Contents
Certificate-based Trusted Endpoint verification will reach end-of-life on October 7, 2024. Review this document carefully as you plan your migration.
Overview
When Duo introduced Trusted Endpoints it relied on the presence of a certificate issued by Duo on endpoints accessing protected services. We have moved away from device certificates to alternative methods of identifying trusted devices that leverage Duo Mobile on Android and iOS devices, or Duo Desktop on Windows and macOS computers. This strategy provides the following benefits:
-
Reduced administrative tasks: Using Duo Desktop for Trusted Endpoints eliminates the work associated with managing certificate infrastructure and renewals.
-
Consistent and reliable experience: Get a more reliable Trusted Endpoints experience across a variety of web browsers and thick client applications by using Duo Desktop instead of certificates to report endpoint characteristics to Duo. Mobile device users will also receive a more uniform experience across iOS and Android when you migrate to an integration that uses Duo Mobile for trust in place of certificates.
-
Expanded browser support: Duo Desktop app supports authentications in all major browsers, including Firefox. Duo device certificate detection does not support Firefox.
-
Improvements for shared endpoints: With certificate-based management integrations, device certificates are associated with users rather than devices, preventing detection of the endpoint as a trusted device when shared by multiple people.
End-of-Life Information
As part of the shift away from certificates for identifying trusted endpoints, management integrations based on issuing Duo Device Trust certificates will reach end-of-life on October 7, 2024.
The following legacy integrations will become end-of-life after October 7, 2024:
-
Active Directory Domain Services (AD DS) - certificates on Windows
-
Cisco Meraki Systems Manager - certificates on iOS
-
Ivanti Endpoint Manager Mobile (formerly known as MobileIron Core) - certificates on iOS
-
Ivanti Neurons for MDM (formerly known as MobileIron Cloud) - certificates on iOS
-
Jamf Pro - certificates on macOS
-
LANDesk Management Suite (Ivanti) - certificates on Windows
-
Microsoft Intune - certificates on Windows and iOS
-
Sophos Mobile - certificates on iOS
-
Workspace ONE - certificates on iOS
-
Generic Certificate Deployment - certificates on macOS and Windows
-
Manual Certificate Enrollment - certificates on ChromeOS, iOS, Linux, macOS, and Windows
To prepare for this end-of-life milestone, we recommend planning to transition your existing integrations to use Duo Desktop for desktop or Duo Mobile for mobile device verification now. Some Trusted Endpoints integrations are ready to migrate to replacement solutions now while other integrations are in development. See the Device Trust Solution Availability section for details.
Device Trust Solution Availability
Continue with Your Current MDM
The following integrations, which previously supported certificates, can now be upgraded to use Duo Mobile or Duo Desktop for identifying trust. This is the easiest migration option as it only requires a configuration change in the Duo Admin Panel:
-
Active Directory Domain Services (AD DS) - replacing certificates with Duo Desktop on Windows
-
Cisco Meraki Systems Manager - replacing certificates on iOS with Duo Mobile
-
Ivanti Neurons for MDM (formerly known as MobileIron Cloud) - replacing certificates on iOS with Duo Mobile
-
Ivanti Endpoint Manager Mobile (formerly known as MobileIron Core) - replacing certificates on iOS with Duo Mobile
-
Jamf Pro - replacing certificates with Duo Desktop on macOS
-
Microsoft Intune - replacing certificates with Duo Desktop on Windows and Duo Mobile on iOS
-
Workspace ONE - replacing certificates on iOS with Duo Mobile; added support for Duo Desktop on macOS and Windows
Note that while Sophos Mobile does support replacing certificates on iOS with Duo Mobile, this MDM has reached end-of-life by the vendor and will subsequently reach end-of-support from Duo in a future release.
Switch to Alternative MDM
The following integrations require migrating to a different MDM solution that supports Duo Mobile or Duo Desktop:
-
Google Workspace (formerly known as G Suite) - offers integration with Duo Mobile on Android
-
Generic Duo Desktop Integrations - offers integration with Duo Desktop on Windows and macOS for organizations with an MDM that doesn't have a named integration or a custom integration with no MDM
Non-MDM Solutions
The following integrations use Duo Mobile or Duo Desktop for identifying trust and don't require an MDM:
-
Duo Mobile as Trusted - offers integration with Duo Mobile without an MDM based on the mobile access device successfully completing second-factor device registration
-
Generic Duo Desktop Integrations - offers integration with Duo Desktop on Windows and macOS for organizations with an MDM that doesn't have a named integration or a custom integration with no MDM.
-
Manual Enrollment with Duo Desktop - offers integration with Duo Desktop for small organizations without an MDM
Integrate Without Duo Mobile or Duo Desktop
The following integrations do not require Duo Desktop or Duo Mobile:
-
Chrome Device Trust Connector – offers integration on Windows, macOS, or ChromeOS when devices/browsers are managed by Chrome Enterprise
-
Google Verified Access - offers integration on ChromeOS devices when devices are managed by Chrome Enterprise
Additional Resources
Please refer to these additional resources to plan your migration from certificate-based management integrations: