Targeted Threat Protection: Device Enrollment

Document created by user.oxriBaJeN4 Employee on Oct 5, 2015Last modified by user.oxriBaJeN4 Employee on Apr 2, 2019
Version 21Show Document
  • View in full screen mode

This guide describes how device enrollment works with Mimecast's Targeted Threat Protection, and describes the benefits of enabling this authentication service for end user devices. 


Applies To...


  • Administrators responsible for managing device enrollment on end user devices.


How Device Enrollment Works


Device enrollment enhances security when accessing attachments and links in messages, by using an authentication service. If the authentication service is turned on, a cookie is stored on the user's device. 


When they access a Targeted Threat Protection service (e.g. a rewritten or attachment release link), a check is made to see if the cookie is on their device:

  • If yes, the user is allowed to access the service.
  • If no, the user must complete a two-step authentication process to enroll their device. Once their device is enrolled, a cookie is added to their browser, which is used for future interactions with our Targeted Threat Protection service. 


Once a cookie is stored on the end user's device, it's renewed with each additional Targeted Threat Protection service interaction. You can set an expiry period for the cookie. However because it's renewed with each Targeted Threat Protection service interaction, the user only enrolls once unless they don't access the service again before the cookie expires.


Benefits of Device Enrollment


Device enrollment offers the following security benefits:


The user who clicked a link in a forwarded message is recorded.

If a message containing a URL is forwarded, the recipient that clicks on the link is recorded in a log file. Without device enrollment, the log entry shows the details of the user that forwarded the message, not the recipient.

Releases attachments found in internally forwarded messages to the recipient.

If the "Release Forwarded Internal Attachment" option is enabled in an Attachment Protection Definition, users can release an attachment from the sandbox when a message is forwarded to them. If the option isn't set, and device enrollment is not enabled, the attachment is released to the original forwarder instead.

Releases attachments sent to a distribution list to the recipients.

If device enrollment is enabled, and a distribution list recipient requests an attachment, it's sent to that user only. If device enrollment is not enabled, and a distribution list recipient requests an attachment, it's sent to everyone on the distribution list.

User awareness checks are not available externally.

User awareness is not available for non-Mimecast customers. If an external user clicks on the link, and they aren't a Mimecast customer, they must enroll their device to access the link. 


See Also...