Skip navigation
Documentation

Duo Device Health Application

Last Updated: September 7th, 2022

Duo helps you control access to your applications through the policy system by restricting access when devices do not meet particular security requirements.

Overview

The Duo Device Health application gives Duo Beyond and Duo Access customers more control over which laptop and desktop devices can access corporate applications based on the security posture of the device.

There are three key components:

  1. New Duo access policies that enforce application access based on device health.

  2. A native client application for supported Windows and macOS clients that checks the security posture of the device when a user authenticates to an application protected by Duo's browser-based prompt with an applied device health access policy.

  3. Additional endpoint information provided in the Duo Admin Panel.

The first time users log in to an application protected by the web-based Duo Prompt with the Device Health Application policy set to require the app, Duo prompts them to download and install the Duo Device Health application. After installing the Device Health application, Duo blocks access to applications through the Duo browser-based authentication prompt (when displayed in a browser or in a supported thick client's embedded browser) if the device is unhealthy based on the Duo policy definition and informs the user of the reason for denying the authentication.

When a user's device doesn't meet the security requirements of the device health policy, the Duo Device Health application provides the user with steps they can take to remediate their security posture to align with the device health policy on the application.

Note: While Duo Device Health application transmits collected information securely, this information is not uniquely identified. This means that a bad actor could intercept the Duo prompt and create their own response to the Duo prompt’s request for device health information and send that response up to Duo servers. Every authentication is uniquely identified, so a user cannot reasonably impersonate another user’s device information.

Video Overview

Requirements

Ensure you have the following:

  • A Duo Access or Duo Beyond plan in order to set Device Health policy options.
  • Access to the Duo Admin Panel as an administrator with the Owner, Administrator, or Application Manager administrative roles.
  • Windows 10 and later or macOS 10.13 and later endpoints with direct access or HTTP relay proxy connection to Duo Security's service on port 443. Proxy connections that perform HTTPS inspection or filtering from endpoints are not supported.
    • The Duo Device Health application does not support Windows Server (i.e. Windows Server 2022, Windows Server 2019, etc.) or earlier versions of Windows (like Windows 7 or Windows 8.1). Additionally, Duo Device Health does not support macOS beta versions or Windows or macOS virtual machines.

Understanding the Device Health Application Policy Options

The Device Health Application policy can apply to either macOS endpoints, Windows endpoints, or both, and has three operating modes:

  • Don’t require users to have the app: With this option selected, the policy is not in effect and has no impact on end user access. End users are not prompted to install the Duo Device Health application when accessing a Duo-protected application. Data will be collected from the Duo Device Health application if present and running on the machine.

    The Allow users to install the app during enrollment setting, enabled by default in a new policy, prompts your users to install Duo Device Health during their first-time Duo enrollment. If you don't want users seeing the option to install Duo Device Health during enrollment you can uncheck this option.

  • Require users to have the app: With this option selected, but none of the "Block access" options below it, having the Device Health application installed and reporting information to Duo is required for access.

    End users running devices that can install the app (Windows 10+ and macOS 10.13+) see a link to download the app from the Duo prompt when attempting to access a Duo-protected application associated with the policy if they do not already have the application installed. Devices that are capable of running the app but do not have it installed and running will be blocked.

    The app will collect health information from the device, but Duo will not block the user from getting access if it does not pass the specific firewall, encryption, and password health checks. This means that the device will be able to access the application even if the device would not pass each health check.

    Devices that cannot run the app, including older versions of Windows and macOS, Linux, etc., will not be prompted to install the app and are effectively allowed to bypass the Device Health Application policy.

  • Require users to have the app, plus any of the "Block access" options: With this option selected with one or more of the "Block access" options, the Device Health application must be installed, running, and reporting information to Duo, and the device must satisfy the specified health requirements for access.

    End users running devices that can install the app (Windows 10+ and macOS 10.13+) see a link to download the app from the Duo prompt when attempting to access a Duo-protected application associated with the policy if they do not already have the application installed. Devices that are capable of running the app but do not have it installed and running will be blocked.

