
Duo Trusted Endpoints - Google Workspace (formerly known as G Suite) Managed Device Deployment

Last Updated: May 11th, 2023

Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo protected services. When a user authenticates via the Duo Prompt, we'll check for the access device's management status. You can monitor access to your applications from trusted and untrusted devices, and optionally block access from devices not trusted by your organization.

Trusted Endpoints is part of the Duo Essentials, Duo Advantage, and Duo Premier plans.

Before enabling the Trusted Endpoints policy on your applications, you'll need to configure your managed mobile devices. This guide walks you through Google Workspace configuration for Android mobile devices.

Note that this Duo G Suite management integration and the Duo Mobile management integration for verifying endpoints are mutually exclusive. You won't be able to use G Suite for verification if a management integration for Duo Mobile exists.

Mobile Trusted Endpoints and Verified Duo Push: Trusted endpoint verification of Android devices with Duo Mobile uses the standard Duo Push approval process and will not prompt for a Duo Push verification code, even if the effective authentication methods policy for the user and application has "Verified Duo Push" enabled.

Prerequisites

Create the G Suite Integration

  1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints.
  2. If this is your first management integration, click the Get started button at the bottom of the Trusted Endpoints introduction page. If you're adding another management integration, click the Add Integration button you see at the top of the page instead.
  3. On the "Add Management Tools Integration" page, locate G Suite in the list of "Device Management Tools" and click the Add this integration selector.
  4. Choose Android from the "Recommended" options, and then click the Add button.

The new G Suite integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Please note that this integration takes advantage of managed app configuration and therefore Duo Mobile must be installed by your MDM for the device to be considered trusted.

Keep the Duo Admin Panel open in your browser. You'll need to refer back to the G Suite management integration page to complete the configuration steps.

Enable Advanced Mobile Management

  1. Log on to the Workspace Admin console as an administrator and click on Device management.

  2. Click the Setup link under "MOBILE" on the left side of the console and then click Mobile Management.

  3. Enable the Enable Mobile Management option and then select the Advanced option.

    [Screenshot: Workspace Mobile Management Settings]
  4. Click Save to apply the new mobile settings.

  5. Scroll down to "Android App Management" and verify that the status of "Manage Android Apps" is Enabled.

Add Duo Mobile as a Managed Application

  1. Return to the Workspace Device management page.

  2. Click the App Management link under "MOBILE" on the left side of the console.

  3. Click on Manage apps for Android devices and then click MANAGE WHITELISTED APPS.

  4. Click the + "Add Application" icon on the bottom right of the Workspace admin console to add a new managed application.

  5. Search for Duo Mobile. Click on the search result for Duo Mobile and then click APPROVE. Click APPROVE again to accept the app permissions.

  6. You may change the approval and notification options if you wish. Click Save when done to add Duo Mobile to the set of approved managed applications.

    [Screenshot: Duo Mobile Approved in Workspace]

Create a Managed Configuration for Duo Mobile

  1. Click on Duo Mobile in the list of managed applications.

  2. Click Managed Configurations at the bottom of the Duo Mobile page, and then click CREATE A NEW MANAGED CONFIGURATION. Give the configuration a name.

  3. Return to your G Suite management integration page in the Duo Admin Panel.

  4. Copy the "Secret Key" value from the "Create a Managed Configuration" section of your G Suite management integration (it will look similar to DBpyowo7l1dXaPdljkoYsRhBtorOoylaltj1ovsH). Paste this in Workspace as the Trusted Endpoint Identifier value.

  5. Copy the "Trusted Endpoints Configuration Key" value from the "Create a Managed Configuration" section of your G Suite management integration (it will look similar to DPK0W0KLPJLOGSKHTDD). Paste this in Workspace as the Trusted Endpoints Configuration Key value. Click Save after filling in both fields.

    [Screenshot: Duo Mobile Managed Configuration]
  6. Click App Distribution and Configuration on the Duo Mobile page.

  7. Click the menu button on the right side of the table to open the menu, then click Edit Configuration.

  8. In the "Managed Configuration" section, select the managed configuration you just created and then click UPDATE.

    [Screenshot: Duo Mobile Configuration]

At this point the configured integration is disabled and applies to no users until you finish your deployment.

Finish Trusted Endpoints Deployment

Once your Workspace managed devices receive the Duo config you can set the Trusted Endpoints policy to start checking for managed device status as users authenticate to Duo-protected services and applications.

When your trusted endpoints policy is applied to your Duo applications, return to the G Suite trusted endpoint management integration in the Admin Panel. The "Change Integration Status" section of the page shows the current integration status (disabled by default after creation). You can choose to either activate this management integration only for members of a specified test group, or activate for all users.

[Screenshot: Enable Trusted Endpoints Management Integration]

Duo Premier and Duo Advantage plans: The Device Insight and Endpoints pages in the Duo Admin Panel show which access devices are trusted/managed.
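Before switching the policy from monitoring to blocking, it helps to know which users would be affected. The following is an added example, not Duo's code: it summarizes authentication log records by trusted-endpoint status per application and lists successful Android logins from devices Workspace did not report as managed. It assumes the v2 Admin API authentication-log shape (access_device.trusted_endpoint_status with values "trusted", "not trusted" or "unknown", application.name, result); the sample records are constructed.

```python
"""Summarize Duo authentication log records by trusted-endpoint status.

Added example, not Duo's code. Field names follow the assumed v2 Admin API
authentication-log shape; the records below are constructed sample data.
"""
from collections import Counter, defaultdict

# Constructed sample records in the assumed v2 authentication-log shape.
SAMPLE_LOG = [
    {"user": {"name": "alice"}, "application": {"name": "Salesforce"},
     "access_device": {"os": "Android", "trusted_endpoint_status": "trusted"},
     "factor": "duo_push", "result": "success"},
    {"user": {"name": "bob"}, "application": {"name": "Salesforce"},
     "access_device": {"os": "Android", "trusted_endpoint_status": "not trusted"},
     "factor": "duo_push", "result": "success"},
    {"user": {"name": "carol"}, "application": {"name": "VPN"},
     "access_device": {"os": "Windows", "trusted_endpoint_status": "unknown"},
     "factor": "passcode", "result": "success"},
    {"user": {"name": "dave"}, "application": {"name": "VPN"},
     "access_device": {"os": "Android", "trusted_endpoint_status": "not trusted"},
     "factor": "duo_push", "result": "denied"},
]


def summarize_by_app(records):
    """Return {application: Counter(status -> count)} over successful logins."""
    summary = defaultdict(Counter)
    for rec in records:
        if rec.get("result") != "success":
            continue
        status = rec.get("access_device", {}).get("trusted_endpoint_status", "unknown")
        summary[rec["application"]["name"]][status] += 1
    return dict(summary)


def untrusted_android_logins(records):
    """Return (user, application) pairs for successful Android logins from
    devices not reported as managed; these are the logins that a blocking
    Trusted Endpoints policy would deny."""
    hits = []
    for rec in records:
        dev = rec.get("access_device", {})
        if (rec.get("result") == "success" and dev.get("os") == "Android"
                and dev.get("trusted_endpoint_status") == "not trusted"):
            hits.append((rec["user"]["name"], rec["application"]["name"]))
    return hits


if __name__ == "__main__":
    for app, counts in summarize_by_app(SAMPLE_LOG).items():
        print(app, dict(counts))
    print("untrusted Android logins:", untrusted_android_logins(SAMPLE_LOG))
```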

Verify Your Setup

Users on Android devices see a device trust dialog when authenticating to a protected resource via the Duo Prompt.

[Screenshot: Android Trusted Endpoint Inline Verification - Step 1]

Duo uses the Google managed device configuration to perform a permissions check to verify device information.

[Screenshot: Android Trusted Endpoint Verification - Step 2]

If Duo successfully verifies the device information, and the user has Duo Mobile activated for Duo Push, then the user receives a login request on their phone. Approving the request grants access to the protected application. The "Second Factor" logged for these approvals is shown as "Duo Mobile Inline Auth" in the Duo authentication log.

[Screenshot: Android Trusted Endpoint Verification - Step 2]

If the user does not have Duo Mobile activated for push, or does not approve the Duo request before it times out, the user returns to the Duo Prompt, where they may select from the available factors to complete 2FA.

Removing the Google G Suite Management Integration

Deleting a trusted endpoints management tool integration from the Duo Admin Panel immediately invalidates issued Duo device authentication certificates. Be sure to unassign your trusted endpoints policy from all applications or remove the "Trusted Endpoints" configuration item from your global policy before deleting an existing Google G Suite integration from "Trusted Endpoints Configuration". You should also disable your Duo admin user in Google Workspace.

Leaving the policy settings in place after deleting a management tools integration may inadvertently block user access to applications.

Troubleshooting

Need some help? Take a look at our Trusted Endpoints Knowledge Base articles or Community discussions. For further assistance, contact Support.