Enrollment Options and Best Practices

Specops Software strives to create solutions that are simple to deploy, manage, and understand. Specops Password Reset (SPR) is a great example of this goal. Deploying Specops Password Reset is straight forward. For most organizations the initial setup and deployment will only take a few hours. As with many enterprise class solutions, the user experience needs to be bootstrapped. With SPR this process is called “Enrollment.” Setting your expectations and understanding your roll out goals will help you complete this process as soon as possible.

Introduction

In today’s IT world no two end-users are the same. Some users sit on traditional ‘domain joined’ Windows computers, while some use MAC, Linux or other operating systems. Mobile users do most of their work on their devices and roam from hotel to customer site to mobile office and more. This reality creates the need for flexibility. SPR provides IT administrators’ flexibility in deciding how to get their end users enrolled in the password management system. Below you will find descriptions of the different enrollment options available in SPR. The enrollment process is only required when you are using Challenge Response Questions.

Windows Domain Joined Systems

This is typically the most common scenario for enterprise organizations and has the most functionality in the solution. The Specops Client component provides a few different capabilities. Being on a Windows domain joined computer is a requirement for the Client.

Balloon Tip

The least intrusive method of communicating the need to enroll is through a balloon tip. When a user who has not enrolled, logs in to a domain joined Windows computer, a balloon tip will launch reminding them to enroll. If the user clicks on the balloon tip it will bring them to the web page for enrollment.

Alt text for this image

Start Browser

If you want to crank it up a bit, you can have the browser launch with reminders to enroll. Remember this only shows for users who should enroll, but have not. In this scenario the user logs into the system and IE will launch the SPR Enrollment web site.

Alt text for this image

The user can now complete the enrollment process or close the window and avoid enrolling in the system. Our experience shows us that most will enroll and the word will spread through the user community about how simple the process is to complete.

There are, however, last mile challenges for some customers such as “how do I get the last 5% of my users enrolled?”

Note: The experience for the Web application is customizable with a simple tool provided with SPR. You can add your own logos, backgrounds and custom wording with the Web Customization Tool. This allows you to create a personalized experience for your organization and your users. The increases familiarity and trust in the solution.

Start Unclosable Fullscreen Browser

This is the most intrusive method to get your users to enroll in the system. This method takes over the desktop until the user finishes the enrollment process. When an IT administrator chooses this configuration, they are presented with an informational warning reminding them that it will take over the desktop until completed. For many organizations this is exactly what they need to reach their 100% enrollment goals.

In this scenario the user logs in and IE opens ‘fullscreen’ without the option to close the Windows. The user will have no choice but to walk through the process. The below screenshot is the full desktop consumed by IE.

Alt text for this image

Remote or Roaming Users

The email notification method is great for non-traditional users. If they are always or often out of the corporate network, or if they don’t use domain joined Windows machines, this method helps get the word out. It is implemented as a simple email notification. This notification will be sent once a day until the user is enrolled in the system. This capability is a very popular way to communicate with users who work on non-Windows operating systems, or non-domain joined machines.

Alt text for this image

Auto-Enrollment

There are times where organizations want to setup the environment and not require the users to go through the enrollment process. We do not typically recommend this process for one specific reason. If you know both the question and answer pairs (e.g. User Ken = Q; What is your favorite color? A; Blue) to enroll in the system, logic dictates that it is less secure than if you don’t. But, we do understand the need and have provided a means to do this. We perform this task through PowerShell.

The SPR PowerShell PSSnapIns are configured when you setup the administration tools. You can execute the cmdlet to Auto-Enroll a user with the following command line.

Copy

Shell Script

PS: C:\> New-PasswordResetEnrollment –UserName kevins –QuestionsAndAnswers @{‘What is your name?’=’King Arthur’;’What is your quest?’=’I seek the holy grail’;’What is the air speed velocity of a sparrow?’=’African or European’}

If you are familiar with PowerShell you may already assume that you can use a CSV file with users, questions and answers and pipe it into this ‘New-PasswordResetEnrollment’ cmdlet. You would be correct. The script to do this is simple and the .csv file is easy to create.

Alt text for this image

More details on how to configure enrollment options can be found in the Specops Password Reset Administration Guide.

Reporting

Last but not least, you will want to track your enrollment process. Specops Password Reset includes a simple and focused reporting experience that provides reports on:

  1. Enrolled users
  2. System utilization
  3. License utilization

For enrollment needs, understanding your progress is as easy as opening a web page. A link to the SPR reporting page will be available in the start menu of any machine with the Administration Tools are installed. Everything you need to know to ensure you are tracking to your goals is on this first page.

Alt text for this image