After this final upgrade in June, I have noticed that user tokens’ validity has been extended from 90 to 720 days. Is this a wanted change or a bug?
I have previously communicated with Comodo about the token validity issue. My stand is that there is a need for this token validity period to be subject to customization, so admins would have the ability to limit a token’s validity based on their business need. This is important for MSPs if they want to control the process of enrollment of customers’ devices. If you leave the validity period at 720 days, a customer can continue to enroll his devices for 2 years without the MSP’s permission. And the bad part is that you cannot configure EM to generate an alert when a new device appears on the platform.
Secondly, both MSPs and Comodo have a problem with DoS attacks if those links become publicly available, purposefully or not. I am pretty sure that you have not implemented any restrictions on the number of newly enrolled devices per day, for example. Or, possibly, an option to limit token usage to a customized number of devices. For example, if I expect a customer to enroll 50 devices, it would be good to have an option to limit the number of devices enrolled with this token to 50.