Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo protected services. When a user authenticates via the Duo Prompt, we'll check for the access device's security posture in Cisco AMP for Endpoints.
When Duo and Cisco AMP for Endpoints have shared visibility into a Windows or macOS endpoint, Duo can block user access to applications protected by Duo from endpoints deemed compromised by AMP. This is accomplished by:
These instructions assume you already have AMP for Endpoints deployed and actively monitoring your Windows and macOS endpoints. For instructions specific to deploying AMP for Endpoints, refer to the Cisco AMP for Endpoints support documentation.
Keep the Duo Admin Panel open in your browser. You'll need to refer back to the AMP for Endpoints page to complete the configuration steps.
Log in to the Cisco Security AMP for Endpoints management console.
Click the Accounts menu item at the top of the page and go to API Credentials.
Click the New API Credential button, enter a name for the new API credential application (like "Duo"), and set the "Scope" to Read-only. Click Create when done.
You'll see the API key details for the new credential you just created. Do not navigate away from this page before completing the rest of the AMP integration configuration in Duo. If you leave this page without saving the API key to enter in Duo, you may not view it again and will need to delete this API credential and create a new one to continue.
Return to your AMP for Endpoints integration page in the Duo Admin Panel.
Copy the 3rd Party API Client ID from the AMP console and paste this in Duo as the Client ID value in the "Enter AMP Credentials" section.
Copy the API Key from the AMP console and paste this in Duo as the API Key value in the "Enter AMP Credentials" section.
Click the Test Integration button. If the provided API information is correct, the "Hostname" information automatically populates.
Click Save Integration to complete the AMP configuration.
Toggle the integration status to Enabled in the "Enable AMP Integration" section to start using this integration.
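If Test Integration fails, it helps to confirm on your own that the Client ID and API Key pair is valid and to learn which AMP cloud it belongs to. The check below is an added example written for this page, not Duo's or Cisco's code; it assumes that the AMP API uses HTTP Basic authentication (Client ID as the user, API Key as the password), that a `/v1/version` endpoint answers read-only credentials, and that the three regional API hostnames listed are current, none of which this page states.

```python
import base64
import urllib.error
import urllib.request

# Assumed AMP for Endpoints API hostnames (one per cloud region); not from the page.
AMP_API_HOSTS = (
    "api.amp.cisco.com",       # North America
    "api.eu.amp.cisco.com",    # Europe
    "api.apjc.amp.cisco.com",  # Asia Pacific, Japan, China
)


def basic_auth_header(client_id: str, api_key: str) -> str:
    """Build the Authorization header: Client ID as user, API Key as password."""
    token = base64.b64encode(f"{client_id}:{api_key}".encode()).decode()
    return f"Basic {token}"


def http_status(url: str, headers: dict) -> int:
    """Default transport: GET the URL and return the HTTP status (0 on network error)."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code
    except urllib.error.URLError:
        return 0


def find_amp_host(client_id: str, api_key: str, transport=http_status):
    """Try the credential against each AMP cloud.

    Returns (accepting_host_or_None, {host: status}). A 200 from /v1/version means
    the credential authenticates on that cloud; 401 means it was rejected there.
    The transport is injectable so the logic can be exercised without network access.
    """
    headers = {
        "Authorization": basic_auth_header(client_id, api_key),
        "Accept": "application/json",
    }
    statuses = {}
    for host in AMP_API_HOSTS:
        statuses[host] = transport(f"https://{host}/v1/version", headers)
        if statuses[host] == 200:
            return host, statuses
    return None, statuses
```

Run it with the Client ID and API Key you just copied; a result of `None` with all hosts at 401 means the credential itself is wrong (re-create it in the AMP console), while a 0 points at a network or proxy problem rather than the credential.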
Once you've configured the AMP for Endpoints integration, you can configure the Trusted Endpoints policy to start blocking compromised endpoints as users authenticate to Duo-protected services and applications.
Determine if you want to enable AMP in the global policy or as a custom policy applied to specific applications (or select groups of users accessing specific applications). Review the Duo policy documentation to learn more.
When editing or creating the Duo policy to which you want to add AMP for Endpoints checking, click Trusted Endpoints on the left side of the policy editor.
Click the Allow AMP for Endpoints to block compromised endpoints checkbox and save the policy.
With the AMP for Endpoints policy setting enabled:
Once this option is enabled for a Duo policy, an end user who attempts to access the associated application (or who belongs to a user group the policy applies to) from a compromised endpoint is blocked and sees an error message.