Remote user enrollment

By design Defguard core is meant to be deployed securely within your infrastructure and only accessible from within the internal network or by VPN.

This introduces an issue with onboarding new users and forces the admin to choose an initial password, setup a VPN device for them, and pass on those details to the end user using possibly insecure channels.

To avoid this issue you can deploy a public Defguard proxy which enables a secure enrollment process.

Here is a video showcasing:

  • how admin adds a user with secure remote enrollment

  • then what the enrollment process looks like for the user

The proxy is included when using the default deployment instructions.

Please also see the relevant configuration options for core and the proxy itself.

How to initiate user secure enrollment

When adding a new user please select the option: Use user self-enrollment process:

By enabling this option, the admin only provides the user data and cannot set the user's password; the user creates their own password during the enrollment process in the desktop client.

After filling out the user data, there are two options to start the process for the user:

  1. Automatic: Sending token by email (this requires SMTP to be configured) - the user will receive an email with all the instructions on how to initiate the enrollment process

  2. Manual: Deliver the token yourself — this will only display the URL and token that must be handed over to the user personally.

The email address you specify for delivering the enrollment token can be any email available to the user. It does not have to be the same one used when creating an account as we assume that a new user does not yet have access to their official company email account.

When the user adds a Defguard instance in the Desktop client using the received token, not only is the VPN client configured, but the user can also:

  • set up their password

  • configure MFA, which is required to connect to MFA-protected locations

This means the user may not even have access to Defguard itself, but can still configure both VPN and MFA!

Restarting enrollment manually

If there are any issues with the enrollment process (failed notification delivery, a lost token, etc.), you can restart it:

  • Go to Users page

  • Find the relevant user and click on the Action button on the right

  • A Start enrollment option should be available in the pop-over menu

  • Clicking it will open the same Start enrollment modal where you can choose how to deliver the enrollment token

Performing remote enrollment (as a user)

As a new user, after an admin starts the enrollment process, you will receive your enrollment token.

If you receive an email notification, just click the link, and you'll be redirected to the enrollment wizard.

If the admin decides to deliver your token through some other secure means, you'll have to go to the specified enrollment page and enter the token manually.

By following the enrollment wizard, you'll be able to do the following:

  • verify that your data is correct

  • activate your user account

  • choose your password

  • add an initial device for VPN access

After completing the wizard, you should be able to connect to the VPN and access the main Defguard web UI.

Enrollment settings

As an admin, you can configure enrollment-related settings on the Enrollment page. This includes:

  • Making the VPN device step optional or mandatory in the enrollment wizard

  • Customizing the user onboarding messages.

Message template tags

There are several template tags (similar to Jinja2 tags) that you can use in the onboarding messages to insert some dynamic content:

  • {{ first_name }} - newly created user first name

  • {{ last_name }} - newly created user last name

  • {{ username }} - newly created user username/login

  • {{ admin_first_name }} - first name of the administrator who initiated the enrollment process

  • {{ admin_last_name }} - last name of the administrator who initiated the enrollment process

  • {{ admin_phone }} - phone number of the administrator who initiated the enrollment process

  • {{ admin_email }} - email of the administrator who initiated the enrollment process

  • {{ defguard_url }} - internal Defguard URL (your Defguard instance address)

  • {{ defguard_version }}
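The following is an added example, not part of the Defguard documentation or the Defguard code base. It shows how the tags listed above behave in a Jinja2-like template: a small renderer that accepts only the tags named on this page, rejects any unknown tag (so a typo such as `{{ pasword }}` is caught before the template is saved rather than reaching a new user as literal text), and fills the known tags from a context dictionary. The sample context and template are constructed for illustration; the rendering engine Defguard actually uses is not specified on the page, so treat this as an approximation of the documented tag syntax, not as Defguard's own implementation.

```python
import re
from typing import Dict, List

# Tags the documentation lists as available in onboarding messages.
ALLOWED_TAGS = {
    "first_name", "last_name", "username",
    "admin_first_name", "admin_last_name", "admin_phone", "admin_email",
    "defguard_url", "defguard_version",
}

# Matches "{{ name }}" with optional whitespace inside the braces,
# which is the Jinja2-style form shown in the docs.
TAG_RE = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def find_tags(template: str) -> List[str]:
    """Return every tag name used in the template, in order of appearance."""
    return TAG_RE.findall(template)


def unknown_tags(template: str) -> List[str]:
    """Return tag names that are not in the documented tag set (deduplicated)."""
    seen: List[str] = []
    for name in find_tags(template):
        if name not in ALLOWED_TAGS and name not in seen:
            seen.append(name)
    return seen


def render_message(template: str, context: Dict[str, str]) -> str:
    """Substitute documented tags; refuse templates with unknown or unfilled tags."""
    bad = unknown_tags(template)
    if bad:
        raise ValueError("unsupported template tag(s): " + ", ".join(bad))
    missing = sorted(set(find_tags(template)) - set(context))
    if missing:
        raise KeyError("no value supplied for tag(s): " + ", ".join(missing))
    return TAG_RE.sub(lambda m: context[m.group(1)], template)


# Constructed sample values standing in for the data Defguard would supply.
SAMPLE_CONTEXT: Dict[str, str] = {
    "first_name": "Ada",
    "last_name": "Lovelace",
    "username": "ada.lovelace",
    "admin_first_name": "Grace",
    "admin_last_name": "Hopper",
    "admin_phone": "+1 555 0100",
    "admin_email": "grace.hopper@example.test",
    "defguard_url": "https://defguard.example.internal",
    "defguard_version": "0.0.0-example",
}

# Constructed onboarding message using the documented tags.
SAMPLE_TEMPLATE = """Hi {{ first_name }},

{{ admin_first_name }} {{ admin_last_name }} has started your Defguard enrollment.
Your login will be {{ username }}. Once enrolled, you can reach Defguard at {{ defguard_url }}.
Questions? Email {{ admin_email }} or call {{ admin_phone }}."""

if __name__ == "__main__":
    print(render_message(SAMPLE_TEMPLATE, SAMPLE_CONTEXT))
```

Rejecting unknown tags at save time is the useful part: a template that silently passes `{{ pasword }}` through would ship a confusing message to a user who, by design, has no other channel to Defguard yet. If the onboarding message is delivered as HTML rather than plain text, the substituted values (names and the admin's contact details are admin-entered data) should additionally be HTML-escaped before insertion; this example assumes a plain-text message and does not escape.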