    The app collects health information from the device, and Duo will allow or block access to the protected application based on the device health options selected.

    Devices that cannot run the app, including older versions of Windows and macOS, Linux etc. will not be prompted to install the app and are effectively allowed to bypass the Device Health Application policy.

Device Health Application Settings

When you configure any of the policy settings for an operating system, the collapsed policy view reflects the effective configuration:

  • Reporting when you don't require users to have the Device Health app, or when you require users to have the Device Health app installed, but don't block access based on health check status.
  • Enforcing when you require users have the Device Health app installed and block access when devices don't comply with your selected options.
Configured Enforcing Device Health Application Policy

Note that the default “fail-open” Device Health Application policy allows you to enforce health checks for supported macOS and Windows devices, while not blocking users who need to access an application using a non-supported device. You can optionally use Duo's Operating Systems policy to restrict other device types from accessing the application.

Agent Verification

Duo Beyond plan customers can use the Device Health application's antivirus/anti-malware agent check and policy options to verify that endpoints have one of these supported security solutions listed below in place before accessing an application:

  • BitDefender Endpoint Security
  • Cisco Secure Endpoint (previously known as Cisco AMP for Endpoints)
  • CrowdStrike Falcon Sensor
  • CylancePROTECT
  • McAfee Endpoint Security
  • SentinelOne
  • Sophos AV
  • Symantec Endpoint Protection
  • Trend Micro Apex One
  • VMWare Carbon Black Cloud
  • Windows Defender (only shown in the list for Windows)
Device Health Agent Verification Policy Options

Enabling the Device Health Application Policy

Duo automatically collects information from devices when the Device Health application is installed and running with no need for you to configure a policy to do so. Start your rollout by deploying the Device Health app to managed devices, or inviting your end users to install the app by emailing them installation links and instructions. Once the application is installed and running, Duo collects Device Health information every time a user encounters the Duo prompt. You can monitor your authentication logs in Duo to see how enforcing Device Health policy settings would affect your organization.

When you're ready to begin requiring the presence of the Device Health app during authentication, create a new policy targeting a test group of users and a pilot application to start, with the Duo Device Health policy configured to require installation of the Device Health application but not to block access based on security posture. This continues collecting information about access devices to see how deployment of both the application and policy affects a sample population of your overall user base, while requiring that the targeted users accessing Duo-protected applications install Device Health if they have not already done so.

After deployment, you can review the states of devices accessing Duo-protected applications in the Admin Panel and then make assessments to identify the policy that will protect all your users.

  1. Log on to the Duo Admin Panel as an administrator with the Owner or Administrator admin role.

  2. Navigate to the details page of the application you'll use to pilot the Device Health Application policy. This must be an application that features the inline Duo Prompt.

  3. Click the Apply a policy to groups of users link to assign the new Device Health Application policy to just the pilot group.

    Apply Group Policy
  4. Click the Or, create a new Policy link instead of selecting a policy to apply from the drop-down list.

    Create New Application Policy
  5. The policy editor launches with an empty policy.

    Empty Custom Policy
  6. Enter a descriptive Policy Name at the top of the left column, and then click the Device Health Application policy item on the left. Change the selected option for either macOS or Windows (or both) to Require users to have the app to require that the app is installed and running before permitting authentication for those configured operating systems.

    Creating the Device Health Application policy

    To prevent authentication based on an endpoint's security posture, select any or all of the "Block access" options for an operating system in the policy editor.

    Duo Beyond customers see additional options in the policy editor. To prevent authentication using the agent verification check, select the Block access if an endpoint security agent is not running option and select the required agent(s) from the list. If you select multiple agents, a device will pass the policy if it has any one of the required selected agents installed.

    After you select which security agents to allow, you can enter the remediation instructions that end users will see in the Device Health application client if they attempt to authenticate without the required security agent.

