Targeted Threat Protection: Device Enrollment

Document created by user.oxriBaJeN4 Employee on Oct 5, 2015. Last modified by user.oxriBaJeN4 Employee on Jul 11, 2019.
Version 23

This guide describes how device enrollment works with Mimecast's Targeted Threat Protection, and the benefits of enabling this authentication service for end user devices.


Applies To...


  • Administrators responsible for managing device enrollment on end user devices.


How Device Enrollment Works


Device enrollment enhances security when accessing attachments and links in messages, by using an authentication service. If the authentication service is turned on, a cookie is stored on the user's device. 


When a user accesses a Targeted Threat Protection service (e.g. a rewritten link or an attachment release link), a check is made to see if the cookie is on their device:

  • If yes, the user is allowed to access the service.
  • If no, the user must complete a two-step authentication process to enroll their device. Once their device is enrolled, a cookie is added to their browser, which is used for future interactions with our Targeted Threat Protection service. 


Once a cookie is stored on the end user's device, it's renewed with each additional Targeted Threat Protection service interaction. You can set an expiry period for the cookie. However, because the cookie is renewed with each interaction, the user only has to enroll once, unless the cookie expires before they next access the service.
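The check-and-renew flow described above can be modelled as a signed cookie with a sliding expiry. This is an added example, not Mimecast's implementation: the key, the 30-day expiry period, the cookie layout and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for illustration; not Mimecast's key, TTL or cookie format.
SECRET = b"constructed-demo-key"
TTL_SECONDS = 30 * 24 * 3600  # stands in for the administrator-set expiry period


def issue_cookie(user, now):
    """Create a signed enrollment cookie that expires TTL_SECONDS after `now`."""
    claims = json.dumps({"user": user, "exp": now + TTL_SECONDS}).encode()
    body = base64.urlsafe_b64encode(claims).decode()
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def read_cookie(cookie, now):
    """Return the enrolled user, or None if the cookie is absent, forged or expired."""
    if not cookie or "." not in cookie:
        return None
    body, tag = cookie.rsplit(".", 1)
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:
        return None
    return claims["user"] if now < claims["exp"] else None


def access_service(cookie, now):
    """One interaction with the protected service.

    Returns (decision, user, cookie_to_set). A valid cookie is reissued with a
    fresh expiry (sliding renewal); otherwise the device must be enrolled.
    """
    user = read_cookie(cookie, now)
    if user is None:
        return ("enroll", None, None)
    return ("allow", user, issue_cookie(user, now))


def complete_enrollment(user, now):
    """Called once the two-step authentication has succeeded (not modelled here)."""
    return issue_cookie(user, now)
```

Because every successful interaction reissues the cookie, re-enrollment is only triggered when the gap between two interactions exceeds the expiry period.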


Benefits of Device Enrollment


Device enrollment offers the following security benefits:

The user who clicked a link in a forwarded message is recorded.

If a message containing a URL is forwarded, the recipient that clicks on the link is recorded in a log file. Without device enrollment, the log entry shows the details of the user that forwarded the message, not the recipient.

Releases attachments found in internally forwarded messages to the recipient.

If the "Release Forwarded Internal Attachment" option is enabled in an Attachment Protect Definition, users can release an attachment from the sandbox when a message is forwarded to them. If the option isn't set, and device enrollment is not enabled, the attachment is released to the original forwarder instead.

Releases attachments sent to a distribution list to the recipients.

If device enrollment is enabled, and a distribution list recipient requests an attachment, it's sent to that user only. If device enrollment is not enabled, and a distribution list recipient requests an attachment, it's sent to everyone on the distribution list.

User awareness checks are not available externally.

User awareness is not available for non-Mimecast customers. If an external user clicks on the link, and they aren't a Mimecast customer, they must enroll their device to access the link. 

Where a message is sent to a distribution list and a recipient clicks on a link where URL Protection is applied to embedded links, the logs record the user details.

The URL is rewritten before the message is forwarded to Exchange. Once there, the message is exploded and everyone gets a copy of the same message. As a result, you're able to track which distribution list recipient clicked on the link.

