Skip navigation

Trusted Endpoints

Duo's Trusted Endpoints feature lets you secure access to your organization's applications with device certificate verification policies.


Duo helps you distinguish between unmanaged endpoints and managed endpoints that access your browser-based applications. The Trusted Endpoints policy tracks whether clients accessing the applications have the Duo device certificate present, or can block access to various applications from systems without the Duo certificate.

At a high level, Duo's trusted endpoint verification works like this:

Trusted Endpoints Overview

  1. Duo issues certificates for client authentication to your managed endpoints from our cloud-based public key infrastructure (PKI).
  2. A user logs into a browser-based, Duo-protected application that shows the inline Duo prompt.
  3. Successful primary login to the web application redirects the client to Duo.
  4. Duo's cloud service applies the Trusted Endpoints policy setting to the access attempt.
  5. The Duo prompt checks for the Duo device certificate in the user's personal store. If present. Duo reports the endpoint as trusted.
  6. If the Duo certificate isn't present we report that the endpoint does not have a certificate (and is therefore not a managed endpoint). Application access may be blocked from that device.

Duo's Trusted Endpoints feature is part of the Duo Beyond plan.

Best Practices for Implementing Trusted Endpoints

Most organizations perform a staged deployment of Duo's Trusted Endpoints policy. Beginning to end, your rollout should proceed like this:

  1. Identify an application for testing. Applications must use Duo's inline browser authentication prompt to report managed/unmanaged status.
  2. Identify (or create) a Duo group containing your pilot users. If AD or Azure directory sync manages your users and groups then you need to create the pilot group in your source directory and add the test users first. Then, add that new group to your Duo directory sync configuration and perform a manual sync to import the pilot group to Duo.
  3. Create a new Trusted Endpoints policy that enables detection and reporting of devices without a Duo certificate.
  4. Apply the new policy to the pilot group on the test application.
  5. Monitor Device Insight and Endpoints in the Duo Admin Panel. As the pilot users receive the Duo certificate their endpoints will start reporting their managed status to Duo.
  6. Start deploying the Duo certificates widely throughout your organization, and expand the Duo Trusted Endpoints policy to all users and applications by adding it to the Global Policy.
  7. Start using the Trusted Endpoints policy to block access to your sensitive applications (optional).

Note that the Duo device certificate is not intended for use as a substitute for successful primary authentication to your protected service or application! This is poor security practice and should not be done under any circumstances.

Duo Device Certificate Deployment

Before you can use the Trusted Endpoints policy for reporting or controlling access to applications, you'll need to distribute the Duo certificate to your organization's managed devices. We've created guides for these deployment options:

Trusted Endpoints Management Integrations

You can use any or all of these deployment options in your environment. In fact, we recommend configuring more than one to ensure that you enroll as many trusted endpoints as possible.

Applying the Trusted Endpoints Policy to Applications and Groups

Create a new policy with the Trusted Endpoints setting. At first, configure the policy to check for the Duo certificate.

  1. Log on to the Duo Admin Panel as an administrator with the Owner or Administrator admin role.

  2. Navigate to the details page on the application you'll use to pilot the Trusted Endpoints policy.

  3. Click the Apply a policy to groups of users link to assign the new Trusted Endpoints policy to just the pilot group.

    Apply Group Policy

  4. Click the Or, create a new Policy link instead of selecting a policy to apply from the drop-down list.

    Create New Application Policy

  5. The policy editor launches with an empty policy.

    Empty Custom Policy

  6. Enter a descriptive Policy Name at the top of the left column, and then click the Trusted Endpoints policy item on the left. Change the selected option to Allow all endpoints.

    Creating the Trusted Endpoints Policy

  7. Click the Create Policy button to save the settings and return to the "Apply a Policy" prompt, with the new Trusted Endpoints policy selected. Start typing in the pilot group's name in the Groups field and select it from the suggested names.

    Apply the New Trusted Endpoints Group Policy

  8. Click the Apply Policy button. The application page shows the new group policy assignment.

    Applied Trusted Endpoints Group Policy

For more information about creating and applying group policies, see the Policy documentation.

Monitoring Trusted Endpoints

As users access the application that has the Trusted Endpoints policy, they see no difference in the Duo Prompt when authenticating but Duo notes whether the devices used have the Duo certificate or not. When you view these endpoints in the Admin Panel (from the Endpoints page, from the details page for that device, or from an individual user's details page), the "Trusted Endpoint" column shows the device certificate status: "Yes" if the Duo device certificate exists on that endpoint, or "No" if it does not exist.

Trusted Endpoints Reporting

"Unknown" status in the Trusted Endpoint column usually indicates that the endpoint hasn't been used to access the application that has the Trusted Endpoints policy yet.

Expand the Trusted Endpoints Policy Scope

To include more of your users in the Trusted Endpoints pilot, return to the Duo Admin Panel and either add more users to the pilot Duo group or apply the test policy to additional groups from the test application's details page, You can also apply the Trusted Endpoints policy to additional applications.

Add even more users to your testing by switching from applying the Trusted Endpoints policy to specific groups on an application to applying the policy to all users of that application. Click the Apply a policy to all users link on an application's details page and select the Trusted Endpoints policy.

Apply Application Policy

Eventually, you should add the Trusted Endpoints policy to your Duo Global Policy, so that all your browser-based application default to checking for the Duo device certificate.

Apply Application Policy

Controlling Application Access with the Trusted Endpoints Policy

When the majority of your devices have the Duo certificate and are reporting the certificate status back to Duo, you may wish to block access to your more sensitive applications from unmanaged devices. Accomplish this by applying a policy with the "Trusted Endpoints" policy option set to Block endpoints that do not have a Duo certificate.

Trusted Endpoints Policy to Block Unmanaged Device Access

Users accessing the applications with this policy who do have the Duo device certificate present on their devices continue to see no change in the Duo Prompt when authenticating. However, if the browser does not detect the Duo certificate, then Duo prevents the user from authenticating.

Trusted Endpoints Policy to Block Unmanaged Device Access

Clicking the "See what is allowed" link in the notification provides the user with some additional clarification about why their device isn't able to access the application.

Trusted Endpoints Policy to Block Unmanaged Device Access

Don't enable this policy setting before deploying the Duo device certificate to your trusted access devices, or you may inadvertently block users' access to applications.


Need some help? Take a look at our Trusted Endpoints Knowledge Base articles or Community discussions. For further assistance, contact Support.

Ready to Get Started?

Sign Up Free