Enrollment best practices
In order to start using Specops Authentication, all users and administrators need to enroll with identity services. The number of identity services users need to enroll with depends on how the policies for their particular service are configured (i.e. how many stars need to be accumulated in order to authenticate, change passwords, etc.). However, getting users to enroll with the necessary identity services can be challenging in some organizations. Below are a few suggestions to increase enrollment.
Administrative enrollment (auto-enroll)
The most efficient way to get all users enrolled is to use identity services where users don’t need to enroll, or where the enrollment can be automated. For a list of supported identity services, refer to the Identity services overview page.
Start Unclosable Fullscreen Browser
This is the most intrusive method to get your users to enroll in the system. This method takes over the desktop until the user finishes the enrollment process. When an IT administrator chooses this configuration, they are presented with an informational warning reminding them that it will take over the desktop until completed. For many organizations this is exactly what they need to reach their 100% enrollment goals. Taking over the entire screen and preventing the user from starting other applications is an efficient way of getting users to enroll. It should be seen as a best-effort method, and organizations are encouraged to inform their users to enroll. There are scenarios where the unclosable browser can be bypassed, for instance by advanced users or by users who have multiple monitors. It is recommended to use the unclosable flag while also monitoring the enrollment ratio. Users who have not enrolled after the initial enrollment period is over may need to be encouraged to enroll in other ways.
Managing end-user notifications in uReset
The notification settings affect the Specops Client, an optional component installed on workstations, which can notify users if they are required to enroll in the system. The type of reminders you want your users to receive, and how often they should receive them, can be configured as well.
- In the Gatekeeper Admin Tool, click uReset.
- In the Client Notification GPOs section, find the GPO (if already configured) you want to alter and click Edit, or if no GPOs have been configured yet, click Select GPO, then in the list, mark the correct GPO and click OK.
- In the User status check interval section, configure how often the Specops Client checks the user’s enrollment status. A user that has not enrolled with Specops Authentication will receive an enrollment reminder.
  Note: If Specops Password Policy is also used, this setting also configures how often the user’s password is checked for expiration.
- In the When to show enrollment reminder section, you can configure the reminder to appear at the following events/intervals (the interval refers to the interval set in the previous step):
  - At logon and at each interval
  - At logon only
  - At each interval
  - Never
  Note: When to show enrollment reminder does not affect the password expiration reminder.
- In the enrollment reminder mode settings, select one of the following options:
  - Balloon tip in the notification area: Clicking the reminder will take the user directly to the enrollment web page.
  - Start browser: The reminder opens a browser window with the enrollment web page.
  - Start unclosable fullscreen browser: The reminder opens a fullscreen browser window with the enrollment web page, which cannot be closed until the enrollment has been completed.