    Device Health Agent Verification Policy Options
  7. Click the Create Policy button to save the settings and return to the "Apply a Policy" prompt, with the new Device Health Application policy selected. Start typing in the pilot group's name in the Groups field and select it from the suggested names.

    Apply the New Device Health Application Group Policy
  8. Click the Apply Policy button. The application page shows the new group policy assignment.

    Applied Device Health Application Group Policy

For more information about creating and applying group policies, see the Policy documentation.

Policy Interactions

You can combine a Device Health Application policy in combination with most other existing Duo policies including Browsers, Plugins and Operating Systems policies.

For example, you can create a custom policy that only allows access if the device:

  • Has an encrypted drive (using FileVault for macOS or BitLocker for Windows 10+)
  • Has the host firewall enabled (using Application Firewall for macOS or Windows Defender Firewall for Windows 10+)
  • Is protected by a password
  • Is accessing the application using a Chrome browser

In that case, enforce the first three conditions with the Device Health Application policy's "Block access if system password is not set.", "Block access if disk encryption is off.", and "Block access if firewall is off." options. Enforce the fourth condition in the same custom policy by checking all browsers except Chrome in the Browser policy's "Always block" option.

Note: Duo does not use information gathered by the Device Health App to enforce browser policy.

Device Health Application and Browser Policy

Operating System Granular Policy

In order to enforce access based on operating system (OS) version, you can use the existing OS policy in combination with the Device Health application policy. The Duo Device Health application will be the preferred source of information about an endpoint when evaluating OS policy. This means that we will trust information provided by the installed Duo Device Health application more than the browser user agent provided by the web requests to Duo.

macOS 11 and Later

The Operating Systems policy settings for macOS remain the same as when the Duo Device Health Application policy is not enabled, and continue to look for a macOS version similar to “10.14.6”. The Duo Device Health application provides information that is more trustworthy than the user agent reported by a browser or embedded web view.

As of macOS 11, up-to-date versions of major browsers (Safari, Chrome, Firefox, and Edge) have frozen the OS version reported via the browser user agent string as 10.15.6, 10.15.7, or 10.16, impacting the ability to detect whether macOS is truly up to date when relying only on information reported to Duo by the browser.

The Duo Device Health app detects and reports the actual macOS version, enabling reliable OS version verification during Duo authentication. Duo recommends using the Device Health app on macOS 11 or newer clients to enable accurate checking and reporting, especially if you choose to apply a Duo operating systems policy with the "If less than the latest" option selected, or pick a static version of 11.0 or greater.

macOS OS Policy Changes

Windows 10 and Later

Windows OS has some additional changes in the Operating Systems policy when the Duo Device Health application is present. A browser user agent provides a limited amount of information about the Windows version. The Duo Device Health application is able to retrieve the Windows build version and the security patch version for a device. This allows you to make policy decisions on specific Windows versions to keep users up to date.

You’ll notice these changes under the Operating Systems policy section under the “Allow Windows devices” header. Open the dropdown under the “Encourage users to update” or “Block versions” label and you’ll see new Windows version options.

When you select these options, additional information appears on the right side of the policy screen containing the details of activating an Operating Systems policy with this setting.

Windows OS Policy Changes

If the Duo Device Health application is not enabled, then the policy engine will fallback to simply “Windows 10” when assessing the windows version of the device accessing a Duo protected application.

Major browsers will not accurately report the OS version in the browser user agent string on Windows 11, so the detection of and policy enforcement against Windows 11 will require the Duo Device Health app.

Help Desk Text

The Duo Device Health application displays the same help message text configured in the first listed Help Desk custom message in global Settings.

The application shows this information in the "Need Help?" area whenever the Action Required dialog is displayed to help the user remediate authentication issues.

Duo Prompt with Device Health - Access Blocked

Device Health Reporting

Information reported from the Duo Device Health application is shown in the Admin Panel along with existing Endpoint information. The Authentication Log report, Endpoints page list and endpoint details, and endpoint information shown for Users will be augmented with details from the Duo Device Health application.

