Duo recommends allowing users to enroll themselves whenever possible, either using inline self-enrollment or bulk self-enrollment. In either case, users add themselves to Duo by following online instructions to install Duo Mobile on their mobile devices and add their accounts. Self-enrollment only takes two minutes and each user will only need to do it once.

See the End User Enrollment Guide for a complete walkthrough of self-enrollment.

Inline Self-Enrollment

Role required: Owner, Administrator, or Application Manager.

Inline self-enrollment is available for most web-based applications: SSL VPNs, Outlook Web Access, WordPress, etc., as well as Duo Unix applications (Duo Unix users are given an enrollment link that they can copy and paste into a web browser).

To set up inline self-enrollment for an application:

1. Log into the Duo Admin Panel. Click Applications in the left sidebar, and then select the application whose enrollment policy you’d like to modify.
2. Select Require Enrollment. Unenrolled users will now be prompted to enroll the next time they attempt to log in with their existing username and password.

Bulk Self-Enrollment

Role required: Owner, Administrator, or User Manager.

If your application type doesn’t support inline self-enrollment (as is the case with OpenVPN, RDP and RDGateway, certain VPN clients, and some others), then you can use the bulk self-enrollment tool to send enrollment links to your users via email. If your organization uses email filtering, be sure to allow the sender no-reply@duosecurity.com.

1. Log into the Duo Admin Panel. Click Users in the left sidebar, then click the Bulk Enroll Users submenu or click the Bulk Enroll Users link near the top of the page.
2. Type or paste in a CSV (comma-separated value) set of usernames and email addresses. The “Bulk Enroll Users” tool won’t send a new enrollment email to an existing enrolled user.
3. You now have a chance to review and customize the self-enrollment email message sent to your users. Check the box to save this custom email and subject line for future use. You can choose whether your users to see the traditional prompt or Universal Prompt by changing your “Enrollment Email” settings. When satisfied with the email message and subject line, click the Send Enrollment Links button at the bottom of the page.The sent message will have a non-editable header added, informing the user it’s an automated message sent by Duo and to contact their organization’s Duo admins or IT support group with any questions.
4. Users receive custom links via email which will allow them to complete self-enrollment. The enrollment link expires after thirty days.Users appear listed in the “Users” section of the Duo Admin Panel as soon as you send the enrollment link.
5. The Pending Enrollments table shows which users created by bulk enrollment or directory sync have not yet completed enrolling their 2FA devices in Duo, along with the user’s email address and the expiration date for the current enrollment link.

If you need to send the user another copy of the enrollment link email, click the Resend button, or click Resend All to send the email again to all users with outstanding enrollment links. Resending the email does not change the current enrollment link’s expiration date. The email message gets sent to the current email address for the user, not the address that was used when the original enrollment was sent if it’s been changed since then.

Click Delete to remove a pending enrollment. Deleting a pending enrollment immediately invalidates any unexpired enrollment link previously sent to that user. The user associated with the pending enrollment remains in Duo, so you can send them a new enrollment link via email.

Manual Enrollment

Role required: Owner, Administrator, or User Manager.

Admins can add individual users and phones from the Duo Admin Panel. To add a new user manually:

1. Log into the Duo Admin Panel.
2. From the Dashboard page you can click the Add New… button in the top right and then click User. Otherwise, click Users in the left sidebar, then click the + Add User button or the Add User submenu item in the left sidebar.
3. Type in the username. A Duo username should match the user’s primary authentication username. Duo usernames are not case-sensitive and are normalized to lowercase.

   Note

   To ease the integration of your systems and Duo, different application types allow for varying degrees of username normalization. Username normalization preferences are set on the properties page for each application.

4. Once the user is created you can click the Send Enrollment Email link to send your new user a message that contains a link they can use to add a phone or other 2FA authentication device.
5. Optionally, you can add a phone to the user now. Scroll down on the new user’s details page to the “Phones” table and click Add Phone.
6. Chose “Phone” or “Tablet,” and type in the phone number (leave this field blank if adding a tablet). Click the Add Phone button.
7. Choose the appropriate phone “Type” and “Platform” from the drop-down menus and enter a “Device name” (this field can be left blank). If you know the device is a smartphone but aren’t sure exactly what the platform is, choose “Generic Smartphone” and the actual platform will be set when the user completes Duo Mobile activation. Click the Save Changes button.
8. Click the Activate Duo Mobile link in the “Device Info” section. This link is only available when you set the phone type to “Mobile” and selected something other than “Unknown” as the platform.Then on the next page click the Generate Duo Mobile Activation Code button. By default, activation codes will expire after 24 hours. You can change the activation code expiration by entering a different value.
9. If the device you’re activating is a phone (with a phone number), you’ll see two text messages that you can send. The first has a link that helps the user install Duo Mobile. The second message has a code that the user can use to immediately add the account to their Duo Mobile app. Click the Send Instructions by SMS button to send the text messages to the user’s phone. These instructions can also be copied and pasted into an email to the user, if that’s preferable.If the device is an iPad or Android tablet (and does not have a phone number), you’ll be able to email the activation link to the user. If the Duo user has an email address set then that address will be automatically present in the Email Address field. You can change this destination email address if you need to, or enter it if the Duo user has no email address saved. You may also choose whether to include your organization’s logo in the message, or modify the subject or content before clicking Send Instructions by Email.

Send Enrollment Emails to Existing Users

Role required: Owner, Administrator, User Manager, or Help Desk (when permitted in the “Help Desk” global setting).

When a user already exists in Duo with an email address present in the user’s details, but has yet to register any two-factor authentication devices, you can send an enrollment email to the user from the Admin Panel. If an enrollment email was already sent to the user by any method (manually by a Duo admin, automatically as part of directory sync, etc.) but the user did not receive it or deleted it without enrolling, you can resend the email.

1. Log into the Duo Admin Panel.
2. Search for the user using the search bar at the top of the page, or click Users in the left sidebar and locate the user to which you want to send or resend an enrollment email. Click through to the user’s details page.
3. Click the Send Enrollment Email or Resend Enrollment Email link at the top-right of the user’s details page. Note that if the user has no valid email address present in the “Email” field, you’ll receive an error. Update the email information for the user (clicking Save when done) and try sending the enrollment email again.