Duo's Trusted Endpoints feature lets you define and manage trusted endpoints and grant secure access to your organization's applications with device certificate verification policies.
Duo helps you distinguish between unmanaged endpoints and managed endpoints that access your browser-based applications. The Trusted Endpoints policy tracks whether clients accessing the applications have the Duo device certificate present, or can block access to various applications from systems without the Duo certificate.
At a high level, Duo's certificate-based trusted endpoint verification works like this:
Duo's Trusted Endpoints feature is part of the Duo Beyond plan.
Most organizations perform a staged deployment of Duo's Trusted Endpoints policy. Beginning to end, your rollout should proceed like this:
Note that the Duo device certificate is not intended for use as a substitute for successful primary authentication to your protected service or application! This is poor security practice and should not be done under any circumstances.
Before you can use the Trusted Endpoints policy for reporting or controlling access to applications, you'll need to distribute the Duo certificate or configuration to your organization's managed devices. We've created guides for these deployment options:
You can use any or all of these deployment options in your environment. In fact, we recommend configuring more than one to ensure that you enroll as many trusted endpoints as possible.
Create a new policy with the Trusted Endpoints setting. At first, configure the policy to check for management status.
Navigate to the details page on the application you'll use to pilot the Trusted Endpoints policy.
Click the Apply a policy to groups of users link to assign the new Trusted Endpoints policy to just the pilot group.
Your organization may want to apply different Duo trusted endpoint policies to computer endpoints and mobile devices. For instance, you may want to track the status of application access by unmanaged workstations without blocking access, while at the same time preventing application access from unmanaged mobile endpoints.
Accomplish this by clicking the Enable Custom Options for Mobile Endpoints option within the Trusted Endpoints policy setting to expose the mobile-only selections. Once the mobile options for trusted endpoints have been enabled, Duo uses the accessing browser's user agent string to distinguish between mobile and traditional endpoints and apply the configured policy setting based on the endpoint's platform.
Since the user agent is self-reported by the browser, it's possible to manipulate the user agent string contents from the client side to make it appear as a different browser or operating system to Duo, with the potential effect of bypassing a trusted endpoints policy intended to block access.
Duo generally recommends using the default trusted endpoints policy settings for all types of endpoints to protect against policy bypass due to user agent spoofing.
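To make the caveat above concrete, here is an added, hypothetical model of the policy decision (not Duo's code, and not taken from this documentation) that shows why a per-platform split makes the allow/block outcome depend on the browser's self-reported user agent, while the uniform default does not. The policy class, the regex-based platform classifier, and the user-agent strings are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed, hypothetical model of a Trusted Endpoints-style decision.
# It is not Duo's implementation; it only mirrors the behaviour described above.

# Coarse platform classification from the user agent, as a policy that "uses the
# accessing browser's user agent string" would have to do. The UA is client-supplied.
MOBILE_UA = re.compile(r"Android|iPhone|iPad|Mobile", re.IGNORECASE)

@dataclass
class TrustedEndpointsPolicy:
    computer_mode: str                   # "report" (track only) or "block"
    mobile_mode: Optional[str] = None    # set only when custom mobile options are enabled

def classify_platform(user_agent: str) -> str:
    return "mobile" if MOBILE_UA.search(user_agent) else "computer"

def evaluate(policy: TrustedEndpointsPolicy, has_duo_cert: bool, user_agent: str) -> dict:
    """Return the Trusted Endpoint status and whether authentication may proceed."""
    platform = classify_platform(user_agent)
    mode = policy.computer_mode
    if platform == "mobile" and policy.mobile_mode is not None:
        mode = policy.mobile_mode                  # mobile-only override applies
    allowed = has_duo_cert or mode == "report"     # "block" only stops uncertified devices
    return {"platform": platform,
            "trusted_endpoint": "Yes" if has_duo_cert else "No",
            "mode": mode,
            "allowed": allowed}

def decision_depends_on_user_agent(policy: TrustedEndpointsPolicy, has_duo_cert: bool,
                                   ua_a: str, ua_b: str) -> bool:
    """True when the same device (same certificate state) gets different outcomes
    purely because it reported a different user agent: the risk the text describes."""
    return (evaluate(policy, has_duo_cert, ua_a)["allowed"]
            != evaluate(policy, has_duo_cert, ua_b)["allowed"])

# Constructed sample user agents (not real captures).
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/120.0"
MOBILE_UA_STR = "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) Mobile/15E148 Safari/604.1"

# Split policy: track unmanaged computers, block unmanaged mobile endpoints.
SPLIT_POLICY = TrustedEndpointsPolicy(computer_mode="report", mobile_mode="block")
# Recommended default: the same setting for every platform, so the UA is irrelevant.
UNIFORM_POLICY = TrustedEndpointsPolicy(computer_mode="block")

if __name__ == "__main__":
    for name, pol in (("split", SPLIT_POLICY), ("uniform", UNIFORM_POLICY)):
        print(name, "depends on UA:",
              decision_depends_on_user_agent(pol, False, DESKTOP_UA, MOBILE_UA_STR))
```

Running it reports that the split policy's outcome for an uncertified device flips with the user agent, whereas the uniform policy's outcome is fixed by the certificate check alone.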
As users access the application that has the Trusted Endpoints policy, they see no difference in the Duo Prompt when authenticating, but Duo records whether the devices used are managed or not. When you view these endpoints in the Admin Panel (on the Endpoints page, on the details page for that device, or on an individual user's details page), the "Trusted Endpoint" column shows the device certificate status: "Yes" if the endpoint passed Duo's managed system check, or "No" if it did not. An "Unknown" status in the Trusted Endpoint column usually indicates that the endpoint hasn't yet been used to access an application that has the Trusted Endpoints policy.
To include more of your users in the Trusted Endpoints pilot, return to the Duo Admin Panel and either add more users to the pilot Duo group or apply the test policy to additional groups from the test application's details page. You can also apply the Trusted Endpoints policy to additional applications.
Add even more users to your testing by switching from applying the Trusted Endpoints policy to specific groups on an application to applying the policy to all users of that application. Click the Apply a policy to all users link on an application's details page and select the Trusted Endpoints policy.
Eventually, you should add the Trusted Endpoints policy to your Duo Global Policy, so that all your browser-based applications default to checking for the Duo device certificate.
When the majority of your devices have the Duo certificate and are reporting the certificate status back to Duo, you may wish to block access to your more sensitive applications from unmanaged devices. Accomplish this by applying a policy with the "Trusted Endpoints" policy option set to Block endpoints that do not have a Duo certificate.
Users accessing the applications with this policy who do have the Duo device certificate present on their devices continue to see no change in the Duo Prompt when authenticating. However, if the browser does not detect the Duo certificate, then Duo prevents the user from authenticating.
Clicking the "See what is allowed" link in the notification provides the user with some additional clarification about why their device isn't able to access the application.
Don't enable this policy setting before deploying the Duo device certificate to your trusted access devices, or you may inadvertently block users' access to applications.