Application Log

With the Device Health Application app installed, authentication log events show checks related to the Duo Device Health application in the "Access Device" information. Operating system version information includes the build version for macOS and the build and revision versions for Windows.

Device Health Information in Authentication Log

Endpoints List and Details

The Endpoints list receives additional filters that allow you to search for devices that have Duo Device Health installed, or a particular state or OS version and build as reported by the Device Health application. The device warning information for a given device now includes Device Health reasons, if present.

Device Health Information on Endpoints List

An endpoint's details page shows information about and from the Duo Device Health application.

Device Health Endpoint Details

Device Health Client Application

The Duo Device Health application analyzes a device to assess the status of its security posture and reports the results of this scan to Duo. During authentication, Duo applies and enforces access policies using the device security posture information. When access is denied by Duo due to the state of security posture on the device, the Duo Device Health application receives the results of the policy check and presents guidance for the user to remediate the issue and successfully login the next time.

Supported Operating Systems

Duo Device Health supports the following:

  • Windows 10 and 11 Enterprise, Pro, and Home client editions (and the "Education" variants of these editions)
  • macOS 10.13 and later, including macOS 12

The Duo Device Health application relies on the Windows Security Center present in client versions of the OS, so it does not support Windows Server (i.e. Windows Server 2022, Windows Server 2019, etc.) or earlier versions of Windows (like Windows 7 or Windows 8.1) as they lack this feature. Additionally, Duo Device Health does not support macOS beta versions.

Standalone Health Check

The home screen of the Duo Device Health application performs a health check on the system and reports information to the user about the state of the device. This information is Duo’s basis of a secure device and does not apply directly to the evaluation of policy or authentication to an application protected by Duo. While the status of a local security agent (collected if you've configured agent verification) isn't shown on the Duo Device Health app home screen, the app will raise an "Action Required" screen with the agent status if access gets blocked for that reason.

The health check will be performed anytime the application is opened from the menu bar (macOS) or the system tray (Windows).

macOS Example App Icon and Health Check

Device Health Check - macOS

Windows Example App Icon in System Tray

Device Health Check - Windows

Windows Example Health Check

Device Health Check - Windows

This health check provides your preferred Duo device security posture. By keeping all of these health checks green, Duo helps users keep a secure system and alleviates issues that may arise before an authentication is required. If this check reports an issue, such as the firewall turned off or OS out of date, users have the opportunity to perform remediation before attempting to authenticate.

macOS Example Health Check Alert with Remediation Guidance Device Health Check Failed - macOS

Device Health Check Remediation Guidance

Duo Prompt Authentication

When a user first lands at a Duo Prompt with Device Health enabled, a loading spinner appears while Duo performs the health check. If the Device Health application is already installed and running this spinner should only appear for a few seconds and the user will continue with authentication. In the event of a failed authentication, the user will be directed to remediate these issues.

When the Device Health application is not already installed and running users see a notice indicating that the Duo Prompt is attempting to launch the Device Health application.

Traditional Duo Prompt

Duo Prompt with Device Health App Notice

Duo Universal Prompt

Duo Prompt with Device Health App Notice

If the application was already installed and the browser has been told to remember it, the application launches and the health check will be performed without any need for interaction.

Otherwise, the user will be asked to download and install the application if it isn't currently installed.

Traditional Duo Prompt

Duo Prompt with Device Health Install Prompt

Duo Universal Prompt

Duo Prompt with Device Health Install Prompt

Duo Prompt, Device Health, and Thick Clients

When accessing Duo-protected applications with rich client applications that display the Duo prompt in an embedded browser (i.e. thick clients such as Cisco AnyConnect, Outlook, and others), the endpoint health checks function only when the Device Health Application is already running during a Duo authentication. Thick client embedded browsers cannot launch Duo Device Health from the Duo prompt, unlike standalone browsers, which can launch Duo Device Health app in the background during authentication.

