Skip navigation
Documentation

Duo Device Health Application

Last Updated: May 25th, 2020

Duo helps you control access to your applications through the policy system by restricting access when devices do not meet particular security requirements.

Overview

The Duo Device Health application gives Duo Beyond and Duo Access customers more control over which laptop and desktop devices can access corporate applications based on the security posture of the device.

There are three key components:

  1. New Duo access policies that enforce application access based on device health.

  2. A native client application for Windows 10 or macOS 10.13 or later that checks the security posture of the device when a user authenticates to an application protected by Duo's browser-based prompt with an applied device health access policy.

  3. Additional endpoint information provided in the Duo Admin Panel.

The first time users log in to an application protected by the web-based Duo Prompt with the Device Health Application policy enabled, they are prompted to download and install the Duo Device Health application. Once the Device Health application is installed, Duo blocks access to applications through the Duo browser--based authentication prompt if the device is unhealthy based on the Duo policy definition and informs the user of the reason the authentication was denied.

When a user's device doesn't meet the security requirements of the device health policy, the Duo Device Health application provides the user with steps they can take to remediate their security posture as to align with the device health policy on the application.

Note: While the information that is collected by the Duo Device Health application is transmitted securely, this information is not uniquely identified. This means that a bad actor could intercept the Duo prompt and create their own response to the Duo prompt’s request for device health information and send that response up to Duo servers. Every authentication is uniquely identified, however, so a user cannot reasonably impersonate another user’s device information.

Video Overview

Understanding the Device Health Application Policy Options

The Device Health Application policy has three operating modes:

  • Don’t require users to have the app: When this option is selected the policy is not in effect and has no impact on end user access. As a result, end users are not prompted to install the Duo Device Health application when accessing a Duo-protected application. Data will not be collected from the Duo Device Health application, even when it is present on the machine.

  • Require users to have the app: When this option is selected, but none of the "Block access" options below it are selected, having the Device Health application installed and reporting information to Duo is required for access.

    End users running devices that can install the app (Windows 10 and macOS 10.13+) are prompted to download the app from the Duo prompt when attempting to access a Duo-protected application associated with the policy if they do not already have the app installed. Devices that are capable of running the app but do not have it installed and running will be blocked.

    The app will collect health information from the device, but Duo will not block the user from getting access if it does not pass the specific firewall, encryption, and password health checks. This means that the device will be able to access the application even if the device would not pass each health check.

    Devices that cannot run the app, including older versions of Windows, Linux, etc., will not be prompted to install the app and are effectively allowed to bypass the Device Health Application policy.

  • Require users to have the app, plus any of the "Block access" options: When this option is selected and one or more of the "Block access" options are selected, the Device Health application must be installed and reporting information to Duo, and the device must satisfy the specified health requirements for access.

    End users running devices that can install the app (Windows 10 and macOS 10.13+) are prompted to download the app from the Duo prompt when attempting to access a Duo-protected application associated with the policy if they do not already have the application installed. Devices that are capable of running the app but do not have it installed and running will be blocked.

    The app collects health information from the device, and Duo will allow or block access to the protected application based on the device health options selected.

    Devices that cannot run the app, including older versions of Windows, Linux etc. will not be prompted to install the app and are effectively allowed to bypass the Device Health Application policy.

Device Health Application Settings

Note that the default “fail-open” Device Health Application policy allows you to enforce health checks for supported macOS and Windows 10 devices, while not blocking users who need to access an application using a non-supported device. You can optionally use Duo's Operating Systems policy to restrict other device types from accessing the application.

Agent Verification

Duo Beyond plan customers can use the Device Health application's antivirus/anti-malware agent check and policy options to verify that endpoints have one of these supported security solutions listed below in place before accessing an application:

  • Cisco AMP for Endpoints
  • CrowdStrike Falcon Sensor
  • Symantec Endpoint Protection
  • Windows Defender

Device Health Agent Verification Policy Options

Enabling the Device Health Application Policy

Create a new policy with the Device Health Application setting. We recommend targeting a test group of users and a pilot application to start, with the Duo Device Health policy configured to require installation of the Device Health application but not to block access based on security posture. This collects information about access devices to see how deployment of both the application and policy would affect a sample population of your overall user base.

After deployment, you can review the states of devices accessing Duo-protected applications in the Admin Panel and then make assessments to identify the policy that will protect all of your users.

  1. Log on to the Duo Admin Panel as an administrator with the Owner or Administrator admin role.

  2. Navigate to the details page of the application you'll use to pilot the Device Health Application policy. This must be an application that features the inline Duo Prompt.

  3. Click the Apply a policy to groups of users link to assign the new Device Health Application policy to just the pilot group.

