Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo protected services. When a user authenticates via the Duo Prompt, we'll check for the presence of a Duo device certificate on that endpoint. You can monitor access to your applications from devices with and without the Duo certificate, and optionally block access from devices without the Duo certificate.
Before enabling the Trusted Endpoints policy on your applications, you'll need to deploy the Duo device certificate to your managed devices. This guide walks you through using Jamf Pro to distribute a certificate enrollment script to your managed devices.
The new Jamf Pro integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.
Keep the Admin Panel open in your browser to complete the next step of importing a script from Duo into Jamf Pro.
Duo provides you with a certificate enrollment script you can import to a Jamf Pro policy. This script installs the Duo device certificate on targeted systems. The Duo script also configures Safari and Google Chrome browsers to automatically select Duo's device certificate during the authentication process.
To create the Duo policy in Jamf Pro:
Log on to the Jamf Pro dashboard as an administrator and navigate to Computers → Management Settings.
Click the Scripts icon under Computer Management, and then click the + New button on the "Scripts" page.
Enter the following information on the General options tab:
|Display Name||Enter a descriptive name for the new script, like "Duo Enrollment Script".|
|Category||(Optional) Categorize the script if you wish.|
|Information||(Optional) Enter identifying information about the Duo script.|
|Notes||(Optional) Enter notes about the Duo script.|
Click the Script tab in Jamf Pro.
|1 year certificates||These certificates expire one year from issuance. This is the best option for most Duo deployments.|
|7 days certificates||These certificates expire one week (seven days) from issuance. Select this option when you have users who need certificates reissued more frequently than the one year default. For example, you have virtual desktop users whose VDI endpoints are redeployed periodically, or a group of contractors who aren't expected to use the same workstations for a year.|
Click the Copy Script to Clipboard button in the "Copy the Jamf Enrollment Script" section of the page (step 1).
Return to the Jamf Pro dashboard and paste the Duo script you just copied from the Admin Panel into the Script Contents box.
Click the Save button once you paste the Duo script contents. The script doesn't require any changes to "Options" or "Limitations".
Click the Done button.
To add the new Duo script to a new or existing computer policy:
Navigate to Computers → Policies in the Jamf Pro console. Click the + New button (or click on an existing policy and click the Edit button, then skip to step 3 below).
To begin creating a new policy, enter the following information on the General options tab:
|Display Name||Enter a descriptive name for the new policy, like "Duo Certificate Policy".|
|Enabled||Leave this option checked.|
|Trigger||Choose the options that make sense for your environment. We recommend Login and Recurring Check-in at minimum.|
|Execution Frequency||This policy should run again periodically to ensure timely renewal of the client's Duo certificate. We recommend Once every day as the minimum frequency.|
Click the Scripts item on the left, and then click the Configure button on the "Configure Scripts" page.
Locate the Duo enrollment script you imported earlier in the list of scripts and click the Add button next to it. It is not necessary to change the script priority or add any parameters.
If you created a new policy, then you need to apply it to target systems. Click the Scope tab.
Determine whether you want to target all computers or just a subset with the Target Computers drop-down menu.
If you selected Specific Computers in the previous step, click the Add button and then select your desired target computers or computer groups by clicking the Add button next to their names. Click the Done button after you've selected all the targets.
Click the Save button at the bottom of the page once you've added the script and defined the scope.
To see the status of this policy on the dashboard, check the Show in JSS Dashboard option on the far right of the policy editor. Click the Done button at the bottom of the page.
Monitor the status of your Duo certificate policy by returning to the Jamf Pro dashboard periodically.
You can use the this command from a Terminal window on a target device to force a policy update:
sudo jamf policy
To confirm that your Jamf Pro policy worked, you can open the macOS Keychain Access application on a computer that successfully processed the Duo Jamf policy and make sure the Duo Device Authentication certificate is present in the "duo-auth" keychain.
Once your managed computers start receiving the Duo certificate you can configure the Trusted Endpoints policy to start checking for the certificate as users authenticate to Duo-protected services and applications.
When your trusted endpoints policy is applied to your Duo applications, return to the Jamf Pro trusted endpoint management integration in the Admin Panel and enable it by clicking the Change link at the top of the page next to "Integration is disabled". You can choose to either activate this management integration for just members of a specified test group or groups, or activate for all users.
As more of your devices receive the Duo certificate you can change the integration activation to apply to all users (if you just targeted test groups before), adjust your trusted endpoints policy to expand the target group, apply it to additional protected services, or start blocking access to applications from devices that do not have the Duo certificate. See the Trusted Endpoints documentation for more information.
Deleting a trusted endpoints management tool integration from the Duo Admin Panel immediately invalidates issued Duo device authentication certificates. Be sure to unassign your trusted endpoints policy from all applications or remove the "Trusted Endpoints" configuration item from your global policy before deleting an existing Jamf Pro integration from "Trusted Endpoints Configuration". You should also disable your Duo policy in Jamf.
Leaving the policy settings in place after deleting a management tools integration may inadvertently block user access to applications.