Choose Zero Trust Access Enrollment Methods for Your Organization
There are two ways to enroll user devices for Zero Trust Access:
- Enrollment using certificates
  - Use this method to enroll user devices without requiring user action or awareness. See Use Certificate Enrollment Without User Action.
  - Users cannot accidentally or intentionally unenroll the zero trust client module on their device.
  - This option is currently available only for Windows and macOS devices.
  - Periodic enrollment renewal is automatic if requirements are still met.
  - For setup instructions, see Enroll Devices in Zero Trust Access Using Certificates.
- Enrollment using SSO authentication, such as SAML
  - This method requires users to sign in on their device and follow simple prompts using information that you provide to them outside of Secure Access.
  - This method is available on all client platforms: Windows, macOS, iOS, and Android.
  - This is the default enrollment method and is always enabled.
  - Users of managed or unmanaged devices can use this enrollment method.
  - For setup instructions, see Use SSO Authentication for Zero Trust Access Client Enrollment.
If you enable both methods, a device can use either method if the per-device and per-user requirements are met. Each device requires only one method to enroll.
If you deploy a certificate-based configuration file on a device, SAML-based enrollment is automatically disabled. If you remove the certificate-based configuration file from the device, SAML-based enrollment automatically becomes available for that device.
Both enrollment authentication mechanisms are used only for enrollment and enrollment renewal; they are not involved in per-session connectivity when end users access resources. Per-session authentication is managed by the Zero Trust Access feature.
Both methods require periodic enrollment renewal.
Procedure
To enable Zero Trust Access enrollment methods for your organization:
- Navigate to Connect > End User Connectivity.
- Click the Zero Trust Access tab.
- In the Enrollment Methods section, click Manage.
- If you will use SAML, see Enroll Devices in Zero Trust Access Using SSO Authentication.
- (Optional) Enable Use Certificates.
  You can upload CA certificates and download and distribute the configuration file now or later. For complete instructions, see Enroll Devices in Zero Trust Access Using Certificates.