Pre-registration is the process of registering a device to an enrollment user without requiring end user interaction to input credentials. This feature is designed for bulk enrollment scenarios such as schools.

Currently, when a pre-registered device is enrolled, any valid enrollment user in that organization group (OG) can authenticate on the device, after which the device is switched to the user it was pre-registered to. When pre-registration is combined with certificate authentication for resources, this creates the risk of user A gaining access to user B's resources (e.g. email with certificate authentication) if the device was pre-registered to user B and accidentally handed to user A.

To resolve this security vulnerability, we will be adding a check that prevents enrollment when the user credentials used for device enrollment do not match the user the device was pre-registered to. The change will not impact IT administrators who use a staging user in this workflow.

Current behavior:

Device pre-registered to user A – User B attempts to enroll = Device enrolled to User A

New behavior:

Device pre-registered to user A – User B attempts to enroll = Device enrollment BLOCKED with error below
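The decision logic before and after the change, as an added illustration that is not Workspace ONE UEM code: the data classes, function names, and the case-insensitive username comparison are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model of the pre-registration enrollment decision described above.
# Not product code; the types and names below are assumptions for illustration.


@dataclass(frozen=True)
class EnrollmentUser:
    username: str
    og: str            # organization group the credentials are valid for
    is_staging: bool   # IT staging account used to enroll on behalf of end users


@dataclass(frozen=True)
class PreRegistration:
    device_id: str
    og: str
    registered_to: str  # username the device was pre-registered to


def _same_user(a: str, b: str) -> bool:
    # Assumption: directory usernames are compared case-insensitively.
    return a.casefold() == b.casefold()


def decide_legacy(prereg: PreRegistration, user: EnrollmentUser) -> Tuple[str, Optional[str]]:
    """Current behavior: any valid enrollment user for the OG may authenticate,
    and the device is then switched to whoever it was pre-registered to."""
    if user.og != prereg.og:
        return ("BLOCKED", None)
    # Vulnerable step: the authenticating user is never compared to the
    # pre-registered user, so user B ends up holding user A's resources.
    return ("ENROLLED", prereg.registered_to)


def decide_hardened(prereg: PreRegistration, user: EnrollmentUser) -> Tuple[str, Optional[str]]:
    """New behavior: the enrolling credentials must belong to the pre-registered
    user, unless they belong to a staging account used by IT."""
    if user.og != prereg.og:
        return ("BLOCKED", None)
    if user.is_staging or _same_user(user.username, prereg.registered_to):
        return ("ENROLLED", prereg.registered_to)
    # Mismatch between enrolling user and pre-registered user: refuse enrollment
    # rather than silently handing the device (and its certs) to the wrong person.
    return ("BLOCKED", None)
```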