
Trusted Endpoints - Duo Mobile

Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo protected services. When a user authenticates via the Duo Prompt, we'll check for the access device's management status. You can monitor access to your applications from managed and unmanaged devices, and optionally block access from devices not managed by your organization.

There's no need to deploy a separate mobile device management (MDM) solution before you can create access policies for mobile device endpoints. The Duo Mobile app already installed on your users' phones can also serve as your Android and iOS managed device verification tool.

Whether the access request from the mobile device browser was approved with Duo Push or with a different authentication factor (like an SMS passcode), Duo prompts the user to open Duo Mobile to perform a device health check during authentication.

If the Duo Mobile check determines that the device satisfies your organization's access policies, such as screen lock enabled, updated OS version, or other configured policy requirements, then the mobile device used to access your Duo-protected application is considered "trusted".

Prerequisites

  • Access to the Duo Admin Panel as an administrator with the Owner, Administrator, or Application Manager administrative roles.
  • End users must have Duo Mobile installed on their mobile access devices, activated for Duo Push authentication.

Create the Duo Mobile Integration

  1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints Configuration.
  2. If this is your first management integration, click the Configure Management Tools Integration button at the bottom of the page. If you're adding another management integration, click the Add Integration button you see instead.
  3. On the "Select Management Tools Integration" page, locate Duo Mobile in the listed integrations and click the Select this integration link to the right.

The new Duo Mobile integration is created in the "Off" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Finish Trusted Endpoints Deployment

After creating the Duo Mobile management integration, set the Trusted Endpoints policy to start checking for managed device status as users authenticate to Duo-protected services and applications.

When your trusted endpoints policy is applied to your Duo applications, return to the Duo Mobile trusted endpoint management integration in the Admin Panel and activate it. Either change the selection at the top of the page from "Off" to "On" (to immediately apply this to all your Duo users), or select "Test" and pick a target Duo group to verify your setup against a subset of users.

If you create the Duo Mobile trusted endpoints management integration alongside another mobile management integration (like AirWatch or MobileIron Cloud), then Duo Mobile acts as the default management integration, and Duo no longer uses your other MDM management integrations for device verification.

The Device Insight and Endpoints pages in the Duo Admin Panel show which access devices are trusted/managed and enrolled in Duo Mobile.

Verify Your Setup

Users on Android and iOS devices see a prompt to open Duo Mobile for the device check when authenticating to a protected resource via the Duo Prompt.

Duo Mobile Trusted Endpoint Verification

When the trusted endpoints policy is set to just check access devices, users receive access to the application (assuming the device passes all other policy verification), and Duo records the trusted or untrusted status of that device.

If the trusted endpoints policy blocks access from unmanaged devices and Duo successfully verifies the device information against the required policy settings, then the user receives access to the protected application.

If the mobile device fails the configuration and policy checks, then Duo denies application access.

Troubleshooting

Need some help? Take a look at our Trusted Endpoints Knowledge Base articles or Community discussions. For further assistance, contact Support.
