Targeted Threat Protection: Device Enrollment

Document created by user.oxriBaJeN4 (Employee) on Oct 5, 2015. Last modified by user.oxriBaJeN4 (Employee) on May 25, 2017.
Version 12

This guide describes the benefits of enrolling devices with Mimecast's Targeted Threat Protection, and outlines the process of managing end user devices.

Applies To...

  • Administrators trying to understand whether to turn on device enrollment.
  • Administrators responsible for managing device enrollment on end user devices.

How Device Enrollment Works

Device enrollment enhances security when accessing attachments and links in messages by using an authentication service. If the authentication service is turned on, a cookie is stored on the user's device. When an end user accesses a Targeted Threat Protection service (e.g. a rewritten link or an attachment release link), a check is made to see if they have the cookie on their device:

  • If they have, they're allowed to access the service.
  • If they haven't, they must complete a two-step authentication process to enroll their device. Once their device has been enrolled, a cookie is added to their browser, which is used for future interactions with our Targeted Threat Protection service.

You can:

  • Set an expiry period for the cookie. See the "Enabling / Disabling Device Enrollment" section below for full details. Once created, the cookie is renewed on each subsequent Targeted Threat Protection service interaction, so the end user enrolls only once, unless the cookie expires before they access the service again.
  • Revoke enrollment on a user's devices.

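The following Python model is added here as an illustration; it is not Mimecast's code and does not describe how Mimecast's service is implemented. It walks through the cookie lifecycle described above: no cookie means the user must enroll, the cookie is renewed on every interaction (a sliding expiry), a cookie that is not renewed lapses after the configured number of days, and revoking a user (as in the "Revoking a User's Devices" section below) invalidates every cookie issued to them. It assumes an HMAC-signed cookie, a one-time code standing in for the two-step process, and a per-user generation counter for revocation; the signing key, user address and dates are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Assumption: a server-side key used to sign cookies; constructed for this example only.
SERVER_KEY = b"constructed-example-key-do-not-reuse"


class EnrollmentService:
    """Constructed model of an enrollment cookie with sliding expiry and revocation."""

    def __init__(self, duration_days: int):
        # Mirrors the 1..365 range of the Authentication Duration (Days) setting.
        if not 1 <= duration_days <= 365:
            raise ValueError("Authentication Duration (Days) must be between 1 and 365")
        self.duration = timedelta(days=duration_days)
        self.generation = {}  # user -> revocation generation (assumption)
        self.pending = {}     # user -> one-time code awaiting step two (assumption)

    def _sign(self, body: str) -> str:
        return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

    def _mint(self, user: str, now: datetime) -> str:
        # Expiry is always "now + duration", which is what makes renewal sliding.
        claims = {"user": user, "gen": self.generation.get(user, 0),
                  "exp": (now + self.duration).isoformat()}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        return f"{body}.{self._sign(body)}"

    def start_enrollment(self, user: str) -> str:
        """Step one: issue a one-time code (constructed stand-in for the two-step process)."""
        code = secrets.token_hex(3)
        self.pending[user] = code
        return code

    def complete_enrollment(self, user: str, code: str, now: datetime) -> Optional[str]:
        """Step two: verify the code and hand back the enrollment cookie."""
        expected = self.pending.pop(user, None)
        if expected is None or not hmac.compare_digest(expected, code):
            return None
        return self._mint(user, now)

    def access(self, cookie: Optional[str], now: datetime) -> Tuple[bool, Optional[str]]:
        """Check the cookie on a service interaction; on success return a renewed cookie."""
        if not cookie or "." not in cookie:
            return False, None  # no cookie: the user must enroll
        body, sig = cookie.rsplit(".", 1)
        if not hmac.compare_digest(self._sign(body), sig):
            return False, None  # tampered or foreign cookie
        claims = json.loads(base64.urlsafe_b64decode(body))
        user = claims["user"]
        if datetime.fromisoformat(claims["exp"]) <= now:
            return False, None  # not used before expiry: enroll again
        if claims["gen"] != self.generation.get(user, 0):
            return False, None  # all of this user's devices were revoked
        return True, self._mint(user, now)  # renewed on every interaction

    def revoke(self, user: str) -> None:
        """Invalidate every cookie minted for the user; they must enroll again."""
        self.generation[user] = self.generation.get(user, 0) + 1


def walkthrough(duration_days: int = 30) -> dict:
    """Exercise the lifecycle on a constructed user and timeline; returns the outcomes."""
    svc = EnrollmentService(duration_days)
    user = "user@example.com"  # constructed
    day0 = datetime(2017, 5, 25, tzinfo=timezone.utc)  # constructed
    results = {}
    results["no_cookie"] = svc.access(None, day0)[0]                    # False: must enroll
    cookie = svc.complete_enrollment(user, svc.start_enrollment(user), day0)
    ok, renewed = svc.access(cookie, day0 + timedelta(days=20))
    results["day20_original"] = ok                                     # True; renewed to day 50
    results["day45_renewed"] = svc.access(renewed, day0 + timedelta(days=45))[0]   # True
    results["day45_original"] = svc.access(cookie, day0 + timedelta(days=45))[0]   # False: lapsed at day 30
    tampered = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")
    results["tampered"] = svc.access(tampered, day0)[0]                # False: signature mismatch
    svc.revoke(user)
    results["after_revoke"] = svc.access(renewed, day0 + timedelta(days=45))[0]    # False
    return results


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value}")
```

The sliding renewal is the point to notice: the cookie presented on day 20 is replaced by one valid to day 50, while the original lapses at day 30, which is why a user who stops interacting with the service is asked to enroll again. Revocation here works by bumping a per-user counter rather than deleting cookies, since a server cannot reach into a browser to remove them.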
Benefits of Device Enrollment

  • Creating Targeted Threat Protection log entries attributed to the local user.
  • Releasing Targeted Threat Protection - Attachment Protect internal forwards to the local user.
  • Releasing Targeted Threat Protection - Attachment Protect attachments received by a distribution list to the local user.

As well as enhancing Targeted Threat Protection security, using the device enrollment authentication service provides the following benefits:

Benefit: The user who clicked a link in a forwarded message is recorded.
Comments: If a message containing a URL is forwarded, the recipient who clicks the link is recorded in a log file. Without device enrollment, the log entry shows the details of the user who forwarded the message, not the recipient.

Benefit: Releases attachments in internally forwarded messages to the recipient.
Comments: If the "Release Forwarded Internal Attachment" option is enabled in an Attachment Protection Definition, users can release an attachment from the sandbox when a message is forwarded to them. If the option isn't set, and device enrollment is not enabled, the attachment is released to the original forwarder instead.

Benefit: Releases attachments sent to a distribution list to the recipients.
Comments: If device enrollment is enabled, the attachment is released to everyone on the distribution list as soon as someone releases it. If device enrollment is not enabled, the attachment is released to the original forwarder instead.

Benefit: User awareness checks are not available externally.
Comments: User awareness is not available for non-Mimecast customers. If an external user clicks the link, and they aren't a Mimecast customer, they must enroll their device to access the link.

 

Enabling / Disabling Device Enrollment

To enable Targeted Threat Protection device enrollment:

  1. Log in to the Administration Console.
  2. Click on the Administration menu item.
  3. Click on the Account | Account Settings menu item.
  4. Expand the User Access and Permissions section.
  5. Select the Targeted Threat Protection Authentication option.
  6. Set the Authentication Duration (Days) option to a value between 1 and 365.
    This controls the expiration date of the device's cookie.
  7. Select the Save and Exit button.

When you deselect the Targeted Threat Protection Authentication option to disable device enrollment, a warning message is displayed informing you of the risks to your security. Similarly, if Targeted Threat Protection - URL Protect's user awareness feature is enabled and Targeted Threat Protection authentication is disabled, a warning message is displayed informing you of the risks of not using authentication.

We've provided an email template you can use to inform your users about how device enrollment affects them.

Using Device Enrollment with Office 365

[Image: o365error.png]

The device enrollment message from Mimecast to the end user may be rejected by Office 365 with the error shown. This error is caused by the message coming from the null address <>, because Office 365 rejects messages coming from null addresses.

To prevent this error:

  1. Log in to the Administration Console.
  2. Click on the Administration menu item.
  3. Select the Account | Account Settings menu item.
  4. Open the System Notification Options section.
  5. Specify a default email address in the Notification Postmaster Address option. This is used to send system notifications and delivery reports to users.

Troubleshooting Cookie Issues

If you experience issues with device enrollment, check the following:

  • For device enrollment to work, cookies must be enabled in the end user's device browser.
  • If a user accesses Targeted Threat Protection services on different devices, each device must be authenticated.
  • It is not currently possible to turn device enrollment on / off for a specific group of users or device types.
  • Private browsing must be turned off.
  • Ensure the end user's browser is supported. See the Mimecast Browser Support Matrix page for full details.
  • Ensure the user is logging in with their primary Mimecast address.

Revoking a User's Devices

You can revoke all of a user's devices, forcing them to enroll again. This is useful if a device is lost or stolen, or a user leaves the company.

To revoke a user's devices:

  1. Log in to the Administration Console.
  2. Click on the Administration menu item.
  3. Select the Directories | Internal Directories menu item. A list of domains is displayed.
  4. Select the required Domain. A list of users is displayed.
  5. Select the User whose device enrollment is to be revoked.
  6. Select the Revoke Authentication button in the Targeted Threat Protection Authentication section.
  7. Select the Save and Exit button.