Trusted Endpoints - Cisco AMP for Endpoints

Last Updated: February 18th, 2020

Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo protected services. When a user authenticates via the Duo Prompt, we'll check for the access device's security posture in Cisco AMP for Endpoints.

When Duo and Cisco AMP for Endpoints have shared visibility into a Windows or macOS endpoint, Duo can block user access to applications protected by Duo from endpoints deemed compromised by AMP. This is accomplished by:

  1. Deploying one of Duo's Trusted Endpoints management integrations that supports the AMP integration to the endpoint.
  2. Deploying the AMP for Endpoints Connector application to the endpoint.
  3. Connecting your Duo service to your AMP for Endpoints service.

These instructions assume you already have AMP for Endpoints deployed and actively monitoring your Windows endpoints. For instructions specific to deploying AMP for Endpoints, please refer to the Cisco AMP for Endpoints support documentation.

Prerequisites

Create the Integration

  1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints Configuration.
  2. Click the Endpoint Detection & Response Systems tab.
  3. On the "Add Management Tools Integration" page, click the Endpoint Detection & Response Systems tab, locate AMP for Endpoints in the listed integrations, and click the Add this integration link to the right.

Keep the Duo Admin Panel open in your browser. You'll need to refer back to the AMP for Endpoints page to complete the configuration steps.

Configure the AMP for Endpoints Integration

  1. Log in to the Cisco Security AMP for Endpoints management console.

  2. Click the Accounts menu item at the top of the page and go to API Credentials.

  3. Click the New API Credential button, enter a name for the new API credential application (like "Duo"), and set the "Scope" to Read-only. Click Create when done.

  4. You'll see the API key details for the new credential you just created. Do not navigate away from this page before completing the rest of the AMP integration configuration in Duo. If you leave this page without saving the API key to enter in Duo, you will not be able to view it again and will need to delete this API credential and create a new one to continue.

  5. Return to your AMP for Endpoints integration page in the Duo Admin Panel.

  6. Copy the 3rd Party API Client ID from the AMP console and paste this in Duo as the Client ID value in the "Enter AMP Credentials" section.

  7. Copy the API Key from the AMP console and paste this in Duo as the API Key value in the "Enter AMP Credentials" section.

  8. Click the Test Integration button. If the provided API information is correct, the "Hostname" information automatically populates.

  9. Click Save Integration to complete the AMP configuration.

  10. Toggle the integration status to Enabled in the "Enable AMP Integration" section to start using this integration.

Configure the AMP Policy

Once you've configured the AMP for Endpoints integration, you can configure the Trusted Endpoints policy to start blocking compromised endpoints as users authenticate to Duo-protected services and applications.

  1. Determine if you want to enable AMP in the global policy or as a custom policy applied to specific applications (or select groups of users accessing specific applications). Review the Duo policy documentation to learn more.

  2. When editing or creating the Duo policy to which you want to add AMP for Endpoints checking, click Trusted Endpoints on the left side of the policy editor.

  3. Click the Allow AMP for Endpoints to block compromised endpoints checkbox and save the policy.

With the AMP for Endpoints policy setting enabled:

  • Windows and macOS client access devices that are identified as trusted endpoints in Duo but are compromised in AMP are blocked from accessing applications with this policy applied, regardless of whether the Trusted Endpoints policy is set to "Allow all endpoints" or "Require endpoints to be trusted".
  • Windows and macOS client access devices that are identified as trusted endpoints in Duo and aren't compromised in AMP are permitted access to applications with this policy applied, regardless of whether the Trusted Endpoints policy is set to "Allow all endpoints" or "Require endpoints to be trusted".
  • Windows and macOS client access devices that are not identified as trusted endpoints in Duo are permitted access to applications with this policy applied when the Trusted Endpoints policy is set to "Allow all endpoints", regardless of the endpoint's status in AMP.
  • Windows and macOS client access devices that are not identified as trusted endpoints in Duo are blocked from accessing applications with this policy applied when the Trusted Endpoints policy is set to "Require endpoints to be trusted", regardless of the endpoint's status in AMP.
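The four outcomes above can be modelled as a small decision function and then enumerated to see which combinations still admit a compromised device. This is an added example, not Duo's code; the function and constant names are hypothetical, and only the mode strings and outcomes come from the list above.

```python
from itertools import product

# Mode strings as they appear in the Trusted Endpoints policy text above.
ALLOW_ALL = "Allow all endpoints"
REQUIRE_TRUSTED = "Require endpoints to be trusted"


def access_decision(trusted_in_duo: bool, compromised_in_amp: bool, mode: str) -> str:
    """Model of the documented outcomes with the AMP checkbox enabled (hypothetical helper)."""
    if mode not in (ALLOW_ALL, REQUIRE_TRUSTED):
        raise ValueError(f"unknown Trusted Endpoints mode: {mode!r}")
    if trusted_in_duo:
        # For trusted endpoints the AMP status decides, regardless of the mode.
        return "block" if compromised_in_amp else "allow"
    # For untrusted endpoints the AMP status is not consulted; only the mode matters.
    return "allow" if mode == ALLOW_ALL else "block"


def compromised_but_allowed() -> list:
    """Enumerate every combination and return those where a compromised device is allowed."""
    gaps = []
    for trusted, compromised, mode in product(
        (True, False), (True, False), (ALLOW_ALL, REQUIRE_TRUSTED)
    ):
        if compromised and access_decision(trusted, compromised, mode) == "allow":
            gaps.append((trusted, mode))
    return gaps


if __name__ == "__main__":
    for trusted, mode in compromised_but_allowed():
        print(f"compromised endpoint allowed: trusted_in_duo={trusted}, mode={mode!r}")
```

The only combination returned is an endpoint that Duo does not identify as trusted under "Allow all endpoints": AMP blocking applies only to endpoints Duo already identifies as trusted, so "Require endpoints to be trusted" is the setting that closes that case.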

Verify Your Setup

Once the above option is enabled for a Duo policy, when an end user who is subject to that policy (through the associated application or through membership in a targeted user group) attempts access from a compromised endpoint, the request should be blocked and the user will see an error message.

Troubleshooting

Need some help? Take a look at our Trusted Endpoints Knowledge Base articles or Community discussions. For further assistance, contact Support.