Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo protected services. When a user authenticates via the Duo Prompt, we'll check for the access device's management status. You can monitor access to your applications from trusted and untrusted devices, and optionally block access from devices not trusted by your organization.
Trusted Endpoints is part of the Duo Essentials, Duo Advantage, and Duo Premier plans.
Before enabling the Trusted Endpoints policy on your applications, you'll need to configure your managed mobile devices. This guide walks you through Google Workspace configuration for Android mobile devices.
Note that this Duo G Suite management integration and the Duo Mobile management integration for verifying endpoints are mutually exclusive. You won't be able to use G Suite for verification if a management integration for Duo Mobile exists.
Mobile Trusted Endpoints and Verified Duo Push: Trusted endpoint verification of Android devices with Duo Mobile uses the standard Duo Push approval process and will not prompt for a Duo Push verification code, even if the effective authentication methods policy for the user and application has "Verified Duo Push" enabled.
The new G Suite integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.
Please note that this integration takes advantage of managed app configuration and therefore Duo Mobile must be installed by your MDM for the device to be considered trusted.
Keep the Duo Admin Panel open in your browser. You'll need to refer back to the G Suite management integration page to complete the configuration steps.
Log on to the Workspace Admin console as an administrator and click on Device management.
Click the Setup link under "MOBILE" on the left side of the console and then click Mobile Management.
Enable the Enable Mobile Management option and then select the Advanced option.
Click Save to apply the new mobile settings.
Scroll down to "Android App Management" and verify that the status of "Manage Android Apps" is Enabled.
Return to the Workspace Device management page.
Click the App Management link under "MOBILE" on the left side of the console.
Click on Manage apps for Android devices and then click MANAGE WHITELISTED APPS.
Click the + "Add Application" icon on the bottom right of the Workspace admin console to add a new managed application.
Search for Duo Mobile. Click on the search result for Duo Mobile and then click APPROVE. Click APPROVE again to accept the app permissions.
You may change the approval and notification options if you wish. Click Save when done to add Duo Mobile to the set of approved managed applications.
Click on Duo Mobile in the list of managed applications.
Click Managed Configurations at the bottom of the Duo Mobile page, and then click CREATE A NEW MANAGED CONFIGURATION. Give the configuration a name.
Return to your G Suite management integration page in the Duo Admin Panel.
Copy the "Secret Key" value from the "Create a Managed Configuration" section of your G Suite management integration (it will look similar to DBpyowo7l1dXaPdljkoYsRhBtorOoylaltj1ovsH). Paste this in Workspace as the Trusted Endpoint Identifier value.
Copy the "Trusted Endpoints Configuration Key" value from the "Create a Managed Configuration" section of your G Suite management integration (it will look similar to DPK0W0KLPJLOGSKHTDD). Paste this in Workspace as the Trusted Endpoints Configuration Key value. Click Save after filling in both fields.
Click App Distribution and Configuration on the Duo Mobile page.
Click the menu button on the right side of the table to open the menu, then click Edit Configuration.
In the "Managed Configuration" section, select the managed configuration you just created and then click UPDATE.
At this point the configured integration is disabled and applies to no users until you finish your deployment.
Once your Workspace managed devices receive the Duo config you can set the Trusted Endpoints policy to start checking for managed device status as users authenticate to Duo-protected services and applications.
When your trusted endpoints policy is applied to your Duo applications, return to the G Suite trusted endpoint management integration in the Admin Panel. The "Change Integration Status" section of the page shows the current integration status (disabled by default after creation). You can choose to either activate this management integration only for members of a specified test group or groups, or activate for all users.
Users on Android devices see a device trust dialog when authenticating to a protected resource via the Duo Prompt.
Duo uses the Google managed device configuration to perform a permissions check to verify device information.
If Duo successfully verifies the device information, and the user has Duo Mobile activated for Duo Push, then the user receives a login request on their phone. Approving the request grants access to the protected application. The "Second Factor" logged for these approvals is shown as "Duo Mobile Inline Auth" in the Duo authentication log.
If the user does not have Duo Mobile activated for push, or does not approve the Duo request before it times out, the user returns to the Duo Prompt, where they may select from the available factors to complete 2FA.
Deleting a trusted endpoints management tool integration from the Duo Admin Panel immediately invalidates issued Duo device authentication certificates. Be sure to unassign your trusted endpoints policy from all applications or remove the "Trusted Endpoints" configuration item from your global policy before deleting an existing Google G Suite integration from "Trusted Endpoints Configuration". You should also disable your Duo admin user in Google Workspace.
Leaving the policy settings in place after deleting a management tools integration may inadvertently block user access to applications.