Create client enrollment policies
Advanced Server Access (ASA) admins can configure clients to behave differently when enrolling in a team, which gives them more control over their teams. For example, you can require that a client get explicit permission from an Advanced Server Access admin to enroll in a team, or that it remain unbound on a machine until someone is assigned to it. Advanced Server Access offers a range of flexibility for teams that are looking to grow or add more security to their environments. Client enrollment policies can be helpful for enrolling machines that are waiting to be assigned, or for admins who want more control over which users are able to join their teams.
Types of client enrollment policies
There are two types of Client Enrollment Policies that Admins can create:
- Self-Enrollment Policies
- Token Policies
The default enrollment method is self-enrollment, where users can enroll themselves in a team provided that they know the name of the team and can authenticate against Okta. A token enrollment policy allows for a client to be "unbound", which means that the client is enrolled in a team without being associated with a specific user. The client is only bound to a specific user when that user signs in to their team with the unbound client.
Admin approval can be required for both types of enrollment policies, and can be revoked at any time.
Create a client enrollment policy
- To create a client enrollment policy, navigate to the ASA dashboard.
- Select Clients
- Select the Enrollment Policies tab.
- Click Create Client Enrollment Policy.
- Select either a Token or Self-Enrollment policy from the Create Client Enrollment Policy drop-down box.
- Enter a description for the policy in the Description field.
- To require admin approval for clients enrolling with this policy, select the Require Admin Approval check box.
- Click Create Client Enrollment Policy.
Once you have finished the above steps, you have created a Client Enrollment Policy.