This scenario is intended to guide system administrators through the procedures for enabling users to register devices. Users typically register their own devices, but system administrators must enable the relevant settings. When devices are registered, you can manage them in Admin Portal, install mobile device policies, and deploy mobile applications to specified devices.
Registering a device requires Privileged Access Service to push a user certificate to the device. Typically, the User Principal Name (UPN) is used as the subject alternative name of the certificate. If you want to use the Distinguished Name (DN) instead, contact Privileged Access Service Support.
Note: If you have the Direct Control agent installed, you must remove it before installing the Centrify Mac Agent version 19.5 or higher to use MFA for Mac. The MFA for Mac feature is not compatible with the Direct Control agent. Refer to Installing and removing the agent and leaving a domain for more information about uninstalling the Direct Control agent and leaving an AD domain.
Before a user can register a device, you must provide this user with the relevant policy set.
- Log in to Admin Portal.
- Click Access > Roles.
- Create a new role or select an existing role.
- Click Members > Add.
- On the Add Members window, add the users who should be able to register devices, then click Save to save the changes.
- Click Policies and either click Add Policy Set or select an existing policy set.
- Click Devices > Device Registration Settings.
- Select Yes in the Permit device registration policy.
- Configure the remainder of the policy settings.
These settings apply regardless of whether you use the Centrify directory policy service or Active Directory group policies to manage device configuration policies:
| Device registration control setting | To enforce these limitations |
|---|---|
| Allow user notifications on multiple devices | Select Yes to send authentication notifications to multiple registered devices, No to send them to the first registered device only (default setting), or "--" (Not configured) to use the default setting. |
| Enable debug logging | Devices have two logging modes: regular (the default setting) and debug logging. Use this policy to turn on debug logging. Select Yes to enable debug logging, No to set regular logging, or "--" (Not configured) to use the default setting. |
| Enforce fingerprint scan for Mobile Authenticator | Select Yes to require that users provide a fingerprint scan to use the mobile authenticator. Using the associated policy option, users can alternatively use the client application PIN for access. The default setting is No. |
| Permit non-compliant devices to enroll | Prevents noncompliant devices from enrolling. To allow users to enroll a noncompliant device, select Yes in the drop-down menu. Open the tool tip for more information on this policy. |
| Report mobile device location | Select Yes to allow devices to report their location, No to stop devices from reporting their location, or "--" (Not configured) to use the default setting (Yes). |
| Require client application passcode on device | Select Yes to require a passcode to open the client application, No to allow opening the client application without a passcode, or "--" (Not configured) to use the default setting. Note: You must select Yes to enable the other client application passcode policies. |
- Click Policy Settings.
- Specify the policy assignment:
  - All users and devices: applies this policy to all users and devices registered on Privileged Access Service.
  - Specified roles: click Add to select the roles to which you want this policy applied.
  - Sets (not applicable to unregistered devices): specify the set type (currently only the Device type is supported) for registered devices and the set parameters (iOS devices, corporate-owned devices, and so on). Sets are collections of devices, users, and so on. Important: Do not use this option when configuring a policy for device registration. Sets apply only to registered devices. If you assign this policy to users who do not already have a device registration policy (through the All users and devices or Specified roles option), device registration will fail.