
Trusted Endpoints - Duo Mobile Verification

Last Updated: December 9th, 2020

Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo protected services. When a user authenticates via the Duo Prompt, we'll check for the access device's management status. You can monitor access to your applications from managed and unmanaged devices, and optionally block access from devices not managed by your organization.

Duo's Trusted Endpoints feature is part of the Duo Beyond plan.

There's no need to deploy a separate mobile device management (MDM) solution before you can create access policies for mobile device endpoints. The Duo Mobile app already installed and activated for Duo Push on your users' phones can also serve as your Android and iOS managed device verification tool.

Whether the access request from the mobile device browser was approved with Duo Push or with a different authentication factor (like an SMS passcode), Duo prompts the user to open Duo Mobile to perform a device health check during authentication.

If the Duo Mobile check determines that the device satisfies your organization's access policies, such as screen lock enabled, updated OS version, or other configured policy requirements, then that mobile device used to access your Duo-protected application is "trusted".


Prerequisites

  • Access to the Duo Admin Panel as an administrator with the Owner, Administrator, or Application Manager administrative roles.
  • End users must have Duo Mobile installed on their mobile access devices, activated for Duo Push authentication.

Create the Duo Mobile Integration

  1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints Configuration.
  2. If this is your first management integration, click the Configure Management Tools Integration button at the bottom of the page. If you're adding another management integration, click the Add Integration button you see instead.
  3. On the "Select Management Tools Integration" page, locate Duo Mobile in the listed integrations and click the Select this integration link to the right.

The new Duo Mobile integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Enable for iOS and Android

You can choose whether you want to enable this new Duo Mobile management integration for iOS devices, Android devices, or both platforms. This is useful if you want to phase in device management support for a particular mobile OS.

To enable Duo Mobile trust for a given platform:

  1. Click on the Android (Disabled) or iOS (Disabled) tab on the Duo Mobile management integration.

  2. Click the Android is disabled or iOS is disabled toggle to enable checking for that platform. The page updates to indicate the new setting.

  3. Optionally repeat the process for the other mobile platform.

Note that enabling a specific mobile operating system does not also enable the Duo Mobile management integration itself. You'll do that in the next set of steps.

Finish Trusted Endpoints Deployment

After creating the Duo Mobile management integration, set the Trusted Endpoints policy to start checking for managed device status as users authenticate to Duo-protected services and applications.

When your trusted endpoints policy is applied to your Duo applications, return to the Duo Mobile trusted endpoint management integration in the Admin Panel and enable it by clicking the Change link at the top of the page next to "Integration is disabled". You can choose to either activate this management integration for just members of a specified test group or groups, or activate for all users.

Enable Trusted Endpoints Management Integration

If you create the Duo Mobile trusted endpoints management integration alongside another mobile management integration (like AirWatch/Workspace ONE or MobileIron Cloud) then Duo Mobile acts as the default management integration and Duo no longer uses your other MDM management integrations for device verification.

The Device Insight and Endpoints pages in the Duo Admin Panel show which access devices are trusted/managed and enrolled in Duo Mobile.

Verify Your Setup

Users with Duo Mobile installed and activated for Duo Push on Android and iOS devices see a device trust dialog when authenticating to a protected resource via the Duo Prompt.


The prompt opens Duo Mobile on the device for verification.


If Duo successfully verifies the device information with Duo Mobile, and the user has Duo Mobile activated for Duo Push, then the user receives a login request on their phone. On Android devices, approving the request grants access and returns the user to the protected application.


On iOS devices, after approving the Duo authentication request users tap the top-left of the Duo Mobile app to return to the application and complete login.


If the user does not have Duo Mobile activated for push, or does not approve the Duo request before it times out, the user returns to the Duo Prompt, where they may select from the available factors to complete 2FA. The "Second Factor" logged for these approvals is shown as "Duo Mobile Inline Auth" in the Duo authentication log.

When the trusted endpoints policy is set to just check access devices, users receive access to the application (assuming the device passes all other policy verification), and Duo records the trusted or untrusted status of that device.

If the trusted endpoints policy blocks access from unmanaged devices and Duo successfully verifies the device information against the required policy settings then the user receives access to the protected application.

If the mobile device fails the configuration and policy checks then Duo denies application access.
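Before moving the policy from just checking devices to blocking unmanaged ones, it helps to see who would be denied, based on the trust status Duo recorded while in check-only mode. The following is an added example, not Duo's code: the record layout and field names (`user`, `os`, `factor`, `trusted_endpoint`) and the sample lines are constructed for illustration, and any status other than "trusted" is assumed to count as a would-be block.

```python
import json
from collections import defaultdict

# Constructed sample records. Field names and status values are assumptions
# for this example, not Duo's authentication log export schema.
SAMPLE_LOG = """\
{"user": "alice", "os": "iOS", "factor": "Duo Push", "trusted_endpoint": "trusted"}
{"user": "bob", "os": "Android", "factor": "Duo Mobile Inline Auth", "trusted_endpoint": "trusted"}
{"user": "carol", "os": "Android", "factor": "SMS Passcode", "trusted_endpoint": "not trusted"}
{"user": "carol", "os": "Android", "factor": "SMS Passcode", "trusted_endpoint": "not trusted"}
{"user": "dave", "os": "iOS", "factor": "Duo Push", "trusted_endpoint": "unknown"}
{"user": "alice", "os": "iOS", "factor": "Duo Push", "trusted_endpoint": "not trusted"}
not-json line
"""

REQUIRED = {"user", "os", "factor", "trusted_endpoint"}

def parse(text):
    """Yield well-formed records; skip lines that are not JSON or lack a field."""
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and REQUIRED <= rec.keys():
            yield rec

def block_impact(records):
    """Summarise who would lose access if unmanaged devices were blocked."""
    statuses = defaultdict(set)          # user -> trust statuses observed
    untrusted_by_os = defaultdict(int)   # OS -> count of non-trusted accesses
    inline_auth = 0
    for r in records:
        statuses[r["user"]].add(r["trusted_endpoint"])
        if r["trusted_endpoint"] != "trusted":   # fail closed on "unknown"
            untrusted_by_os[r["os"]] += 1
        if r["factor"] == "Duo Mobile Inline Auth":
            inline_auth += 1
    return {
        # Users never seen on a trusted device: fully locked out by blocking.
        "never_trusted": sorted(u for u, s in statuses.items() if "trusted" not in s),
        # Users with both trusted and non-trusted accesses: partially affected.
        "mixed": sorted(u for u, s in statuses.items() if "trusted" in s and len(s) > 1),
        "untrusted_by_os": dict(untrusted_by_os),
        "inline_auth_events": inline_auth,
    }

if __name__ == "__main__":
    print(json.dumps(block_impact(parse(SAMPLE_LOG)), indent=2))
```

The per-OS counts indicate which platform to enable first when phasing in Duo Mobile verification for iOS and Android separately.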

