cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
495
Views
0
Helpful
2
Replies

Does someone know if I can enroll a users duo mobile when he is in status "bypass"

Daniel_PE
Level 1
Level 1

Hello,

maybe someone here can help me out. I want to send enrollment mails to my users that are already known in duo but in status “bypass”. I figured out that when the users are in status bypass the enrollment link wont work. Is there a workaround? I want the users to already link their duo user with duo mobile but activating them later on.

Thanks

1 Accepted Solution

Accepted Solutions

DuoKristina
Cisco Employee
Cisco Employee

If the user’s status is “bypass”, there’s no opportunity for self-enrollment because bypass means bypass.

I want the users to already link their duo user with duo mobile but activating them later on.

So, what we call “activation” is I think what you mean by “link their duo user with duo mobile”. I think also when you say “but activating them later on” you mean you want the users all set up to be able to use Duo for MFA, but not actually require them to use MFA. Is that correct?

What we would recommend you do is not apply bypass status to the users, but instead use the new user policy set to allow access and the authentication policy set to bypass 2fa and apply this to your Duo application(s), then set all the users to active status.

With that, your users can perform device enrollment or activation via an emailed link but won’t need to actually perform Duo 2FA when they log in to your protected apps.

Then when you are ready to have everyone start using Duo to log in, just remove the policy settings that are allowing access without 2FA from the applications.

Another option is to enter phone numbers for each user and then sending each of them an activation link.

Duo, not DUO.

View solution in original post

2 Replies 2

DuoKristina
Cisco Employee
Cisco Employee

If the user’s status is “bypass”, there’s no opportunity for self-enrollment because bypass means bypass.

I want the users to already link their duo user with duo mobile but activating them later on.

So, what we call “activation” is I think what you mean by “link their duo user with duo mobile”. I think also when you say “but activating them later on” you mean you want the users all set up to be able to use Duo for MFA, but not actually require them to use MFA. Is that correct?

What we would recommend you do is not apply bypass status to the users, but instead use the new user policy set to allow access and the authentication policy set to bypass 2fa and apply this to your Duo application(s), then set all the users to active status.

With that, your users can perform device enrollment or activation via an emailed link but won’t need to actually perform Duo 2FA when they log in to your protected apps.

Then when you are ready to have everyone start using Duo to log in, just remove the policy settings that are allowing access without 2FA from the applications.

Another option is to enter phone numbers for each user and then sending each of them an activation link.

Duo, not DUO.

Your first recommendation worked. Thank you

Quick Links