ISM-1920 | Policy | ASD Information Security Manual (ISM)

Prevent Self-enrollment on Untrusted Devices

Users cannot set up, change or add multi-factor authentication methods from devices the organisation does not trust.


Plain language

This control ensures that people in your organisation can't register multi-factor authentication (for example, enrol a new authenticator app or phone) from devices the organisation doesn't trust. This matters because an untrusted device could be insecure or already compromised, so an attacker using one could register their own second factor and then reach sensitive data as if they were the legitimate user.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2024

Control Stack last updated

18 May 2026

E8 maturity levels

N/A

Official control statement

When multi-factor authentication is used to authenticate users to online services, online customer services, systems or data repositories - that process, store or communicate their organisation's sensitive data or sensitive customer data - users are prevented from self-enrolling into multi-factor authentication from untrustworthy devices.

Why it matters

MFA only protects an account if the enrolled second factor belongs to the legitimate user. If enrolment can be completed from any device, an attacker who has obtained a user's password, or who can drive a first-login or reset flow, can register their own authenticator and then satisfy MFA on every later login, so the control protects nothing. Restricting self-enrolment to trusted, managed devices ties registration of the factor to hardware the organisation already controls and monitors, which reduces the risk of account takeover and unauthorised access to sensitive services and data.


Operational notes

Allow MFA enrolment (including re-enrolment and the addition of new authenticators) only from trusted, managed devices (e.g. domain-joined or MDM-compliant), enforcing the check at the identity provider rather than by network location alone, and block enrolment from unknown endpoints; review the trusted-device rules, and the device inventory they depend on, regularly.


Implementation tips

  • The IT team should define what makes a device 'trusted': an inventory of approved devices (for example, company-issued laptops and mobile phones) that are enrolled in management, assigned to a named user and reporting a current compliance state.
  • Management should communicate the organisation's policy on trusted devices to all staff, with clear guidance (in staff meetings or internal communications) that multi-factor authentication may only be set up or changed from approved devices.
  • IT support should enforce the restriction at the identity provider rather than relying on network location alone: the enrolment (security-information registration) action should require a managed, compliant device, so that enrolment attempts from unknown endpoints are refused even if they can reach the portal.
  • HR should include device security training in new employee onboarding, explaining why only trusted devices may be used for company systems and MFA set-up, and how to recognise a non-approved device.
  • The IT team should regularly check that no untrusted devices have enrolled, by reporting on MFA enrolment events and cross-referencing the device identifiers against the trusted-device inventory; any discrepancy should be investigated and the affected authenticator removed.
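The enforcement decision in the operational notes and the periodic cross-check in the last implementation tip are the same policy applied at two points in time. The following is an added example (not ISM text and not any vendor's product code) that implements that policy once as a fail-closed decision function and reuses it to audit an enrolment log. The device inventory, the event field names (user, device_id, managed, compliant, posture_checked_at) and the log lines are all constructed for illustration; a real deployment would take them from the MDM and the identity provider's audit feed.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed trusted-device inventory; in practice this is exported from
# the MDM / directory. Device IDs and owners are invented for illustration.
TRUSTED_DEVICES = {
    "dev-laptop-0042": {"owner": "alice", "join_type": "hybrid_joined"},
    "dev-phone-0107": {"owner": "bob", "join_type": "mdm_enrolled"},
}

# How old a compliance assessment may be before we stop believing it.
MAX_POSTURE_AGE = timedelta(hours=24)

# Fixed "now" so the example and its checks are reproducible offline.
AUDIT_TIME = datetime(2026, 5, 18, 12, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate_enrolment(event: dict, now: datetime = AUDIT_TIME) -> Decision:
    """Decide whether an MFA self-enrolment attempt may proceed.

    `event` is one enrolment request or audit record with the (assumed)
    fields user, device_id, managed, compliant, posture_checked_at.
    Every check fails closed: missing data is treated as "untrusted".
    """
    device_id = event.get("device_id")
    if not device_id:
        return Decision(False, "no device identity presented")
    record = TRUSTED_DEVICES.get(device_id)
    if record is None:
        return Decision(False, f"{device_id} is not in the trusted inventory")
    if record["owner"] != event.get("user"):
        return Decision(False, f"{device_id} is not assigned to {event.get('user')}")
    if not (event.get("managed") and event.get("compliant")):
        return Decision(False, f"{device_id} is not managed and compliant")
    checked = event.get("posture_checked_at")
    if not checked:
        return Decision(False, "no compliance assessment timestamp")
    age = now - datetime.fromisoformat(checked)
    if age > MAX_POSTURE_AGE:
        return Decision(False, f"compliance posture is stale ({age} old)")
    return Decision(True, f"{device_id} is a trusted, compliant device")


# Constructed enrolment audit log in JSON-lines form. Not real telemetry.
SAMPLE_LOG = """
{"ts":"2026-05-18T08:00:00+00:00","user":"alice","action":"mfa_enrol","outcome":"success","device_id":"dev-laptop-0042","managed":true,"compliant":true,"posture_checked_at":"2026-05-18T07:30:00+00:00"}
{"ts":"2026-05-18T08:05:00+00:00","user":"bob","action":"mfa_enrol","outcome":"success","device_id":"byod-9f31","managed":false,"compliant":false,"posture_checked_at":"2026-05-18T08:05:00+00:00"}
{"ts":"2026-05-18T08:10:00+00:00","user":"carol","action":"mfa_enrol","outcome":"success","device_id":"dev-phone-0107","managed":true,"compliant":true,"posture_checked_at":"2026-05-18T08:00:00+00:00"}
{"ts":"2026-05-18T08:15:00+00:00","user":"dave","action":"mfa_enrol","outcome":"failure","device_id":null}
{"ts":"2026-05-18T08:20:00+00:00","user":"alice","action":"mfa_enrol","outcome":"success","device_id":"dev-laptop-0042","managed":true,"compliant":true,"posture_checked_at":"2026-05-15T07:30:00+00:00"}
{"ts":"2026-05-18T08:25:00+00:00","user":"bob","action":"password_reset","outcome":"success","device_id":"byod-9f31"}
""".strip()


def audit_enrolments(log_text: str, now: datetime = AUDIT_TIME) -> list:
    """Return successful MFA enrolments that the trusted-device policy rejects.

    This is the periodic check: anything returned is an enrolment that
    slipped past (or predates) the enforcement point and needs review,
    normally by removing the registered authenticator.
    """
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        # Only completed MFA enrolments matter; refused attempts and other
        # actions are out of scope for this check.
        if event.get("action") != "mfa_enrol" or event.get("outcome") != "success":
            continue
        decision = evaluate_enrolment(event, now)
        if not decision.allowed:
            findings.append({"ts": event["ts"], "user": event["user"],
                             "device_id": event.get("device_id"),
                             "reason": decision.reason})
    return findings


if __name__ == "__main__":
    for finding in audit_enrolments(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['user']:<6} {finding['device_id']}: {finding['reason']}")
```

Run against the constructed log, the audit flags three successful enrolments: a personal device that is not in the inventory, a managed device used by someone other than its assigned owner, and a trusted device whose compliance assessment is three days old. The stale-posture case is the one most inventories miss: a device that was compliant when it was onboarded is not evidence that it is compliant today, which is why the check demands a fresh assessment rather than inventory membership alone.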

Audit / evidence tips

  • Ask: The policy document on trusted devices and multi-factor authentication enrolment. Good evidence: A detailed, current document that covers all aspects of the policy.
  • Good evidence: Shows that no such entries exist, or that appropriate actions were taken if they did.
  • Ask: Records of employee training sessions related to device security. Good evidence: Regular training sessions with high attendance and clear materials on trusted device use.
  • Good evidence: Includes documented evidence of these configurations being in place.
  • Ask: The results of recent audits or reviews on device enrolment policies. Good evidence: Includes resolved issues and updates that keep the enrolment process secure.

Cross-framework mappings

How ISM-1920 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

  • Annex A 8.5 (Secure authentication): partially meets. ISM-1920 requires that users are prevented from self-enrolling MFA from untrustworthy devices when authenticating to online services, sys...

E8

  • E8-MF-ML1.6: partially overlaps. E8-MF-ML1.6 requires customers to use MFA when authenticating to online customer services handling sensitive customer data.
  • E8-MF-ML2.3: supports. E8-MF-ML2.3 requires organisations to use phishing-resistant MFA for users of online services to prevent credential interception and repl...
  • E8-MF-ML3.1: supports. E8-MF-ML3.1 requires MFA to authenticate users of data repositories.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
