Skip navigation
Documentation

Duo Device Health FAQ

Last Updated: August 18th, 2022

Frequently Asked Questions about Duo's Device Health feature and application.

What macOS versions does Duo Device Health support?

The Duo Device Health application supports macOS 10.13 and newer with both Intel and M1 chipsets. If using an M1 device the application runs natively and won’t require that the end user install Rosetta 2. It is not necessary to reinstall the Duo Device Health application after a macOS update.

Beta macOS versions are not supported.

What Windows versions does Duo Device Health support?

The Duo Device Health application supports only client versions of Windows 10 and 11, including Home, Pro, and Enterprise editions. The Duo Device Health application is not supported on other Windows client OS versions or any Windows Server versions due to its use of the Windows 10 Security Center to detect client information.

To simplify the policy selection for all of our customers, while also supporting the most Windows 10 and 11 machines, the Windows version policy in the Admin Panel supports a subset of the currently supported builds of Windows 10 and 11. As Microsoft support for Home and Pro editions of Windows terminates earlier than the Enterprise edition, the Duo OS policy will support the most recent three Windows 10 and 11 builds to capture all Windows devices.

Does Duo Device Health support virtual machines?

Virtual machines may experience their own set of problems, for example, difficulty with unique system identification. Because of these issues, the Duo Device Health application does not officially support Windows or macOS virtual machines.

Can I install the Device Health application via scripted or managed install?

If you'd like to deploy the Device Health application via a scripted install or an endpoint management tool, download the installers here:

macOS: https://dl.duosecurity.com/DuoDeviceHealth-latest.dmg

Windows: https://dl.duosecurity.com/DuoDeviceHealth-latest.msi

View checksums for Duo downloads here.

Then, use the following syntax to automate installation:

macOS: Extract the PKG installer from the downloaded DMG file first.

sudo installer -pkg /Volumes/DuoDeviceHealth/Install-DuoDeviceHealth.pkg -target /

Windows: Replace the example MSI file name with your actual MSI filename.

msiexec /i DuoDeviceHealth-1.0.0.msi

Does the Duo Device Health application require elevated or administrative privileges?

Duo Device Health installation requires administrator privileges on both Windows and macOS. During installation if the user doesn't have admin rights they'll get prompted to provide credentials of an account that is able to install software on the client.

Once installed, the application should run in the normal user context, and perform health checks and posture reporting to Duo during authentication without administrator rights.

Modifying some Device Health app preferences after installation, like disabling automatic silent updates, will require administrator privileges.

In older Device Health application versions, if the application was mistakenly set to run as an administrator on a Windows system, it wouldn't launch or report device status at Duo authentication. This is corrected in version 2.2.0. If you are experiencing this issue please update to the latest application version.

Which browsers support Duo Device Health during authentication?

We recommend Google Chrome for the most seamless user experience. Edge Chromium, Internet Explorer 11, Safari, and Opera are also known to work without issues.

Why might the "Download Now" button shown in the Duo prompt not work?

There are two known situations where users may not be able to use the Download Now button shown in the Duo prompt during authentication to download the Device Health app:

  • The user is attempting to download the installer from a non-browser client (e.g. Outlook).
  • The application hosting the Duo prompt has applied a sandbox attribute, which can prevent pop-ups or downloads triggered from the prompt.

As a workaround, suggest your thick-client users switch to a browser or that they try a different Duo-protected application without those limitations to install the Device Health app for the first time, or distribute the app directly to your users via emailed download links or scripted or managed deployment.

Why do users see repeated prompts to switch apps with Microsoft Edge and Device Health?

Microsoft Edge has a caveat where the user is not presented with an option to remember the choice of allowing the Duo Prompt to communicate with the Duo Device Health application. This can result in a frustrating experience if the user continually closes the Duo Device Health application, as the Duo Prompt will use our fallback method of system URI communication which opens up the dialog that asks if the user intended to switch apps.

Leaving the Duo Device Health application running, even in the background, will prevent most of these dialogs from appearing. There could be cases where embedded web views within other software have issues communicating with the application over HTTPS, which will cause this dialog to appear even while the application is running.

Why might users have a poor experience with Firefox 67+ and Device Health?

Firefox has implemented a feature as of version 67 that limits the rate at which you can attempt to open URLs from links, impacting communication between the Device Health application and Duo's service. If the end user is required to remediate, Duo must to open up to three custom URI links, each of which may be delayed for 10 seconds after the previous link is opened. Additionally. limitations in the way that Firefox examines certificate stores on the local system prevents the Device Health secure web server from functioning as expected. These factors result in poor end users experience when using Firefox.

End users can work around these issues by navigating to the Firefox about:config page, searching for enterprise_roots, double-clicking the security.enterprise_roots.enabled settings row to toggle the value to true.

Firefox version 69 and later make changes that need an exception set in order to trust the Device Health v0.9.x application's self-signed certificate. This is fixed in Device Health v1.0.x, so ensure that users have the latest version.

If you need to add an exception for an older Device Health app version, you can do this in one of two ways:

Add Exception from Browser Warning

  1. Make sure the Duo Device Health app is running. Look for the Duo status icon in the macOS menu bar at the top right of the desktop, or in the Windows system tray at the bottom left of the desktop.

    If the Duo Device Health application isn't running, start it.

  2. Open Firefox and go to https://127.0.0.1:53100/ in a new tab. The page will show a warning which will look like this:

    Firefox Security Warning
  3. Click the Advanced button and scroll down to the warning details about the certificate. Click the Accept the Risk and Continue button to permanently add an exception for the Duo Device Health certificate.

