Duo's Endpoints analysis shows at a glance the security status of operating systems, browsers, and plugins used when connecting to your Duo protected applications and services.
In Duo, Endpoints are both the laptops, desktops, tablets, mobile phones, and other devices where your end users access Duo protected applications and services, as well as 2FA Devices, which are the enrolled phones and other mobile devices where users approve Duo authentication requests. You can now see information about the security status of your endpoints accessing your applications and approving application access from the top-level Endpoints tab in the Duo Admin Panel.
Duo gathers mobile device and computer operating system platform and versions, browser types and versions, and Java and Flash plugin versions if detected in the browser. Duo Beyond customers can also determine whether a device is managed or BYOD with the Trusted Endpoints feature.
Information for a given endpoint is purged after 30 days of inactivity.
You can filter the Endpoints list by operating system and version, browser type and version, installed plugins, Trusted Endpoint status, and Trusted Endpoint certificate expiration. For example, checking the boxes next to "Windows ", "8.1", "Firefox", and "Java" on the left side of the Devices page then displays all PCs running Windows 8.1 that accessed your application using Firefox with the Java plugin enabled. Checking the Out of date filter option for browsers or plugins shows you all browsers and plugins not at the latest generally available version.
The "Trusted Endpoint" column shows the device certificate status: "Yes" if the endpoint passed Duo's managed system check, or "No" if it did not. "Unknown" status in the Trusted Endpoint column usually indicates that the endpoint hasn't been used to access the application that has the Trusted Endpoints policy yet.
If Duo can determine the when the certificate was issued that information is shown along with the other information for that endpoint. When filtering the Endpoints table by certificate expiration, "soon" means that the certificate has reached its renewal window: three days before expiration for 1-week certificates or two weeks before expiration for one year certificates.
Clicking on an endpoint's operating system takes you to that endpoint's details page. You can view which users have authenticated to Duo using that endpoint, as well as the operating system, browser, plugin, and trusted endpoint information.
When the endpoint browsers and plugins are up to date, the various details are green. Information shown in red indicates a less secure status.
Click the out-of-date link to see the current version of the affected software.
Clicking on the username shown in the Endpoints table, or on the user tile on the endpoint's details page, takes you to the properties page for that user. Scroll down to the Phones and Endpoints tables to see platform, version, security warnings, trusted endpoint status, and other information about access and authentication endpoint devices associated with that user.
Use the Operating Systems, Browsers, Plugins, and Trusted Endpoints policy settings to restrict access and authentication from certain operating systems and versions, inform your users when their web browser or select plugins are out of date, and optionally block access to applications protected with Duo from unmanaged devices or devices with outdated software. Users authenticating via the Duo Prompt see a notification when the selected software is older than the current release version. If you choose to block access to users with outdated software or selected operating systems, users are unable to complete authentication to access your applications.
Self-remediation notifications and access controls are available for the following:
See the Policy & Control documentation for more information.
Role required: Owner, Administrator, User Manager, or Help Desk.
You can selectively block access to applications that have a Trusted Endpoints policy from endpoints managed with Duo Trusted Endpoints certificates. This is useful, for example, when a user loses their laptop and you want to make sure that it can't be used to log into applications unless it's recovered.
In order to block a blacklisted endpoint, the Duo application should be configured via policy to block access from untrusted endpoints with the "Require endpoints to be trusted" setting.
To blacklist an endpoint:
Log in to the Duo Admin Panel.
Click Endpoints on the left and locate the trusted endpoint you want to blacklist. Filter the list of devices by typing in the username associated with the endpoint to block in the filter box above the table.
You can also go to the Users page to locate the user account whose endpoint(s) need blacklisting. Click on the username to view their details page, and scroll down to the "Endpoints" section. Click on the endpoint to block.
When viewing the trusted endpoint's details, scroll down to the "Settings" section. If you don't see this option, scroll back up to the "Device Info" section to verify that the endpoint is in fact a Duo trusted endpoint ("Trusted Endpoint" shows yes with valid certificate information).
Change the endpoint's status to Blacklist and click Save Changes.
The endpoint's blacklisted status shows up at the top of the endpoint's details page.