
Remote user enrollment

By design, Defguard Core is meant to be deployed securely within your infrastructure and only accessible from within the internal network or by VPN.

This introduces an issue with onboarding new users and forces the admin to choose an initial password, set up a VPN device for them, and pass on those details to the end user using possibly insecure channels.

To avoid this issue, you can deploy a public Defguard Edge (formerly Proxy), which enables a secure enrollment process.

Here is a video showcasing:

  • how an admin adds a user with secure remote enrollment

  • what the enrollment process then looks like for the user

Edge is included when using the default deployment instructions.

Please also see the relevant configuration options for core and the edge itself.

How to initiate user secure enrollment

When adding a new user, choose "Add user with self-enrolment option".

By choosing this option, the admin only provides the user data and cannot set the user's password; the user creates their own password during the enrollment process in the desktop client.

If SMTP is configured, you will see a "Send enrollment details to user by email" checkbox.

If "Send enrollment details to user by email" is checked, the user will receive an email with all enrollment instructions.

If you don't have any SMTP configuration, the Defguard instance URL and activation token must be handed over to the user directly.

The email address you specify for delivering the enrollment token can be any email available to the user. It does not have to be the same one used when creating an account as we assume that a new user does not yet have access to their official company email account.

When the user adds a Defguard instance in the Desktop client using the received token, not only is the VPN client configured, but the user can also:

  • set up their password

  • configure MFA, which is required to connect to MFA-protected locations

This means the user may not even have access to Defguard itself, but can still configure both VPN and MFA!

Restarting enrollment manually

If there are any issues with the enrollment process (failed notification delivery, a lost token, etc.), you can restart it:

  • Go to the Users page

  • Find the relevant user and click on the "…" button on the right

  • An Initiate self-enrollment option should be available in the pop-over menu

  • Clicking it will open the same modal as before.

Performing remote enrollment (as a user)

Obtaining token manually (e.g., via encrypted chat)

  1. Go to the Edge page

  2. Enter your enrollment token and click the "Continue" button

  3. Download the Desktop Client compatible with your operating system.

  4. Enrollment can now be performed in the Desktop Client

Now you can click "One-Click Configuration", which opens the Desktop Client and enters the credentials for you.

Obtaining token via email

  1. Click "Enroll with desktop client", or copy URL/Token manually to Desktop Client

Entering the URL/token inside the Desktop Client will trigger the user enrollment process.

By following the enrollment wizard in Desktop Client, you'll be able to do the following:

  • verify that your data is correct

  • activate your user account

  • choose your password

  • set up an MFA method

  • add an initial device for VPN access

After completing the enrollment process, you will be able to connect to the VPN.

Enrollment settings

As an admin, you can configure enrollment-related settings on the Enrollment page. This includes:

  • Token validity time

  • Enrollment session duration

Message template tags

There are several template tags (similar to Jinja2 tags) that you can use in the onboarding messages to insert some dynamic content:

  • {{ first_name }} - newly created user first name

  • {{ last_name }} - newly created user last name

  • {{ username }} - newly created user username/login

  • {{ admin_first_name }} - first name of the administrator who initiated the enrollment process

  • {{ admin_last_name }} - last name of the administrator who initiated the enrollment process

  • {{ admin_phone }} - phone number of the administrator who initiated the enrollment process

  • {{ admin_email }} - email of the administrator who initiated the enrollment process

  • {{ defguard_url }} - internal Defguard URL (your Defguard instance address)

  • {{ defguard_version }} - Defguard version
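Because a mistyped tag in an onboarding message is only noticed once a user receives it, it is worth checking a template against the documented tag list before saving it. The following is an added, stand-alone example (not Defguard's own renderer) that validates a message template against the tags listed above and then substitutes constructed sample values; it assumes the "{{ tag }}" syntax with optional surrounding spaces.

```python
import re

# Template tags documented on this page for Defguard onboarding messages.
SUPPORTED_TAGS = {
    "first_name", "last_name", "username",
    "admin_first_name", "admin_last_name", "admin_phone", "admin_email",
    "defguard_url", "defguard_version",
}

# Assumed tag syntax: "{{", optional spaces, a name, optional spaces, "}}".
TAG_RE = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def find_unsupported_tags(template: str) -> list[str]:
    """Return tag names used in the template that are not in the documented set."""
    return sorted({n for n in TAG_RE.findall(template) if n not in SUPPORTED_TAGS})


def render_onboarding_message(template: str, values: dict[str, str]) -> str:
    """Reject unknown tags (e.g. the typo admin_phne) before sending, then substitute."""
    unknown = find_unsupported_tags(template)
    if unknown:
        raise ValueError(f"unsupported template tag(s): {', '.join(unknown)}")

    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in values:
            raise ValueError(f"no value supplied for tag: {name}")
        return values[name]

    return TAG_RE.sub(substitute, template)


# Constructed sample template and values; not taken from a real Defguard instance.
SAMPLE_TEMPLATE = (
    "Hi {{ first_name }},\n"
    "{{admin_first_name}} {{ admin_last_name }} created the account "
    "'{{ username }}' for you on Defguard {{ defguard_version }}.\n"
    "Questions? Contact {{ admin_email }} or {{ admin_phone }}."
)
SAMPLE_VALUES = {
    "first_name": "Alice", "last_name": "Example", "username": "alice",
    "admin_first_name": "Bob", "admin_last_name": "Admin",
    "admin_phone": "+1 555 0100", "admin_email": "bob@example.com",
    "defguard_url": "https://defguard.internal.example", "defguard_version": "1.0.0",
}

if __name__ == "__main__":
    print(render_onboarding_message(SAMPLE_TEMPLATE, SAMPLE_VALUES))
```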
