Duo's Trusted Endpoints feature lets you secure access to your organization's applications with device certificate verification policies.
Duo helps you distinguish between unmanaged endpoints and managed endpoints that access your browser-based applications. The Trusted Endpoints policy tracks whether clients accessing the applications have the Duo device certificate present, or can block access to various applications from systems without the Duo certificate.
At a high level, Duo's trusted endpoint verification works like this:
Most organizations perform a staged deployment of Duo's Trusted Endpoints policy. Beginning to end, your rollout should proceed like this:
Note that the Duo device certificate is not intended for use as a substitute for successful primary authentication to your protected service or application! This is poor security practice and should not be done under any circumstances.
Before you can use the Trusted Endpoints policy for reporting or controlling access to applications, you'll need to distribute the Duo certificate to your organization's managed devices. We've created guides for these deployment options:
You can use any or all of these deployment options in your environment. In fact, we recommend configuring more than one to ensure that you enroll as many trusted endpoints as possible.
Create a new policy with the Trusted Endpoints setting. At first, configure the policy to check for the Duo certificate.
Navigate to the details page on the application you'll use to pilot the Trusted Endpoints policy.
Click the Apply a policy to groups of users link to assign the new Trusted Endpoints policy to just the pilot group.
Click the Or, create a new Policy link instead of selecting a policy to apply from the drop-down list.
The policy editor launches with an empty policy.
Enter a descriptive Policy Name at the top of the left column, and then click the Trusted Endpoints policy item on the left. Change the selected option to Check for Duo certificate.
Click the Create Policy button to save the settings and return to the "Apply a Policy" prompt, with the new Trusted Endpoints policy selected. Start typing in the pilot group's name in the Groups field and select it from the suggested names.
Click the Apply Policy button. The application page shows the new group policy assignment.
For more information about creating and applying group policies, see the Policy documentation.
As users access the application that has the Trusted Endpoints policy, they see no difference in the Duo Prompt when authenticating but Duo notes whether the devices used have the Duo certificate or not. When you view these endpoints in the Admin Panel (from the Endpoints page, from the details page for that device, or from an individual user's details page), a new "Trusted Endpoint" attribute shows the device certificate status.
"Unknown" status in the Trusted Endpoint column usually indicates that the endpoint hasn't been used to access the application that has the Trusted Endpoints policy yet.
To include more of your users in the Trusted Endpoints pilot, return to the Duo Admin Panel and either add more users to the pilot Duo group or apply the test policy to additional groups from the test application's details page, You can also apply the Trusted Endpoints policy to additional applications.
Add even more users to your testing by switching from applying the Trusted Endpoints policy to specific groups on an application to applying the policy to all users of that application. Click the Apply a policy to all users link on an application's details page and select the Trusted Endpoints policy.
Eventually, you should add the Trusted Endpoints policy to your Duo Global Policy, so that all your browser-based application default to checking for the Duo device certificate.
When the majority of your devices have the Duo certificate and are reporting the certificate status back to Duo, you may wish to block access to your more sensitive applications from unmanaged devices. Accomplish this by applying a policy with the "Trusted Endpoints" policy option set to Block endpoints that do not have a Duo certificate.
Users accessing the applications with this policy who do have the Duo device certificate present on their devices continue to see no change in the Duo Prompt when authenticating. However, if the Duo certificate is not detected by the browser, then Duo prevents the user from authenticating.
Clicking the "See what is allowed" link in the notification provides the user with some additional clarification about why their device isn't able to access the application.
Don't enable this policy setting before deploying the Duo device certificate to your trusted access devices, or your users may inadvertently lose access to applications.