Enable invitation-based device enrollment

This topic describes how to allow users to enroll their devices without completing MFA challenges. Users select the enrollment link in the invitation, and the certificate exchanges happen automatically. This option is ideal for smart card users who need to enroll their mobile devices, because these users do not have passwords.

Both Android and iOS devices are supported.

We support the following mobile browsers for invite-based enrollment.

Invite-based enrollment browser support

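| Mobile app platform | Chrome | Edge | Safari | Firefox | Opera |
|---------------------|--------|------|--------|---------|-------|
| Android             | Yes    | No   | No     | Yes     | No    |
| iOS                 | No     | Yes  | Yes    | No      | Yes   |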

To enable invitation-based enrollment for mobile devices:
  1. Go to Core Services > Roles.

  2. Create a new role or select an existing role.

  3. Click Members > Add.

  4. On the Add Members window, search for and select the objects that you want to add to the role membership, then click Add and save the changes.

  5. Click Policies and either click Add Policy Set or select an existing policy.

  6. Go to Endpoint Policies > Device Enrollment Settings.

  7. Select Yes for Permit device enrollment.

  8. Select Yes for Skip MFA for invite-based enrollment.

  9. In the Invite based enrollment link expiration (default 60 minutes) policy, select the length of time (in minutes) that the invitation remains valid.

  10. Configure the other policies as necessary, then click Save.

  11. Go to Policy Settings > Apply policy to specific roles and select the role you created or selected previously, then click Save.

  12. Click Users, select the relevant users, go to Actions, and select either Send SMS invite for device enrollment or Send email invite for user portal setup to have CyberArk Identity send a text or email message with the enrollment link.

The selected users can now enroll their device through email, SMS, or QR Code without completing MFA challenges.