Certificate-based Trusted Endpoint verification reaches end of life on September 1, 2022. Migrate existing management integrations to solutions that verify endpoint status with Duo Mobile or Duo Device Health. Learn more about migration options in the Duo Trusted Endpoints Certificate Migration Guide.
Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo protected services. When a user authenticates via the Duo Prompt, we'll check for the access device's management status. You can monitor access to your applications from managed and unmanaged devices, and optionally block access from devices not managed by your organization.
Trusted Endpoints is part of the Duo Beyond plan.
The Duo Certifier is an optional software component you can install on your macOS managed systems to assist with identification and reporting of Duo trusted endpoints using certificate verification. We recommend use of the Duo Certifier if your macOS systems have issues reporting trusted status to Duo, whether via web browsers or third-party client applications which feature Duo authentication. You can install the Duo Certifier manually on individual systems, or deploy it using your regular software management system.
The Duo Certifier doesn't require any additional action from your users and runs silently in the background, becoming active only when a user logs into an application that displays the interactive Duo Prompt.
If the endpoint needs to be checked for Duo trusted status then the Duo authentication prompt shown in the browser or client application connects to the Duo Certifier running locally on the device via HTTPS. The Duo Certifier then accesses the Duo trust certificate in the user's macOS Keychain and sends the certificate information to Duo's service for verification.
Duo then performs the trusted endpoints check as specified in your configured "Trusted Devices" policy, along with verification that both the device and user comply with your other Duo policy settings, and then proceeds to Duo two-factor authentication.
If for some reason the Duo Certifier certificate request fails then Duo falls back on the regular method of obtaining the Duo certificate from the macOS Keychain via the browser itself.
If you choose to distribute the Duo Certifier to your users be aware that some mobile device management (MDM) systems might not properly install the certificate into the target user's keychain. The workaround for this is to have users install the Duo Certifier manually.
Download the Duo Certifier .pkg installer. You can also download the Duo Certifier installer from your macOS management integration's page in the Duo Admin Panel. The downloaded file name is similar to
macos_certifier-1.0.4.pkg. View checksums for Duo downloads here.
Run the Duo Certifier .pkg installer on a macOS endpoint, or deploy it to client systems using your device management application.
Complete the Trusted Endpoints client certificate deployment and configure a policy to start checking for the certificate as users authenticate to Duo-protected services and applications. You must have access to the Duo Admin Panel as an administrator with the Owner, Administrator, or Application Manager administrative roles to configure a trusted endpoints management integration.
Download the Duo Certifier .pkg uninstaller. You can also download the Duo Certifier uninstaller from your macOS management integration's page in the Duo Admin Panel. The downloaded file name is similar to
macos_certifier_uninstaller-1.0.4.pkg. View checksums for Duo downloads here.
Run the Duo Certifier .pkg uninstaller on a macOS endpoint to remove the software, or deploy the uninstaller to client systems using your device management application.
If you use application or binary block lists on your endpoints, you'll need to permit the Duo Certifier. We recommending using the SHA-256 signature for Duo's software signing certificate, to avoid having to update your application allow list settings for each release of the Duo Certifier.
The Duo signing certificate information is:
SHA-256 : 089c9b2b28b738354c43a11486651ca33266e2b7454477d6b351df09c2e97fae SHA-1 : 018da99c0e7062af5cc14dbc0d628c3c9bf25ce5 Common Name : Developer ID Application: Duo Security LLC (FNN8Z5JMFP) Organization : Duo Security LLC Organizational Unit : FNN8Z5JMFP Valid From : 2017/04/12 11:20:08 -0400 Valid Until : 2022/04/13 11:20:08 -0400