    Apply Group Policy

  4. Click the Or, create a new Policy link instead of selecting a policy to apply from the drop-down list.

    Create New Application Policy

  5. The policy editor launches with an empty policy.

    Empty Custom Policy

  6. Enter a descriptive Policy Name at the top of the left column, and then click the Device Health Application policy item on the left. Change the selected option to Require users to have the app to require that the app is installed and running before permitting authentication.

    Creating the Device Health Application policy

    To prevent authentication based on an endpoint's security posture, select any or all of the "Block access" options in the policy editor.

    Duo Beyond customers see additional options in the policy editor. To prevent authentication using the agent verification check, select the Block access if an endpoint security agent is not running option and select the required agent(s) from the list. If you select multiple agents, a device will pass the policy if it has any one of the required selected agents installed.

    After you select which security agents are allowed, you can enter the remediation instructions that end users will see in the Device Health application client if they attempt to authenticate without the required security agent.

    Device Health Agent Verification Policy Options

  7. Click the Create Policy button to save the settings and return to the "Apply a Policy" prompt, with the new Device Health Application policy selected. Start typing in the pilot group's name in the Groups field and select it from the suggested names.

    Apply the New Device Health Application Group Policy

  8. Click the Apply Policy button. The application page shows the new group policy assignment.

    Applied Device Health Application Group Policy

For more information about creating and applying group policies, see the Policy documentation.

Policy Interactions

You can combine a Device Health Application policy in combination with most other existing Duo policies including Browsers, Plugins and Operating Systems policies.

For example, you can create a custom policy that only allows access if the device:

  • Has an encrypted drive (using FileVault for macOS or BitLocker for Windows 10)
  • Has the host firewall enabled (using Application Firewall for macOS or Windows Defender Firewall for Windows 10)
  • Is protected by a password
  • Is accessing the application using a Chrome browser

In that case, enforce the first three conditions with the Device Health Application policy's "Block access if system password is not set.", "Block access if disk encryption is off.", and "Block access if firewall is off." options. Enforce the fourth condition in the same custom policy by checking all browsers except Chrome in the Browser policy's "Always block" option.

Device Health Application and Browser Policy

Operating System Granular Policy

In order to enforce access based on operating system (OS) version, you can use the existing OS policy in combination with the Device Health Application policy. When OS policy is applied to an application in combination with Duo Device Health policy, the Duo Device Health application will be the preferred source of information about an endpoint. This means that we will trust Duo Device Health application more than the user agent that is provided by the web requests to Duo.

The Operating Systems policy settings for macOS remain the same as when the Duo Device Health Application policy is not enabled, and continue to look for a macOS version similar to “10.14.6”. The Duo Device Health application provides information that is more trustworthy than the user agent reported by a browser or embedded web view.

Windows 10, however, has some additional changes in the OS policy when the Duo Device Health application is present. A browser user agent provides only a very limited amount of information about the Windows 10 version. The Duo Device Health application is able to retrieve the Windows 10 build version and the security patch version. This allows you to make policy decisions on specific Windows 10 versions to keep users up to date.

You’ll notice these changes under the Operating Systems policy section under the “Allow Windows devices” header. Open the dropdown under the “Encourage users to update” or “Block versions” label and you’ll see new Windows 10 version options.

When you select these options, additional information appears on the right side of the policy screen containing the details of activating an Operating Systems policy with this setting.

Windows OS Policy Changes

If the Duo Device Health application is not enabled, then the policy engine will fallback to simply “Windows 10” when assessing the windows version of the device accessing a Duo protected application.

Help Desk Text

The Duo Device Health application displays the same help message text configured in the Help Desk global setting.

The application shows this information in the "Need Help?" area whenever the Action Required dialog is displayed to help the user remediate authentication issues.

Duo Prompt with Device Health - Access Blocked

Device Health Reporting

Information reported from the Duo Device Health application is shown in the Admin Panel along with existing Endpoint information. The Authentication Log report, Endpoints page list and endpoint details, and endpoint information shown for Users will be augmented with details from the Duo Device Health application.

Application Log

With the Device Health Application policy and app installed, authentication log events show checks related to the Duo Device Health application in the "Access Device" information. Operating system version information includes the build version for macOS and the build and revision versions for Windows 10.

Device Health Information in Authentication Log

Endpoints List and Details

The Endpoints list receives additional filters that allow you to search for devices that have a particular state or OS version and build as reported by the Duo Device Health application. The device warning information for a given device now includes Device Health reasons, if present.

Device Health Information on Endpoints List

An endpoint's details page shows information from the Duo Device Health application.

