If you restrict enrollment to registered devices only, you also have the option of requiring a registration token. This option increases security by confirming that a particular user is authorized to enroll.
To enable token-based enrollment:
Select the appropriate organization group and navigate to Devices > Device Settings > Devices & Users > General > Enrollment and ensure the Authentication tab is selected.
Scroll down past the Getting Started section and select Registered Devices Only as the Devices Enrollment Mode. A checkbox labeled Require Registration Token appears; select it. Enrollment is then restricted to registered devices only.
Select a Registration Token Type.
- Single-Factor – The token is all that is needed to enroll.
- Two-Factor – A token and login with user credentials are required to enroll.
- Set the Registration Token Length. This required field controls how complex the Registration Token is and must be a value between 6 and 20 alphanumeric characters.
- While you can set the Token Expiration Time (in hours), note that it does not apply to DEP devices at this time.
Alternative methods for generating an enrollment token exist. For more information, see Alternate DEP Device Enrollment Flows.
Specify Enrollment Token Delivery Method
- Navigate to Accounts > Users > List View and select Edit User for a user. (This process also works with creating new users.) The Add / Edit User page displays.
- Scroll down and select a Message Type: Email for directory users and SMS for basic user accounts.
Generate Enrollment Token
Once the MDM profile is installed on the device, the token is considered "used" and cannot be used to enroll other devices. If enrollment was not completed, the token can still be used on another device.
DEP Profile Settings for Token Enrollment
Use a DEP profile with Authentication set to On to prompt the user to enter credentials – a username and password – during the Setup Assistant process. If Require Registration Token is enabled with a Single-Factor token for the organization group in which DEP is configured, the user must enter the one-time token sent to them into both the username and password fields.
For better user experience – and to direct users to follow the process – consider creating a custom message template, which can have a message similar to: "Please enter the one-time token you received through email or SMS into both the username and password fields."