to their machines without depending on direct connectivity (LAN or VPN) to the directory source (for example, Active Directory).

  • adaptive multi-factor authentication

  • Certificate-Based Authentication (CBA), also called Zero Sign-On

  • application management

  • location reporting

The Mac Cloud Agent requires a local account with a username that matches the directory source (CyberArk Cloud Directory or AD) username to enforce MFA.

If the user that you want to enroll already has a local account on the Mac, you should rename the local account to match the username of the account you plan to enroll the device on behalf of. For example, if a user logs in to a local account FirstName and you want to enroll the device on behalf of an AD user FirstName.LastName@mydomain.com, you should rename the local account FirstName to FirstName.LastName so the user can continue using the same desktop after enrollment. Refer to https://support.apple.com/en-us/HT201548 for more information about renaming a user's home directory.

If no matching local account is found, the enrollment process creates a new local account with the same username as the directory source. For example, if the user logs in as FirstName and you enroll the device for an AD user FirstName.LastName@mydomain.com, the enrollment process creates a new local user FirstName.LastName; this new local account does not keep the same desktop and browser settings.

Requirements to enroll Macs on behalf of users

You can enroll Mac devices on behalf of users if the following requirements are met:

  • You are in a role with the Device Enroll On Behalf Of administrative right enabled.

    Refer to Admin Portal administrative rights for more information.

  • You are in a role where Permit device enrollment is enabled via policy.

    Refer to Enroll devices for more information.

Enroll a Mac device on behalf of another user

  1. From the downloads page in the Admin Portal, select Agents from the drop-down menu and download the Mac Cloud Agent.

    The Mac Cloud Agent download begins (CyberArk-Mac-Agent.dmg).

  2. Open the (CyberArk-Mac-Agent.dmg) file, then double-click the (CyberArk-Mac-Agent.pkg) file.

    The installer for Mac Cloud Agent opens.

  3. Click through the on-screen instructions, agreeing to the software license agreement and entering administrator credentials when necessary.

  4. Select Launch CyberArk Agent, then click Continue.

    The Sign In window appears.

  5. Enter the user credentials for an admin user in a role with the Device Enroll On Behalf Of administrative right assigned.

    Refer toAdmin Portal administrative rights for more information.

  6. Click Enroll this mac for a different user.

    The Enroll this mac for a different user window appears.

  7. Complete the User to Enroll and Account Name fields, then click Enroll.

    Enter the admin credentials of the local admin user on the Mac when prompted.

    Field Description

    User to Enroll

    Enter the username and domain suffix that the user will use to log in to the User Portal.

    For example, myuser@mydomain.com.

    Account Name

    Select the username for the account associated with the user.

    For example, myuser.

    You can click the arrows in the menu to see a list of all users (either local users or users in the domain that the device is joined to) or start typing the username to filter the list. If you don’t see the account associated with the user, make sure the user exists or your device is joined to the AD domain

  8. Click Done when you see the Enrollment Complete message.

  1. From the downloads page in the Admin Portal, select Agents from the drop-down menu and download the Mac Cloud Agent.

    The Mac Cloud Agent download begins (CyberArk-Mac-Agent.dmg).

  2. Open the (CyberArk-Mac-Agent.dmg) file, then double-click the (CyberArk-Mac-Agent.pkg) file.

    The installer for Mac Cloud Agent opens.

  3. Click through the on-screen instructions, agreeing to the software license agreement and entering administrator credentials when necessary.

  4. Select Launch CyberArk Agent, then click Continue.

    The Sign In window appears.

  5. Enter the user credentials for an admin user in a role with the Device Enroll On Behalf Of administrative right assigned.

    Refer toAdmin Portal administrative rights for more information.

  6. Click Enroll this mac for a different user.

    The Enroll this mac for a different user window appears.

  7. Complete the User to Enroll and Account Name fields, then click Enroll.

    Enter the admin credentials of the local admin user on the Mac when prompted.

    Field Description

    User to Enroll

    Enter the username and domain suffix that the user will use to log in to the User Portal.

    For example, myuser@mydomain.com.

    Account Name

    Select the username for the account associated with the user.

    For example, myuser.

    You can click the arrows in the menu to see a list of all users (either local users or users in the domain that the device is joined to) or start typing the username to filter the list. If you don’t see the account associated with the user, make sure the user exists or your device is joined to the AD domain

  8. Click Download to download the MDM profile, then close the Mac Cloud Agent.

  9. Open System Preferences, then click Profiles.

  10. Select the CyberArk Identity profile from the list of downloaded profiles, then click Install... and confirm the installation, entering your admin credentials as needed.