This guide applies to Apple, Windows, and Android devices

What is Require Authentication?

Require Authentication is an enrollment setting that allows administrators to force user authentication through an identity provider (IdP) before proceeding with device enrollment. Administrators can match the authenticated IdP user to a user in their IdP and assign the matched user to the device record automatically.

How Require Authentication Works

After configuring a Single Sign-On (SSO) connection in Iru Endpoint and assigning it to an Automated Device Enrollment Library Item or Blueprint on the Enrollment page, users will need to authenticate through an IdP in order to enroll their devices with Iru Endpoint. Iru Endpoint admins can opt to automatically assign users to device records based on email matches. For Automated Device Enrollment configurations that require authentication, admins can prefill and lock account details during setup. This ensures that only authorized users can enroll devices while providing a streamlined enrollment experience.

Configuring Require Authentication with Automated Device Enrollment

To add this Library Item to your Iru Endpoint Library, follow the steps outlined in the Library Overview article.

1. Create Library Item
   Give the new Automated Device Enrollment Library Item a Name.

2. Assign to Blueprints
   Assign to your desired Blueprints.

3. Enable Authentication
   Check the box for Require Authentication.

4. Select SSO Connection
   Select an SSO Connection.

5. Configure User Assignment
   Optionally, Assign user to device record.
   Enabling this option will attempt to match the user authenticated by the identity provider to a user that exists in your user directory integration(s). If the authenticated IdP user’s email address matches the email address in your integrated directory, the user will be assigned to the device.

6. Configure Account Details
   To prepopulate your user’s initial account information to match your IdP, select Prefill primary account details.

7. Lock Account Details
   To ensure that your user cannot change their initial account information, select Lock primary account details.

8. Save Configuration
   Configure the rest of your Automated Device Enrollment Library Item as desired, and click Save.

Configuring Require Authentication with Manual Enrollment

1. Navigate to Enrollment
   Select Enrollment in the navigation bar.

2. Access Manual Enrollment
   Navigate to the Manual Enrollment tab.

3. Enable Authentication
   Scroll down to your desired Blueprint and check the box for Require Authentication.

4. Configure User Assignment
   If desired, check the box to Assign user to device record.
   Enabling this option will attempt to match the user authenticated by the identity provider to a user that exists in your user directory integration(s). If the authenticated IdP user’s email address matches the email address in your integrated directory, the user will be assigned to the device.

Considerations

  • Passport Integration: If you’re using Passport, make sure to turn off Prefill initial account creation details and Lock prefilled account creation details options. These settings conflict with Passport’s account creation process and can cause Setup Assistant errors.
  • SSO Connection Status: Your SSO connection doesn’t need to be “Active” in Settings > Access for enrollment authentication to work. Only set it to Active if you want your Iru Endpoint admins to use that same connection to sign into the web app.
  • User Access: Anyone assigned to the Application in your Identity Provider can enroll devices. You can either reuse your existing admin SSO connection or create a separate one just for device enrollment.
  • User Experience: If you use the same connection for both admin access and device enrollment, your end users will see the Iru Endpoint app in their identity provider’s catalog. Don’t worry - this won’t give them admin access to your Iru Endpoint tenant.
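
The following is an added example, not Iru Endpoint code or tooling: a pre-rollout check that follows from the User Access note and the Assign user to device record behavior described above. It compares a constructed export of users assigned to the IdP application with a constructed export of directory users and lists who could enroll without an email match. The CSV column name and the case-insensitive email comparison are assumptions.

```python
"""Pre-rollout audit: who can enroll, and who would be auto-assigned."""
import csv
import io

# Constructed sample exports; the 'email' column name is an assumption,
# not a vendor export format.
IDP_APP_ASSIGNMENTS = """email
alice@example.com
Bob@Example.com
contractor@example.net
"""

DIRECTORY_USERS = """email
alice@example.com
bob@example.com
carol@example.com
carol@example.com
"""


def _emails(csv_text):
    """Return trimmed, lower-cased values of the 'email' column."""
    rows = csv.DictReader(io.StringIO(csv_text))
    values = ((row.get("email") or "").strip().lower() for row in rows)
    return [v for v in values if v]


def audit_enrollment(assignments_csv, directory_csv):
    """Classify IdP app assignees by how user assignment would resolve.

    Assumption: emails are compared case-insensitively after trimming.
    """
    counts = {}
    for email in _emails(directory_csv):
        counts[email] = counts.get(email, 0) + 1
    assignees = sorted(set(_emails(assignments_csv)))
    return {
        # Can enroll, and exactly one directory record shares the email.
        "matched": [e for e in assignees if counts.get(e) == 1],
        # Can enroll, but no directory email matches: no automatic assignment.
        "can_enroll_unmatched": [e for e in assignees if e not in counts],
        # Directory emails listed more than once: ambiguous match target.
        "duplicate_directory_emails": sorted(e for e, n in counts.items() if n > 1),
    }


if __name__ == "__main__":
    report = audit_enrollment(IDP_APP_ASSIGNMENTS, DIRECTORY_USERS)
    for bucket, emails in report.items():
        print(f"{bucket}: {', '.join(emails) or '-'}")
```

Entries under can_enroll_unmatched are the ones to review before enabling Require Authentication, since they hold an IdP application assignment but have no directory record to tie the device to.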

Google Workspace Setup

  • Use Custom SAML: When using Google Workspace as your identity provider, you must create your SSO connection using Custom SAML. The built-in Google Workspace integration will cause a 403 error during enrollment.
  • 2-Step Verification Scenarios: Here’s what happens depending on the user’s 2-Step Verification status:
      • Already set up: Users see the normal Google authentication window with options for text, authenticator app, or backup codes.
      • Past enrollment period: Users get an error message about not meeting the 2-Step Verification policy. They’ll need to contact their admin to resolve this.
      • Never enabled, still in grace period: Users will see a 404 error.