If Duo Device Health isn't running it can be started manually; see Starting the Device Health Application.

Installing the Device Health Application from the Duo Prompt

To install the Device Health application:

  1. Click the Download Now button to download the installer.

    Note that if your users find that the download button isn't functional, they may be authenticating from a non-browser client application (like Outlook), or the page displaying the Duo prompt prevents the download. If this is the case, suggest the users try a different Duo-protected application without those limitations, or distribute the app directly to your users via emailed download links or managed deployment.

  2. Windows users: Double-click the MSI file and follow the installer prompts.

    macOS users: Double-click the DMG file to extract the installer. Then double-click the extracted installer and follow the installer prompts.

Note that installation requires administrator privileges on both Windows and macOS. During installation if the user doesn't have admin rights they'll get prompted to provide credentials of an account that is able to install software on the client.

The user may be prompted to launch the application if it is already installed and just not running. For some browsers, this prompt may include a “Remember my choice” option (actual dialog format varies by browser and operating system). Having the application already running or checking the “Remember my choice”/”Always open these types of links” checkbox skips this prompt for future health checks.

If the Device Health application was uninstalled after selecting the “Remember my choice” checkbox, the operating system may still try to handle the request. On macOS this results in a “Search the App Store” dialog and on Windows this results in a “Look for an app in the Store” dialog.

On macOS click Cancel to close the dialog, and on Windows click OK to close it. After a short timeout the Duo Prompt in the browser loads the download prompt for the Device Health application.

When the Device Health application is running it analyzes the user’s system and report the state of the device to Duo. Policy will then be applied to the information received from the device, and if there is a problem with the health posture it will be reported back to the user. If the health posture is acceptable under the policy, no further interaction is required from the user and the Duo Device Health application.

Device Remediation

When an issue is reported by the Duo Device Health application, a red exclamation point will be shown next to the item that has an issue. This can happen as part of the standalone health check or as a report from an authentication failure due to device health.

If a user is attempting to access an application with a Device Health blocking policy, and their endpoint's security posture does not comply with the policy requirements, then the Duo Prompt notifies the user that they must take action before they can access the application and the Duo Device Health application automatically opens with with information about why the authentication was denied.

Traditional Duo Prompt

Duo Prompt with Device Health - Access Blocked

Duo Universal Prompt

Duo Prompt with Device Health - Access Blocked

Each non-compliant setting shown is a clickable item, that directs the user to instructions on how to fix the problem. Additionally, there is a link at the bottom that will take the user to a page in the application that briefly explains why keeping the device healthy is important.

Duo Prompt with Device Health - Remediation Instructions

Installing the Device Health Application

The easiest way to distribute the Device Health application is to apply a Device Health policy to a web-based application that features Duo's inline authentication prompt, and then let users self-install the client when prompted during Duo authentication or enrollment.

Note that installation requires administrator privileges on both Windows and macOS.

User Self-install During Enrollment

When the effective Device Health application policy has "Allow users to install the app during enrollment" enabled, then new Duo users have the chance to download and install Duo Device Health as the first step of Duo self-enrollment. Users can choose to download and install Duo Device Health before enrolling their first second-factor authentication device. A user who wants to complete 2FA enrollment without installing Duo Device Health can skip the step to proceed.

Traditional Duo Prompt

Duo Prompt with Device Health Install Prompt

Duo Universal Prompt

Duo Prompt with Device Health Install Prompt

If the application accessed by the new Duo user has an effective Device Health application policy of "Require users to have the app", then the option to skip Duo Device Health installation during enrollment does not appear, and users must install the Device Health app to continue with 2FA device enrollment.

User Self-install During Authentication

When the effective Device Health application policy is set to "Require users to have the app" enabled, then new Duo users must download and install Duo Device Health to continue to Duo two-factor authentication and access the destination application.

