Duo Trusted Endpoints - Generic Certificate Deployment
Last Updated: October 31st, 2024
Certificate-based Trusted Endpoint verification for Generic endpoint management reached end-of-life on October 7, 2024. Duo device certificates will no longer renew after October 2024. Migrate existing Generic Certificate management integrations to Generic with Duo Desktop. Learn more about the end-of-life timeline and migration options in the Duo Trusted Endpoints Certificate Migration Guide.
Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo protected services. When a user authenticates via the Duo Prompt, we'll check for the presence of a Duo device certificate on that endpoint. You can monitor access to your applications from devices with and without the Duo certificate, and optionally block access from devices without the Duo certificate.
Trusted Endpoints is part of the Duo Essentials, Duo Advantage, and Duo Premier plans.
End of Life Information
Certificate-based Trusted Endpoint verification reached end-of-life status on October 7, 2024. Duo device certificates will no longer renew after October 2024. New Trusted Endpoints deployments must use a supported Duo Desktop trust integration.
Customers with existing Duo device certificate configurations must migrate their certificate-based generic integrations to Generic Management with Duo Desktop.
Use of Duo Desktop for trust attestation provides several advantages over the use of device certificates:
- It provides a more accurate assessment of your domain member computers, and removes concerns about long-lived certificates present on devices no longer managed by your organization.
- It extends support to Firefox users. Trusted Endpoint certificate detection only works with Chrome, Edge, Safari, and Internet Explorer (depending on the management system).
- It improves trust detection for web browsers and thick client applications.
See the Duo Trusted Endpoints Certificate Migration Guide for more information.
Removing the Generic Certificate Management Integration
Deleting a trusted endpoints management tool integration from the Duo Admin Panel immediately invalidates issued Duo device authentication certificates. Be sure to unassign your trusted endpoints policy from all applications or remove the "Trusted Endpoints" configuration item from your global policy before deleting an existing generic certificate management integration from "Trusted Endpoints Configuration".
Leaving the policy settings in place after deleting a management tools integration may inadvertently block user access to applications.
Troubleshooting
Need some help? Take a look at our Trusted Endpoints Knowledge Base articles or Community discussions. For further assistance, contact Support.