Choose Zero Trust Access Enrollment Methods for Your Organization
There are two ways to enroll user devices for Zero Trust Access:
- Enrollment using certificates
  - Use this method to enroll user devices without requiring user action or awareness. See Use Certificate Enrollment Without User Action.
  - Users cannot accidentally or intentionally unenroll the zero trust client module on their device.
  - This option is currently available only for Windows and macOS devices.
  - Periodic enrollment renewal is automatic if requirements are still met.
  - For setup instructions, see Enroll Devices in Zero Trust Access Using Certificates.
- Enrollment using SSO authentication, such as SAML
  - This method requires users to sign in on their device and follow simple prompts using information that you provide to them outside of Secure Access.
  - This method is available on all client platforms: Windows, macOS, iOS, and Android.
  - This is the default enrollment method and is always enabled.
  - Users of managed or unmanaged devices can use this enrollment method.
  - For setup instructions, see Use SSO Authentication for Zero Trust Access Client Enrollment.
If you enable both methods, a device can use either method if the per-device and per-user requirements are met. Each device requires only one method to enroll.
If you deploy a certificate-based configuration file on a device, SAML-based enrollment is automatically disabled. If you remove the certificate-based configuration file from the device, SAML-based enrollment automatically becomes available for that device.
Both enrollment authentication mechanisms are used only for enrollment and enrollment renewal; they are not involved in per-session connectivity when end users access resources. Per-session authentication is managed by the Zero Trust Access feature.
Both methods require periodic enrollment renewal.