# Auto-Enrolling Devices
> **Early access.** This feature is in early access and not yet generally available. Early access gives select customers the opportunity to try new features, share feedback, and help shape the final release. Contact your account team if you're interested in participating in Maro's early access program.

## Device enrollment guide

This guide walks administrators through setting up silent authentication for your organization using the Maro browser extension. Silent auth allows managed devices to authenticate automatically without requiring users to sign in manually.

### What's supported today

| Capability | Chrome | Edge |
| --- | --- | --- |
| Auto-detect the user from the email signed in to the browser profile | ✅ (Google Workspace) | ✅ (microsoft.com) |
| Microsoft IdP / OAuth logins | Pending | Pending |
| Google IdP / OAuth logins | Pending | Pending |

## Overview

Silent authentication works as follows:

1. An admin generates a time-limited enrollment key scoped to your organization's email domain.
2. The enrollment key is deployed to managed devices via MDM (or manually, using the provided scripts).
3. The Maro browser extension reads the enrollment key and registers the device when a user signs in to an identity provider on the configured domain.
4. An admin reviews and approves enrolled devices (or enables auto-approval on the enrollment key).
5. Approved devices can silently authenticate with Maro without user interaction.

## Prerequisites

- Admin access to the Maro dashboard
- The Maro browser extension installed on target devices, or the ability to deploy it
- (For MDM deployment) Access to your organization's MDM platform (e.g., Jamf, Intune, Mosyle)

## Extension IDs

The Maro extension has different IDs on the Chrome Web Store and the Edge Add-ons store. Use the correct ID for your target browser throughout this guide.

| Browser | Extension ID | Store link |
| --- | --- | --- |
| Google Chrome | `elopbipdaffijbfafcgmkilmmegldlmp` | [Chrome Web Store](https://chromewebstore.google.com/detail/maro/elopbipdaffijbfafcgmkilmmegldlmp) |
| Microsoft Edge | `ccpahlhjnkgadkgicbmdenmgonjjcomc` | [Edge Add-ons](https://microsoftedge.microsoft.com/addons/detail/maro/ccpahlhjnkgadkgicbmdenmgonjjcomc) |

## Step 1: Generate an enrollment key

1. Navigate to **Employees** in the Maro dashboard sidebar.
2. Click the **Devices** tab.
3. Click **Setup Enrollment** to open the Enrollment Keys panel.
4. Click **Create Key**.
5. Fill in the enrollment key details:
   - **Email domain**: the domain to scope this key to (e.g., `company.com`). Only users with email addresses on this domain will be able to enroll automatically.
   - **Expires in (hours)**: how long the key is valid. The default is 36 hours; the maximum is 168 hours (7 days). After expiry, no new devices can enroll with this key.
   - **Auto-approve devices**: when enabled, devices that enroll with this key are approved automatically. When disabled, an admin must approve each device manually.
6. Click **Create Key**.
7. Copy the enrollment token (a JWT), or download the script for your environment. The token is shown only once; store it securely. You will need it when deploying to devices.

## Step 2: Deploy the enrollment token to devices

The enrollment token must be installed as a mandatory browser policy so the Maro extension can read it. Choose the method that matches your environment. The policy key is written as `enrollment_token` below; match the key name exactly as it appears in the script the dashboard generates for you.

### Option A: Manual installation (generated scripts)

Use these scripts for testing or small deployments. For production, use MDM (Option B).

After creating an enrollment key (Step 1), the dashboard generates ready-to-run scripts with the enrollment token already embedded. Select your target browser (Chrome / Edge) and OS (macOS / Windows), then download or copy the script. The script name reflects the browser and OS you selected.

**macOS**

The generated script writes a managed preferences plist to `/Library/Managed Preferences/`. Run it with `sudo`:

```bash
sudo bash install-enrollment-token-chrome-macos.sh
```

`sudo` is required because `chrome.storage.managed` only reads mandatory (system-level) policies, and `/Library/Managed Preferences/` is writable only by root.

**Windows**

Open PowerShell as Administrator, then run the generated script:

```powershell
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
.\install-enrollment-token-chrome-windows.ps1
```

This writes the token to the Windows registry under `HKLM\SOFTWARE\Policies\` for the selected browser, for example (Edge):

```
HKLM\SOFTWARE\Policies\Microsoft\Edge\3rdparty\extensions\<extension id>\policy
```

⚠️ **Important:** after running any script, fully restart the browser (Cmd+Q on macOS, or close all windows on Windows). The policy does not take effect until the browser restarts.

### Verifying the policy

After restarting the browser:

- **Chrome**: navigate to `chrome://policy` and look for the extension policy. The **Level** should show **Mandatory**. The policy only appears if the Maro extension is installed and its ID matches the one you installed the policy for. On macOS, if the policy still does not appear, restart the preferences daemon so the new plist is picked up: `sudo killall cfprefsd`.
- **Edge**: navigate to `edge://policy` and look for the extension policy. (Extension policies may not be listed on Edge devices.)

### Option B: MDM deployment (recommended for production)

Deploy the enrollment token through your MDM platform as a managed browser extension policy.

#### Jamf Pro (macOS)

1. Create a new configuration profile in Jamf Pro.
2. Add a **Custom Settings** payload.
3. Set the preference domain based on the target browser:

   | Browser | Preference domain |
   | --- | --- |
   | Chrome | `com.google.Chrome.extensions.elopbipdaffijbfafcgmkilmmegldlmp` |
   | Edge | `com.microsoft.Edge.extensions.ccpahlhjnkgadkgicbmdenmgonjjcomc` |

4. Configure the following payload:

   ```xml
   <dict>
     <key>enrollment_token</key>
     <string>YOUR_ENROLLMENT_TOKEN_HERE</string>
   </dict>
   ```

5. Scope the profile to your target devices/groups.
6. Deploy the configuration profile.

If your organization uses both Chrome and Edge, create a separate configuration profile for each browser using the corresponding extension ID.

#### Microsoft Intune (Windows)

1. Navigate to **Devices > Configuration profiles** in the Intune admin center.
2. Create a new profile (**Windows 10 and later**, **Settings catalog**).
3. Add the following registry-based setting for your target browser:

   | Browser | Registry path | Value name | Value type | Value |
   | --- | --- | --- | --- | --- |
   | Chrome | `SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\elopbipdaffijbfafcgmkilmmegldlmp\policy` | `enrollment_token` | `REG_SZ` | your enrollment token |
   | Edge | `SOFTWARE\Policies\Microsoft\Edge\3rdparty\extensions\ccpahlhjnkgadkgicbmdenmgonjjcomc\policy` | `enrollment_token` | `REG_SZ` | your enrollment token |

4. Assign the profile to your target device groups.

If your organization uses both browsers, create separate configuration items for each.

#### Other MDM platforms

The general approach is the same across MDM platforms. Use the correct extension ID for your target browser (see Extension IDs above).

**macOS (managed preferences plist)**

| Browser | Preference domain |
| --- | --- |
| Chrome | `com.google.Chrome.extensions.elopbipdaffijbfafcgmkilmmegldlmp` |
| Edge | `com.microsoft.Edge.extensions.ccpahlhjnkgadkgicbmdenmgonjjcomc` |

**Windows (registry)**

| Browser | Registry path |
| --- | --- |
| Chrome | `HKLM\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\elopbipdaffijbfafcgmkilmmegldlmp\policy` |
| Edge | `HKLM\SOFTWARE\Policies\Microsoft\Edge\3rdparty\extensions\ccpahlhjnkgadkgicbmdenmgonjjcomc\policy` |

In both cases, the value name is `enrollment_token` (string / `REG_SZ`).

## Step 3: Device enrollment

Once the enrollment token is deployed and the browser has been restarted, the Maro extension automatically attempts to enroll the device when one of the following triggers occurs:

- **Chrome profile identity**: if the user is signed in to Chrome with a matching email domain, enrollment is attempted immediately on extension startup.
- **IdP login capture**: when the user signs in to an identity provider (e.g., Okta, Azure AD) on the configured domain, the extension captures the login and attempts enrollment. (See "What's supported today" for the current status of IdP / OAuth login capture.)
- **Manual Maro login**: when the user signs in to the Maro extension directly.

No user action is required; enrollment happens silently in the background.

## Step 4: Managing enrolled devices

Navigate to **Employees > Devices** in the Maro dashboard. The Device Enrollments table shows all devices that have attempted enrollment.

### Device statuses

| Status | Description |
| --- | --- |
| Pending | Device has enrolled but is awaiting admin approval |
| Approved | Device is approved and can authenticate silently |
| Revoked | Device has been revoked and can no longer authenticate |

### Approving a device

1. Find the device in the enrollments table.
2. Click the checkmark button to approve.
3. Confirm the approval in the dialog.

Once approved, the device can authenticate silently with Maro.

### Revoking a device

1. Click the X button on an approved or pending device.
2. Confirm the revocation in the dialog.

Revoked devices must re-enroll to regain access.

### Auto-approval

If you enabled **Auto-approve devices** when creating the enrollment key, devices are approved automatically upon enrollment. Auto-approved devices display an info tooltip indicating the approval method:

- **Auto-approved**: the user authenticated manually with their Maro credentials.
- **Auto-approved via enrollment key**: approved automatically because the enrollment key permitted it.

## Step 5: Managing enrollment keys

Open the Enrollment Keys panel by clicking **Setup Enrollment** on the Devices tab.

### Key lifecycle

- Enrollment keys expire after the configured duration (default 36 hours).
- Expired keys cannot be used for new enrollments, but devices already enrolled are not affected.
- You can revoke an active key at any time by clicking the trash icon.

### Revoking an enrollment key

Revoking a key prevents any new device enrollments using that key. Devices that have already enrolled with the key are not affected; they retain their current approval status. To cut off a device that enrolled with a key you no longer trust, revoke the device itself (Step 4).

### Creating new keys

You can create multiple enrollment keys scoped to the same or different domains. This is useful for:

- Rolling deployments across different device groups
- Different auto-approval policies for different teams
- Time-boxed enrollment windows

## Troubleshooting

### The enrollment token isn't showing in `chrome://policy`

- Ensure the browser was fully restarted (not just the tab; quit and relaunch).
- Verify the policy **Level** shows **Mandatory**, not **Recommended**.
- On macOS, the plist must be in `/Library/Managed Preferences/`, not `/Library/Preferences/`.
- On Windows, the registry key must be under `HKLM`, not `HKCU`.

### The extension shows "No enrollment token configured"

- Check `chrome://policy` to verify the token is installed.
- Ensure the `managed_schema.json` is present in the extension build.
- Try reloading the extension from `chrome://extensions`.

### Device enrollment isn't triggering

- The user must sign in to an identity provider on the domain configured in the enrollment key.
- Verify the enrollment key hasn't expired (check the Devices tab in the dashboard).
- Check the extension's service worker console for `[Device Enrollment]` log messages (`chrome://extensions` > Maro > **Inspect views: service worker**).

### "Email domain mismatch" in extension logs

The enrollment key is scoped to a specific domain, and the domain part of the user's email must match it. For example, if the key is scoped to `company.com`, the user must sign in as `user@company.com`.

## Security considerations

- Enrollment tokens are short-lived JWTs. Generate new ones as needed rather than reusing expired tokens.
- Once deployed, the token sits in a system-wide policy location on every target device (the managed preferences plist or the `HKLM` registry key). Treat it as a secret whose exposure is bounded by its domain scope and expiry, and keep both as tight as the rollout allows.
- Use auto-approve only when you trust the enrollment channel (e.g., MDM-managed devices). With manual approval, an enrollment from a device you don't recognize stays Pending until an admin reviews it.
- Regularly review the Device Enrollments list and revoke devices that are no longer authorized.
- Revoke enrollment keys immediately if you suspect they have been compromised, then review the devices that enrolled with them: revoking the key does not revoke those devices.
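The Step 2 payloads, as an added example that is not Maro's own code or one of its generated scripts: a Node.js helper that renders the macOS managed-preferences plist and a Windows `.reg` file for a given browser from the extension IDs listed on this page, and refuses to render anything for an extension ID or token that does not have the expected shape. The policy key name `enrollment_token` and the compact three-segment JWT shape of the token are assumptions; take the exact key name from the dashboard-generated script. The sample token at the bottom is constructed for illustration and carries no valid signature.

```javascript
// Added example, not Maro's code. Renders the policy artifacts from Step 2.
// Assumptions (labelled): policy key is "enrollment_token"; the enrollment
// token is a compact JWT (header.payload.signature in base64url).

// Extension IDs as listed in the "Extension IDs" table of this guide.
const EXTENSION_IDS = {
  chrome: "elopbipdaffijbfafcgmkilmmegldlmp",
  edge: "ccpahlhjnkgadkgicbmdenmgonjjcomc",
};

// Preference-domain prefix (macOS) and vendor path (Windows) per browser,
// from the "Other MDM platforms" section.
const PLATFORM = {
  chrome: { macDomain: "com.google.Chrome", winVendor: "Google\\Chrome" },
  edge: { macDomain: "com.microsoft.Edge", winVendor: "Microsoft\\Edge" },
};

const POLICY_KEY = "enrollment_token"; // assumed key name, see lead-in

// Chrome-family extension IDs are exactly 32 characters from the a-p alphabet.
function isValidExtensionId(id) {
  return /^[a-p]{32}$/.test(id);
}

// Shape check only: three base64url segments. No signature verification here.
function looksLikeJwt(token) {
  return /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/.test(token);
}

// A JWT never contains these characters, but the plist is XML, so escape anyway.
function escapeXml(s) {
  const map = { "<": "&lt;", ">": "&gt;", "&": "&amp;", "'": "&apos;", '"': "&quot;" };
  return s.replace(/[<>&'"]/g, (c) => map[c]);
}

// Returns { path, content }: where the artifact goes on the device and its bytes.
function renderPolicy(browser, os, token) {
  const id = EXTENSION_IDS[browser];
  if (!id || !isValidExtensionId(id)) throw new Error(`unknown browser: ${browser}`);
  if (!looksLikeJwt(token)) throw new Error("token does not look like a JWT; copy it from the dashboard exactly");

  if (os === "macos") {
    // Managed preferences plist, named after the per-extension preference domain.
    const domain = `${PLATFORM[browser].macDomain}.extensions.${id}`;
    const content = [
      '<?xml version="1.0" encoding="UTF-8"?>',
      '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">',
      '<plist version="1.0">',
      "<dict>",
      `  <key>${POLICY_KEY}</key>`,
      `  <string>${escapeXml(token)}</string>`,
      "</dict>",
      "</plist>",
      "",
    ].join("\n");
    return { path: `/Library/Managed Preferences/${domain}.plist`, content };
  }

  if (os === "windows") {
    // HKLM (not HKCU) so the policy is mandatory, as the troubleshooting section requires.
    const subKey = `SOFTWARE\\Policies\\${PLATFORM[browser].winVendor}\\3rdparty\\extensions\\${id}\\policy`;
    const content = [
      "Windows Registry Editor Version 5.00",
      "",
      `[HKEY_LOCAL_MACHINE\\${subKey}]`,
      `"${POLICY_KEY}"="${token}"`, // REG_SZ
      "",
    ].join("\r\n");
    return { path: `HKLM\\${subKey}`, content };
  }

  throw new Error(`unknown os: ${os}`);
}

// Constructed sample token (unsigned; for demonstration only).
const SAMPLE_TOKEN = "eyJhbGciOiJIUzI1NiJ9.eyJkb21haW4iOiJjb21wYW55LmNvbSJ9.c2lnbmF0dXJl";

for (const [browser, os] of [["chrome", "macos"], ["edge", "windows"]]) {
  const { path, content } = renderPolicy(browser, os, SAMPLE_TOKEN);
  console.log(`# ${browser} / ${os} -> ${path}\n${content}`);
}
```

Feed the macOS output to your MDM as the custom-settings payload (or write it to the printed path with `sudo` for a manual test), and import the Windows output with `reg import` or translate it into your MDM's registry setting. The two sanity checks catch the common copy-paste failures: a mistyped extension ID, which produces a policy the extension never sees, and a truncated token, which produces "No enrollment token configured" after the browser restart.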
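The checks behind the Troubleshooting entries ("enrollment key hasn't expired", "Email domain mismatch") and the auto-approve outcome from Steps 3 to 5, as an added example that is not the extension's code: it decodes the enrollment token's payload and applies an exact domain comparison between the key's scope and the signing-in user's email. The claim names `domain`, `exp`, `iat` and `auto_approve` are assumptions; this page does not document the token's claims. The signature is deliberately not verified, so treat this as a diagnostic aid for an admin, not as an authorization decision. The tokens it builds are constructed samples with a fake signature segment.

```javascript
// Added example, not Maro's code. Diagnoses why an enrollment would fail.
// Assumed claim names: domain (key scope), exp / iat (seconds since epoch),
// auto_approve (boolean). Signature is NOT verified; only the Maro service can.

const MAX_KEY_LIFETIME_SECONDS = 168 * 3600; // 7-day maximum from Step 1

function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj), "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function b64urlDecode(s) {
  const pad = "=".repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/") + pad, "base64").toString("utf8");
}

// Constructed sample token: real header and payload, placeholder signature.
function makeSampleToken(payload) {
  return `${b64urlEncode({ alg: "HS256", typ: "JWT" })}.${b64urlEncode(payload)}.c2lnbmF0dXJl`;
}

// Payload only; throws on anything that is not header.payload.signature JSON.
function decodeJwtPayload(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT (expected header.payload.signature)");
  return JSON.parse(b64urlDecode(parts[1]));
}

function normalizeDomain(d) {
  return String(d).trim().toLowerCase().replace(/\.$/, "");
}

// Domain part of a single local@domain address, or null. Rejects strings with
// more than one "@" so "user@company.com@evil.example" cannot match company.com.
function emailDomain(email) {
  const parts = String(email).trim().toLowerCase().split("@");
  if (parts.length !== 2 || !parts[0] || !parts[1]) return null;
  return normalizeDomain(parts[1]);
}

// Exact, case-insensitive equality. Not a suffix match: "company.com.evil.example"
// and "evilcompany.com" must both be rejected for a key scoped to company.com.
function domainMatches(email, keyDomain) {
  const d = emailDomain(email);
  return d !== null && keyDomain !== undefined && d === normalizeDomain(keyDomain);
}

// Returns { ok, reason, autoApprove, warnings } in the vocabulary of this guide.
function checkEnrollment(token, userEmail, nowSeconds = Math.floor(Date.now() / 1000)) {
  const warnings = [];
  let claims;
  try {
    claims = decodeJwtPayload(token);
  } catch (e) {
    return { ok: false, reason: `malformed token: ${e.message}`, autoApprove: false, warnings };
  }
  if (typeof claims.exp !== "number") {
    return { ok: false, reason: "token has no exp claim", autoApprove: false, warnings };
  }
  if (typeof claims.iat === "number" && claims.exp - claims.iat > MAX_KEY_LIFETIME_SECONDS) {
    warnings.push("lifetime exceeds the 168-hour maximum the dashboard allows; is this really an enrollment key?");
  }
  if (claims.exp <= nowSeconds) {
    return { ok: false, reason: "enrollment key expired", autoApprove: false, warnings };
  }
  if (!domainMatches(userEmail, claims.domain)) {
    return { ok: false, reason: "email domain mismatch", autoApprove: false, warnings };
  }
  return { ok: true, reason: "eligible", autoApprove: claims.auto_approve === true, warnings };
}

// Demo on constructed data: one key scoped to company.com, several sign-ins.
const now = Math.floor(Date.now() / 1000);
const key = makeSampleToken({ domain: "company.com", exp: now + 3600, iat: now, auto_approve: true });
for (const email of ["alice@company.com", "bob@mail.company.com", "eve@company.com.evil.example"]) {
  console.log(email, "->", checkEnrollment(key, email, now).reason);
}
```

Exact equality is the point: a suffix or substring comparison would accept `user@company.com.evil.example` or `user@evilcompany.com`, and the `@`-count check closes the `user@company.com@evil.example` variant. Subdomains (`mail.company.com`) are reported as a mismatch here because the guide scopes a key to one domain; create a second key for a subdomain if you need it. For internationalized domains, compare the punycode (ASCII) forms on both sides before calling `domainMatches`.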