During enrollment, we don't have a notification of the enrollment process that is acknowledged by the user being enrolled. So far the methods we have assume that the information being registered (mobile device, fingerprint, face) belongs to the user. While we have the "Request user credentials" as part of the "Helpdesk options" policy, these could be compromised.
For implementations that have the Smartphone push, perhaps we could have a policy "Notify user enrollment" which would be activated once the user is enrolled for smartphone. What this would mean is that for further enrollments, the user would get a push message with Accept/Decline that he/she could acknowledge before the enrollment is completed. The history is kept in the NetIQ app and the user can have this if investigations have to be performed.
This would only be to "add enrollments" and not to "delete enrollments" because in the use case where users lost the mobile device, the helpdesk admin should be able to remove the old enrollments. This would be supported by the current "Request user credentials" policy.
by: Bruno U. | over a year ago | Configuration
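The approval gate described in the idea above, as an added example that is not part of the original post or of NetIQ Advanced Authentication: a small Python model of an enrollment service with a hypothetical "Notify user enrollment" policy. Once a user has a smartphone enrolled, every further "add enrollment" creates a pending request that simulates a push message; the enrollment is only completed on Accept, is dropped on Decline, and every step is written to a per-user history that can be reviewed later. Deleting an enrollment is deliberately not gated, so a helpdesk admin can still remove a lost device. All class and method names here are assumptions for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Decision(Enum):
    ACCEPT = "accept"
    DECLINE = "decline"


@dataclass
class PushRequest:
    # Simulated smartphone push with Accept/Decline buttons (hypothetical model).
    request_id: int
    user: str
    method: str
    decision: Optional[Decision] = None


@dataclass
class UserRecord:
    enrolled: List[str] = field(default_factory=list)
    # Audit trail kept on the user's record so it is available for investigations.
    history: List[str] = field(default_factory=list)


class EnrollmentService:
    SMARTPHONE = "smartphone"

    def __init__(self, notify_user_enrollment: bool = True):
        # The hypothetical "Notify user enrollment" policy switch.
        self.policy_notify = notify_user_enrollment
        self.users: Dict[str, UserRecord] = {}
        self.pending: Dict[int, PushRequest] = {}
        self._next_id = 1

    def _user(self, name: str) -> UserRecord:
        return self.users.setdefault(name, UserRecord())

    def add_enrollment(self, user: str, method: str, requested_by: str) -> Optional[int]:
        """Add a method. Returns a push request id when the user must acknowledge,
        or None when the enrollment was completed immediately."""
        rec = self._user(user)
        if method in rec.enrolled:
            raise ValueError(f"{method} already enrolled for {user}")
        # The gate only applies after the user has a smartphone to receive the push.
        gated = self.policy_notify and self.SMARTPHONE in rec.enrolled
        if not gated:
            rec.enrolled.append(method)
            rec.history.append(f"enrolled {method} (by {requested_by}, no push gate)")
            return None
        req = PushRequest(self._next_id, user, method)
        self._next_id += 1
        self.pending[req.request_id] = req
        rec.history.append(
            f"push sent for {method} (request {req.request_id}, by {requested_by})"
        )
        return req.request_id

    def respond(self, request_id: int, decision: Decision) -> bool:
        """The user answers the push. Returns True if the enrollment was completed."""
        req = self.pending.pop(request_id)  # KeyError if unknown or already answered
        req.decision = decision
        rec = self._user(req.user)
        if decision is Decision.ACCEPT:
            rec.enrolled.append(req.method)
            rec.history.append(f"accepted request {request_id}: enrolled {req.method}")
            return True
        rec.history.append(f"declined request {request_id}: {req.method} not enrolled")
        return False

    def remove_enrollment(self, user: str, method: str, helpdesk_admin: str) -> None:
        """Deletions are not gated: a user who lost the phone cannot approve a push,
        so this path stays under the existing helpdesk credential check."""
        rec = self._user(user)
        rec.enrolled.remove(method)
        rec.history.append(f"removed {method} (helpdesk: {helpdesk_admin})")


def demo() -> UserRecord:
    # Constructed walk-through of the flow for one user.
    svc = EnrollmentService(notify_user_enrollment=True)
    svc.add_enrollment("alice", "smartphone", requested_by="alice")      # no gate yet
    r1 = svc.add_enrollment("alice", "fingerprint", requested_by="kiosk")
    svc.respond(r1, Decision.DECLINE)                                     # not enrolled
    r2 = svc.add_enrollment("alice", "face", requested_by="alice")
    svc.respond(r2, Decision.ACCEPT)                                      # enrolled
    svc.remove_enrollment("alice", "smartphone", helpdesk_admin="bob")    # lost device
    return svc.users["alice"]


if __name__ == "__main__":
    for line in demo().history:
        print(line)
```

Note the edge case the model makes visible: after the helpdesk removes the lost smartphone, the user has nothing to receive a push on, so the next "add enrollment" is not gated and falls back to the existing "Request user credentials" policy, exactly as the post proposes.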