Managed or Unmanaged Device? Duo’s Device Trust Has You Covered
“How do I allow access only to devices that meet my organization’s trust and compliance standards?” This is the problem that many security practitioners are trying to solve. It is further complicated by the mix of managed and unmanaged devices that access corporate applications. The latter group is made up of personal devices used by employees and devices used by partners and contractors, which are typically not managed by the IT department.
In today’s world of hybrid and remote work, administrators must not only verify the user’s identity but also verify the posture of the device before granting access, to minimize the risk of unauthorized access. Typically, organizations deploy device management solutions to gain visibility and control of corporate-owned devices, and certain VPN clients or remote access agents perform posture checks to enforce device-based access policies. But organizations are moving their applications to the cloud, allowing BYOD and contractor devices for work, and reducing their reliance on VPN for remote access. To secure this modern remote access workflow, administrators need a mechanism to perform posture checks on devices and enforce access policies based on the device’s security posture.
Enter Duo’s Device Health application. The lightweight application collects device health information such as Operating System (OS) version, firewall status, disk encryption status, presence of Endpoint Detection and Response (EDR) agents, and password status. Administrators can set access policies based on device health. For example, users can be allowed to access their email only from devices that have the latest OS version and security patches installed and the host firewall enabled.
Duo’s Device Health application also collects unique device identifiers (UUIDs) to verify whether the device is enrolled in the enterprise management system. Administrators can enforce the Trusted Endpoints policy to distinguish between managed and unmanaged devices and block access to critical applications from unmanaged devices.
Easily Integrate Duo with Device Management Solution of Your Choice
For organizations that have deployed device management solutions, Duo provides out-of-the-box integrations with Unified Endpoint Management (UEM) solutions such as Active Directory domain-joined devices, Microsoft Intune, Jamf Pro and VMware Workspace ONE.
For organizations that have deployed a solution that is not listed above, Duo provides a Device API that allows administrators to upload a list of unique device identifiers from their enterprise device management systems to Duo. At the time of authentication, the Trusted Endpoints policy verifies that the device identifiers collected by the Device Health application are present among the identifiers stored in Duo and allows access only from trusted Windows and macOS devices. This API is available to all paying Duo Beyond customers.
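The policy decision described above (posture checks plus an identifier match against an inventory uploaded from a device management system) can be illustrated with a small evaluator. This is an added example, not Duo’s code and not the Device API itself: the inventory rows, the device report shape, the field names (`platform`, `os_version`, `firewall`, `disk_encryption`, `edr`, `identifiers`) and the `Policy` class are all assumptions made for the illustration. It goes slightly beyond the text by showing two practical details: identifiers from different sources are normalized before comparison, and the evaluation fails closed when a field is missing or unreadable.

```python
"""Device-trust policy evaluation (illustrative; not Duo's implementation)."""
import re
from dataclasses import dataclass, field


def normalize_id(raw: str) -> str:
    # UEM exports and endpoint agents often format the same UUID differently
    # ({...} braces, hyphens, case). Normalize so a real match is not missed.
    return re.sub(r"[{}\-\s]", "", raw).upper()


def build_trusted_set(inventory_rows):
    """Build the allowlist of identifiers from a (hypothetical) UEM export."""
    trusted = set()
    for row in inventory_rows:
        for key in ("uuid", "serial"):  # assumed column names
            value = row.get(key)
            if value:
                trusted.add(normalize_id(value))
    return trusted


def version_tuple(version: str):
    # Raises ValueError on malformed input; the caller treats that as a failure.
    return tuple(int(part) for part in version.split("."))


@dataclass
class Policy:
    min_os: dict = field(default_factory=dict)  # platform -> minimum version
    require_firewall: bool = True
    require_disk_encryption: bool = True
    require_edr: bool = True
    require_trusted_endpoint: bool = True


def evaluate(report: dict, trusted: set, policy: Policy):
    """Return (allowed, reasons). Any missing or unreadable field denies access."""
    reasons = []

    platform = report.get("platform")
    min_os = policy.min_os.get(platform)
    if min_os is None:
        reasons.append(f"unsupported platform: {platform!r}")
    else:
        try:
            if version_tuple(report.get("os_version", "")) < version_tuple(min_os):
                reasons.append(f"OS version below minimum {min_os}")
        except ValueError:
            reasons.append("OS version unreadable")

    checks = (
        ("firewall", policy.require_firewall, "host firewall"),
        ("disk_encryption", policy.require_disk_encryption, "disk encryption"),
        ("edr", policy.require_edr, "EDR agent"),
    )
    for key, required, label in checks:
        # `is not True` so that a missing key or a non-boolean value also fails
        if required and report.get(key) is not True:
            reasons.append(f"{label} not confirmed")

    if policy.require_trusted_endpoint:
        collected = {normalize_id(i) for i in report.get("identifiers", []) if i}
        if not collected & trusted:
            reasons.append("device not in management inventory (unmanaged)")

    return (not reasons, reasons)


# Constructed sample data for the illustration.
INVENTORY = [
    {"uuid": "{4C4C4544-0031-4A10-8052-B9C04F4C3233}", "serial": "ABC123"},
    {"uuid": "0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0", "serial": "XYZ789"},
]
TRUSTED = build_trusted_set(INVENTORY)
POLICY = Policy(min_os={"windows": "10.0.19045", "macos": "13.5"})

MANAGED_OK = {"platform": "macos", "os_version": "14.2", "firewall": True,
              "disk_encryption": True, "edr": True,
              "identifiers": ["0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0"]}
UNMANAGED = {"platform": "macos", "os_version": "14.2", "firewall": True,
             "disk_encryption": True, "edr": True,
             "identifiers": ["11111111-2222-3333-4444-555555555555"]}
STALE = {"platform": "windows", "os_version": "10.0.19041", "firewall": False,
         "disk_encryption": True, "edr": True,
         "identifiers": ["4c4c4544-0031-4a10-8052-b9c04f4c3233"]}

if __name__ == "__main__":
    for name, report in (("managed", MANAGED_OK), ("unmanaged", UNMANAGED), ("stale", STALE)):
        allowed, reasons = evaluate(report, TRUSTED, POLICY)
        print(name, "ALLOW" if allowed else "DENY", reasons)
```

The `STALE` device is in the inventory, so it passes the trusted-endpoint check but is still denied on posture; the `UNMANAGED` device has healthy posture but no identifier in the inventory. Keeping both reasons in the result, rather than stopping at the first failure, is what makes the denial actionable for the help desk.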
As part of our effort to simplify secure access to any application from any device, we are eliminating the requirement to deploy and manage device certificates to enforce the Trusted Endpoints policy. Using the Device Health application instead lowers administrative overhead while offering a simpler mechanism to enforce device trust. Check out this blog on how you can enable the Trusted Endpoints policy using the Device Health application in three simple steps.
Sign up for a 30-day trial and experience how Duo can simplify secure access for your workforce.
Check out this on-demand #CiscoChat panel discussion with real-world security practitioners on how they have implemented secure access best practices for hybrid work using Duo.