Flow of Information

When a user logs on to Windows using a domain account, the Enrollment Enforcement Client will get in contact with the user’s enrollment status by sending a web-service request to the MyPass Client, which then ultimately forwards this to the MyPass Server.

The MyPass Server uses the following logic to determine the enrollment status:

1. Is the domain information contained in the request unknown? If yes, then action “UserRepositoryNotFound”
2. Is the user account for the request unknown? If yes, then action “UserNotFound”
3. Is the user account enrolled? If yes, then action “UserIsEnrolled”
4. Is the user account locked in Password Manager? If yes, then action “UserIsLocked”
5. Is the user allowed to enroll? If yes, then action “UserCannotEnroll”. 
6. Has the user been  invited to enroll? If so, then action “UserCanEnroll”.
7. If the user is invited to enroll, then action “UserMustEnroll”

The enrollment status isn’t the only information returned to the Enrollment Enforcement Client. The following data is delivered together with the enrollment status:

• OperationStatus – Contains information of whether the request executed successfully (or failed).
• OperationStatusDetail – Optionally contains error details.
• UserEnrollmentStatus – The enrollment status
• UserEnrollmentEnforcementMethod – Contains information about which method shall be executed by the Enrollment Enforcement Client as a result of the operation. Possible values: None, Window, Hide, Exit and Full Screen.
• UserEnrollmentStatusCheckInterval – Contains information regarding which interval to check the enrollment status.
• UserEnrollmentEnforcementGracePeriod – Contains information regarding the duration the user can postpone when the enrollment status is “UserMustEnroll”.Various customizations can be made on the server side to manipulate the flow mentioned above, but before looking into this; lets first take a look at the user interfaces for the Enrollment Enforcement Client.