Invite Code and Device Enrollment

How the CSE Invite Code is used, and what happens to already-enrolled devices when you rotate it

  • Updated on

Rotating (changing) your organization’s CSE Invite Code does not affect actively-used devices that are already enrolled. The Invite Code is used only to enroll a device (initially, or to re-enroll one whose certificate has fully expired). Ongoing access relies on each device’s device certificate and automatically renewed tokens — not the Invite Code — so after you rotate the code, active users stay connected with no prompts and no action required. The current code is needed only for new installations and for re-enrolling a device whose certificate has fully expired (see When the Invite Code is needed again).

What the Invite Code is for

The Invite Code associates a newly installed CSE app with your organization during initial device enrollment. You can find and regenerate it in the Command Center under Settings > CSE Client > Deployment tab > Invite Code.

It is entered once, when a device first registers:

  • Manual installs: the desktop app and mobile app prompt for the Invite Code, then authenticate the user through your Identity Provider.
  • Unattended / MDM deployments: the code is supplied as a parameter (for example, INVITE_CODE in the Windows MSI or mdm-config.json for zero-touch deployments) so new devices enroll automatically.

The Invite Code is not an ongoing credential. It plays no part in authenticating a device after enrollment.

What already-enrolled devices use instead

Once a device is enrolled, access is governed by:

  • a device certificate — valid for one year (see Device Certificates); and
  • short-lived session tokens plus long-lived tokens that renew automatically in the background on the desktop app v4.3.0+ and the mobile app v2.3.7+. Enrolled devices stay enrolled across renewal cycles without prompting the user (see Enable App Auto Update).

Renewal begins about three months before the certificate expires, so a device that comes online at least once during that window renews automatically, with no prompt and no Invite Code.

Because none of this depends on the Invite Code, changing the code has no effect on devices that stay active and renew on schedule.

When the Invite Code is needed again

A device needs the current Invite Code in two situations:

  • First-time enrollment — the app is freshly installed and pointed at your organization: a new install, a reinstall, a new or factory-reset device, or an MDM / zero-touch redeployment.
  • Re-enrollment after full expiry — if a device’s certificate has fully expired (see Exceptions), the device must enroll again, and re-enrollment requires the current Invite Code.

A device that stays active and renews on schedule (online at least once during the roughly three-month pre-expiry renewal window) never reaches this point and does not need the Invite Code again.

Exceptions

  • Device offline past expiration. Device certificates are valid for one year, and renewal is attempted starting about three months before expiry. A device that stays offline through that entire window lets its certificate fully expire and must then re-enroll with the current Invite Code. In the worst case (offline for the whole renewal window), as little as ~3 months offline can trigger full expiry.
  • De-registered or banned devices (revoked certificate). A device whose certificate has been revoked must enroll again, which requires the current Invite Code. See De-register and Ban Devices.
  • Older app versions. Before desktop app v4.3.0 and mobile app v2.3.7, tokens and certificates are not renewed silently, so these devices are more likely to reach expiry; once a certificate fully expires, re-enrollment requires the current Invite Code.

How to rotate the Invite Code safely

  1. Regenerate the Invite Code in the Command Center under Settings > CSE Client > Deployment tab > Invite Code.
  2. Existing, active devices: no action is required. Users are not prompted and remain connected.
  3. New installs going forward: update the code everywhere it is used to enroll new devices — MDM / zero-touch profiles and any deployment scripts (for example, the INVITE_CODE value in the MSI or mdm-config.json).
  4. Share the new code with anyone who performs manual, first-time installs.
  5. Keep the current code available for re-enrollment: a device that later fully expires (for example, offline through its renewal window) will re-enroll with whatever the Invite Code is at that time, so ensure your MDM profiles and installation documentation always reflect the latest code.

Platform behavior

Client Silent certificate/token renewal (no Invite Code, no prompt)
Desktop app — macOS, Windows, Linux v4.3.0 and later
Mobile app — iOS, Android v2.3.7 and later

On all platforms, the Invite Code is required for first-time enrollment and for re-enrollment after a certificate has fully expired. Client versions earlier than those above do not renew silently, so they are more likely to reach expiry and need re-enrollment with the current Invite Code.