Skip to main content

Pre-Approved Device Enrollment

If a Pomerium route is configured to require device authentication, then the user must register a trusted execution environment (TEE) device before accessing the route. In Enterprise environments, policies can require that devices be approved in the Pomerium Enterprise Console.

To make the management of approved devices easier, the Enterprise Console lets administrators create registration links that will allow users to register devices as pre-approved, following the TOFU authentication scheme.

This guide instructs Pomerium Enterprise admins on how to create user-specific enrollment links.

Before You Begin

  • This guide is written for Pomerium Enterprise environments,
  • You must have the Admin role in the Enterprise Console to perform these steps.
  1. From the Pomerium Enterprise Console, select Devices from the left-hand menu.

  2. Click the + NEW ENROLLMENT button at the top:

    Visualization of the fist two steps in creating a device enrollment link

  3. From the New Enrollment modal:

    • search for and select the user this URL will be valid for,
    • optionally provide a URL for the user to be redirected to after a successful enrollment,
    • define if the user can enroll any trusted execution environment, or restrict the user to secure envlaves: Screenshot of the New Enrollment Modal
  4. Click Submit to get the URL:

    Screenshot of a new enrollment link

    Provide the URL to the user.