Targeted Threat Protection: Device Enrollment

Document created by user.oxriBaJeN4 Employee on Oct 5, 2015Last modified by user.oxriBaJeN4 Employee on Mar 12, 2018
Version 18Show Document
  • View in full screen mode

This guide describes how device enrollment works with Mimecast's Targeted Threat Protection, and describes the benefits of enabling this authentication service for end user devices. 


Applies To...


  • Administrators responsible for managing device enrollment on end user devices.


How Device Enrollment Works


Device enrollment enhances security when accessing attachments and links in messages, by using an authentication service. If the authentication service is turned on, a cookie is stored on the user's device. When they access a Targeted Threat Protection service (e.g. a rewritten link, attachment release link) a check is made to see if they've the cookie on their device:

  • If they have, they're allowed to access the service.
  • If they haven't, they must complete a two step authentication process to enroll their device. Once their device has been enrolled, a cookie is added to their browser, which is used for future interactions with our Targeted Threat Protection service. 


Once a cookie is stored on the end user's device, it is renewed with each additional Targeted Threat Protection service interaction. You can set an expiry period for the cookie, but because it is renewed with each Targeted Threat Protection service interaction, the end user only enrolls once unless they don't access the service again before the cookie expires.


Benefits of Device Enrollment


Device enrollment offers the following security benefits:


The user who clicked a link in a forwarded message is recorded.

If a message containing a URL is forwarded, the recipient that clicks on the link is recorded in a log file. Without device enrollment, the log entry shows the details of the user that forwarded the message, not the recipient.

Releases attachments found in internally forwarded messages to the recipient.

If the "Release Forwarded Internal Attachment" option is enabled in an Attachment Protection Definition, users can release an attachment from the sandbox when a message is forwarded to them. If the option isn't set, and device enrollment is not enabled, the attachment is released to the original forwarder instead.

Releases attachments sent to a distribution list to the recipients.

If device enrollment is enabled, the attachment is released to everyone on the distribution list. If device enrollment is not enabled, the attachment is released to the original forwarder instead.

User awareness checks are not available externally.

User awareness is not available for non-Mimecast customers. If an external user clicks on the link, and they aren't a Mimecast customer, they must enroll their device to access the link. 


See Also...


8 people found this helpful