Skip to main content

How to roll out XFA to a team

Use this guide to onboard a team to XFA in a planned way. Start with Discovery and policy, choose the rollout path, test the experience yourself, tell users what to expect, then invite the team through Awareness or fast-track onboarding through Enforcement.

Before you start

You need:

  • An XFA admin role.
  • A connected identity provider, or the admin access needed to connect one.
  • The user group or department you want to start with.
  • A default policy, or a draft policy for this rollout.
  • A support contact, such as an email address or internal chat channel.
  • A rollout date and, if you plan to block access, an enforcement date.

1. Discover the team devices

Go to Discovery and connect the identity provider that covers the team.

Use the guide for your provider:

After Discovery runs, open Devices and use Devices and People to understand who has devices, which devices are verified, and which users still need onboarding.

2. Create or review the team policy

Go to Policies and create or edit the policy for this team.

For a first rollout, start with checks users can understand quickly:

  • Operating system version.
  • Browser version.
  • Disk encryption.
  • Screen lock.
  • Antivirus.
  • Device reboot.

Set the first checks to warn if you want the team to learn what would fail before access is blocked. Set critical checks to block when the application should not be reached from a device that fails policy.

3. Choose the rollout path

There are two common rollout paths.

Use Awareness first when you want a calmer rollout. Users receive invitations and reminders before sign-in depends on XFA.

Use Enforcement fast-track when you want sign-in to drive onboarding. Users meet XFA when they access the protected application. This gets people onboarded quickly, but it can create more support demand.

If you choose the fast-track path, set up Enforcement for a small group first and test the flow yourself. For SAML applications, use Create a SAML application in XFA.

4. Test the experience yourself

Scope the rollout to yourself or a small admin test group before you invite the whole team.

Check:

  1. You can send yourself a test invitation.
  2. You can complete device verification.
  3. Your device appears in Devices.
  4. You can trigger the sign-in flow for the protected application.
  5. The policy result matches the checks you configured.

This is the fastest way to find a wrong policy, a wrong configuration, or a sign-in issue before users see it.

5. Prepare the team communication

Before invitations or sign-in checks go out, tell the team what will happen.

Start with the XFA onboarding package (PDF). It includes admin communication templates for preparing the rollout, rolling out Awareness, and introducing Enforcement, as well as an employee FAQ.

Adapt the relevant template for your organization and support channels. The message should cover:

  1. What XFA is: a device-security check before access to work applications.
  2. Why the team is being onboarded.
  3. What users may see: an XFA invite, the XFA app, and security guidance during sign-in.
  4. What XFA checks: security settings such as updates, encryption, screen lock, and antivirus.
  5. What XFA does not see: personal files, browsing history, messages, or location.
  6. The rollout date, the enforcement date if you have one, and where users can get help.

If you want users to see your own support note inside the XFA web flow, configure custom onboarding and sign-in messages. Keep the message short: what is happening, where users can get help, and which support link to use.

For most teams, send the first message before invitations go out, send a reminder before enforcement, and send a final note on the day stricter checks begin.

6. Configure Awareness for the team

Go to Awareness and configure the rollout in one pass:

  1. In Settings for invitations and security alerts, choose Desktop devices and Mobile devices for the device types in scope.
  2. Use Only unmanaged devices if this rollout should focus on devices outside your current coverage.
  3. Use Filter by groups if your identity provider syncs the team groups you want.
  4. In Onboard your team, turn on the invitation channel you want to use, such as Send auto-invites through email.
  5. In Onboarding reminders, set Send every to the reminder cadence your team can support.
  6. In Security awareness, choose how onboarded users should be notified when a verified device is at risk.
  7. Send yourself a test invitation, reminder, or notification before the wider rollout.
  8. Select Save changes when the setup is ready.

Check the targeted user and device counts before saving.

Awareness messages guide users to fix issues. XFA does not change their device settings for them.

7. Prepare support for the first week

Before the first reminders or Enforcement checks go out:

  1. Give support the rollout scope, dates, and policy checks.
  2. Share the user-facing install guide: Install XFA.
  3. Agree what support should do when a user cannot fix a check.
  4. Decide who can change a check from block to warn if needed.
  5. Keep the support contact visible in every announcement.

This keeps the rollout from turning into an access surprise. Users should know where to go before they are asked to fix a device.

8. Watch onboarding progress

Open Devices and use the People tab to track status.

Useful states include:

  • Discovered: the user was found by Discovery but has not received an invite yet.
  • Invited: an invite was sent, but onboarding has not started.
  • Onboarding: some devices are verified.
  • Onboarded: every device for that user is affiliated and verified.
  • Lost connection: at least one device needs the user to reopen and reconnect the XFA app.

Use this view before enabling stricter Enforcement.

9. Add Enforcement when the team is ready

When the team is onboarded enough for sign-in checks, go to Enforcement.

  1. Select New.
  2. Choose the identity provider or application integration you want to protect.
  3. Use the policy you prepared for the team.
  4. Start with warning behavior if you are still in rollout mode.
  5. Move to blocking behavior only when the team has had time to fix common issues.

If you chose the fast-track path earlier, use this step to expand Enforcement from the test group to the full rollout group.

Verify it worked

Check:

  • You received and completed a test invitation.
  • Your own sign-in shows the expected XFA flow.
  • Awareness shows the intended scope and channels.
  • Devices shows the expected people and device status.
  • Test users see the expected warning or block behavior at sign-in.
  • Support knows the rollout dates, policy checks, and contact path.

Notes and troubleshooting

  • If the targeted count looks wrong, check group sync and the device-type filters in Awareness.
  • If users do not receive an invite, check whether they are included in the Awareness scope.
  • If a user has a Lost connection device, ask them to open the XFA app and confirm it is still affiliated with your organization.
  • If the first policy creates too much friction, keep the same rollout group but switch strict checks to warn before using block.
  • If users are worried about privacy, explain that XFA checks security settings and guides them to fix issues. It does not read personal files, browsing history, messages, or location.