
Trusted Endpoints - Generic Certificate Deployment

Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo protected services. When a user authenticates via the Duo Prompt, we'll check for the presence of a Duo device certificate on that endpoint. You can monitor access to your applications from devices with and without the Duo certificate, and optionally block access from devices without the Duo certificate.

Before enabling the Trusted Endpoints policy on your applications, you'll need to deploy the Duo device certificate to your managed devices. We've documented this process for some popular endpoint management systems. If you're using a different tool to manage your endpoints, use our generic Windows and Mac management integrations to deploy the Duo device certificate package.

Once a client authenticates to Duo with this certificate, it becomes associated with that particular endpoint. Therefore, you'll need to repeat the process of downloading and installing a unique Duo certificate from the Duo Admin Panel for each individual system.

Duo's trusted endpoints certificate check works in Google Chrome, Apple Safari, and Internet Explorer browsers.

Prerequisites

  • Access to the Duo Admin Panel as an administrator with the Owner, Administrator, or Application Manager administrative roles.
  • Access to your endpoint management system console as an administrator with the rights to create new software distribution packages and scheduled tasks.

Create the Mac OS X Enterprise Asset Management Tool or Windows Enterprise Asset Management Tool Integration

  1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints Configuration.
  2. If this is your first management integration, click the Configure Management Tools Integration button at the bottom of the page. If you're adding another management integration, click the Add Integration button you see instead.
  3. On the "Select Management Tools Integration" page, locate Mac OS X Enterprise Asset Management Tool or Windows Enterprise Asset Management Tool in the listed integrations and click the Select this integration link to the right.

The new Mac OS X Enterprise Asset Management Tool or Windows Enterprise Asset Management Tool integration is created in the "Off" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Keep the Admin Panel open in your browser to complete the rest of your Duo certificate deployment.

Mac OS X Enterprise Asset Management Tool

  1. Click the Enrollment Script.py download link in the "Download the Deployment Files" section of the Mac OS X Enterprise Asset Management Tool page (step 1). The actual name of the downloaded Python script will be similar to duo_cert_enrollment-2.0.py.

  2. Copy the downloaded script to your Mac endpoint management system.

  3. Create a software package for your macOS endpoints to run the Duo certificate enrollment Python script with sudo privileges.

  4. Create a deployment job to run the Duo Python package on your macOS endpoints. It should run on the endpoint in the context of the logged-in user, not the workstation, so that the certificate gets added to the user's keychain.

    This script enrolls the Mac OS client as a Duo trusted endpoint by obtaining a device certificate from Duo, and also configures Safari and Chrome (if present) to automatically select the Duo certificate during authentication.

    We recommend running the script on your managed workstations at each user's logon, and also on a regular daily or weekly schedule to ensure timely renewal of the client's Duo certificate.

  5. IMPORTANT! Make sure that your distribution job or scheduled task doesn't leave the Duo script behind on the Mac OS client in an easily-found location when done. If your end user has access to the script they could run it on other devices to obtain Duo certificates for those endpoints without your knowledge.

Verify the Certificate

To confirm that the Duo enrollment script deployed via your Mac endpoint management system worked, launch the Mac OS Keychain Access application and make sure the Duo Device Authentication certificate exists in the "duo-auth" keychain.


Windows Enterprise Asset Management Tool

  1. Click the Executable File.exe and Cert Deployment Batch Script.bat download links in the "Download the Deployment Files" section of the page (step 1). The downloaded file names will be similar to duo_cert_enrollment.bat and duo_cert_enrollment-2.0.exe.

  2. Copy the downloaded batch script and executable file to your Windows endpoint management system.

  3. Create a software package for your Windows endpoints to run the Duo certificate enrollment batch script (which calls the Duo certificate enrollment executable). Your package should include both files.

  4. Create a deployment job to run the Duo certificate software package on your Windows endpoints. It should run on the endpoint in the context of the logged-in user, not the workstation, so that the certificate gets added to the user's Personal certificate store.

    This script enrolls the Windows client as a Duo trusted endpoint by obtaining a device certificate from Duo, and also configures Internet Explorer to automatically select the Duo certificate during authentication.

    We recommend running the script on your managed workstations at each user's logon, and also on a regular daily or weekly schedule to ensure timely renewal of the client's Duo certificate.

  5. IMPORTANT! Make sure that your distribution job or scheduled task doesn't leave the Duo script and executable behind on the Windows client in an easily-found location when done. If your end user has access to the script and executable they could run it on other devices to obtain Duo certificates for those endpoints without your knowledge.

Verify the Certificate

To confirm that the Duo enrollment package deployed via your Windows endpoint management system worked, launch the User Certificate Manager (certmgr.msc) and expand Certificates - Current User\Personal\Certificates. Look for the Duo Device Authentication certificate in the list.
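The same check can be scripted for many machines. The following PowerShell is an added example, not Duo's own deployment code; it assumes the certificate's Subject or FriendlyName contains "Duo Device Authentication" (adjust $Match if your tenant's certificate is named differently) and, because the page recommends scheduled re-enrollment for renewal, it also reports how many days remain before the certificate expires.

```powershell
# Added example (not Duo's code): confirm the Duo device certificate landed in the
# logged-in user's Personal store and report how long it has until renewal.
# Assumption: Subject or FriendlyName contains "Duo Device Authentication".
param(
    [string]$Match    = 'Duo Device Authentication',
    [int]   $WarnDays = 14
)

# Cert:\CurrentUser\My is the "Certificates - Current User\Personal\Certificates"
# folder shown in certmgr.msc. Run this as the user, not as SYSTEM.
$certs = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "*$Match*" -or $_.FriendlyName -like "*$Match*" }

if (-not $certs) {
    Write-Output "FAIL: no certificate matching '$Match' in the user's Personal store."
    Write-Output "Check that the enrollment package ran in the logged-in user's context."
    exit 1
}

$now    = Get-Date
$status = 0
foreach ($c in $certs) {
    $daysLeft = [int]($c.NotAfter - $now).TotalDays
    # The browser can only present the certificate if its private key is present.
    $hasKey = $c.HasPrivateKey
    Write-Output ("{0} | thumbprint {1} | expires {2:yyyy-MM-dd} ({3} days) | private key: {4}" -f `
        $c.Subject, $c.Thumbprint, $c.NotAfter, $daysLeft, $hasKey)
    if (-not $hasKey) {
        Write-Output "  WARN: private key missing; the Duo prompt cannot use this certificate."
        $status = 2
    }
    if ($daysLeft -lt 0) {
        Write-Output "  FAIL: expired; the scheduled enrollment job is not renewing it."
        $status = 1
    } elseif ($daysLeft -lt $WarnDays) {
        Write-Output "  WARN: renewal due soon; verify the scheduled enrollment task is running."
        if ($status -eq 0) { $status = 2 }
    }
}
exit $status
```

A non-zero exit code lets your endpoint management tool flag machines whose certificate is missing, expired, or unusable without a private key.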


Chrome Browser Configuration

Duo's certificate package for Windows configures Internet Explorer to automatically select the Duo device certificate when requested by the Duo authentication prompt. Google Chrome requires additional steps to make the same change. Without this, users are prompted to select the Duo device certificate when they authenticate. You can distribute the Chrome browser configuration via AD Group Policy to PC clients joined to a domain. Standalone clients must be configured with Microsoft's LGPO utility.

Configure Chrome with EAM and LGPO

  1. Visit the "Local Group Policy Object Utility" page on Microsoft TechNet and download lgpo.zip using the link at the bottom of the page.

  2. Click the Chrome Policy File.pol and Chrome Batch Script.bat download links in the "Download Files to Configure Google Chrome" section of the Windows Enterprise Asset Management Tool page (step 1). The downloaded file names will be similar to chrome_cert_lgpo_policy-1.0.pol and duo_chrome_configuration.bat.

  3. Extract the LGPO.exe executable from the zip file downloaded in step 1 and copy it and the .pol and .bat files downloaded from Duo in step 2 to your Windows endpoint management system.

  4. Create a software package for your Windows endpoints to run the Chrome configuration batch script (which calls LGPO.exe and the Chrome policy .pol file). Your package should include all three files.

  5. Create a deployment job to run the Chrome configuration software package on your Windows endpoints. Unlike the Duo certificate scheduled task, the Chrome configuration only needs to run once on a computer.

Configure Chrome with GPO

  1. On your domain controller or another system with the Windows Remote Server Administration Tools installed, launch the Group Policy Management console (GPMC).

  2. Expand your forest and navigate down the tree to Group Policy Objects. Right-click the Group Policy Objects folder and click New. Enter a name for the new GPO (such as "Duo Chrome Certificate Policy") and click OK.

  3. Right-click the new GPO created in step 2 and click Edit.

  4. Navigate to User Configuration\Preferences\Windows Settings\Registry.

  5. Download the Chrome Configuration.xml file, which contains the GPO registry settings necessary to configure Chrome to select the Duo certificate automatically. Save this file in a location accessible from the GPMC console. The downloaded file name will be similar to chrome_cert_gpo_config-1.xml.

  6. Return to the Group Policy editor window and copy/paste the downloaded Chrome XML file (from an Explorer window — not the file contents) into the "Registry" pane on the right of the GPO editor window. Confirm import of the pasted document by clicking Yes.

    This adds registry settings under the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\AutoSelectCertificateForUrls key to the GPO.


    This registry value lets Chrome automatically select the Duo device certificate when requested by the Duo browser prompt without prompting the user interactively to select the certificate.

  7. When you've finished configuring all settings, close the Group Policy editor window.

  8. Apply the newly created Duo Chrome certificate GPO by linking it to OUs containing the domain client computers used to access Duo resources.
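To confirm on a client that the policy actually arrived (whether pushed by this GPO or by the LGPO package above), the following PowerShell is an added example, not Duo's or Google's code. It reads the AutoSelectCertificateForUrls key named above and checks that each numbered value is the JSON form Chrome documents for this policy, {"pattern":"<url>","filter":{"ISSUER":{"CN":"<issuer>"}}}; the sample output text is constructed for this example.

```powershell
# Added example (not Duo's code): verify the Chrome auto-select-certificate policy
# reached this machine and that every entry is well-formed.
# Chrome reads numbered string values ("1", "2", ...) under this key.
$key = 'HKLM:\SOFTWARE\Policies\Google\Chrome\AutoSelectCertificateForUrls'

if (-not (Test-Path $key)) {
    Write-Output "FAIL: $key not present."
    Write-Output "Domain client: run 'gpupdate /force'. Standalone client: re-run the LGPO package."
    exit 1
}

# Keep only the numbered entries; PowerShell adds PSPath etc. as extra properties.
$entries = (Get-ItemProperty -Path $key).PSObject.Properties |
    Where-Object { $_.Name -match '^\d+$' } |
    Sort-Object { [int]$_.Name }

if (-not $entries) {
    Write-Output "FAIL: key exists but holds no numbered policy entries."
    exit 1
}

$status = 0
foreach ($e in $entries) {
    try {
        $rule = $e.Value | ConvertFrom-Json
    } catch {
        Write-Output "FAIL: value $($e.Name) is not valid JSON: $($e.Value)"
        $status = 1; continue
    }
    if (-not $rule.pattern -or -not $rule.filter) {
        Write-Output "FAIL: value $($e.Name) lacks 'pattern' or 'filter': $($e.Value)"
        $status = 1; continue
    }
    Write-Output ("OK: entry {0} auto-selects a certificate for {1}" -f $e.Name, $rule.pattern)
    # An empty filter matches any client certificate, so Chrome could pick the wrong one
    # on a machine that also holds other user certificates.
    if (@($rule.filter.PSObject.Properties).Count -eq 0) {
        Write-Output "    WARN: empty filter; consider restricting by issuer CN."
        if ($status -eq 0) { $status = 2 }
    } elseif ($rule.filter.ISSUER) {
        Write-Output ("    issuer filter: {0}" -f ($rule.filter.ISSUER | ConvertTo-Json -Compress))
    }
}
exit $status
```

As a final check, open chrome://policy on the client and confirm AutoSelectCertificateForUrls is listed with status OK; a value that appears in the registry but not there has not been picked up by the browser yet.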

Finish Trusted Endpoints Deployment

Once your managed computers start receiving the Duo certificate you can configure the Trusted Endpoints policy to start checking for the certificate as users authenticate to Duo-protected services and applications.

When your trusted endpoints policy is applied to your Duo applications, return to the generic trusted endpoint management integration in the Admin Panel and turn it On with the Off/On setting at the top of the page.

The Device Insight and Endpoints pages in the Duo Admin Panel show which access devices have the Duo certificate present.

Next Steps

As more of your devices receive the Duo certificate you can adjust your trusted endpoints policy to expand the target group, apply it to additional protected services, or start blocking access to applications from devices that do not have the Duo certificate. See the Trusted Endpoints documentation for more information.

Troubleshooting

Need some help? Take a look at our Trusted Endpoints Knowledge Base articles or Community discussions. For further assistance, contact Support.
