Remote user enrollment
By design Defguard core is meant to be deployed securely within your infrastructure and only accessible from within the internal network or by VPN.
This introduces an issue with onboarding new users and forces the admin to choose an initial password, setup a VPN device for them, and pass on those details to the end user using possibly insecure channels.
To avoid this issue you can deploy a public Defguard proxy which enables a secure enrollment process.
Here is a video showcasing:
how admin adds a user with secure remote enrollment
then how the enrollment process looks like for the user
How to initiate user secure enrollment
When adding a new user please select the option: Use user self-enrollment process:

After filling out the user data, there are two options to start the process for the user:

Automatic: Sending token by email (this requires for SMTP to be configured) - the user will receive an email will all the instructions how to initiate the Enrollment process
Manual: Deliver the token yourself — this will only display the URL and token that must be handed over to the user personally.
When the user adds a Defguard instance in the Desktop client using the received token, not only is the VPN client configured, but the user can also:
set up their password
configure MFA, which is required to connect to MFA-protected locations
This means the user may not even have access to Defguard itself, but can still configure both VPN and MFA!
For MFA configuration to be mandatory during the enrollment process, there must be at least one VPN location with MFA enabled. Otherwise, MFA setup will remain optional.
Restarting enrollment manually
If there are any issues with the enrollment process (failed notification delivery, a lost token etc) you can restart it:
Go to Users page
Find the relevant user and click on the Action button on the right
A Start enrollment option should be available in the pop-over menu
Clicking it will open the same Start enrollment modal where you can choose how to deliver the enrollment token
Performing remote enrollment (as a user)
As a new user, after an admin starts the enrollment process, you will receive your enrollment token.
If you receive an email notification, just click the link, and you'll be redirected to the enrollment wizard.
If the admin decides to deliver your token through some other secure means, you'll have to go the specified enrollment page and enter the token manually.
By following the enrollment wizard, you'll be able to do the following:
verify that your data is correct
activate your user account
choose your password
add an initial device for VPN access
After completing the wizard, you should be able to connect to the VPN and access the main Defguard web UI.
Enrollment settings
In order for the enrollment process to function correctly you must also set up an SMTP server for delivering email notifications.
As an admin, you can configure enrollment-related settings on the Enrollment page. This includes:
Making the VPN device step optional or mandatory in the enrollment wizard
Customizing the user onboarding messages.
Message template tags
There are several template tags (similar to Jinja2 tags) that you can use in the onboarding messages to insert some dynamic content:
{{ first_name }}
- newly created user first name{{ last_name }}
- newly created user last name{{ username }}
- newly created user username/login{{ admin_first_name }}
- first name of the administrator who initiated the enrollment process{{ admin_last_name }}
- last name of the administrator who initiated the enrollment process{{ admin_phone }}
- phone number of the administrator who initiated the enrollment process{{ admin_email }}
- email of the administrator who initiated the enrollment process{{ defguard_url }}
- internal Defguard URL (your Defguard instance address){{ defguard_version }}
Last updated
Was this helpful?