New! Duo Device Health Application Available in Public Beta
We’re thrilled to announce the public beta of the Duo Device Health application, a new product capability that helps control which laptop and desktop devices can access corporate applications based on device security hygiene. It helps organizations adapt to a zero-trust security model providing IT security teams with the ability to:
Validate the health of a device at the time of authentication
Enable end users to proactively fix device security risks
Extend visibility and control for unmanaged / BYO devices
The Duo Device Health application provides additional control and endpoint visibility when users authenticate to Duo-protected applications. It enables a Duo Admin to create Duo policies which require a device meet specific requirements including disk encryption, host firewall, device password and OS patch.
What Problem Does It Solve?
When vulnerable endpoints access corporate resources, organizations are exposed to potential attacks, financial damage and compliance issues. To help reduce this risk, we focused on two key use-cases:
Ensure managed devices are compliant: Organizations issue and manage laptops and desktops for users. However, in certain cases, security features on these managed devices, such as encryption or firewall, can be turned off exposing that device to security risks. Duo Device Health Application can proactively help identify these security gaps and prevent access to applications until users fix the security gaps.
Provide visibility into unmanaged devices: Cloud applications such as Office 365 allow access on any device. With Duo Device Health application, Duo admins can get visibility into any BYOD (bring your own device) laptops and desktops accessing cloud applications, assess the security posture of these devices, and prevent risky/vulnerable devices from accessing applications.
What Inspired Us to Build It?
In a word: Customers.
Our customers have an important security problem for us to solve. Even though a user is authenticated with two factor authentication and allowed to access company applications and resources (through policy), the computer being used to do so may pose a security risk. One of the specific related challenges we heard early on from customers is that they needed a way to secure access to contractors, third-party vendors, remote workers and other types of users connecting from outside of the corporate network using laptops that the customers didn’t manage. As a result, they weren’t able to require end user enrollment in a traditional endpoint management system to push out required configuration profiles and make administrative changes.
We also discovered a larger challenge of device access: verifying device security hygiene and enabled security features during authentication. Some of the most common compliance standards (HIPAA, PCI DSS, NIST, etc.) require devices that access applications containing sensitive information (patient data, credit card numbers, etc.) to be encrypted or password-protected. Customers knew that we were in a unique position to solve this problem since Duo sits in the access path. Not only did our customers want more control, but they needed historical audit proof and wanted to be able to verify the state of device hygiene each time a user accesses a Duo-protected application.
As a result, we enabled our customers to make policy decisions that can be applied for specific applications and groups of users to limit access to their critical applications based on device hygiene.
In follow-up blog post closer to the release, we’ll describe how the new product relates to existing Duo Editions and go into more detail, including new capabilities that are currently in development.
How Does It Work?
The Duo Device Health application is based on three key components:
1.) New Duo device policies that enforce application access based on device health when a user authenticates to an application that is protected by the Duo Prompt.
2.) A native client application for macOS and Windows that checks the security posture of the device when a user authenticates to an application protected by the Duo access policy.
3.) Additional device health views in the Duo Admin UI.
When a user attempts to access an application, they are prompted to install the Duo Device Health application from the prompt if it is not already installed. After the user installs the application, it quickly checks the security settings defined by the access policy.
The application blocks access if the device doesn’t meet all the health checks. After a failed authentication due to device health, the application prompts the end user if they want the application to assist with remediating the issue(s) which caused the authentication to fail.
The next time the user accesses the application with the application running, it performs the health checks in the background as part of the authentication process. The views below are screenshots of the macOS client application homepage and Duo Admin Endpoint Details views that show device health items at the time of authentication.
What’s Next?
The beta program for Duo Device Health application is open to existing Duo Security customers and we plan to release the product in the upcoming months. To learn more and to join the beta program, please contact your account representative.