Device Health Endpoint Details

Device Health Client Application

The Duo Device Health application analyzes a device to assess the status of its security posture and reports the results of this scan to Duo. During authentication, Duo applies and enforces access policies using the device security posture information. When access is denied by Duo due to the state of security posture on the device, the Duo Device Health application receives the results of the policy check and presents guidance for the user to remediate the issue and successfully login the next time.

Standalone Health Check

The home page of the Duo Device Health application will perform a health check on the system and report information to the user about the state of the device. This information is Duo’s basis of a secure device and does not apply directly to the evaluation of policy or authentication to an application protected by Duo.

The health check will be performed anytime the application is opened from the menu bar (macOS) or the system tray (Windows).

macOS Example App Icon and Health Check

Device Health Check - macOS

Windows 10 Example App Icon in System Tray

Device Health Check - Windows

Windows 10 Example Health Check

Device Health Check - Windows

This health check provides your preferred Duo device security posture. By keeping all of these health checks green, Duo helps users keep a secure system and alleviates issues that may arise before an authentication is required. If this check reports an issue, such as the firewall turned off or OS out of date, users have the opportunity to perform remediation before attempting to authenticate.

macOS Example Health Check Alert with Remediation Guidance Device Health Check Failed - macOS

Device Health Check Remediation Guidance

Duo Prompt Authentication

When a user first lands at a Duo Prompt with Device Health enabled, a loading spinner appears while Duo performs the health check. If the Device Health application is already installed and running this spinner should only appear for a few seconds and the user will continue with authentication. In the event of a failed authentication, the user will be directed to remediate these issues.

When the Device Health application is not already installed and running users see a notice indicating that the Duo Prompt is attempting to launch the Device Health application.

Duo Prompt with Device Health App Notice

If the application was already installed and the browser has been told to remember it, the application launches and the health check will be performed without any need for interaction.

Otherwise, the user will be asked to download and install the application if it isn't currently installed. Duo Prompt with Device Health Install Prompt

Installing the Device Health Application from the Duo Prompt

To install the Device Health application:

  1. Click the Download Now button to download the installer.

  2. Windows users: Double-click the MSI file and follow the installer prompts.

    macOS users: Double-click the DMG file to extract the installer. Then double-click the extracted installer and follow the installer prompts.

Note that installation requires administrator privileges on both Windows and macOS. During installation if the user doesn't have admin rights they'll get prompted to provide credentials of an account that is able to install software on the client.

The user may be prompted to launch the application if it is already installed and just not running. For some browsers, this prompt may include a “Remember my choice” option (actual dialog format varies by browser and operating system). Having the application already running or checking the “Remember my choice”/”Always open these types of links” checkbox skips this prompt for future health checks.

If the Device Health application was uninstalled after selecting the “Remember my choice” checkbox, the operating system may still try to handle the request. On macOS this results in a “Search the App Store” dialog and on Windows this results in a “Look for an app in the Store” dialog.

On macOS click Cancel to close the dialog, and on Windows click OK to close it. After a short timeout the Duo Prompt in the browser loads the download prompt for the Device Health application.

When the Device Health application is running it analyzes the user’s system and report the state of the device to Duo. Policy will then be applied to the information received from the device, and if there is a problem with the health posture it will be reported back to the user. If the health posture is acceptable under the policy, no further interaction is required from the user and the Duo Device Health application.

Device Remediation

When an issue is reported by the Duo Device Health application, a red exclamation point will be shown next to the item that has an issue. This can happen as part of the standalone health check or as a report from an authentication failure due to device health.

If a user is attempting to access an application with a Device Health blocking policy, and their endpoint's security posture does not comply with the policy requirements, then the Duo Prompt notifies the user that they must take action before they can access the application.

Duo Prompt with Device Health - Access Blocked

The Duo Device Health application automatically opens with with information about why the authentication was denied.

Duo Prompt with Device Health - Access Blocked

Each non-compliant setting shown is a clickable item, that directs the user to instructions on how to fix the problem. Additionally, there is a link at the bottom that will take the user to a page in the application that briefly explains why keeping the device healthy is important.

Duo Prompt with Device Health - Remediation Instructions

Installing the Device Health Application

User Self-install During Authentication

The easiest way to distribute the Device Health application is to apply a Device Health policy to a web-based application that features Duo's inline authentication prompt, and then let users self-install the client when prompted during Duo authentication. Note that installation requires administrator privileges on both Windows and macOS.

Duo Prompt with Device Health Install Prompt

Send Download Links to Users

If you'd like to notify your users of the new Device Health application requirement and give them the chance to install the application ahead of time, you can send these client download links to your users:

macOS: https://dl.duosecurity.com/DuoDeviceHealth-latest.dmg

Windows 10: https://dl.duosecurity.com/DuoDeviceHealth-latest.msi

View checksums for Duo downloads here.

