When a card is tapped on login phase and it is not already enrolled, based on OneSign appliance configuration, the thin client allow the user to enroll it.
Click on "Enroll this card now".
Insert username and password for valid domain credentials and click on "Next".
Click on "Done".
If the user doesn’t have any already enrolled OneSign PIN and the user policy require Secondary Authentication method then the thin client request the OneSig PIN enrollment.
Insert and confirm the OneSign PIN and click "OK".
The card is now enrolled and protected by the OneSign PIN.