Duo Trusted Endpoints - Sophos Mobile Managed Device Deployment

Last Updated: June 16th, 2023

Certificate-based Trusted Endpoint verification for Sophos Mobile will reach end-of-life in a future release. Migrate existing iOS Certificate Configuration management integrations to iOS Configuration. Learn more about the end-of-life timeline and migration options in the Duo Trusted Endpoints Certificate Migration Guide.

Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo protected services. When a user authenticates via the Duo Prompt, we'll check for the access device's management status. You can monitor access to your applications from trusted and untrusted devices, and optionally block access from devices not trusted by your organization.

Trusted Endpoints is part of the Duo Essentials, Duo Advantage, and Duo Premier plans.

Before enabling the Trusted Endpoints policy on your applications, you'll need to configure REST API access for Duo to your managed mobile devices or apply a compliance policy which includes Duo Mobile. This guide walks you through Sophos Mobile configuration for Android and iOS mobile devices.

Mobile Trusted Endpoints and Verified Duo Push: Trusted endpoint verification of iOS and Android devices with Duo Mobile uses the standard Duo Push approval process and will not prompt for a Duo Push verification code, even if the effective authentication methods policy for the user and application has "Verified Duo Push" enabled.

Compatibility

This trusted endpoints integration supports Sophos Mobile version 8.0 and later when managed by Sophos Mobile Admin. It is not compatible with Sophos Central solutions.

Prerequisites

Android Configuration

Duo determines trusted device status on Android devices with Duo Mobile installed and activated for Duo Push using the Sophos Mobile API to verify device information. To enable this verification you'll need to grant Duo's service API access in Sophos Mobile.

Create the Sophos Mobile Integration

  1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints.
  2. If this is your first management integration, click the Get started button at the bottom of the Trusted Endpoints introduction page. If you're adding another management integration, click the Add Integration button you see at the top of the page instead.
  3. On the "Add Management Tools Integration" page, locate Sophos Mobile in the list of "Device Management Tools" and click the Add this integration selector.
  4. Choose Android from the "Recommended" options, and then click the Add button.

The new Sophos Mobile integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Please note that this integration takes advantage of managed app configuration and therefore Duo Mobile must be installed by your MDM for the device to be considered trusted.

Keep the Duo Admin Panel open in your browser. You'll need to refer back to the Sophos Mobile management integration page to complete the Android configuration steps.

Configure Duo Mobile Distribution

  1. If you did not previously set up Android enterprise in Sophos Mobile, you must complete it now to continue.

  2. Next, configure Android enterprise device enrollment.

  3. View Duo Mobile in the managed Google Play store and click Approve.

  4. Log on to Sophos Mobile Admin and go to Configure > Apps > Android.

  5. Once on the Android "Approved apps" page, click on the Retrieve app list from Google button. When prompted, click Yes to proceed with importing your approved apps (including Duo Mobile).

  6. Click on Duo Mobile in the approved apps list to edit the app's properties, and then expand the "Managed Configuration" section.

  7. Locate the "Trusted Endpoint Identifier" managed configuration field and enter %CLIENTPROP(ANDROID_ID)% as the value.

  8. Return to your Sophos Mobile management integration page in the Duo Admin Panel.

  9. Copy the "Trusted Endpoints Configuration Key" value from the Android Configuration Instructions tab of your Sophos Mobile management integration (it will look similar to DJPO0S0HLJD0ASDHTDD). Paste this in Sophos Mobile Admin as the Trusted Endpoints Configuration Key value.

    Duo Mobile App Configuration
  10. Click Save to return to the "Approved apps" page.

  11. Click the Send app settings to Google button, then click Yes when prompted to send your new Duo Mobile app configuration.

Modify Firewall Rules for Duo

If using an on-premises installation of Sophos Mobile you may need to modify your firewall rules so that Sophos Mobile can communicate with Duo's service.

Use the IP ranges shown on the "Sophos Mobile - Android Configuration Instructions" management integration page in the Duo Admin Panel when updating your firewall rules and verifying connectivity.

Create an Administrator for Duo

  1. While still logged into Sophos Mobile Admin, go to Settings > Setup > Administrators.

  2. Click on Create administrator.

  3. Enter the following information:

    Username: Enter the desired Duo account username.
    Role: Set to Duo API Administrator.
    First Name and Last Name: Enter a first and last name for the Duo admin user (e.g. "Duo" "Admin").
    Email Address: Enter an email address for your Duo admin user.
    Password and Confirm Password: Enter and confirm a strong password for the Duo admin user. You will enter this password in the Duo Admin Panel in the next steps.
  4. Click Save.

    Create Duo API Administrator

Enter Sophos Mobile Info in Duo

  1. Return to your Sophos Mobile management integration page in the Duo Admin Panel.

  2. Enter the following information into the blank fields under step 3 of the Sophos Mobile "Android Configuration Instructions" section:

    Username: Enter the Duo API Administrator username you created in Sophos Mobile.
    Password: Enter the password for the Duo API Administrator you created in Sophos Mobile.
    Customer: Enter your organization's Sophos Mobile customer name, used when logging into Sophos Mobile Admin.
    Domain Name: Enter your organization's Sophos Mobile domain. For example, if you access the Sophos Mobile console at https://abc123.sophosmc.com then you'd enter abc123.sophosmc.com as the domain name.
  3. Click the Test Configuration button to verify Duo's API access to your Sophos Mobile instance. You'll receive a "Configuration Successful!" message if everything's correct. If the test fails, verify that you completed the Sophos Mobile configuration steps and entered the right information in the Duo Admin Panel.

  4. After you successfully test your configuration, click the Save & Configure Android Devices button.

At this point the configured integration is disabled and applies to no users until you finish your deployment.

iOS Configuration

Duo determines trusted device status on iOS devices with Duo Mobile installed and activated for Duo Push using Sophos Mobile to push information to mobile devices, which Duo collects at time of authentication.

Create the Sophos Mobile with App Config Integration

  1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints.
  2. If this is your first management integration, click the Get started button at the bottom of the Trusted Endpoints introduction page. If you're adding another management integration, click the Add Integration button you see at the top of the page instead.
  3. On the "Add Management Tools Integration" page, locate Sophos Mobile in the list of "Device Management Tools" and click the Add this integration selector.
  4. Choose iOS from the "Recommended" options, and then click the Add button.

The new Sophos Mobile with App Config integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Please note that this integration takes advantage of managed app configuration and therefore Duo Mobile must be installed by your MDM for the device to be considered trusted.

Keep the Duo Admin Panel open in your browser. You'll need to refer back to the Sophos Mobile with App Config management integration page to complete the configuration steps.

Configure Duo Mobile Distribution

  1. If you did not previously set up Apple Push Notification service certificates in Sophos Mobile, you must complete that now to continue.

  2. In the Sophos Mobile Management dashboard, navigate to Configure > Apps > iOS & iPadOS.

  3. Click + Add app and choose iOS link.

    Find and select Duo Mobile in Sophos Mobile
  4. On the "Edit iOS app" page, click the Search in App Store button. Search for and select Duo Mobile. Ensure that the Sophos Mobile managed installation option is enabled (checked).

    Add iOS Link in Sophos Mobile
  5. Locate the "Settings and VPN" item and click the Show button to the right.

  6. In the "Managed configuration" section of the "Edit settings and VPN" page, click the + Add parameter button. Return to your Sophos Mobile with App Config management integration in the Duo Admin Panel, and use the information there to add a new key parameter in Sophos Mobile:

    Name: Paste in trustedEndpointConfigurationKey from the "Trusted Endpoints configuration key" section of the Sophos Mobile with App Config management integration page in the Duo Admin Panel.
    Value: Paste in the value from the "Trusted Endpoints configuration key" section of the Sophos Mobile with App Config management integration page in the Duo Admin Panel.
    Type: Select String.

    Click Apply when done.

    Add iOS Link in Sophos Mobile
  7. Click the + Add parameter button again to add a second parameter, using information from the Sophos Mobile with App Config management integration in the Duo Admin panel:

    Name: Paste in trustedEndpointIdentifier from the "Trusted Endpoints identifier" section of the Sophos Mobile with App Config management integration page in the Duo Admin Panel.
    Value: Paste in the value from the "Trusted Endpoints identifier" section of the Sophos Mobile with App Config management integration page in the Duo Admin Panel. Protect the Duo Trusted Endpoint Identifier value as a secret and do not share it with anyone.
    Type: Select String.

    Click Apply when done.

    Add iOS Link in Sophos Mobile
  8. Click Apply on the "Edit settings and VPN" page, and then click Save.

Automate Duo Mobile Installation

To auto-deploy the Duo Mobile app to Sophos managed devices, create and apply a Sophos compliance policy to a device group. Before you can do this, you'll need to first create an App Group and a Task Bundle.

Configure Sophos App Group

For more information about Sophos App Groups, please refer to the Sophos Mobile on Premise documentation or the Sophos Mobile documentation.

  1. In the Sophos Mobile Management dashboard, navigate to Settings > App Groups > iOS & iPadOS.

  2. Click Create to create a new app group, or select an existing app group. If you're creating a new app group, give it a descriptive name, like "Duo Mobile App Group".

  3. Click Add App, and then search for and select Duo Mobile. Click Add.

    Add Duo Mobile to Sophos Mobile App Group
  4. Review the "Edit app group" page to verify the app information, and then click Save.

    Duo Mobile in Sophos Mobile App Group

Configure Sophos Task Bundle

For more information about Sophos Task Bundles please visit the Sophos Mobile on Premise documentation or the Sophos Mobile documentation.

  1. In the Sophos Mobile Management dashboard, navigate to Configure > Task Bundles > iOS & iPadOS.

  2. Click Create to create a new task bundle, or select an existing bundle to which you'll add the Duo task.

  3. On the "Edit task bundle" page, give the new task bundle a name and enable the Selectable for compliance actions option by checking the box.

  4. Click Add task and select Install app from the options.

  5. Give the new task a descriptive name, like "Install Duo Mobile app", and then search for and select Duo Mobile.

    Duo Mobile in Sophos Mobile App Group
  6. Click Apply to add the new task to the bundle, and then click Save to save the change to the task bundle.

Configure Sophos Compliance Policy

For more information about the Sophos Compliance Policies please visit the Sophos Mobile on Premise documentation or the Sophos Mobile documentation.

  1. In the Sophos Mobile Management dashboard, navigate to Configure > Compliance policies.

  2. Click Create compliance policy to create a new compliance policy, or select an existing policy to edit for Duo. If you're creating a new policy, select Default Template from the drop-down options.

    New Sophos Mobile Compliance Policy
  3. Give the new policy a name, and click the iOS & iPadOS tab.

  4. Locate the Mandatory apps rule in the list, and use the drop-down to select the app group you created or updated to add Duo Mobile.

  5. Set the Transfer task bundle in the "Mandatory apps" row to the task bundle you configured to install Duo Mobile.

  6. If you created a new policy, disable the Enable platform option on each of the operating system tabs other than the "iOS & iPadOS" tab. Click Save.

    Sophos Mobile iOS and iPadOS Compliance Policy

Apply Sophos Compliance Policy to Device Groups

For more information about applying Sophos compliance policies to device groups please visit the Sophos Mobile on Premise documentation or the Sophos Mobile documentation.

  1. In the Sophos Mobile Management dashboard, navigate to Manage > Device Groups.

  2. Click Create to create a new device group, or select an existing group to which you'll apply the Duo compliance policy.

    Sophos Mobile New Device Group
  3. Select the compliance policy you created or modified earlier for Duo Mobile from the drop-down for both Corporate devices and Personal devices.

    Select Duo Mobile Compliance Policies in Sophos Mobile
  4. Click Save.

iOS Certificate Configuration

End of Life Information

New Sophos certificate deployment management integrations may no longer be created as of October 2021. Consider migrating your certificate-based iOS Sophos integration to Sophos Mobile with App Config. See the Duo Knowledge Base article Guide to updating Trusted Endpoints iOS integrations from certificates to AppConfig for more information about migrating your iOS certificate-based management integrations to App Config.

These instructions remain available for customers who created these integrations before October 2021 and may need to reconfigure them. Duo continues to support existing Sophos iOS certificate deployments and will do so until the integration reaches end-of-life status in a future update.

Duo verifies the trusted status of iOS devices by checking for the presence of a Duo device certificate. You'll use Sophos Mobile to push the Duo CA information to your mobile devices so they can obtain a Duo certificate.

Create the Sophos Mobile Integration

  1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints.
  2. If this is your first management integration, click the Get started button at the bottom of the Trusted Endpoints introduction page. If you're adding another management integration, click the Add Integration button you see at the top of the page instead.
  3. On the "Add Management Tools Integration" page, locate Sophos Mobile in the list of "Device Management Tools" and click the Add this integration selector.
  4. Choose Certs for iOS from the "Legacy" options, and then click the Add button.

The new Sophos Mobile integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Keep the Duo Admin Panel open in your browser. You'll need to refer back to the Sophos Mobile management integration page to complete the iOS configuration steps.

Modify Firewall Rules for Duo

If using an on-premises installation of Sophos Mobile you may need to modify your firewall rules so that Sophos Mobile can communicate with Duo's service.

Use the IP ranges shown on the "Sophos Mobile - iOS Configuration Instructions" management integration page in the Duo Admin Panel when updating your firewall rules and verifying connectivity.
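The two "Modify Firewall Rules for Duo" sections above (Android and legacy iOS certificate) both leave the actual verification to you. The following is an added example, not part of Duo's or Sophos' documentation, of an egress check to run from an on-premises Sophos Mobile server before clicking Test Configuration: it resolves the Duo service hostnames, confirms every resolved address falls inside the IP ranges shown on the integration page, and attempts a TCP/443 connect to each. The hostname and CIDR values in the block are placeholders (RFC 5737 documentation ranges); substitute the real values from the "Configuration Instructions" tab in the Duo Admin Panel.

```python
"""Egress check for an on-premises Sophos Mobile server: do the Duo service
hosts resolve into the allowed IP ranges, and is TCP/443 to them reachable
through the firewall? Added example, not Duo's or Sophos' own tooling."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# Placeholders only (assumption for illustration): copy the real hostnames and
# IP ranges from the "Configuration Instructions" tab of your Sophos Mobile
# integration in the Duo Admin Panel.
DUO_HOSTS = ["api-xxxxxxxx.duosecurity.com"]           # hypothetical hostname
DUO_RANGES = ["198.51.100.0/24", "203.0.113.0/24"]      # RFC 5737 ranges, not Duo's


def addr_in_ranges(ip: str, ranges: Iterable[str]) -> bool:
    """True if ip lies inside any of the CIDR ranges (v4 and v6 handled)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def resolve(host: str) -> List[str]:
    """Resolve host to its unique IP addresses (IPv4 and IPv6)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_tcp(ip: str, port: int = 443, timeout: float = 3.0) -> bool:
    """Attempt a TCP connect; True on success, False on refusal or timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def verify_egress(hosts: Iterable[str], ranges: Iterable[str], port: int = 443,
                  timeout: float = 3.0,
                  resolver: Callable[[str], List[str]] = resolve) -> Dict[str, dict]:
    """Per host: resolved addresses, whether each is inside the allowed ranges,
    and whether the TCP connect succeeded. The resolver is injectable so the
    check can be exercised offline against a local listener."""
    report: Dict[str, dict] = {}
    ranges = list(ranges)
    for host in hosts:
        try:
            addrs = resolver(host)
        except OSError as exc:
            report[host] = {"error": f"DNS failure: {exc}", "addresses": []}
            continue
        report[host] = {
            "addresses": [
                {"ip": ip,
                 "in_range": addr_in_ranges(ip, ranges),
                 "reachable": check_tcp(ip, port, timeout)}
                for ip in addrs
            ]
        }
    return report


def all_ok(report: Dict[str, dict]) -> bool:
    """True only if every host resolved and every address is in range and reachable.
    An address outside the published ranges is a finding even if it is reachable:
    the firewall rule would then be too narrow or DNS is answering unexpectedly."""
    return all(
        "error" not in r and bool(r["addresses"])
        and all(a["in_range"] and a["reachable"] for a in r["addresses"])
        for r in report.values()
    )


if __name__ == "__main__":
    rep = verify_egress(DUO_HOSTS, DUO_RANGES)
    for host, r in rep.items():
        print(host, r)
    print("OK" if all_ok(rep) else "FAILED: fix firewall or DNS before running Test Configuration")
```

Run it as the same OS user the Sophos Mobile service runs under, since per-user proxy settings or SELinux contexts can make a root shell succeed where the service fails.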

Add the Duo Certificate Authority

  1. Log on to Sophos Mobile Admin and navigate to Setup > System Setup > Duo Security.

  2. Enter the User and Password from the SCEP information on the Sophos Mobile management integration page in the Duo Admin Panel into Sophos Mobile. Do not modify the "SCEP server URL" or "Challenge URL" from the preconfigured values.

    Add Duo CA

Add a Device Profile

  1. Navigate to Profiles, policies > iOS and click Create > Device profile in Sophos Mobile Admin.

  2. Enter a Name, Organization, and Description for the new profile on the "Edit profile" page.

  3. Click Add configuration and scroll down the page until you locate Duo device certificate. Select it, and then click Next.

  4. Enter a CA name and click Apply. This returns you to the "Edit profile" page.

  5. Click Save to finish and return to the

    Create Duo Device Profile

Deploy a Device Profile to iOS Devices

  1. Navigate to Profiles, policies > iOS in Sophos Mobile Admin.

  2. Locate the Duo device profile you created earlier in the list, click the down arrow next to the name to expose additional options, and click on Show.

  3. Click Transfer on the "Show Profile" page.

  4. Select the iOS devices or device groups to which you'd like to apply the Duo certificate profile and click Next.

  5. Choose whether you want to execute the policy assignment now or at a future date or time, and then click Finish.

You can monitor the profile's installation status on the selected iOS devices from the "Tasks" page.

At this point the configured integration is disabled and applies to no users until you finish your deployment.

Finish Trusted Endpoints Deployment

Once your Sophos Mobile managed devices receive the Duo config you can set the Trusted Endpoints policy to start checking for managed device status as users authenticate to Duo-protected services and applications.

When your trusted endpoints policy is applied to your Duo applications, return to the Sophos Mobile trusted endpoint management integration in the Admin Panel. The "Change Integration Status" section of the page shows the current integration status (disabled by default after creation). You can choose to either activate this management integration only for members of a specified test group or groups, or activate for all users. If you created more than one Sophos Mobile integration, you must activate each one individually.

Enable Trusted Endpoints Management Integration

Duo Premier and Duo Advantage plans: The Device Insight and Endpoints pages in the Duo Admin Panel show which access devices are trusted/managed.

Verify Your Setup

Users with Duo Mobile installed and activated for Duo Push on Android and iOS devices see a device trust dialog when authenticating to a protected resource via the Duo Prompt.

iOS Trusted Endpoint Inline Verification - Step 1

Duo uses the API access you granted in Sophos or the app policy configuration to perform a permissions check to verify device information.

iOS Trusted Endpoint Verification - Step 2

If Duo successfully verifies the device information, then the user receives a login request on their phone. Approving the request grants access to the protected application. The "Second Factor" logged for these approvals is shown as "Duo Mobile Inline Auth" in the Duo authentication log.

iOS Trusted Endpoint Verification - Step 3

On Android devices, approving the request grants access and returns the user to the protected application. On iOS devices, after approving the Duo authentication request users tap the top-left of the Duo Mobile app to return to the application and complete login.

iOS Trusted Endpoint Verification - Step 3

If the user does not have Duo Mobile activated for push, or does not approve the Duo request before it times out, the user returns to the Duo Prompt, where they may select from the available factors to complete 2FA.

With the legacy iOS certificate configuration, iOS users will see a prompt asking them to choose a certificate when authenticating to a protected resource via the Duo prompt. After selecting the Duo Device Authentication certificate and completing authentication, subsequent Duo authentications from the same device will automatically use that same certificate for verification.
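Before moving the Trusted Endpoints policy from monitoring to blocking, you will want to know which applications are still reached from devices Duo does not recognize as managed, and which users would be locked out. The script below is an added example, not Duo's code or API client: it reviews exported authentication records and reports per-application trust coverage plus the successful logins to sensitive applications that came from devices not positively trusted. The record layout (`result`, `user.name`, `application.name`, `access_device.os`, `trusted_endpoint_status`) is an assumption modeled on Duo's v2 authentication log export, and the sample records are constructed, not taken from a real tenant; adapt the field names to whatever your export actually contains.

```python
"""Trusted-endpoint coverage review over exported authentication records.
Added example; record layout is assumed, sample data is constructed."""
import json
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample, one JSON record per line (not real Duo data).
SAMPLE_LOG = """\
{"timestamp": 1686900000, "result": "success", "user": {"name": "alice"}, "application": {"name": "VPN"}, "access_device": {"os": "iOS"}, "trusted_endpoint_status": "trusted"}
{"timestamp": 1686900060, "result": "success", "user": {"name": "bob"}, "application": {"name": "VPN"}, "access_device": {"os": "Android"}, "trusted_endpoint_status": "not trusted"}
{"timestamp": 1686900120, "result": "denied", "user": {"name": "carol"}, "application": {"name": "HR Portal"}, "access_device": {"os": "iOS"}, "trusted_endpoint_status": "unknown"}
{"timestamp": 1686900180, "result": "success", "user": {"name": "bob"}, "application": {"name": "HR Portal"}, "access_device": {"os": "Android"}, "trusted_endpoint_status": "not trusted"}
"""


def parse_records(text: str) -> List[dict]:
    """Parse JSON-lines; skip blank or malformed lines instead of aborting the review."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def trust_status(rec: dict) -> str:
    """Normalize the status. A missing or unexpected value is 'unknown', never
    'trusted': fail closed when the export does not say the device was verified."""
    status = str(rec.get("trusted_endpoint_status", "unknown")).lower()
    return status if status in ("trusted", "not trusted", "unknown") else "unknown"


def coverage_by_app(records: Iterable[dict]) -> Dict[str, Counter]:
    """Count successful logins per application, split by trust status."""
    cov: Dict[str, Counter] = defaultdict(Counter)
    for rec in records:
        if rec.get("result") != "success":
            continue
        app = rec.get("application", {}).get("name", "?")
        cov[app][trust_status(rec)] += 1
    return dict(cov)


def untrusted_success(records: Iterable[dict],
                      sensitive_apps: Set[str]) -> List[Tuple[str, str, str]]:
    """(user, app, os) for successful logins to sensitive apps from devices that
    were not positively trusted: the population that a blocking policy would cut off."""
    hits = []
    for rec in records:
        app = rec.get("application", {}).get("name", "?")
        if (rec.get("result") == "success" and app in sensitive_apps
                and trust_status(rec) != "trusted"):
            hits.append((rec.get("user", {}).get("name", "?"), app,
                         rec.get("access_device", {}).get("os", "?")))
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for app, counts in coverage_by_app(recs).items():
        print(app, dict(counts))
    for user, app, os_name in untrusted_success(recs, {"VPN", "HR Portal"}):
        print(f"would be blocked: {user} -> {app} from {os_name}")
```

Treat an empty "not trusted" column as a prerequisite for enforcement on that application, and look at the "unknown" column separately: those are usually devices without Duo Mobile activated for push, which the inline verification above cannot evaluate at all.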

Removing the Sophos Mobile Management Integration

Deleting a trusted endpoints management tool integration from the Duo Admin Panel immediately invalidates issued Duo device authentication certificates. Be sure to unassign your trusted endpoints policy from all applications or remove the "Trusted Endpoints" configuration item from your global policy before deleting an existing Sophos Mobile integration from "Trusted Endpoints Configuration". You should also disable your Duo admin user in Sophos Mobile.

Leaving the policy settings in place after deleting a management tools integration may inadvertently block user access to applications.

Troubleshooting

Need some help? Take a look at our Trusted Endpoints Knowledge Base articles or Community discussions. For further assistance, contact Support.