Trusted Endpoints - Duo Certifier

Last Updated: April 3rd, 2019

Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo protected services. When a user authenticates via the Duo Prompt, we'll check for the presence of a Duo device certificate on that endpoint. You can monitor access to your applications from devices with and without the Duo certificate, and optionally block access from devices without the Duo certificate.

The Duo Certifier is an optional software component you can install on your macOS managed systems to assist with identification and reporting of Duo trusted endpoints. We recommend use of the Duo Certifier if your macOS systems have issues reporting trusted status to Duo, whether via web browsers or third-party client applications which feature Duo authentication. You can install the Duo Certifier manually on individual systems, or deploy it using your regular software management system.

The Duo Certifier doesn't require any additional action from your users and runs silently in the background, becoming active only when a user logs into an application that displays the interactive Duo Prompt.

If the endpoint needs to be checked for Duo trusted status, the Duo authentication prompt shown in the browser or client application connects over HTTPS to the Duo Certifier running locally on the device. The Duo Certifier then reads the Duo trust certificate from the user's macOS Keychain and sends the certificate information to Duo's service for verification.

Duo then performs the trusted endpoints check as specified in your configured "Trusted Devices" policy, along with verification that both the device and user comply with your other Duo policy settings, and then proceeds to Duo two-factor authentication.

If for some reason the Duo Certifier certificate request fails, Duo falls back on the regular method of obtaining the Duo certificate from the macOS Keychain via the browser itself.

System Requirements

  • The Duo Certifier supports macOS 10.11 (El Capitan) or later systems.
  • The Duo Certifier listens for HTTPS connections on port 15310, so ensure this port is available.
  • The Duo certificate enrollment script must be version 3.5 or later. Visit the details page for your trusted endpoints management integration in the Duo Admin Panel to download the most recent certificate enrollment script, and update your deployment configuration accordingly (this may entail replacing your current script with the new version in Jamf or another endpoint management system, or manually running the updated script on your macOS endpoints).

Duo Certifier Install

  1. Download the Duo Certifier .pkg installer. You can also download the Duo Certifier installer from your macOS management integration's page in the Duo Admin Panel. The downloaded file name is similar to macos_certifier-1.0.4.pkg. View checksums for Duo downloads here.

  2. Run the Duo Certifier .pkg installer on a macOS endpoint, or deploy it to client systems using your device management application.

Verify Your Setup

Complete the Trusted Endpoints client certificate deployment and configure a policy to start checking for the certificate as users authenticate to Duo-protected services and applications. You must have access to the Duo Admin Panel as an administrator with the Owner, Administrator, or Application Manager administrative roles to configure a trusted endpoints management integration.

Removing the Duo Certifier

  1. Download the Duo Certifier .pkg uninstaller. You can also download the Duo Certifier uninstaller from your macOS management integration's page in the Duo Admin Panel. The downloaded file name is similar to macos_certifier_uninstaller-1.0.4.pkg. View checksums for Duo downloads here.

  2. Run the Duo Certifier .pkg uninstaller on a macOS endpoint to remove the software, or deploy the uninstaller to client systems using your device management application.

Application Whitelisting

If you use application or binary whitelisting on your endpoints, you'll need to whitelist the Duo Certifier. We recommend whitelisting the SHA-256 fingerprint of Duo's software signing certificate, so that you don't have to update your whitelist settings for each release of the Duo Certifier.

The Duo signing certificate information is:

  SHA-256             : 089c9b2b28b738354c43a11486651ca33266e2b7454477d6b351df09c2e97fae
  SHA-1               : 018da99c0e7062af5cc14dbc0d628c3c9bf25ce5
  Common Name         : Developer ID Application: Duo Security, Inc. (FNN8Z5JMFP)
  Organization        : Duo Security, Inc.
  Organizational Unit : FNN8Z5JMFP
  Valid From          : 2017/04/12 11:20:08 -0400
  Valid Until         : 2022/04/13 11:20:08 -0400
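Before pinning the fingerprint above in an allowlist, it is worth confirming that the binary you are about to allow was actually signed with that certificate. The script below is an added example and not Duo's own tooling; it assumes a macOS host with `codesign` and `openssl`, and takes the path to the installed Certifier binary as an argument (the install path is not given on this page, so it is left to the operator).

```shell
#!/bin/sh
# Added example, not Duo's own tooling: confirm that a signed macOS binary was
# signed with the Developer ID Application certificate whose SHA-256 this page
# lists, before pinning that fingerprint in an application allowlist.
# Assumptions: macOS with `codesign` and `openssl`; the binary path is supplied
# by the operator (the Certifier's install path is not stated on the page).

EXPECTED_SHA256="089c9b2b28b738354c43a11486651ca33266e2b7454477d6b351df09c2e97fae"

# Turn an `openssl x509 -fingerprint -sha256` line such as
# "SHA256 Fingerprint=08:9C:9B:..." into lowercase hex with no separators,
# so it can be compared with the value Duo publishes.
normalize_fingerprint() {
    printf '%s' "$1" | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Succeeds (exit 0) only when the fingerprint line matches the expected hex.
fingerprint_matches() {
    [ "$(normalize_fingerprint "$1")" = "$2" ]
}

# Extract the leaf certificate from the binary's code signature (codesign writes
# it as codesign0 in the working directory) and print its SHA-256 fingerprint.
leaf_fingerprint_line() {
    tmp=$(mktemp -d) || return 1
    ( cd "$tmp" && codesign -d --extract-certificates "$1" ) 2>/dev/null \
        || { rm -rf "$tmp"; return 1; }
    openssl x509 -inform DER -in "$tmp/codesign0" -noout -fingerprint -sha256
    status=$?
    rm -rf "$tmp"
    return "$status"
}

# Check the installed binary, not the .pkg: installer packages are signed with
# a separate Developer ID Installer certificate, whose fingerprint differs.
main() {
    line=$(leaf_fingerprint_line "$1") || { echo "cannot read signature of $1" >&2; return 2; }
    if fingerprint_matches "$line" "$EXPECTED_SHA256"; then
        echo "OK: $1 is signed by Duo's Developer ID Application certificate"
    else
        echo "MISMATCH: $1 signer fingerprint $(normalize_fingerprint "$line")" >&2
        return 1
    fi
}

# Runs only when a path is given, e.g. sh verify_duo_signer.sh /path/to/binary
if [ $# -eq 1 ]; then
    main "$1"
fi
```

A non-zero exit means the signer does not match, which is the case you want your deployment pipeline to stop on rather than silently allowlist.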

Troubleshooting

Need some help? Take a look at our Trusted Endpoints Knowledge Base articles or Community discussions. For further assistance, contact Support.