
Trusted Endpoints - Sophos Mobile Managed Device Deployment

Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo protected services. When a user authenticates via the Duo Prompt, we'll check for the access device's management status. You can monitor access to your applications from managed and unmanaged devices, and optionally block access from devices not managed by your organization.

Before enabling the Trusted Endpoints policy on your applications, you'll need to deploy the Duo device certificate or REST API access for Duo to your managed mobile devices. This guide walks you through Sophos Mobile configuration for Android and iOS mobile devices.

Please note that Duo supports Sophos Mobile version 8.0 and later.

Prerequisites

  • Access to the Duo Admin Panel as an administrator with the Owner, Administrator, or Application Manager administrative roles.
  • Access to the Sophos Mobile Admin as an administrator with the rights to create administrators, modify system setup settings, and create and apply profiles and policies.

Create the Sophos Mobile Integration

  1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints Configuration.
  2. If this is your first management integration, click the Configure Management Tools Integration button at the bottom of the page. If you're adding another management integration, click the Add Integration button you see instead.
  3. On the "Select Management Tools Integration" page, locate Sophos Mobile in the listed integrations and click the Select this integration link to the right.

The new Sophos Mobile integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Keep the Duo Admin Panel open in your browser. You'll need to refer back to the Sophos Mobile management integration page to complete the Android and/or iOS configuration steps.

Android Configuration

Duo determines trusted device status on Android devices using the Sophos Mobile API to verify device information. To enable this verification you'll need to grant Duo's service API access in Sophos Mobile.

Modify Firewall Rules for Duo

If using an on-premises installation of Sophos Mobile you may need to modify your firewall rules so that Sophos Mobile can communicate with Duo's service.

Use the IP ranges shown on the "Sophos Mobile - Android Configuration Instructions" management integration page in the Duo Admin Panel when updating your firewall rules and verifying connectivity.

Create an Administrator for Duo

  1. Log on to Sophos Mobile Admin and go to Setup > Administrators.

  2. Click on Create administrator.

  3. Enter the following information:

    Username: Enter the desired Duo account username.
    Role: Set to Duo API Administrator.
    First Name and Last Name: Enter a first and last name for the Duo admin user (e.g. "Duo" "Admin").
    Email Address: Enter an email address for your Duo admin user.
    Password and Confirm Password: Enter and confirm a strong password for the Duo admin user. You will enter this password in the Duo Admin Panel in the next steps.
  4. Click Save.

    Create Duo API Administrator

Enter Sophos Mobile Info in Duo

  1. Return to your Sophos Mobile management integration page in the Duo Admin Panel.

  2. Enter the following information into the blank fields under step 3 of the Sophos Mobile "Android Configuration Instructions" section:

    Username: Enter the Duo API Administrator username you created in Sophos Mobile.
    Password: Enter the password for the Duo API Administrator you created in Sophos Mobile.
    Customer: Enter your organization's Sophos Mobile customer name, the one used when logging in to Sophos Mobile Admin.
    Domain Name: Enter your organization's Sophos Mobile domain. For example, if you access the Sophos Mobile console at https://abc123.sophosmc.com then you'd enter abc123.sophosmc.com as the domain name.
  3. Click the Test Configuration button to verify Duo's API access to your Sophos Mobile instance. You'll receive a "Configuration Successful!" message if everything's correct. If the test fails, verify that you completed the Sophos Mobile configuration steps and entered the right information in the Duo Admin Panel.

  4. After you successfully test your configuration, click the Save & Configure Android Devices button.

iOS Configuration

Duo verifies the trusted status of iOS devices by checking for the presence of a Duo device certificate. You'll use Sophos Mobile to push the Duo CA information to your mobile devices so they can obtain a Duo certificate.

Modify Firewall Rules for Duo

If using an on-premises installation of Sophos Mobile you may need to modify your firewall rules so that Sophos Mobile can communicate with Duo's service.

Use the IP ranges shown on the "Sophos Mobile - iOS Configuration Instructions" management integration page in the Duo Admin Panel when updating your firewall rules and verifying connectivity.
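The firewall guidance above (and the identical step in the Android section) asks you to allow traffic from an on-premises Sophos Mobile server to the Duo IP ranges listed on the integration page and then verify connectivity. The following Python script is an added example, not Duo's or Sophos's code: it validates the range list you copied from the Admin Panel (catching typos before they become firewall rules), confirms that the addresses you intend to probe are actually covered by those ranges, and attempts a TCP connection from the host it runs on. The ranges in it are RFC 5737 documentation placeholders that you must replace with the ranges shown in the Duo Admin Panel, and port 443 is an assumption.

```python
"""Outbound connectivity check for an on-premises Sophos Mobile server.

Added example, not Duo or Sophos code. Run it on the Sophos Mobile host
after updating firewall rules. The ranges below are RFC 5737 documentation
placeholders; replace them with the IP ranges listed on the
"Sophos Mobile - Android/iOS Configuration Instructions" page in the
Duo Admin Panel. The port is an assumption."""
import ipaddress
import socket

# Placeholder ranges (constructed for this example, not real Duo ranges).
DUO_SERVICE_RANGES = ["192.0.2.0/24", "198.51.100.0/24"]
DUO_SERVICE_PORT = 443  # assumed; confirm against the Admin Panel page


def validate_ranges(ranges):
    """Return the entries that are not valid CIDR networks.

    strict=True rejects entries with host bits set (e.g. 192.0.2.1/24),
    which usually indicates a copy-paste mistake."""
    bad = []
    for entry in ranges:
        try:
            ipaddress.ip_network(entry, strict=True)
        except ValueError:
            bad.append(entry)
    return bad


def parse_ranges(ranges):
    """Convert validated entries to ip_network objects."""
    return [ipaddress.ip_network(r, strict=True) for r in ranges]


def address_in_ranges(addr, networks):
    """True if addr lies inside one of the documented ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def tcp_reachable(host, port, timeout=3.0):
    """Attempt a TCP connect; False on refusal, timeout or other socket error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_connectivity(addresses, networks, port=DUO_SERVICE_PORT):
    """For each address, record whether it is covered by the documented
    ranges (so the rule you wrote actually includes it) and whether a
    TCP connection to it succeeds from this host."""
    report = {}
    for addr in addresses:
        report[addr] = {
            "in_documented_range": address_in_ranges(addr, networks),
            "tcp_reachable": tcp_reachable(addr, port),
        }
    return report


if __name__ == "__main__":
    problems = validate_ranges(DUO_SERVICE_RANGES)
    if problems:
        raise SystemExit(f"malformed range entries: {problems}")
    nets = parse_ranges(DUO_SERVICE_RANGES)
    # Probe the first usable address of each range; substitute the actual
    # Duo service addresses you are allowing.
    probes = [str(next(net.hosts())) for net in nets]
    for addr, result in check_connectivity(probes, nets).items():
        print(addr, result)
```

A probe that reports `in_documented_range: False` means the address you are testing is not covered by the rule you are about to write; a probe that is covered but `tcp_reachable: False` points at the firewall or an upstream device rather than at the range list.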

Add the Duo Certificate Authority

  1. Log on to Sophos Mobile Admin and navigate to Setup > System Setup > Duo Security.

  2. Enter the User and Password from the SCEP information on the Sophos Mobile management integration page in the Duo Admin Panel into Sophos Mobile. Do not modify the "SCEP server URL" or "Challenge URL" from the preconfigured values.

    Add Duo CA

Add a Device Profile

  1. Navigate to Profiles, policies > iOS and click Create > Device profile in Sophos Mobile Admin.

  2. Enter a Name, Organization, and Description for the new profile on the "Edit profile" page.

  3. Click Add configuration and scroll down the page until you locate Duo device certificate. Select it, and then click Next.

  4. Enter a CA name and click Apply. This returns you to the "Edit profile" page.

  5. Click Save to finish and return to the

    Create Duo Device Profile

Deploy a Device Profile to iOS Devices

  1. Navigate to Profiles, policies > iOS in Sophos Mobile Admin.

  2. Locate the Duo device profile you created earlier in the list, click the down arrow next to the name to expose additional options, and click on Show.

  3. Click Transfer on the "Show Profile" page.

  4. Select the iOS devices or device groups to which you'd like to apply the Duo certificate profile and click Next.

  5. Choose whether you want to execute the policy assignment now or at a future date or time, and then click Finish.

You can monitor the profile's installation status on the selected iOS devices from the "Tasks" page.

Finish Trusted Endpoints Deployment

Once your Sophos Mobile managed devices receive the Duo config you can set the Trusted Endpoints policy to start checking for managed device status as users authenticate to Duo-protected services and applications.

When your trusted endpoints policy is applied to your Duo applications, return to the Sophos Mobile trusted endpoint management integration in the Admin Panel and activate it, either by changing the selection at the top of the page from "Off" to "On" (to immediately apply this to all your Duo users), or by selecting "Test" and picking a target Duo group to verify your setup against a subset of users.

The Device Insight and Endpoints pages in the Duo Admin Panel show which access devices are trusted/managed.

Verify Your Setup

Users on Android devices see a prompt to "check your permissions" when authenticating to a protected resource via the Duo Prompt.

Android Trusted Endpoint Verification - Step 1

Duo uses the API access you granted in Sophos Mobile to verify device information.

Android Trusted Endpoint Verification - Step 2

If Duo successfully verifies the device information using the Sophos Mobile API access then the user receives access to the protected application.

Android Trusted Endpoint Verification Failed

iOS users will see a prompt asking them to choose a certificate when authenticating to a protected resource via the Duo Prompt. After selecting the Duo Device Authentication certificate and completing authentication, subsequent Duo authentications from the same device will automatically use that same certificate for verification.

Removing the Sophos Mobile Management Integration

Deleting a trusted endpoints management tool integration from the Duo Admin Panel immediately invalidates issued Duo device authentication certificates. Be sure to unassign your trusted endpoints policy from all applications or remove the "Trusted Endpoints" configuration item from your global policy before deleting an existing Sophos Mobile integration from "Trusted Endpoints Configuration". You should also disable your Duo admin user in Sophos Mobile.

Leaving the policy settings in place after deleting a management tools integration may inadvertently block user access to applications.

Troubleshooting

Need some help? Take a look at our Trusted Endpoints Knowledge Base articles or Community discussions. For further assistance, contact Support.