Traditional Duo Prompt

Duo Prompt with Device Health Install Prompt

Duo Universal Prompt

Duo Prompt with Device Health Install Prompt

Send Download Links to Users

If you'd like to notify your users of the new Device Health application requirement and give them the chance to install the application ahead of time, you can send these client download links to your users:

macOS: https://dl.duosecurity.com/DuoDeviceHealth-latest.dmg

Windows: https://dl.duosecurity.com/DuoDeviceHealth-latest.msi

View checksums for Duo downloads here.

Note that installation requires administrator privileges on both Windows and macOS. During installation if the user doesn't have admin rights they'll get prompted to provide credentials of an account that is able to install software on the client.

Scripted or Managed Deployment

If you'd like to deploy the Device Health application via a scripted install or an endpoint management tool, download the installers using the links above, and use the following information to automate installation:

macOS 11 and Later

MDM silent deployments on macOS as of version 11 require installation of a trusted certificate in the user's keychain, with full access to the private key, before installing the application. The steps to a managed deployment of Duo Device Health to macOS 11+ clients are:

  1. Download the Duo_Device_Health_App_Identity_Generation_Script.sh script.

  2. Run the script, choosing to create a .mobileconfig profile or a PFX certificate.

    Choose to create a PFX certificate if you want more control over the deployment process and your MDM has an option to set the private key access level. Run the script without any options to create a .PFX file. Note the PFX password output by the script, as you'll need it when configuring your MDM to distribute the PFX certificate.

    sh Duo_Device_Health_App_Identity_Generation_Script.sh

    Otherwise, choose to create a .mobileconfig profile with the -m option.

    sh Duo_Device_Health_App_Identity_Generation_Script.sh -m

    This creates both a .mobileconfig and a .PFX file, but you can delete the .PFX as it's not needed for your .mobileconfig deployment.

  3. Distribute an empty file named DisableMacOS11CertManagement in the directory /Library/Application Support/Duo/Duo Device Health/ to your managed endpoints via MDM (so the full path to the file is /Library/Application Support/Duo/Duo Device Health/DisableMacOS11CertManagement).

  4. Distribute the certificate to your managed endpoints via MDM. If you opted to use a .PFX, ensure that the private key is set to allow access from all applications. The Device Health application will not function properly if the private key is not set to allow access from all applications. If distributing via a .mobileconfig profile, the private key access configuration will be set for you automatically.

  5. Distribute the Device Health application to your managed endpoints via MDM.

Refer to the Guide to Duo Device Health App certificate deployment for macOS 11+ users for more details about deploying the device health certificate.

To install the application (after adding the required certificate to your users' keychains):

  1. Extract the .pkg installer file from the downloaded .dmg file first. Ensure that you have downloaded version 2.17.0.0 or later when deploying to macOS 11 or 12.

  2. Use this syntax to install the app:

    sudo installer -pkg /Volumes/DuoDeviceHealth/Install-DuoDeviceHealth.pkg -target /

macOS 10 releases:

  1. Extract the .pkg installer file from the downloaded .dmg file first.

  2. Use this syntax to install the app:

    sudo installer -pkg /Volumes/DuoDeviceHealth/Install-DuoDeviceHealth.pkg -target /

Windows: Replace the example MSI file name with your actual MSI filename.

msiexec /i /path/to/installer DuoDeviceHealth-2.18.0.msi

After the initial installation, the Duo Device Health application will check your device health at the time of authentication. You can verify installation by looking for the Duo Device Health application icon in the menu bar. When you click on the app icon, you will be able to view device health status.

Installation Stalled on macOS

The Duo Device Health Application installer should complete quickly, with the progress bar step taking a matter of seconds for most users. However, it's possible the installation process could stall for several minutes due to macOS prioritizing another process on the system. In that case, our installation will pause until the other process completes. Large, slow-installing applications, such as XCode, are most likely to trigger this behavior.

If the installation or upgrade process appears to have hung and is not completing, we recommend canceling it and resuming later when other processes have completed.

