Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo protected services. When a user authenticates via the Duo Prompt, we'll check for the access device's management status. You can monitor access to your applications from managed and unmanaged devices, and optionally block access from devices not managed by your organization.
Duo's Trusted Endpoints feature is part of the Duo Beyond plan.
Before enabling the Trusted Endpoints policy on your applications, you'll need to deploy the Duo device certificate or REST API access for Duo to your managed mobile devices. This guide walks you through AirWatch/Workspace ONE configuration for Android and iOS mobile devices.
The new AirWatch integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.
Keep the Duo Admin Panel open in your browser. You'll need to refer back to the AirWatch management integration page to complete the Android and/or iOS configuration steps.
Duo determines trusted device status on Android devices by leveraging the installed and activated Duo Mobile application on a given device to verify device information. To enable this verification you'll need to grant Duo read-only access to those devices via your AirWatch MDM's API access.
Log on to the AirWatch console as an administrator. Click the Add drop down at the top of the page, then click Public Application.
On the "Add Application" page, set the "Platform" to Android.
Set the "Source" to SEARCH APP STORE.
Enter Duo Mobile in the "Name" field and click Next to search for it in the Google Play Store.
Click on Duo Mobile in the Google Play Store search results, and then click Approve for the Duo Mobile app.
Configure app options like "Categories" on the "Details" tab if desired. Click SAVE & ASSIGN when done.
Go to the "Assignments" tab for the Duo Mobile app and click Add Assignment.
On the "Duo Mobile - Add Assignment" page, select your desired assignment group or groups.
Go to the "Application Configuration" section. Set it to ENABLED to reveal the Duo Mobile Trusted Endpoints configuration fields.
Locate the "Trusted Endpoint Identifier" managed configuration field and enter {DeviceUid} as the value.
Return to your AirWatch management integration page in the Duo Admin Panel.
Copy the "Trusted Endpoints Configuration Key" value from the Android Configuration Instructions tab of your AirWatch management integration (it will look similar to DJPO0S0HLJD0ASDHTDD). Paste this into AirWatch as the Trusted Endpoints Configuration Key value.
Click Add and then click Save and Publish to complete the app publishing process.
While still logged on to the AirWatch console, go to Accounts → Administrators → Roles.
Click the Add Role button. Enter a Name (like "Duo API") and Description for the new role on the "Create Role" page.
Click on the "API" category on the left and then locate REST - Devices - REST APIs for device management in the API category list. Check the box in the "Read" column to grant the new Duo API role read access to devices. Click Save to create the role.
Navigate to Accounts → Administrators → List View in the AirWatch console.
Click the Add button and choose Add Admin on the pop-up menu.
Enter the following information on the "Basic" tab form:
User Type | Directory |
Username | Search for an account in your directory to use. |
First Name and Last Name | Enter a first and last name for the Duo admin user (e.g. "Duo" "Admin"). |
Email Address | Enter an email address for the Duo admin user. |
Time Zone | Select your time zone. |
Locale | Select your language/region. |
Initial Landing Page | Leave as the default option. |
Do not make any changes to the "Two-factor Authentication Method" or "Notification" options.
If you do not have your directory synced with AirWatch, you may instead create a new admin with the "User Type" set to Basic and a specified username and password. Be aware that AirWatch enforces password expiration for "Basic" user types every 30 days. While the password is expired, your Trusted Endpoints integration with AirWatch will not work, and you will need to reset the password to restore functionality. Using a directory account avoids this 30-day expiration.
Click the "Roles" tab then click the Add Role button. Choose your Organization Group from the list presented. Locate and select the "Duo API" read-only role you created earlier in the Role list. Click the checkbox at the far left to enable the Duo role for the Duo admin user.
Click the "API" tab and ensure that the User Credentials option is selected.
Click Save to create the Duo admin user.
Navigate to Groups & Settings → All Settings → System → Advanced → API → Rest API in the AirWatch console.
Click Add to generate a new REST API key. This appends a new row in the existing API keys table.
Click into the blank Service field for the newly-generated API key to type in a service name for this API key (like "Duo API"). You can also enter additional identifying information in the Description field.
Leave the "Account Type" set to Admin and click Save.
Return to your AirWatch management integration page in the Duo Admin Panel.
Enter the following information into the blank fields under step 4 of the AirWatch "Android Configuration Instructions" section:
Admin Username | Enter the Duo admin username you created in AirWatch. |
Admin Password | Enter the password for the Duo admin user you created in AirWatch. |
API Key | Enter the REST API key you created for Duo in AirWatch. |
Domain Name | Enter your organization's AirWatch domain. For example, if you access the AirWatch console at https://acmecorp.awmdm.com then you'd enter acmecorp.awmdm.com as the domain name. |
Click the Test Configuration button to verify Duo's API access to your AirWatch instance. You'll receive a "Configuration Successful!" message if everything's correct. If the test fails, verify that you completed the AirWatch configuration steps and entered the right information in the Duo Admin Panel: in particular, that the Duo admin user has the read-only "Duo API" role enabled in the correct organization group, that the REST API key's "Account Type" is Admin, and that a Basic-type admin's password has not expired.
After you successfully test your configuration, click the Save & Configure Android Devices button.
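As an added example (not Duo or AirWatch code), the following Python script performs the same kind of read-only device lookup that Duo makes with the admin username, password, API key and domain entered above. It is useful for telling apart the failure modes the "Test Configuration" button lumps together: a 401 for a wrong or expired password, a 403 for a rejected API key or a role without REST - Devices Read, a 404 for a UDID AirWatch does not know. The endpoint path, the `aw-tenant-code` header and the JSON field names in the constructed sample response are assumptions taken from the AirWatch REST API reference; check them against your AirWatch version.

```python
"""Check the AirWatch REST API access that Duo's Android trusted endpoint lookup relies on.

Added example, not Duo or AirWatch code. Assumptions: the device lookup endpoint
/API/mdm/devices?searchby=Udid&id=<udid> and the aw-tenant-code header follow the
AirWatch REST API reference; the JSON field names in the constructed sample
response below are assumptions as well.
"""
import base64
import json
import sys
import urllib.error
import urllib.parse
import urllib.request


def build_request(domain, admin_username, admin_password, api_key, device_uid):
    """Return (url, headers) for looking up one device by its AirWatch UDID.

    Duo Mobile reports {DeviceUid} as the Trusted Endpoint Identifier, so a UDID
    lookup is the kind of read Duo performs with the read-only "Duo API" role.
    """
    query = urllib.parse.urlencode({"searchby": "Udid", "id": device_uid})
    url = f"https://{domain}/API/mdm/devices?{query}"
    basic = base64.b64encode(f"{admin_username}:{admin_password}".encode()).decode()
    headers = {
        # The Duo admin user's credentials (its API tab is set to "User Credentials").
        "Authorization": f"Basic {basic}",
        # The REST API key added under System -> Advanced -> API -> REST API.
        "aw-tenant-code": api_key,
        "Accept": "application/json",
    }
    return url, headers


def classify_response(status, body):
    """Map an HTTP status and body to the failure Duo's Test Configuration would hit."""
    if status == 401:
        # Wrong password, or a Basic-type admin whose password hit AirWatch's 30-day expiry.
        return "auth_failed", None
    if status == 403:
        # API key rejected, or the admin's role lacks REST - Devices Read in this organization group.
        return "forbidden", None
    if status == 404:
        return "device_not_found", None
    if status != 200:
        return f"http_{status}", None
    data = json.loads(body)
    return "ok", {
        "udid": data.get("Udid"),
        "enrollment_status": data.get("EnrollmentStatus"),
        "platform": data.get("Platform"),
        "compromised": data.get("CompromisedStatus"),
    }


def lookup_device(domain, admin_username, admin_password, api_key, device_uid,
                  opener=urllib.request.urlopen):
    """Perform the lookup; `opener` is injectable so the logic can be exercised offline."""
    url, headers = build_request(domain, admin_username, admin_password, api_key, device_uid)
    request = urllib.request.Request(url, headers=headers)
    try:
        with opener(request) as response:
            return classify_response(response.status, response.read().decode())
    except urllib.error.HTTPError as err:
        return classify_response(err.code, err.read().decode())


# Constructed sample of a successful device lookup (field names are assumptions).
SAMPLE_DEVICE_JSON = json.dumps({
    "Udid": "3f0d2c6e5b1a4d8e9f7c6b5a4d3e2f10",
    "EnrollmentStatus": "Enrolled",
    "Platform": "Android",
    "CompromisedStatus": False,
})


if __name__ == "__main__":
    if len(sys.argv) != 6:
        sys.exit("usage: check_airwatch.py <domain> <admin_user> <admin_password> <api_key> <device_udid>")
    print(lookup_device(*sys.argv[1:]))
```

Run it with the same domain form Duo expects (for example `acmecorp.awmdm.com`, not a full URL) and the UDID of a device you know is enrolled. An "ok" result with `enrollment_status` of "Enrolled" means the credentials, API key and role are sufficient for a device read; anything else points at the specific AirWatch setting to revisit.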
Duo verifies the trusted status of iOS devices by checking for the presence of a Duo device certificate. You'll use AirWatch to push the Duo CA information to your mobile devices so they can obtain a Duo certificate.
Log on to the AirWatch console as an administrator and navigate to Devices → Certificates → Certificate Authorities.
Click the Add button and enter the Duo Certificate Authority (CA) information from the AirWatch management integration page in the Duo Admin Panel as follows:
Name | Enter a descriptive name, like "Duo CA". |
Description | Enter additional information about this new Duo CA, if desired. |
Authority Type | Microsoft ADCS |
Protocol | SCEP |
Version | NDES 2008/2012 |
SCEP URL | Paste in the SCEP URL from the "Add a Certificate Authority" section of the iOS instructions on the AirWatch management integration page in the Duo Admin Panel. |
Challenge Type | Dynamic |
Challenge Username | Paste in the Username from the "Add a Certificate Authority" section of the iOS instructions on the AirWatch management integration page in the Duo Admin Panel. |
Challenge Password | Paste in the Password from the "Add a Certificate Authority" section of the iOS instructions on the AirWatch management integration page in the Duo Admin Panel. |
SCEP Challenge URL | Paste in the Challenge URL from the "Add a Certificate Authority" section of the iOS instructions on the AirWatch management integration page in the Duo Admin Panel. |
Enable Proxy | Disabled |
You do not need to set any advanced options for this CA. Click Save and Add Template after entering all the required information to move to the next steps of adding a new device certificate template.
If you didn't get to the "Certificate Template - Add/Edit" page from the new CA page then navigate to Devices → Certificates → Certificate Authorities → Request Templates and click the Add button.
Enter the Certificate Template information from the AirWatch management integration page in the Duo Admin Panel as follows:
Name | Enter a descriptive name, like "Duo CA Template". |
Description | Enter additional information about this new certificate template, if desired. |
Certificate Authority | Select the Duo CA you added earlier. |
Subject Name | Paste in the Subject Name from the "Add a Certificate Template" section of the iOS instructions on the AirWatch management integration page in the Duo Admin Panel. |
Private Key Length | 2048 |
Private Key Type | Signing |
Auto Renewal Period (days) | 14 |
Click Save after entering all the required information.
Navigate to Devices → Profiles & Resources → Profiles in the AirWatch console.
Click Add and choose Add Profile on the pop-up menu.
Click Apple iOS.
Fill out the General form on the "Add a New Apple iOS Profile" page with the following information:
Name | Enter a descriptive name, like "Duo iOS Profile". |
Description | Enter additional information about this new profile, if desired. |
Deployment Type | Leave as "Managed". |
Assignment Type | Leave as "Auto". |
Allow Removal | Change to Never or With Authorization to prevent end users removing the Duo profile from their devices. If you select With Authorization then you'll need to enter an authorization password as well. |
Assigned Groups | Select the device groups to which you want to assign the Duo CA profile. |
The remaining options may be left at their default values. You still need to configure SCEP before saving the new iOS profile.
Click the SCEP link on the left and then click Configure.
Configure the new SCEP as follows:
Credential Source | Leave as "Defined CA". |
Certificate Authority | Select the Duo CA you added earlier. |
Certificate Template | Select the Duo CA Template you added earlier. |
Click the Save & Publish button after filling out the General and SCEP information.
You can monitor the profile's deployment status under Devices → Profiles & Resources → Profiles.
Once your AirWatch managed devices receive the Duo config you can set the Trusted Endpoints policy to start checking for managed device status as users authenticate to Duo-protected services and applications.
When your trusted endpoints policy is applied to your Duo applications, return to the AirWatch trusted endpoint management integration in the Admin Panel and enable it by clicking the Change link at the top of the page next to "Integration is disabled". You can choose to either activate this management integration for just members of a specified test group or groups, or activate for all users.
The Device Insight and Endpoints pages in the Duo Admin Panel show which access devices are trusted/managed.
Users on Android devices see a device trust dialog when authenticating to a protected resource via the Duo Prompt.
Duo uses the API access you granted in AirWatch to perform a permissions check to verify device information.
If Duo successfully verifies the device information using the AirWatch API access, and the user has Duo Mobile activated for Duo Push, then the user receives a login request on their phone. Approving the request grants access to the protected application.
If the user does not have Duo Mobile activated for push, or does not approve the Duo request before it times out, the user returns to the Duo Prompt, where they may select from the available factors to complete 2FA.
iOS users will see a prompt asking them to choose a certificate when authenticating to a protected resource via the Duo Prompt. After selecting the Duo Device Authentication certificate and completing authentication, subsequent Duo authentications from the same device will automatically use that same certificate for verification.
Deleting a trusted endpoints management tool integration from the Duo Admin Panel immediately invalidates issued Duo device authentication certificates. Be sure to unassign your trusted endpoints policy from all applications or remove the "Trusted Endpoints" configuration item from your global policy before deleting an existing AirWatch integration from "Trusted Endpoints Configuration". You should also disable your Duo admin user in AirWatch.
Leaving the policy settings in place after deleting a management tools integration may inadvertently block user access to applications.
Need some help? Take a look at our Trusted Endpoints Knowledge Base articles or Community discussions. For further assistance, contact Support.