This guide applies to all device platforms
What is Require Authentication?
Require authentication is an enrollment setting that requires the enrolling user to complete single sign-on before device enrollment can finish. You choose which SSO connection to use from those configured in Access (Account Menu Button → Access). Require authentication can also be used alongside Blueprint Routing, which dynamically assigns devices to Blueprints during enrollment using Assignment Rules.
As of April 8, 2026, apps were updated from Kandji to Iru branding. The manual enrollment portal now uses Iru branding.
Manual enrollment (all devices)
On the Enrollment page, open the Manual Enrollment tab. For each Blueprint, you can enable Require authentication so users who enroll through the enrollment portal must complete SSO sign-in before enrollment continues.
Authentication methods
Require authentication for manual enrollment supports Passkeys, Google Social and Microsoft Social, Custom SAML, and Native SSO.
Prerequisites
- Enrollment configured for your platform: Apple, Windows, or Android
- If using Custom SAML or Native SSO: a working SSO configuration in Access
- If using Google Social or Microsoft Social: Limit Authentication to Domain enabled for that connection in Access
Configuring Require Authentication with Manual Enrollment
Open the Blueprint
Scroll down to the Blueprint you want. Click the Blueprint tile or the chevron (down arrow) on the row to expand it.

Assign user to device record
If desired, check Assign user to device record.
When enabled, this option tries to match the authenticated user to a user in your directory integration(s) by email address. If a match is found, the user is automatically assigned to the device.
Automated Device Enrollment (Apple only)
Authentication methods
Require authentication for Automated Device Enrollment supports only Custom SAML, Google Workspace Native, and Microsoft Entra ID Native authentication methods.
Prerequisites
- A working SSO configuration in Access
- Apple devices with Automated Device Enrollment configured. See Configure Automated Device Enrollment.
Configuring Require Authentication with Automated Device Enrollment
To add this Library Item to your Iru Endpoint Library, follow the steps outlined in the Library Overview article. If you already have an Automated Device Enrollment Library Item, open it, click Edit, and skip to step 3.
Assign to Blueprints
Assign it to your Blueprints.
Require authentication
Check Require authentication. This requires a user to authenticate through single sign-on during device enrollment.
Assign user to device record
Optionally, check Assign user to device record to automatically assign the authenticated user to the device.
When enabled, this option tries to match the authenticated user to a user in your directory integration(s) by email address. If a match is found, the user is automatically assigned to the device.
Prefill initial account creation details
When Assign user to device record is enabled, optionally check Prefill initial account creation details to prepopulate the new computer account in Setup Assistant with the assigned user’s details.
If you’re using Passport, make sure to turn off Prefill initial account creation details and Lock pre-filled account creation details. These settings conflict with Passport’s account creation process and can cause Setup Assistant errors.
Lock pre-filled account creation details
Optionally check Lock pre-filled account creation details. If enabled, the user cannot modify the account creation details.

Considerations
General
Tenant Authentication Status
An SSO connection does not need to have Enable Tenant Authentication turned on to be used for Require authentication. Only enable tenant authentication if you also want Iru Endpoint admins to use that same connection to sign in to the Iru Endpoint Web App.
User Experience
If you use the same connection for both admin access and device enrollment, your end users will see the Iru Endpoint app in their identity provider’s catalog. This won’t give them admin access to your Iru Endpoint tenant.
Apple
Google Workspace: Use Custom SAML
When using Google Workspace as your identity provider, you must create your SSO connection using Custom SAML. The built-in Google Workspace integration will cause a 403 error during enrollment.
Google Workspace: 2-Step Verification
Here’s what happens depending on the user’s 2-Step Verification status:
- Already set up: Users see the normal Google authentication window with options for text, authenticator app, or backup codes.
- Past enrollment period: Users get an error message about not meeting the 2-Step Verification policy. They’ll need to contact their admin to resolve this.
- Never enabled, still in grace period: Users will see a 404 error.
Passport Integration (Automated Device Enrollment)
If you’re using Passport, make sure to turn off Prefill initial account creation details and Lock pre-filled account creation details. These settings conflict with Passport’s account creation process and can cause Setup Assistant errors.
Windows
Administrator Rights
Make sure the user enrolling the device has local administrator rights on the Windows machine.
Network Requirements
Make sure the device has internet access and the Microsoft Edge browser. You’ll also need to open the required firewall ports for enrollment to work. For more information, see Microsoft’s documentation on MDM enrollment.
Microsoft Account Prompt
During enrollment, users will see a “This site is trying to open Microsoft account” prompt. Tell them to click Open to continue the process.
Android
Device State
Make sure Android devices are in a factory-restored state before attempting enrollment.
Work Profile
Enrollment creates a work profile that keeps work and personal data completely separate. Work apps go in the work profile, while personal apps stay in the personal profile.
Related Articles
Configuring Apple Enrollment
Configure Apple device enrollment with Automated Device Enrollment (ADE)
Configuring Windows Enrollment
Windows device enrollment and management setup
Configuring Android Enrollment
Android device enrollment and work profile setup
User Experience with Apple Enrollment
What to expect when enrolling your device through the enrollment portal
User Experience with Windows Enrollment
What to expect when enrolling your Windows device through the enrollment portal
User Experience with Android Enrollment
What to expect when enrolling your Android devices and setting up a work profile