    Firefox Security Warning - Advanced
  4. Close the 127.0.0.1 Firefox tab and navigate to the Duo Prompt. Make sure the Duo Device Health app is running. You should not receive any security warning from Firefox.

Add Exception from Settings

  1. Make sure the Duo Device Health app is running. Look for the Duo status icon in the macOS menu bar at the top right of the desktop, or in the Windows system tray at the bottom left of the desktop.

    If the Duo Device Health application isn't running, start it.

  2. Open Firefox preferences and go to the Privacy & Security panel.

  3. Scroll down to the "Certificates" section. Click View Certificates, then click the Servers tab in the Firefox Certificate Manager, and then click the Add Exception button.

  4. Enter https://127.0.0.1:53100/ in the "Location" field, and then click Get Certificate.

  5. Verify that the Permanently store this exception option is checked, and then click the Confirm Security Exception button.

    Firefox Site Exception
  6. You should now see an entry for "Duo Security LLC" for the server "127.0.0.1:53100" with a permanent lifetime in the Certificate Manager server list. Click OK then exit the Preferences panel.

  7. Navigate to the Duo Prompt. Make sure the Duo Device Health app is running. You should not receive any security warning from Firefox.

How do I upgrade the Device Health app?

Duo Device Health app automatically checks for updates at app launch, during each Duo authentication, and at the interval specified in the Device Health app preferences. To manually check for updates, open the Device Health app's preferences and click the Check Now button.

If a newer version of Device Health app was detected during app launch or Duo aauthentication, the Device Health app icon in the menubar or systray changes to notify you of the available update. If the scheduled or manual check finds a newer version available, it will pop-up a prompt to install the update.

Device Health app version 3.0.0 supports automatic silent updates, meaning that the app will automatically update to a newer available release without prompting the user. Learn more about silent updates in the Device Health documentation.

To perform a manual upgrade, download and install the new version over the existing one.

How do I uninstall the Device Health app?

Uninstalling the application requires administrator privileges on both Windows and macOS. See the uninstall instructions in the Device Health documentation.

How do I enable and view diagnostic logs for the Duo Device Health application?

To enable diagnostic logging:

  1. Open the Duo Device Health application.

  2. Click on the menu icon and select Preferences.

  3. Check the box next to "Enable detailed diagnostic reports".

The logs can be found in the following locations:

macOS: ~/Library/Logs/Duo Device Health/*.log

Windows: %LOCALAPPDATA%\DuoDeviceHealth\Logs\*.log

How do I use the Duo Device Health App Support Tool?

If you open a case with Duo Support for an issue involving the Duo Device Health app you may need to submit some additional information to assist with troubleshooting. We've made collecting troubleshooting information easy with a script that gathers all the necessary files, scrubs them of sensitive information, and creates a zip package ready for you to send to Duo Support.

The script is included in Duo Device Health version 2.26.1 and later in the following locations:

macOS: /Applications/Duo\ Device\ Health.app/Contents/Resources/device_health_support.sh

Windows: C:\Program Files (x86)\Duo Device Health\DeviceHealth-Support.ps1

Support Tool on macOS

The Support Tool performs the following actions:

  1. Creates a zip file that will contain all of the collected information.

  2. Runs curl to determine if a connection to Duo is available.

  3. Captures the following information:

    • System proxy settings
    • install.log
    • system.log
    • Duo-related crash logs
    • Operating system and kernel version
  4. Copies /Users/user_name/Library/Logs/Duo Device Health to zip file.

  5. Copies certificates associated with the loopback adapter (127.0.0.1).

  6. Optional: Exports all User and Kernel logs to zip file.

  7. Saves the zip file to the signed in user’s Desktop in the format DHA_Support_year-month-day-time.zip.

Running the Support Tool

  1. Open a Terminal session on the system where Duo Device Health is installed.

  2. Enable debug.

  3. Reproduce the Duo issue you are experiencing.

  4. Run the following script to export the logs. In this example, all User and Kernel panic logs will be exported.

% ./device_health_support.sh -a

Additional Terminal command options

Setting Description
-a Exports all User and Kernel panic logs.
-h Displays a help message.

Support Tool on Windows

The Support Tool performs the following actions:

  1. Creates a zip file that will contain all of the collected information.

  2. Runs Invoke-Webrequest to determine if a connection to Duo is available.

  3. Captures the following information:

    • System proxy settings
    • Operating system version, build and bit
    • Bitlocker status
    • Timezone
    • Duo-related Application event logs
  4. Copies C:\Users\user_name\AppData\Local\DuoDeviceHealth\Logs to zip file.

  5. Exports Duo Registry keys from HKLM\SOFTWARE\Duo and HKCU\SOFTWARE\Duo Device Health to system_info.txt in zip file.

  6. Copies certificates associated with the loopback adapter (127.0.0.1).

  7. Optional: Export System Event logs to zip file.

  8. Saves the zip file to the signed-in user’s Desktop in the format DHA_Support_year-month-day-time.zip.

Running the Support Tool

  1. Open an administrative PowerShell command-line session on the system where Duo Device Health is installed.

  2. Enable debug.

  3. Reproduce the Duo issue you are experiencing.

  4. Run the following script to export the logs. In this example, system event logs from the last two days are exported.

PS C:\>.\DeviceHealth-Support.ps1 -eventlogs system -days 2

Additional PowerShell command options

Setting Description
-eventlogs Exports System logs. Options: system
-days Defines a selected number of days to export from Security event logs.
-user Specify the username for whom to gather logs. This is necessary if PowerShell is run with administrative privileges and the admin username is different than the affected user.
Get-Help Displays a help message. Note: This is a built-in PowerShell cmdlet and must be called before the script.
PS C:> Get-Help .\DeviceHealth-Support.ps1