- Cookies are expiring, forcing your user to enroll.
- Your users have to enroll different web browsers on the same device.
- Your users need to enroll their device each time they click a link in a message or request the release of an original email attachment if:
- Their corporate policy enforces cookie deletion.
- They're using a non-persistent desktop configuration where cookies are cleared on logging out.
About Device Enrollment
Device enrollment enhances security when accessing attachments and links in messages by using an authentication service.
See Device Enrollment for further details.
When a user either clicks a link in a message or requests the release of an original email attachment, a check is made to see if their device has been enrolled. This is established by the presence of a browser cookie on their device.
- If the device is enrolled, the browser cookie is found, and the user is allowed access to the link.
- If the device isn't enrolled, there is no browser cookie present, and the user must enroll their device to continue. This requires them to:
- Enter their Email Address.
- Click the Get Authentication Code button. A one-time code is sent to their email address.
- Enter the Authentication Code to enroll the device. Once complete, a cookie is written to the browser, and they're allowed access to the link.
- The user must enroll their device if:
- Device enrollment has been enabled.
- The cookie has expired.
- They use a new or different browser.
- The corporate policy enforces cookie deletion.
- They're using a non-persistent desktop.
The cookie is refreshed each time an end user clicks a link in a message or requests the release of an original email attachment.
Prerequisites
To use the automatic device enrollment functionality, you must have the following enabled and installed:
- Targeted Threat Protection URL Protect with Device Enrollment enabled. See the Enabling/Disabling Device Enrollment section of Managing Device Enrollment.
- Windows: Mimecast Security Agent v1.7 or later installed. See Mimecast Security Agent for Windows and Mimecast Security Agent for Windows Server.
- macOS: Mimecast Security Agent v1.3 or later installed. See Mimecast Security Agent for Mac.
- The user’s discovery method is Domain User or Authenticated User.
The following browsers are supported:
| Browsers | Windows | macOS |
|---|---|---|
| Chrome | Yes | Yes (Up to version 93 only)* |
| Firefox | Yes | Yes |
| Microsoft Edge | Yes | No |
| Internet Explorer 11 | Yes | No |
| Safari | No | Yes (Full Disk Access Required) |
* Chrome browser versions 94 and above store encrypted credentials in Apple’s Keychain, which is not accessible.
Enabling/Disabling Automatic Device Enrollment
You can enable/disable automatic device enrollment by using the following steps:
- Log on to the Mimecast Administration Console.
- Navigate to Web Security | Agent Settings.
- Click on the Settings tab.
- Enable the Automatic Device Enrollment option.
The Mimecast Security Agent automatically enrolls all end-user devices on which it is installed. The user is prompted to restart their browser if it’s open during the initial enrollment.
Revoking Device Enrollment
The Mimecast Security Agent sets a continuous 60-day cookie life. This is irrespective of the number of days set in the Targeted Threat Protection Authentication Duration option in your Account Settings.
To revoke a device, you must:
- Revoke the user’s device. See Managing Device Enrollment and Device Enrollment Best Practice.
- Clear the browser's data and delete the browser cookies. This forces the Mimecast Security Agent to automatically enroll the device again.
Troubleshooting
If you experience issues with device enrollment:
- Verify that automatic device enrollment is enabled. See Enabling/Disabling Automatic Device Enrollment.
- Check that the device's discovery method is set to Domain User or Authenticated User. Local or other discovery methods aren't supported.
- Verify that the Basic Diagnostics show the status of every installed browser:
- Success: A cookie was written.
- Failed: Unable to write a cookie. Continue troubleshooting.
- N/A: A browser was not installed or not found.
Windows:
- Check the browser store for the presence of a valid cookie in the following locations:
- C:\Users\Your User Name\AppData\Local\Google\Chrome\User Data\Default
- C:\Users\Your User Name\AppData\Roaming\Mozilla\Firefox\Profiles
- If the browser store has not been created, open the browser so it can create the store.
macOS:
- If automatic enrollment fails on Safari, double check that the Mimecast Security Agent has disk access permission and that you've opened the browser and a tab at least once.
- If you’re using a device with multiple supported browsers, then you may need to open and restart each browser to dismiss the restart notification.
- If the notification persists, then check the following:
- Safari: Open the browser, navigate to a web page, then close the browser. If the problem continues to persist, then open Preferences | Privacy, then Manage Website data, filter for mimecast.com and then Remove that record.
- Firefox: Navigate to about:profiles and ensure that there is a profile called default-release or default. Profiles with any other names are not supported. We suggest renaming the user’s main profile to default-release.
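The two Firefox checks from the troubleshooting steps above (a supported profile name, and a valid cookie in the browser store) can be scripted. This is an added example, not Mimecast code: it assumes Firefox's `cookies.sqlite` store with a `moz_cookies` table and that the enrollment cookie is scoped to mimecast.com (the domain named in the Safari step); `check_firefox_profiles` and `make_sample_profile` are hypothetical helper names.

```python
import sqlite3, time
from pathlib import Path

SUPPORTED = ("default-release", "default")  # profile names the page says are supported

def check_firefox_profiles(profiles_root, domain="mimecast.com", now=None):
    """Return one status dict per Firefox profile directory under profiles_root."""
    now = time.time() if now is None else now
    results = []
    for prof in sorted(Path(profiles_root).iterdir()):
        if not prof.is_dir():
            continue
        # Firefox names profile directories "<salt>.<profile name>".
        name = prof.name.split(".", 1)[-1]
        status = {"profile": prof.name, "supported": name in SUPPORTED,
                  "store": False, "valid": 0, "expired": 0, "days_left": None}
        db = prof / "cookies.sqlite"
        if db.is_file():
            status["store"] = True
            # Read-only and immutable: never writes to the store; only expiry is read.
            uri = db.resolve().as_uri() + "?mode=ro&immutable=1"
            con = sqlite3.connect(uri, uri=True)
            try:
                rows = con.execute(
                    "SELECT expiry FROM moz_cookies WHERE host = ? OR host LIKE ?",
                    (domain, "%." + domain)).fetchall()
            finally:
                con.close()
            for (expiry,) in rows:
                # Assumption: expiry is epoch seconds; huge values are taken as ms.
                secs = expiry / 1000 if expiry > 10**11 else expiry
                if secs > now:
                    status["valid"] += 1
                    days = round((secs - now) / 86400, 1)
                    status["days_left"] = max(status["days_left"] or 0, days)
                else:
                    status["expired"] += 1
        results.append(status)
    return results

def make_sample_profile(root, dirname, cookies):
    """Constructed test data: a profile directory with a minimal moz_cookies table."""
    prof = Path(root) / dirname
    prof.mkdir(parents=True)
    con = sqlite3.connect(str(prof / "cookies.sqlite"))
    con.execute("CREATE TABLE moz_cookies (name TEXT, host TEXT, expiry INTEGER)")
    con.executemany("INSERT INTO moz_cookies VALUES (?, ?, ?)", cookies)
    con.commit()
    con.close()
```

On Windows, pass the Firefox Profiles directory listed above as `profiles_root`; a profile reported with `supported` false or `valid` 0 matches the failure cases the troubleshooting steps describe.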