Targeted Threat Protection - URL Protect - Device Enrollment

This article contains information on Mimecast's Device Enrollment feature, explaining how it enhances security for accessing attachments and links, benefits like tracking forwarded messages, and steps for enabling and managing device enrollment with cookies and authentication.

See the Email Security Cloud Gateway Knowledge Hub for detailed information on configuring, optimizing, integrating, and troubleshooting.

How Device Enrollment Works

Device enrollment enhances security when accessing attachments and links in messages by using an authentication service. A cookie is stored on the user's device if the authentication service is turned on.

See the Apple Support guide on how to disable Private Browsing mode.

When a user accesses a Targeted Threat Protection service (e.g., a rewritten link or an attachment release link), a check is made to see if the cookie is on their device:

  • If yes, the user is allowed to access the service.
  • If not, the user must complete a two-step authentication process to enroll their device. Once their device is enrolled, a cookie is added to their browser, which is used for future interactions with our Targeted Threat Protection service.

Once a cookie is stored on the end user's device, it's renewed with each additional Targeted Threat Protection service interaction. You can set an expiry period for the cookie. However, because the cookie is renewed with each interaction, the user enrolls only once, unless the cookie expires before they next access the service.
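The check-and-renew flow described above can be modeled as follows. This is an added example, not Mimecast's implementation: the cookie format, the signing key, the 30-day expiry, and all function and field names are assumptions chosen for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # assumption: server-side signing key
COOKIE_TTL = 30 * 24 * 3600       # assumption: admin-set expiry period (30 days)

def _sign(body):
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest()

def issue_cookie(user, now):
    """Bind the enrolled identity and an expiry time under a signature."""
    claims = {"user": user, "exp": now + COOKIE_TTL}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return body.decode() + "." + _sign(body)

def read_cookie(cookie, now):
    """Return the enrolled user, or None if missing, tampered or expired."""
    if not cookie or "." not in cookie:
        return None
    body, sig = cookie.rsplit(".", 1)
    if not hmac.compare_digest(sig.encode(), _sign(body.encode()).encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims["user"] if claims["exp"] > now else None

def access_service(cookie, link_sent_to, now, enrolled_as=None):
    """Model one click on a rewritten link.

    enrolled_as is the identity proven by two-step authentication,
    set only when the user has just completed enrollment.
    """
    user = read_cookie(cookie, now) or enrolled_as
    if user is None:
        # No valid cookie: the device must enroll before access is given.
        return {"allowed": False, "action": "enroll", "cookie": None}
    # The cookie is reissued on every interaction (sliding expiry), and the
    # click is attributed to the enrolled user, who may differ from the
    # recipient the link was originally rewritten for (forwarded message).
    return {"allowed": True, "clicked_by": user,
            "link_sent_to": link_sent_to, "cookie": issue_cookie(user, now)}
```

Because the expiry slides forward on each access, only a gap in use longer than the expiry period sends the user back through enrollment.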

Benefits of Device Enrollment

Device enrollment offers the following security benefits:

  • The user who clicks a link in a forwarded message is recorded. If a message containing a URL is forwarded, the recipient that clicks on the link is recorded in a log file. Without device enrollment, the log entry shows the details of the user who received the original message, not the recipient of the forwarded message.
  • Releases attachments found in internally forwarded messages to the recipient. If the "Release Forwarded Internal Attachment" option is enabled in an Attachment Protection definition, users can release an attachment from the sandbox when a message is forwarded. If the option isn't set and device enrollment is not enabled, the attachment is released to the original forwarder instead. See Attachment Protect Definitions for full details.
  • User awareness checks are not available externally. User awareness is not available for non-Mimecast customers.
  • Releases attachments sent to a distribution list to the recipients. If device enrollment is enabled and a distribution list recipient requests an attachment, it's sent to that user only. If device enrollment is not enabled and a distribution list recipient requests an attachment, it's sent to everyone on the list.
  • The logs record the user details when a message is sent to a distribution list and a recipient clicks on a link where URL Protection is applied to embedded links. The URL is rewritten before the message is forwarded to Exchange. Once the message is exploded, everyone gets a copy of the same message. As a result, you can track which distribution list recipient clicked on the link.

For troubleshooting Device Enrollment issues, please see the Troubleshooting section of Managing Device Enrollment.