Start the Device Health Application

The Duo Device Health application starts automatically after an interactive installation to enable users pass the health check as quickly and easily as possible. If it is not running when a user lands on the Duo Prompt in a browser, the prompt attempts to launch the application.

The Device Health application may also be started manually. This could be necessary when you've installed Device Health silently via endpoint management tools or scripted install, or when authenticating with a thick client application and Device Health app is not already running.

macOS Users:

  1. Open Spotlight with Command key ⌘ + Space bar.

  2. Type Duo Device Health and click the application search result.

Windows Users:

  1. Open the Start Menu with Windows key ⊞ key or click the Windows logo on the far left of the taskbar, or click the search icon in the task bar.

  2. Type DuoDeviceHealth and click the application search result.

Suppress Automatic Launch of the Device Health Application

In some circumstances you may wish to perform an installation (e.g. mass rollouts to managed devices) without automatically launching the application immediately after installation completes. You can prevent automatic launch of the Device Health application until you're ready to use it across your organization.

Windows:

When installing the Windows application from the command line include the LAUNCH parameter set to False:

msiexec /i /path/to/installer DuoDeviceHealth-2.17.0.msi LAUNCH=False

macOS:

The macOS installer is unable to utilize custom arguments or environment variables, so indicating you wish to suppress the autolaunch must be done via the filesystem.

Create the folder /Library/Application Support/Duo/Duo Device Health and then create a file in that folder called NoAutoLaunchAfterInstall before installing Duo Device Health. The existence of this file prevents automatic launch of the application by the installer. Then run the installer, and remove the NoAutoLaunchAfterInstall file when done.

If you do not remove the NoAutoLaunchAfterInstall file after installation, future installs and upgrades will skip auto-launching the application as well. This may be the desired behavior if you will always roll out upgrades to your users in a managed environment. However, if your users may upgrade the application themselves, we recommend removing the file to preserve the default behavior.

The following set of example commands creates the /Library/Application Support/Duo/Duo Device Health folder and the NoAutoLaunchAfterInstall file, runs the Device Health app installer that you extracted from the downloaded .dmg file, and removes the NoAutoLaunchAfterInstall file when done:

sudo mkdir -p "/Library/Application Support/Duo/Duo Device Health"
sudo touch "/Library/Application Support/Duo/Duo Device Health/NoAutoLaunchAfterInstall"
sudo /usr/sbin/installer -pkg /path/to/installer/package/Install-DuoDeviceHealth.pkg -target /
sudo rm "/Library/Application Support/Duo/Duo Device Health/NoAutoLaunchAfterInstall"

Here are the same commands, but in a single line:

sudo mkdir -p "/Library/Application Support/Duo/Duo Device Health" && sudo touch "/Library/Application Support/Duo/Duo Device Health/NoAutoLaunchAfterInstall" && sudo /usr/sbin/installer -pkg /path/to/installer/package/Install-DuoDeviceHealth.pkg -target / && sudo rm "/Library/Application Support/Duo/Duo Device Health/NoAutoLaunchAfterInstall"

Update the Device Health Application

Duo Device Health app automatically checks for updates at app launch, during each Duo authentication, and at the interval specified in the Device Health app preferences. To manually check for updates, open the Device Health app's preferences and click the Check Now button.

If a newer version of Device Health app was detected during app launch or Duo authentication, the Device Health app icon in the menubar or systray changes to notify you of the available update. If the scheduled or manual check finds a newer version available, it will pop-up a prompt to install the update.

Update at any time by downloading a newer version of the app and manually installing it on a workstation. Managed devices can have the new installer pushed to them via your endpoint management system.

Device Health App Silent Updates

Duo Device Health now offers the option of silent app updates as of version 3.0.0. This means that after the initial installation of Duo Device Health with administrator privileges, the app will silently self-update to future releases without user action or requiring the end-user to have elevated rights on their workstation.

An updater service runs in the background, checking for new versions of Duo Device Health every four hours. If a new version of Duo Device Health is available, the updater service downloads and installs it without interrupting the user to request approval.

