
Duo Trusted Endpoints - Microsoft Intune Managed Endpoint Device Deployment

Last Updated: August 11th, 2022

Certificate-based Trusted Endpoint verification for Intune will reach end-of-life in a future release. Migrate existing iOS Certificate Configuration management integrations to iOS Configuration and existing Windows Certificate Configuration management integrations to Windows Configuration. Learn more about the end-of-life timeline and migration options in the Duo Trusted Endpoints Certificate Migration Guide.

Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo protected services. When a user authenticates via the Duo Prompt, we'll check for the access device's management status. You can monitor access to your applications from managed and unmanaged devices, and optionally block access from devices not managed by your organization.

Trusted Endpoints is part of the Duo Beyond plan.

Before enabling the Trusted Endpoints policy on your applications, you'll need to deploy the Duo device certificate or REST API access for Duo to your managed devices. This guide walks you through Intune configuration for Android and iOS mobile devices and for Windows devices.

Prerequisites

Azure Configuration

Perform these Azure app registration steps prior to the specific Android, iOS, or Windows configuration steps. You only need to register one Azure app for Duo to use with all three client operating systems. These instructions create a single-tenant application where the application is intended to run within only one organization.

Create Azure Active Directory Application

1. Log in to the Microsoft Azure Administrator console as an Azure AD administrator with the "Global Administrator" role.

  1. Click Azure Active Directory and then click on the Azure Active Directory domain.

  2. Click on App registrations in the "Manage" section of your Azure domain's blade.

  3. Click New registration.

  4. Enter a descriptive name for the application and select Accounts in this organizational directory only under "Supported account types".

  5. Click Register. You'll be sent to the details page for the new app registration.

  6. On the newly-created application's page, click API Permissions in the "Manage" section, and then click Add a Permission.

  7. On the "Request API Permissions" page, select Microsoft Graph from the available Microsoft APIs, and then select Application Permissions.

  8. Select the following Microsoft Graph permission:

    • DeviceManagementManagedDevices.Read.All
  9. Click Add Permissions after selecting the Graph permission.

  10. Back on the API permissions page you should see the list of API permissions you selected. Click the Grant admin consent for button, and when asked if you want to grant consent for all accounts in your Azure domain click Yes.

Create an Application Secret

  1. In the Azure portal, return to Azure Active Directory and then click on the Azure Active Directory domain.

  2. Click on App registrations in the "Manage" section of your Azure domain's blade and select the Duo app registration you created earlier.

  3. Click Certificate & secrets in the "Manage" section.

  4. Under "Client secrets" click New client secret. Enter a Description, then under "Expires" select 2 years (the permitted maximum). This creates a new secret, but the secret value is hidden until you save your changes. Click Add.

  5. The new secret's value is shown after you save. Do not leave or close this page! You will need to copy the secret VALUE from this page and paste it into your Intune management integration configuration page in the Duo Admin Panel once you create the management integration in the next set of steps below for your OS platform.

    This is your only chance to view the secret value! If you leave this area of the Azure portal before entering the secret into the Intune management integration configuration in the Duo Admin Panel, you can't view the same key's value again and will have to create a new one.

    It's a good idea to save this Azure secret in a secure password manager in case you need it again after you finish setting up your Intune management integration, like if you want to add support for other OS platforms in the future.
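As an added check that is not part of the Duo guide, the following Microsoft Graph PowerShell script audits the app registration created above: it confirms that the registration is single-tenant, that the only admin-consented Graph application permission is DeviceManagementManagedDevices.Read.All, and how many days each client secret has left. The display name is a placeholder, and the Microsoft.Graph PowerShell SDK is assumed to be installed.

```powershell
# Added audit script (not part of the Duo guide). Verifies that the Azure app
# registration for Duo carries only the Graph application permission the guide
# grants and reports client secret expiry so the integration can be re-keyed in time.
param(
    [string]$AppDisplayName = "Duo Trusted Endpoints"   # placeholder: your registration's display name
)

# The single Graph application permission the guide asks for; anything else is excess privilege.
$ExpectedPermissions = @("DeviceManagementManagedDevices.Read.All")
# Well-known appId of the Microsoft Graph service principal, identical in every tenant.
$GraphAppId = "00000003-0000-0000-c000-000000000000"

Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

$app = Get-MgApplication -Filter "displayName eq '$AppDisplayName'"
if (-not $app)          { throw "No app registration named '$AppDisplayName' found." }
if ($app.Count -gt 1)   { throw "Display name '$AppDisplayName' is ambiguous; pick a unique name." }

# "Accounts in this organizational directory only" corresponds to SignInAudience AzureADMyOrg.
if ($app.SignInAudience -ne "AzureADMyOrg") {
    Write-Warning "SignInAudience is '$($app.SignInAudience)'; the guide expects a single-tenant app (AzureADMyOrg)."
}

# Admin-consented application permissions live as app role assignments on the app's
# service principal, not on the application object, so resolve both.
$sp      = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All

# Translate each assignment's AppRoleId into the permission name defined on the Graph principal.
$granted = foreach ($a in $assignments) {
    if ($a.ResourceId -ne $graphSp.Id) { "<non-Graph API role> $($a.AppRoleId)"; continue }
    ($graphSp.AppRoles | Where-Object Id -eq $a.AppRoleId).Value
}

$missing    = $ExpectedPermissions | Where-Object { $_ -notin $granted }
$unexpected = $granted | Where-Object { $_ -notin $ExpectedPermissions }
if ($missing)    { Write-Warning "Not consented: $($missing -join ', ') - Duo's Test Configuration will fail." }
if ($unexpected) { Write-Warning "Excess application permissions granted: $($unexpected -join ', ')" }
if (-not $missing -and -not $unexpected) { Write-Host "Graph permissions match the guide exactly." }

# Secret values are never retrievable after creation; only metadata such as expiry is visible here.
foreach ($cred in $app.PasswordCredentials) {
    $daysLeft = [int]($cred.EndDateTime - (Get-Date).ToUniversalTime()).TotalDays
    $state = if ($daysLeft -lt 0) { "EXPIRED" } elseif ($daysLeft -lt 30) { "expires soon" } else { "ok" }
    Write-Host ("Secret '{0}' (KeyId {1}): {2} days remaining [{3}]" -f $cred.DisplayName, $cred.KeyId, $daysLeft, $state)
}
```

Run it with an account that holds at least the Application.Read.All delegated permission; it changes nothing in the tenant.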

Android Configuration

Duo determines trusted device status on Android devices by leveraging the installed and activated managed Duo Mobile application on a given device to verify device information.

Use the following instructions to complete setup of your Duo Intune management integration for Android devices.

Create the Intune Integration

  1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints.
  2. If this is your first management integration, click the Configure Management Tools Integration button at the bottom of the page. If you're adding another management integration, click the Add Integration button you see instead.
  3. On the "Add Management Tools Integration" page, locate Intune in the listed integrations and click the Add this integration selector.
  4. Choose Android from the "Recommended" options, and then click the Add button.

The new Intune integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Keep the Duo Admin Panel open in your browser while you access the Azure portal in a new window or tab. You'll need to return to the Intune management integration page to complete the Android configuration steps.

Register Azure Application for Android in Duo

  1. Scroll down on the configuration page for your Intune Trusted Endpoints management integration to the "Register Azure Application with Duo" section.

  2. Copy the Azure application client secret value that you created during the Azure configuration steps, and paste the copied secret as the Azure Secret value in the third step on your Intune management integration's config page in the Duo Admin Panel.

  3. Click Overview on the Duo Azure app registration's page. You'll see the Application (client) ID and Directory (tenant) ID listed at the top of the page.

  4. Copy the Application (client) ID value from Azure and paste it as the Azure Application ID value in step 4 on your Intune management integration's config page in the Duo Admin Panel.

  5. Copy the Directory (tenant) ID value from Azure and paste it as the Azure Directory ID value in step 4 on your Intune management integration's config page in the Duo Admin Panel.

  6. Click Test Configuration to verify Azure API access, and if successful click Save & Configure on the Duo Intune management integration page.

Set Up Managed Google Play

  1. In the Azure Portal, navigate to Intune > Device Enrollment > Android Enrollment.

  2. Select Manage Google Play in the "Prerequisites" section to connect to your organization's Google Play account.

  3. Grant Microsoft permission to send user/device information to Google, and click the Launch Google to connect now button to access Google.

  4. Sign in to Google using the account you use to manage and publish apps in Google Play and complete linking your managed Google Play account to Intune.

Approve Duo in the Managed Google Play Store

  1. In the Azure Portal, navigate to Intune > Client Apps > Managed Google Play.

  2. Click the Open the Managed Google Play Store link.

  3. Search the Google Play Store for Duo Mobile and click the Duo Mobile app icon to select it from the search results.

  4. Click the Approve button on the Duo Mobile app page, and click Approve again after reviewing the requested app permissions.

  5. When asked "how to handle new app permission requests", select Keep approved when app requests new permissions and then click Done.

  6. After you've approved the Duo Mobile app in the Play store, return to the Intune Managed Google Play page and click the Sync button.

Configure Managed Duo Mobile

  1. In the Azure Portal, navigate to Intune > Client apps > App configuration policies.

  2. Click the Add button and select Managed devices.

  3. Enter the following information on the "Create app configuration policy" page's "Basics" tab:

    • Name: Enter a descriptive name.
    • Description: Enter additional information about this new policy, if desired.
    • Device Enrollment Type: Select Managed Devices.
    • Platform: Select Android Enterprise.
    • Profile: Select Work Profile only.

  4. Click the Select app link next to "Targeted app".

  5. In the "Associated App" search, find and choose Duo Mobile. Click OK to return to the "Basics" tab, and then click Next.

  6. On the "Settings" tab, under "Configuration settings format", choose Use configuration designer.

  7. Click Add+ and select Trusted Endpoint Identifier and Trusted Endpoints Configuration Key. The Trusted Endpoint Identifier should have value type "Variable" and Trusted Endpoints Configuration Key should have value type "String".

  8. Return to your Intune management integration page in the Duo Admin Panel, copy the values of these fields from Duo, and paste them into the corresponding configuration value fields in the Azure configuration designer:

    • Trusted Endpoint Identifier
    • Trusted Endpoints Configuration Key

    Click Next after entering the information for those two configuration settings.

  9. On the "Assignment" tab, choose the Azure group to which you would like to push Duo Mobile. We recommend starting with a test group. Click Next after selecting your target groups.

  10. Verify the information on the "Review + Create" tab, and click Create if it looks correct.

    Assign Duo Mobile to Android Phones

    1. In the Azure Portal, navigate to Intune > Client Apps > Apps.

    2. Select the Duo Mobile app with type "Android Store App".

    3. Select Assignments and then click Add Group.

    4. Make the following selections:

      • Assignment Type: choose Required.
      • Group: choose the Azure group to which you would like to push Duo Mobile. We recommend starting with a test group.
    5. Click OK and then click Save.

    Duo Mobile should now be available to download from the Intune Work Profile App Store on Android devices.

    At this point the configured integration is disabled and applies to no users until you finish your deployment.

    iOS Configuration

    Duo determines trusted device status on iOS devices by leveraging the installed and activated managed Duo Mobile application on a given device to verify device information.

    Use the following instructions to complete setup of your Duo Intune management integration for iOS devices.

    Create the Intune with App Config Integration

    1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints.
    2. If this is your first management integration, click the Configure Management Tools Integration button at the bottom of the page. If you're adding another management integration, click the Add Integration button you see instead.
    3. On the "Add Management Tools Integration" page, locate Intune in the listed integrations and click the Add this integration selector.
    4. Choose iOS from the "Recommended" options, and then click the Add button.

    The new Intune with App Config integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

    Keep the Duo Admin Panel open in your browser. You'll need to refer back to the Intune with App Config management integration page to complete the configuration steps.

    Register Azure Application for iOS in Duo

    1. Scroll down on the configuration page for your Intune with App Config Trusted Endpoints management integration to the "Register Azure Application with Duo" section.

    2. Copy the Azure application client secret value that you created during the Azure configuration steps, and paste the copied secret as the Azure Secret value in the third step on your Intune management integration's config page in the Duo Admin Panel.

    3. Click Overview on the Duo Azure app registration's page. You'll see the Application (client) ID and Directory (tenant) ID listed at the top of the page.

    4. Copy the Application (client) ID value from Azure and paste it as the Azure Application ID value in step 4 on your Intune management integration's config page in the Duo Admin Panel.

    5. Copy the Directory (tenant) ID value from Azure and paste it as the Azure Directory ID value in step 4 on your Intune management integration's config page in the Duo Admin Panel.

    6. Click Test Configuration to verify Azure API access, and if successful click Save & Configure on the Duo Intune with App Config management integration page.

    Approve Duo in the App Store

    1. In the Azure portal, navigate to Apps > All apps > + Add.

    2. Select iOS store app in the "App Type" drop-down, and then click Select.

    3. Click on Search the App Store, and type Duo Mobile in the app search bar.

    4. Click on Duo Mobile in the search results and then click Select.

    5. On the "App information" page, complete any other sections as needed and then click Next.

    6. On the "Assignments" page, assign the Duo Mobile app as needed and then click Next.

    7. Review the settings for Duo Mobile and then click Create.

    Configure Managed Duo Mobile

    1. In the Azure portal, navigate to Apps > App configuration policies.

    2. Click the Add button and select Managed devices.

    3. Enter the following information on the "Basics" tab of the "Create app configuration policy" page:

      • Name: Enter a descriptive name for the app configuration policy.
      • Description: Enter additional information about this new policy, if desired.
      • Device Enrollment Type: Select Managed Devices.
      • Platform: Select iOS/iPadOS.

    4. Click the Select app link next to "Targeted app".

    5. In the "Associated App" search, find and choose Duo Mobile. Click OK to return to the "Basics" tab, and then click Next.

    6. On the "Settings" tab, use the "Configuration settings format" drop-down to choose Enter XML data.

    7. Return to your Intune with App Config management integration page in the Duo Admin Panel and copy the AppConfig XML provided in step 3.7. Paste this into the XML property list field within the Intune app configuration policy page.

    8. Click Next after entering the information for the configuration settings.

    9. On the "Assignment" tab, choose the Azure group or groups to which you would like to push Duo Mobile. We recommend starting with a test group. Click Next after selecting your target groups.

    10. Verify the information on the "Review + Create" tab, and if correct then click Create.

    At this point the configured integration is disabled and applies to no users until you finish your deployment.

    iOS Certificate Configuration

    End of Life Information

    New Intune iOS certificate deployment management integrations may no longer be created as of October 2021. Consider migrating your certificate-based iOS Intune integration to Intune with App Config. See the Duo Knowledge Base article Guide to updating Trusted Endpoints iOS integrations from certificates to AppConfig for more information about migrating your iOS certificate-based management integrations to App Config.

    These instructions remain available for customers who created these integrations before October 2021 and may need to reconfigure them. Duo continues to support existing Intune iOS certificate deployments and will do so until the integration reaches end-of-life status in a future update.

    Create the Intune Integration

    1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints.
    2. If this is your first management integration, click the Configure Management Tools Integration button at the bottom of the page. If you're adding another management integration, click the Add Integration button you see instead.
    3. On the "Add Management Tools Integration" page, locate Intune in the listed integrations and click the Add this integration selector.
    4. Choose Certs for iOS from the "Legacy" options, and then click the Add button.

    The new Intune integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

    Keep the Duo Admin Panel open in your browser while you access the Azure portal in a new window or tab. You'll need to return to the Intune management integration page to complete the iOS configuration steps.

    Create the Duo Root Certificate Profile

    1. Download the Duo Endpoint Root Certificate from the iOS tab of the Intune management integration page in the Duo Admin Panel.

    2. In the Azure portal, navigate to Intune > Device Configuration > Profiles.

    3. Click Create profile and make these selections on the "Create a profile" blade:

      • Platform: select iOS/iPadOS
      • Profile: select Trusted Certificate.

      Click Create.

    4. Enter this information in the "Trusted Certificate" profile editor:

      • Name: provide a name for the Duo Trusted Root Certificate profile.
      • Description: optionally add a description.

      Click Next.

    5. Upload the Duo Endpoint Root Certificate you downloaded earlier and click Next, and then click Next again without adding any scope tags.

    6. On the "Assignments" tab, assign the profile to your desired Azure users, groups, or devices. Click Next.

    7. Verify the information on the "Review + Create" tab, and click Create if it looks correct.

    Create the SCEP Certificate Profile

    1. In the Azure Portal, navigate to Intune > Device Configuration > Profiles.

    2. Click Create profile and make these selections on the "Create a profile" blade:

      • Platform: select iOS/iPadOS
      • Profile: select SCEP Certificate.

      Click Create.

    3. Enter this information in the "SCEP Certificate" profile editor:

      • Name: provide a name for the Duo SCEP Certificate profile.
      • Description: optionally add a description.

      Click Next.

    4. Create a new profile with the values below:

      • Certificate Type: select User.
      • Subject Name Format: select Common Name.
      • Subject Name Format: enter CN=Duo Endpoint Validation Issuing CA 1.
      • Subject Alternative Name: select Email Address from the drop-down then type in for the value, and then also select User Principal Name (UPN) from the drop-down then type in for that value (so you have both attributes listed before proceeding).
      • Certificate Validity Period: select Years and enter 1.
      • Key Storage Provider (KSP): select Enroll to Software KSP.
      • Key Usage: select Digital Signature.
      • Key Size (bits): select 2048.
      • Root Certificate: Click the + Root certificate link, select the Duo Root Certificate Profile you created in the previous config section, and click OK to make the certificate selection.
      • Extended Key Usage: click the drop-down arrow under Predefined values and select Client Authentication (1.3.6.1.5.5.7.3.2) from the list. The "Name" and "Object Identifier" values will be automatically filled.
      • Renewal Threshold: enter 20.
      • SCEP Server URL: Paste in the SCEP Server URL from the "Create the SCEP Certificate Profile" section of the iOS configuration tab on the Intune management integration page in the Duo Admin Panel.

      Click Next, and then click Next again without adding any scope tags.

    5. On the "Assignments" tab, assign the profile to your desired Azure users, groups, or devices, in the same way you deploy device profiles for other purposes. When making your assignment selections, consider the following:

      • The SCEP certificate profile installs only on devices that run the platform you specified when you created the certificate profile, in this case iOS and iPadOS.
      • You can assign certificate profiles to user collections or to device collections.
      • To publish a certificate to a device quickly after the device enrolls, assign the certificate profile to a user group rather than to a device group. If you assign to a device group, a full device registration is required before the device receives policies.

      Click Next after selecting the policy assignment targets.

    6. Verify the information on the "Review + Create" tab, and click Create if it looks correct.

    At this point the configured integration is disabled and applies to no users until you finish your deployment.

    Windows Configuration

    This integration relies on having the Duo Device Health app present on your Intune-managed Windows endpoints. When users authenticate to applications protected with Duo's browser-based prompt, Duo matches the device information reported by Device Health app with managed device information obtained from Intune via API.

    Use the following instructions to complete setup of your Intune with Device Health management integration for Windows devices.

    Create the Intune with Device Health Integration

    1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints.
    2. If this is your first management integration, click the Configure Management Tools Integration button at the bottom of the page. If you're adding another management integration, click the Add Integration button you see instead.
    3. On the "Add Management Tools Integration" page, locate Intune in the listed integrations and click the Add this integration selector.
    4. Choose Windows from the "Recommended" options, and then click the Add button.

    The new Intune with Device Health integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

    Keep the Duo Admin Panel open in your browser. You'll need to refer back to the Intune with Device Health management integration page to complete the configuration steps.

    Register Azure Application for Windows in Duo

    1. Scroll down on the configuration page for your Intune Trusted Endpoints management integration to the "Register Azure Application with Duo" section.

    2. Copy the Azure application client secret value that you created during the Azure configuration steps, and paste the copied secret as the Azure Secret value in the third step on your Intune management integration's config page in the Duo Admin Panel.

    3. Click Overview on the Duo Azure app registration's page. You'll see the Application (client) ID and Directory (tenant) ID listed at the top of the page.

    4. Copy the Application (client) ID value from Azure and paste it as the Azure Application ID value in step 4 on your Intune management integration's config page in the Duo Admin Panel.

    5. Copy the Directory (tenant) ID value from Azure and paste it as the Azure Directory ID value in step 4 on your Intune management integration's config page in the Duo Admin Panel.

    6. Click Test Configuration to verify Azure API access, and if successful click Save & Configure on the Intune with Device Health management integration page.

    At this point the configured integration is disabled and applies to no users until you finish your deployment.

    Windows Certificate Configuration

    End of Life Information

    New Intune certificate deployment management integrations may no longer be created as of December 2021. Consider migrating your certificate-based Windows Intune integration to Intune with Device Health. See the Duo Knowledge Base article How do I migrate from Duo Trusted Endpoints certificates to Trusted Endpoints with the Device Health Application? for guidance that you may find useful in migrating Intune certificate-based management integrations to Device Health.

    Use of the Duo Device Health app for trust attestation provides several advantages over the use of device certificates:

    • It provides a more accurate assessment of your managed devices, and removes concerns about long-lived certificates present on devices no longer managed by your organization.
    • It extends support to Firefox users. Trusted Endpoint certificate detection only works with Chrome, Edge, Safari, and Internet Explorer (depending on the management system).
    • It improves trust detection for web browsers and thick client applications.

    These instructions remain available for customers who created these integrations before December 2021 and may need to reconfigure them. Duo continues to support existing Intune Windows certificate deployments and will do so until the integration reaches end-of-life status in a future update.

    Duo verifies the trusted status of Windows devices by checking for the presence of a Duo device certificate. You'll use Intune to push the Duo CA information to your Windows devices so they can obtain a Duo certificate.

    Create the Intune Integration

    1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints.
    2. If this is your first management integration, click the Configure Management Tools Integration button at the bottom of the page. If you're adding another management integration, click the Add Integration button you see instead.
    3. On the "Add Management Tools Integration" page, locate Intune in the listed integrations and click the Add this integration selector.
    4. Choose Certs for Windows from the "Legacy" options, and then click the Add button.

    The new Intune integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

    Keep the Duo Admin Panel open in your browser while you access the Azure portal in a new window or tab. You'll need to return to the Intune management integration page to complete the Windows configuration steps.

    Create the Duo Root Certificate Profile

    1. Download the Duo Endpoint Root Certificate from the Windows tab of the Intune management integration page in the Duo Admin Panel.

    2. In the Azure portal, navigate to Intune > Device Configuration > Profiles.

    3. Click Create profile and make these selections on the "Create a profile" blade:

      • Platform: select Windows 8.1 and later
      • Profile: select Trusted Certificate.

      Click Create.

    4. Enter this information in the "Trusted Certificate" profile editor:

      • Name: provide a name for the Duo Trusted Root Certificate profile.
      • Description: optionally add a description.

      Click Next.

    5. Upload the Duo Endpoint Root Certificate you downloaded earlier, leave the "Destination Store" set to Computer certificate store - Root, and click Next, and then click Next again without adding any scope tags.

    6. On the "Assignments" tab, assign the profile to your desired Azure users, groups, or devices. Click Next.

    7. Verify the information on the "Review + Create" tab, and click Create if it looks correct.

    Create the SCEP Certificate Profile

    1. In the Azure Portal, navigate to Intune > Device Configuration > Profiles.

    2. Click Create profile and make these selections on the "Create a profile" blade:

      • Platform: select Windows 8.1 and later
      • Profile: select SCEP Certificate.

      Click Create.

    3. Enter this information in the "SCEP Certificate" profile editor:

      • Name: provide a name for the Duo SCEP Certificate profile.
      • Description: optionally add a description.

      Click Next.

    4. Create a new profile with the values below:

      • Certificate Type: select User.
      • Subject Name Format: enter CN=Duo Endpoint Validation Issuing CA 1.
      • Subject Alternative Name: select Email Address from the drop-down then type in for the value, and then also select User Principal Name (UPN) from the drop-down then type in for that value (so you have both attributes listed before proceeding).
      • Certificate Validity Period: select Years and enter 1.
      • Key Storage Provider (KSP): select Enroll to Software KSP.
      • Key Usage: select Digital Signature.
      • Key Size (bits): select 2048.
      • Hash algorithm: select SHA-2.
      • Root Certificate: Click the + Root certificate link, select the Duo Root Certificate Profile you created in the previous config section, and click OK to make the certificate selection.
      • Extended Key Usage: click the drop-down arrow under Predefined values and select Client Authentication (1.3.6.1.5.5.7.3.2) from the list. The "Name" and "Object Identifier" values will be automatically filled.
      • Renewal Threshold: enter 20.
      • SCEP Server URL: Paste in the SCEP Server URL from the "Create the SCEP Certificate Profile" section of the Windows configuration tab on the Intune management integration page in the Duo Admin Panel.

      Click Next, and then click Next again without adding any scope tags.

    5. On the "Assignments" tab, assign the profile to your desired Azure users, groups, or devices, in the same way you deploy device profiles for other purposes. When making your assignment selections, consider the following:

      • The SCEP certificate profile installs only on devices that run the platform you specified when you created the certificate profile, in this case Windows 8.1 and later.
      • You can assign certificate profiles to user collections or to device collections.
      • To publish a certificate to a device quickly after the device enrolls, assign the certificate profile to a user group rather than to a device group. If you assign to a device group, a full device registration is required before the device receives policies.

      Click Next after selecting the policy assignment targets.

    6. Verify the information on the "Review + Create" tab, and click Create if it looks correct.

    Upload the PowerShell Script to Update Registry Settings

    The PowerShell script configures automatic selection of the Duo certificate by Internet Explorer, and by Edge Chromium and Chrome as long as those browsers are installed on the client before the script runs. If Chrome or Edge Chromium get installed on the client afterwards, you'll need to make sure the PowerShell script runs on those clients again after installation to configure automatic Duo certificate selection.

    1. Download the Duo PowerShell Script from the Windows tab of the Intune management integration page in the Duo Admin Panel.

    2. In the Azure Portal, navigate to Intune > Device Configuration > Scripts and click Add.

    3. Enter a Name for the script and a Description, if desired. Click Next.

    4. Enter the following information on the "Script settings" page:

      • Script Location: upload the Duo PowerShell script you downloaded from the Duo Admin Panel.
      • Run this script using the logged on credentials: select No.
      • Enforce script signature check: select No.
      • Run script in 64 bit PowerShell Host: select No.

      Click Next.

    5. On the "Assignments" tab, assign the profile to your desired Azure users, or the users receiving a Trusted Endpoint Configuration from Intune. Click Next.

    6. Verify the information on the "Review + Create" tab, and click Create if it looks correct.

    At this point the configured integration is disabled and applies to no users until you finish your deployment.
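The following PowerShell audit script is an added example, not the Duo script downloaded from the Admin Panel. It reports Windows endpoints where Chrome or Edge is installed but carries no automatic certificate selection rule, the situation described above when a browser is installed after the Duo script ran. It assumes that auto-selection is configured through the Chromium AutoSelectCertificateForUrls policy keys; the issuer CN is a placeholder to set only if you want to require a rule for a specific issuer.

```powershell
# Added audit script (not Duo's deployment script). Flags Intune-managed Windows
# endpoints on which Chrome or Edge lacks the certificate auto-selection rule that
# the Duo PowerShell script configures, so the script can be re-run on those clients.
# Assumption: auto-selection is carried by the Chromium AutoSelectCertificateForUrls policy key.
$ExpectedIssuerCN = ""   # placeholder: set to your Duo certificate issuer CN to require a matching rule; empty accepts any rule

# Browser -> installation marker (App Paths registration) and the policy key the script should have populated.
$Browsers = @{
    "Google Chrome"  = @{
        AppPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe"
        Policy  = "HKLM:\SOFTWARE\Policies\Google\Chrome\AutoSelectCertificateForUrls"
    }
    "Microsoft Edge" = @{
        AppPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe"
        Policy  = "HKLM:\SOFTWARE\Policies\Microsoft\Edge\AutoSelectCertificateForUrls"
    }
}

function Test-AutoSelectRule {
    # Returns $true when the policy key holds at least one parseable rule
    # (optionally one whose ISSUER.CN filter matches $Issuer).
    param([string]$PolicyKey, [string]$Issuer)
    if (-not (Test-Path $PolicyKey)) { return $false }
    $props = Get-ItemProperty -Path $PolicyKey
    # Chromium stores one JSON rule per numbered value: "1", "2", ...
    # e.g. {"pattern":"https://[*.]example.test","filter":{"ISSUER":{"CN":"Example CA"}}}
    $ruleNames = ($props.PSObject.Properties | Where-Object Name -match '^\d+$').Name
    foreach ($name in $ruleNames) {
        try { $rule = $props.$name | ConvertFrom-Json } catch { continue }   # skip malformed rules
        if (-not $Issuer -or $rule.filter.ISSUER.CN -eq $Issuer) { return $true }
    }
    return $false
}

$results = foreach ($name in $Browsers.Keys) {
    $b = $Browsers[$name]
    $installed = Test-Path $b.AppPath
    $hasRule   = Test-AutoSelectRule -PolicyKey $b.Policy -Issuer $ExpectedIssuerCN
    [pscustomobject]@{
        Browser   = $name
        Installed = $installed
        Rule      = $hasRule
        Action    = if ($installed -and -not $hasRule) { "Re-run Duo PowerShell script" }
                    elseif (-not $installed -and $hasRule) { "Rule present, browser absent" }
                    else { "OK" }
    }
}
$results | Format-Table -AutoSize

# Non-zero exit lets Intune or a monitoring job treat any "Re-run" row as a failed check.
if ($results.Action -contains "Re-run Duo PowerShell script") { exit 1 } else { exit 0 }
```

Because the Duo script is uploaded with "Run this script using the logged on credentials" set to No, it writes machine-wide policy; this check therefore reads HKLM only.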

    Finish Trusted Endpoints Deployment

    After creating the Duo Mobile management integration, set the Trusted Endpoints policy to start checking for managed device status as users authenticate to Duo-protected services and applications.

    When your trusted endpoints policy is applied to your Duo applications, return to the Intune, Intune with App Config, or Intune with Device Health trusted endpoint management integration in the Admin Panel. The "Change Integration Status" section of the page shows the current integration status (disabled by default after creation). You can choose to either activate this management integration only for members of a specified test group or groups, or activate for all users. If you created more than one Intune management integration, you must activate each one individually.

    Enable Trusted Endpoints Management Integration

    The Device Insight and Endpoints pages in the Duo Admin Panel show which access devices are trusted/managed and enrolled in Duo Mobile.

    Verify Your Setup

    iOS App Config and Android

    Users with Duo Mobile installed and activated for Duo Push on Android and iOS devices see a device trust dialog when authenticating to a protected resource via the Duo Prompt.

    iOS Trusted Endpoint Inline Verification - Step 1

    Duo uses the Azure application you created to perform a permissions check to verify device information.

    iOS Trusted Endpoint Verification - Step 2

    If Duo successfully verifies the Intune device information, and the user has Duo Mobile activated for Duo Push, then the user receives a login request on their phone.

    iOS Trusted Endpoint Verification - Step 3

    On Android devices, approving the request grants access and returns the user to the protected application. On iOS devices, after approving the Duo authentication request users tap the top-left of the Duo Mobile app to return to the application and complete login. The "Second Factor" logged for these approvals is shown as "Duo Mobile Inline Auth" in the Duo authentication log.

    iOS Trusted Endpoint Verification - Step 4

    If the user does not have Duo Mobile activated for push, or does not approve the Duo request before it times out, the user returns to the Duo Prompt, where they may select from the available factors to complete 2FA.

    Windows with Device Health

    When Windows users access Duo-protected resources, the installed Duo Device Health app provides device information to Duo. If the information from the device matches the information in Azure, Duo grants access to the trusted device.

    iOS and Windows with Certificates

    With the legacy iOS certificate configuration, iOS users will see a prompt asking them to choose a certificate when authenticating to a protected resource via the Duo prompt. After selecting the Duo Device Authentication certificate and completing authentication, subsequent Duo authentications from the same device will automatically use that same certificate for verification.

    Legacy Windows certificate configuration users will see a prompt asking them to choose a certificate when authenticating to a protected resource via the Duo prompt. After selecting the Duo Device Authentication certificate and completing authentication, subsequent Duo authentications from the same device will automatically use that same certificate for verification.

    Expanding to Additional Client Platforms

    You only need to perform the Azure app registration and configuration in Duo once. The same Azure app is used for Android, iOS, and Windows Intune clients. After completing the full setup for one client platform in Duo, you need only complete the OS-specific setup steps for additional client operating systems.

    Save the Azure application secret you created in a secure password manager so that you can reuse the same Azure AD application, registered while setting up your first Intune trusted endpoints management integration, for future Intune management integrations.

    Removing Devices from Intune

    If you need to remove a device from Intune so that Duo no longer recognizes it as a managed, trusted device, do not use the "Retire" action in Intune. Instead, delete the device from the Intune portal. If you "retire" the managed device in Intune instead of deleting it, Duo continues to recognize the device as managed and permits a user to authenticate from that still trusted device. The "Wipe" action both wipes the device and deletes it from Intune.

    Removing the Intune Management Integration

    Deleting a trusted endpoints management tool integration from the Duo Admin Panel immediately invalidates issued Duo device authentication certificates. Be sure to unassign your trusted endpoints policy from all applications or remove the "Trusted Endpoints" configuration item from your global policy before deleting an existing Intune integration from "Trusted Endpoints Configuration". You should also disable your Duo admin user in Intune.

    Leaving the policy settings in place after deleting a management tools integration may inadvertently block user access to applications.

    Troubleshooting

    Need some help? Take a look at our Trusted Endpoints Knowledge Base articles or Community discussions. For further assistance, contact Support.