Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo-protected services. When a user authenticates via the Duo Prompt, we'll check the access device's management status. You can monitor access to your applications from managed and unmanaged devices, and optionally block access from devices not managed by your organization.
Duo's Trusted Endpoints feature is part of the Duo Beyond plan.
There's no need to deploy a separate mobile device management (MDM) solution before you can create access policies for mobile device endpoints. The Duo Mobile app already installed and activated for Duo Push on your users' phones can also serve as your Android and iOS managed device verification tool.
Whether the access request from the mobile device browser was approved with Duo Push or with a different authentication factor (like an SMS passcode), Duo prompts the user to open Duo Mobile to perform a device health check during authentication.
If the Duo Mobile check determines that the device satisfies your organization's access policies, such as screen lock enabled, updated OS version, or other configured policy requirements, then that mobile device used to access your Duo-protected application is "trusted".
The new Duo Mobile integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.
You can choose whether you want to enable this new Duo Mobile management integration for iOS devices, Android devices, or both platforms. This is useful if you want to phase in device management support for a particular mobile OS.
To enable Duo Mobile trust for a given platform:
Click on the Android (Disabled) or iOS (Disabled) tab on the Duo Mobile management integration.
Click the Android is disabled or iOS is disabled toggle to enable checking for that platform. The page updates to indicate the new setting.
Optionally repeat the process for the other mobile platform.
Note that enabling a specific mobile operating system does not also enable the Duo Mobile management integration itself. You'll do that in the next set of steps.
After creating the Duo Mobile management integration, set the Trusted Endpoints policy to start checking for managed device status as users authenticate to Duo-protected services and applications.
When your trusted endpoints policy is applied to your Duo applications, return to the Duo Mobile trusted endpoint management integration in the Admin Panel and enable it by clicking the Change link at the top of the page next to "Integration is disabled". You can choose to either activate this management integration for just members of a specified test group or groups, or activate for all users.
If you create the Duo Mobile trusted endpoints management integration alongside another mobile management integration (like AirWatch/Workspace ONE or MobileIron Cloud), then Duo Mobile acts as the default management integration and Duo no longer uses your other MDM management integrations for device verification.
Users with Duo Mobile installed and activated for Duo Push on Android and iOS devices see a device trust dialog when authenticating to a protected resource via the Duo Prompt.
The prompt opens Duo Mobile on the device for verification.
If Duo successfully verifies the device information with Duo Mobile, and the user has Duo Mobile activated for Duo Push, then the user receives a login request on their phone. On Android devices, approving the request grants access and returns the user to the protected application.
On iOS devices, after approving the Duo authentication request users tap the top-left of the Duo Mobile app to return to the application and complete login.
If the user does not have Duo Mobile activated for push, or does not approve the Duo request before it times out, the user returns to the Duo Prompt, where they may select from the available factors to complete 2FA. The "Second Factor" logged for these approvals is shown as "Duo Mobile Inline Auth" in the Duo authentication log.
When the trusted endpoints policy is set to just check access devices, users receive access to the application (assuming the device passes all other policy verification), and Duo records the trusted or untrusted status of that device.
If the trusted endpoints policy blocks access from unmanaged devices and Duo successfully verifies the device information against the required policy settings, then the user receives access to the protected application.
If the mobile device fails the configuration and policy checks, then Duo denies application access.
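Before switching the policy from check-only to blocking, the trusted and untrusted status recorded in check-only mode can be used to estimate who would lose access. The following is an added example, not Duo's code: the records are constructed and the field names are assumptions to be mapped onto your own authentication log export.

```python
from collections import defaultdict

# Constructed sample records. The field names ("user", "application",
# "second_factor", "trusted_endpoint", "result") are assumptions for this
# example, not Duo's export schema; map them to your own log export.
SAMPLE_LOG = [
    {"user": "alice", "application": "VPN", "second_factor": "Duo Push",
     "trusted_endpoint": "trusted", "result": "success"},
    {"user": "bob", "application": "VPN", "second_factor": "Duo Mobile Inline Auth",
     "trusted_endpoint": "trusted", "result": "success"},
    {"user": "bob", "application": "Wiki", "second_factor": "SMS Passcode",
     "trusted_endpoint": "not trusted", "result": "success"},
    {"user": "carol", "application": "Wiki", "second_factor": "Duo Push",
     "trusted_endpoint": "unknown", "result": "success"},
    {"user": "carol", "application": "Wiki", "second_factor": "Duo Push",
     "trusted_endpoint": "not trusted", "result": "denied"},
]

def would_be_blocked(records):
    """Successful logins from devices not verified as trusted, grouped by user.

    In check-only mode these logins succeed; under a blocking policy the
    same devices would be denied, so this is the population to remediate.
    """
    impact = defaultdict(set)
    for rec in records:
        if rec.get("result") != "success":
            continue  # already denied, so a blocking policy changes nothing
        # Treat anything other than an explicit "trusted" as unverified,
        # so a missing or unknown status fails closed in the estimate.
        if rec.get("trusted_endpoint") != "trusted":
            impact[rec["user"]].add(rec["application"])
    return {user: sorted(apps) for user, apps in impact.items()}

def inline_auth_users(records):
    """Users with an approval logged as "Duo Mobile Inline Auth"."""
    return sorted({r["user"] for r in records
                   if r.get("second_factor") == "Duo Mobile Inline Auth"})

if __name__ == "__main__":
    for user, apps in sorted(would_be_blocked(SAMPLE_LOG).items()):
        print(f"{user}: would lose access to {', '.join(apps)}")
    print("inline auth:", inline_auth_users(SAMPLE_LOG))
```

Running this against a few weeks of check-only data, restricted to the test group first, gives a remediation list before the integration is activated for all users.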