
Duo Trusted Endpoints - Cisco AMP for Endpoints

Last Updated: August 27th, 2021

Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo-protected services. When a user authenticates via the Duo Prompt, we'll check the access device's security posture in Cisco AMP for Endpoints.

Trusted Endpoints is part of the Duo Beyond plan.

When Duo and Cisco AMP for Endpoints have shared visibility into a Windows or macOS endpoint, Duo can block user access to applications protected by Duo from endpoints deemed compromised by AMP. This is accomplished by:

  1. Deploying to the endpoint one of Duo's Trusted Endpoints management integrations that supports the AMP integration.
  2. Deploying the AMP for Endpoints Connector application to the endpoint.
  3. Connecting your Duo service to your AMP for Endpoints service.

These instructions assume you already have AMP for Endpoints deployed and actively monitoring your Windows and macOS endpoints. For instructions specific to deploying AMP for Endpoints, please refer to the Cisco AMP for Endpoints support documentation.


Create the AMP for Endpoints Integration

  1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints Configuration.
  2. On the "Add Management Tools Integration" page, click the Endpoint Detection & Response Systems tab.
  3. Locate AMP for Endpoints in the listed integrations and click the Add this integration link to the right.

Keep the Duo Admin Panel open in your browser. You'll need to refer back to the AMP for Endpoints page to complete the configuration steps.

Configure the AMP for Endpoints Integration

  1. Log in to the Cisco Security AMP for Endpoints management console.

  2. Click the Accounts menu item at the top of the page and go to API Credentials.

  3. Click the New API Credential button, enter a name for the new API credential application (like "Duo"), and set the "Scope" to Read-only. Click Create when done.

    New AMP API Credential
  4. You'll see the API key details for the new credential you just created. Do not navigate away from this page before completing the rest of the AMP integration configuration in Duo. If you leave this page without saving the API key to enter in Duo, you may not view it again and will need to delete this API credential and create a new one to continue.

    AMP API Credential Information
  5. Return to your AMP for Endpoints integration page in the Duo Admin Panel.

  6. Copy the 3rd Party API Client ID from the AMP console and paste this in Duo as the Client ID value in the "Enter AMP Credentials" section.

  7. Copy the API Key from the AMP console and paste this in Duo as the API Key value in the "Enter AMP Credentials" section.

  8. Click the Test Integration button. If the provided API information is correct, the "Hostname" information automatically populates.

  9. Click Save Integration to complete the AMP configuration.

  10. Toggle the integration status to Enabled in the "Enable AMP Integration" section to start using this integration.
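Before pasting a freshly created API credential into Duo (steps 3 through 8 above), it is worth confirming from the command line that the Client ID and API Key actually authenticate against the AMP for Endpoints API for your console's region, since the key is shown only once. The script below is an added example and is not part of Duo's or Cisco's documentation. It relies on two things that are documented for the AMP for Endpoints API: requests use HTTP Basic authentication with the 3rd Party API Client ID as the username and the API Key as the password, and `GET /v1/version` is an authenticated call that succeeds with a Read-only credential. The region labels `nam`, `eu` and `apjc`, the environment variable names `AMP_CLIENT_ID` and `AMP_API_KEY`, and the function names are this example's own conventions.

```shell
#!/bin/sh
# Added example (not Duo or Cisco code): sanity-check a new AMP for Endpoints
# API credential before handing it to the Duo Trusted Endpoints integration.
# The credential is read from environment variables rather than passed as
# arguments so it does not end up in shell history or in `ps` output.

# Map a console region to its AMP for Endpoints API hostname. These are the
# regional API hosts Cisco documents; the region labels (nam/eu/apjc) are
# this example's own shorthand.
amp_api_host() {
    case "$1" in
        nam|us) printf '%s\n' 'api.amp.cisco.com' ;;
        eu)     printf '%s\n' 'api.eu.amp.cisco.com' ;;
        apjc)   printf '%s\n' 'api.apjc.amp.cisco.com' ;;
        *)      printf 'unknown AMP region: %s (expected nam, eu or apjc)\n' "$1" >&2
                return 1 ;;
    esac
}

# Return 0 if the credential authenticates to the API, 1 otherwise.
# GET /v1/version is the cheapest authenticated call and works with a
# Read-only credential, which is all the Duo integration needs.
amp_check_credential() {
    region="$1"
    host="$(amp_api_host "$region")" || return 1
    # Abort with a clear message if either half of the credential is missing.
    : "${AMP_CLIENT_ID:?set AMP_CLIENT_ID to the 3rd Party API Client ID}"
    : "${AMP_API_KEY:?set AMP_API_KEY to the API Key shown once in the console}"

    # -f turns HTTP 401/403 into a non-zero exit; -sS is quiet unless it fails.
    if curl -fsS -u "${AMP_CLIENT_ID}:${AMP_API_KEY}" \
            "https://${host}/v1/version" >/dev/null; then
        echo "OK: credential authenticates to ${host}"
        return 0
    fi
    echo "FAIL: ${host} rejected the credential (check Client ID, API Key and region)" >&2
    return 1
}

# Only run the live check when a region is given, so the file can also be
# sourced. Usage: AMP_CLIENT_ID=... AMP_API_KEY=... ./amp_check.sh nam
if [ -n "${1:-}" ]; then
    amp_check_credential "$1"
fi
```

If the call fails with 401 while the Duo "Test Integration" button also fails, the credential itself is wrong or was created in a different regional console than the one you are querying; if it succeeds here but Duo's test fails, the problem is on the Duo side (for example a copy-paste error or trailing whitespace in the pasted values). Treat the API Key as a secret: it grants read access to your entire AMP tenant, and the console will not display it again.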

Configure the AMP Policy

Once you've configured the AMP for Endpoints integration, you can configure the Trusted Endpoints policy to start blocking compromised endpoints as users authenticate to Duo-protected services and applications. Your client devices must be identified as trusted endpoints in Duo in order for Duo to use AMP compromise information to permit or deny access to applications. Duo uses identifiers in the Duo certificate installed on trusted endpoints to match devices in AMP and check their state.

  1. Determine if you want to enable AMP in the global policy or as a custom policy applied to specific applications (or select groups of users accessing specific applications). Review the Duo policy documentation to learn more.

  2. When editing or creating the Duo policy to which you want to add AMP for Endpoints checking, click Trusted Endpoints on the left side of the policy editor.

  3. Ensure that Require endpoints to be trusted is selected, check the Allow AMP for Endpoints to block compromised endpoints checkbox, and then save the policy.

    Trusted Endpoints Policy with AMP

With the AMP for Endpoints blocking policy setting enabled, Duo determines application access for Windows and macOS clients as follows:

| AMP device status | Trusted Endpoints policy: Require endpoints to be trusted | Trusted Endpoints policy: Allow all endpoints |
|---|---|---|
| Compromised | Application access blocked ** | Application access allowed |
| Not compromised | Application access allowed if device is trusted | Application access allowed |

** Devices not identified as trusted endpoints are blocked from access regardless of their status in AMP.

Verify Your Setup

Once this option is enabled in a Duo policy, an end user who attempts to access the associated application (or who belongs to a user group the policy applies to) from an endpoint that AMP has marked as compromised is blocked and sees an error message.


Need some help? Take a look at our Trusted Endpoints Knowledge Base articles or Community discussions. For further assistance, contact Support.