Remote user enrollment


Last updated 1 year ago


By design defguard core is meant to be deployed securely within your infrastructure and only accessible from within the internal network or by VPN.

This introduces an issue with onboarding new users: it forces the admin to choose an initial password, set up a VPN device for them, and pass those details on to the end user over possibly insecure channels.

To avoid this issue you can deploy a public defguard proxy, which enables a secure enrollment process.

The proxy is included when using the default deployment instructions.

Please also see the relevant configuration options for core and the proxy itself.

In order for the enrollment process to function correctly you must also set up an SMTP server for delivering email notifications.

Enrollment settings

As an admin, you can configure enrollment-related settings on the Enrollment page. This includes:

  • Making the VPN device step optional or mandatory in the enrollment wizard

  • Customizing the user onboarding messages

There are several template tags (similar to Jinja2 tags) that you can use in the onboarding messages to insert some dynamic content:

Message template tags

  • {{ first_name }} - newly created user's first name

  • {{ last_name }} - newly created user's last name

  • {{ username }} - newly created user's username/login

  • {{ admin_first_name }} - first name of the administrator who initiated the enrollment process

  • {{ admin_last_name }} - last name of the administrator who initiated the enrollment process

  • {{ admin_phone }} - phone number of the administrator who initiated the enrollment process

  • {{ admin_email }} - email of the administrator who initiated the enrollment process

  • {{ defguard_url }} - internal defguard URL (your defguard instance address)

  • {{ defguard_version }}

Remote enrollment process

Starting remote enrollment (as an admin)

  • Go to the Users page

  • Click the Add new user button

  • Within the modal that appears, fill in the new user's data as usual, but instead of entering a password check the Use enrollment process checkbox

  • Click the Add user button

  • In the next modal choose whether you want to Send token by email or Deliver token yourself

  • If you choose to deliver the enrollment token by email, provide an email address to which a notification will be sent

The email address you specify for delivering the enrollment token can be any email available to the user. It does not have to be the same one used when creating the account, as we assume that a new user does not yet have access to their official company email account.

  • Click Start enrollment

  • If you choose to deliver the token yourself, you'll be shown a URL and token that you can copy and pass to the user

Restarting enrollment manually

If there are any issues with the enrollment process (failed notification delivery, a lost token, etc.) you can restart it:

  • Go to the Users page

  • Find the relevant user and click the Action button on the right

  • A Start enrollment option should be available in the popover menu

  • Clicking it will open the same Start enrollment modal, where you can choose how to deliver the enrollment token

Performing remote enrollment (as a user)

As a new user, after an admin starts the enrollment process you will receive your enrollment token.

If you receive an email notification, just click the link and you'll be redirected to the enrollment wizard.

If the admin decides to deliver your token through some other secure means, you'll have to go to the specified enrollment page and enter the token manually.

By following the enrollment wizard you'll be able to do the following:

  • verify that your data is correct

  • activate your user account

  • choose your password

  • add an initial device for VPN access

After completing the wizard you should be able to connect to the VPN and access the main defguard web UI.
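The following is an added example, not defguard's own code, that shows how the message template tags listed under Enrollment settings behave when an onboarding message is rendered, and how an admin can check a customized message for typos in tag names before saving it. It treats the tags as plain `{{ name }}` substitutions (the subset of Jinja2 syntax the tag list uses) and assumes the value names supplied at render time match the tag names; the sample template and sample values are constructed for this example.

```python
from __future__ import annotations

import re

# Tag names exactly as given in the page's "Message template tags" list.
SUPPORTED_TAGS = frozenset({
    "first_name", "last_name", "username",
    "admin_first_name", "admin_last_name", "admin_phone", "admin_email",
    "defguard_url", "defguard_version",
})

# Matches {{ name }}, tolerating any whitespace inside the braces.
TAG_RE = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


class UnknownTagError(ValueError):
    """Raised when a template references a tag that is not in SUPPORTED_TAGS."""


def find_tags(template: str) -> list[str]:
    """Return the tag names used in a template, in order of first appearance."""
    seen: list[str] = []
    for name in TAG_RE.findall(template):
        if name not in seen:
            seen.append(name)
    return seen


def validate_template(template: str) -> list[str]:
    """Return the unsupported tag names referenced by the template (empty if valid)."""
    return [name for name in find_tags(template) if name not in SUPPORTED_TAGS]


def render_message(template: str, context: dict[str, str]) -> str:
    """Substitute every supported tag with its value from context.

    Unknown tags raise instead of being silently left in the message, so a
    mistyped tag such as {{ admin_mail }} is caught while editing the template
    rather than discovered by the new user reading the onboarding email.
    A supported tag with no value in context also raises, so a message is
    never sent with an empty URL or contact field.
    """
    unknown = validate_template(template)
    if unknown:
        raise UnknownTagError(f"unsupported tag(s): {', '.join(unknown)}")
    missing = [name for name in find_tags(template) if name not in context]
    if missing:
        raise KeyError(f"no value supplied for tag(s): {', '.join(missing)}")
    return TAG_RE.sub(lambda m: context[m.group(1)], template)


# Constructed sample template; this is not defguard's default message text.
SAMPLE_TEMPLATE = (
    "Hi {{ first_name }} {{ last_name }},\n"
    "your login is {{ username }}. {{ admin_first_name }} {{ admin_last_name }} "
    "started your enrollment; reach them at {{ admin_email }} or {{ admin_phone }}.\n"
    "After enrollment, defguard is available at {{ defguard_url }} "
    "(version {{ defguard_version }})."
)

# Constructed sample values, standing in for what the server supplies at send time.
SAMPLE_CONTEXT = {
    "first_name": "Ada",
    "last_name": "Lovelace",
    "username": "alovelace",
    "admin_first_name": "Grace",
    "admin_last_name": "Hopper",
    "admin_phone": "+1 555 0100",
    "admin_email": "grace@example.com",
    "defguard_url": "https://defguard.internal.example",
    "defguard_version": "1.0.0",
}

if __name__ == "__main__":
    print(render_message(SAMPLE_TEMPLATE, SAMPLE_CONTEXT))
    # A typo in a tag name is reported rather than rendered as-is.
    print(validate_template("Contact {{ admin_mail }} if you have questions."))
```

Running `validate_template` on a customized message before saving it is the useful part: a tag that is not in the list renders as literal text in the real onboarding email, and this check reports it up front.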