Note that installation requires administrator privileges on both Windows and macOS. During installation if the user doesn't have admin rights they'll get prompted to provide credentials of an account that is able to install software on the client.

Scripted or Managed Deployment

If you'd like to deploy the Device Health application via a scripted install or an endpoint management tool, download the installers using the links above, and use the following syntax to automate installation:

macOS: Extract the .pkg installer file from the downloaded .dmg file first.

sudo installer -pkg /Volumes/DuoDeviceHealth/Install-DuoDeviceHealth.pkg -target /

Windows 10: Replace the example MSI file name with your actual MSI filename.

msiexec /i /path/to/installer DuoDeviceHealth-2.4.0.msi

After the initial installation, the Duo Device Health application will check your device health at the time of authentication. You can verify installation by looking for the Duo Device Health application icon in the menu bar. When you click on the app icon, you will be able to view device health status.

Installation Stalled on macOS

The Duo Device Health Application installer should usually complete quickly, with the progress bar step taking a matter of seconds for most users. However, it's possible the installation process could stall for several minutes due to macOS prioritizing another process on the system. In that case, our installation will pause until the other process completes. Large, slow-installing applications, such as XCode, are most likely to trigger this behavior.

If the installation or upgrade process appears to have hung and is not completing, we recommend canceling it and resuming later when other processes have completed.

Starting the Device Health Application

The Duo Device Health application starts automatically after installation to enable users pass the health check as quickly and easily as possible. If it is not running when a user lands on the Duo Prompt, the prompt attempts to launch the application.

The Device Health application may also be started manually.

macOS Users:

  1. Open Spotlight with Command key ⌘ + Space bar.

  2. Type Duo Device Health and click the application search result.

Windows 10 Users:

  1. Open the Start Menu with Windows key ⊞ key or click the Windows logo on the far left of the taskbar.

  2. Type DuoDeviceHealth and click the application search result.

Suppressing Automatic Launch of the Device Health Application

In some circumstances you may wish to perform an installation (e.g. mass rollouts to managed devices) without automatically launching the application immediately after installation completes. You can prevent automatic launch of the Device Health application until you're ready to use it across your organization.

Windows:

When installing the Windows application from the command line include the LAUNCH parameter set to False:

msiexec /i /path/to/installer DuoDeviceHealth-2.4.0.msi LAUNCH=False

macOS:

The macOS installer is unable to utilize custom arguments or environment variables, so indicating you wish to suppress the autolaunch must be done via the filesystem.

Create a file in your /tmp folder called duo-no-launch before installing Duo Device Health. The existence of this file prevents automatic launch of the application by the installer. Then run the installer, and remove the duo-no-launch file when done.

If you do not remove the duo-no-launch file after installation, future installs and upgrades will skip auto-launching the application as well. This may be the desired behavior if you will always roll out upgrades to your users in a managed environment. However, if your users may upgrade the application themselves, we recommend removing the file to preserve the default behavior.

The following set of example commands creates the duo-no-launch file, runs the Device Health app installer that you extracted from the downloaded .dmg file, and removes the duo-no-launch file when done:

touch /tmp/duo-no-launch
sudo /usr/sbin/installer -pkg /path/to/installer/package/Install-DuoDeviceHealth.pkg
rm /tmp/duo-no-launch

Here are the same commands, but in a single line:

touch /tmp/duo-no-launch && sudo /usr/sbin/installer -pkg /path/to/installer/package/Install-DuoDeviceHealth.pkg -target / && rm /tmp/duo-no-launch

Uninstalling the Device Health Application

macOS Users (10.14.4 or later):

  1. Click on the Duo Device Health menu bar icon to open the Duo Device Health application.

  2. Click the menu icon (three stacked horizontal lines) in the upper right.

  3. Click Preferences.

  4. Click the Uninstall button under "Uninstall Duo Device Health Application".

macOS Users (10.14.3 or earlier):

  1. Press Command + space bar and type in Terminal to open a command line shell session.

  2. Enter the following command in the Terminal window:

    sudo /Applications/Duo\ Device\ Health.app/Contents/Library/LaunchServices/com.duosecurity.UninstallDuoDeviceHealth
  3. Enter your macOS password when prompted to allow the uninstaller to run with elevated privileges.

Windows 10 users:

  1. Go to StartSettings.

  2. Click Apps & Features.

  3. From the list, select the "Duo Device Health" application and click Uninstall.

Troubleshooting

Need some help? Take a look at the Device Health Frequently Asked Questions (FAQ) page or try searching our Device Health Knowledge Base articles or Community discussions. For further assistance, contact Support.