If the new release contains significant changes, a pop-up notification appears after installation inviting the user to learn more by reading the release notes. The release notes are also linked from the Duo Device Health app's "Preferences" menu item.

If you manage your Device Health app client installations and do not want silent updates enabled when your user endpoints update from Duo Device Health v2.x to v3.0.0, then we recommend performing the steps to disable automatic updates in the next section before installing v3.0.0.

Disable Automatic Updates

Users with administrator privileges on their system can disable silent automatic updates by opening the Device Health app's preferences and toggling the Automatically download and install updates option. Disabling this option from the app stops the updater service from running. This setting may not be changed by users without administrator rights.

Administrators can also disable automatic updates across multiple systems by pushing a configuration option to workstations before installing Duo Device Health. Choosing to disable automatic updates means that you will need to manually push updates to your users' endpoints in the future.

In rare situations running an out-of-date version of Duo Device Health could cause users to get blocked if a new blocking policy is added that is not supported on a user's machine. We recommend that you push Device Health app updates frequently if you will not permit automatic silent updates.

macOS

Disable automatic updates on macOS systems by creating a plist entry with the following command prior to Duo Device Health app installation:

sudo /usr/libexec/PlistBuddy -c "add :DisabledByAdministrator bool true" /Library/Application\ Support/Duo/Duo\ Device\ Health/Config.plist

To enable automatic updates after using this method, follow this process:

  1. Use this command to delete the previously created "DisabledByAdministrator" plist entry:

    sudo /usr/libexec/PlistBuddy -c "delete :DisabledByAdministrator" /Library/Application\ Support/Duo/Duo\ Device\ Health/Config.plist
  2. Reinstall Duo Device Health over the existing installation, which defaults to enabling automatic updates.

Windows

Disable automatic updates on Windows systems by creating the string registry value HKLM\Software\Duo\Duo Device Health\AutoUpdater\DisabledByAdministrator set to 1 prior to Duo Device Health app installation. Example reg command to create this value:

reg add "HKEY_LOCAL_MACHINE\Software\Duo\Duo Device Health\AutoUpdater" /v DisabledByAdministrator /d 1 /f

To enable automatic updates after using this method, follow this process:

  1. Uninstall Duo Device Health from the Windows systems.

  2. Delete the previously created DisabledByAdministrator registry value. Example reg command to delete this value:

    reg delete "HKEY_LOCAL_MACHINE\Software\Duo\Duo Device Health\AutoUpdater" /v DisabledByAdministrator /f
  3. Reinstall Duo Device Health, which defaults to enabling automatic updates.

Uninstall the Device Health Application

macOS Users (10.14.4 or later):

  1. Click on the Duo Device Health menu bar icon to open the Duo Device Health application.

  2. Click the menu icon (three stacked horizontal lines) in the upper right.

  3. Click Preferences.

  4. Click the Uninstall button under "Uninstall Duo Device Health Application".

macOS Users (10.14.3 or earlier):

  1. Press Command + space bar and type in Terminal to open a command line shell session.

  2. Enter the following command in the Terminal window:

    sudo /Applications/Duo\ Device\ Health.app/Contents/Library/LaunchServices/com.duosecurity.UninstallDuoDeviceHealth
  3. Enter your macOS password when prompted to allow the uninstaller to run with elevated privileges.

Windows users:

  1. Go to StartSettings.

  2. Click Apps & Features.

  3. From the list, select the "Duo Device Health" application and click Uninstall.

Troubleshooting

Need some help? Take a look at the Device Health Frequently Asked Questions (FAQ) page or try searching our Device Health Knowledge Base articles or Community discussions. For further assistance, contact Support.

All Duo customers have access to Level Up, our online learning platform offering courses on a variety of Duo administration topics. To access Level Up content, sign in with the same email address you use to sign in to the Duo Admin Panel.

Level Up course: Improving End-User Security with Duo Device Health Application