Duo Trusted Endpoints - Workspace ONE Managed Device Deployment

Last Updated: August 11th, 2022

Certificate-based Trusted Endpoint verification for Workspace ONE/AirWatch will reach end-of-life in a future release. Migrate existing iOS Certificate Configuration management integrations to iOS with App Config Configuration. Learn more about the end-of-life timeline and migration options in the Duo Trusted Endpoints Certificate Migration Guide.

Overview

Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo protected services. When a user authenticates via the Duo Prompt, we'll check for the access device's management status. You can monitor access to your applications from managed and unmanaged devices, and optionally block access from devices not managed by your organization.

Trusted Endpoints is part of the Duo Beyond plan.

Before enabling the Trusted Endpoints policy on your applications, you'll need to deploy the Duo device certificate or REST API access for Duo to your managed mobile devices, or deploy Duo Device Health to Windows and macOS managed systems and sync identifiers for those systems from Workspace ONE into Duo.

This guide walks you through Workspace ONE configuration for Windows and macOS endpoint clients and Android and iOS mobile devices.

Requirements

  • Access to the Duo Admin Panel as an administrator with the Owner, Administrator, or Application Manager administrative roles.
  • Access to the Workspace ONE Console as an administrator with the rights to create roles, accounts, and device profiles.
  • Directory Services enabled within the Workspace ONE Console with an account in the directory that will be used as an Admin Account within Workspace ONE.

Create a Duo Admin and API Key in Workspace ONE

Create a read-only API user and role and an API key in Workspace ONE for Duo to obtain managed endpoint information. Duo will use this account to synchronize your Windows device identifiers from Workspace ONE. The imported identifiers will be used to determine device trust when Windows devices access your protected applications.

You only need to do this once, and can then use the same Duo admin credentials and API key for each Workspace ONE management integration you configure in Duo, even if they are for different device operating systems.

Create an API Role for Duo

  1. Log in to the Workspace ONE console as an administrator and go to Accounts > Administrators > Roles.

  2. Click the Add Role button. Enter Duo API Role as the Name and add a Description for the new role on the "Create Role" page.

  3. Click on the "API" category on the left and then locate REST - Devices - REST APIs for device management in the API category list. Check the box in the "Read" column to grant the new Duo API role read access to devices. Click Save to create the role.

    Create Duo API Role

Create a Duo Admin Account

Determine whether you plan to create an admin for Duo using an account synced from an external directory or a "Basic" (local) account before you begin.

We recommend using a directory account over a "Basic" account because Workspace ONE enforces password expiration for "Basic" user types every 30 days. While the password is expired, your Trusted Endpoint Integration with Workspace ONE will not work, and you will need to reset the password to restore functionality.

Use of a directory account is not subject to the 30-day password expiration.

  1. Navigate to Accounts > Administrators > List View in the Workspace ONE console.

  2. Click the Add button and choose Add Admin on the pop-up menu.

  3. Enter the following information on the "Basic" tab form:

    User Type Directory
    Domain Select the correct domain from the drop-down if not already selected.
    Username Search for an account in your directory to use.
    First Name and Last Name Enter a first and last name for the Duo admin user (e.g. "Duo" "Admin").
    Email Address Enter an email address for the Duo admin user.
    Time Zone Select your time zone.
    Locale Select your language/region.
    Initial Landing Page Leave as the default option.

    Do not make any changes to the "Two-factor Authentication Method" or "Notification" options.

    New Duo Admin - Basic Tab

    If you do not have your Directory synced with Workspace ONE, then you may create a new admin with the "User Type" set to Basic and a specified username and password. Please be aware that Workspace ONE enforces password expiration for "Basic" user types every 30 days.

  4. Click the "Roles" tab then click the Add Role button. Choose your Organization Group from the list presented. Locate and select the "Duo API Role" read-only role you created earlier in the Role list. Click the checkbox at the far left to enable the Duo role for the Duo admin user.

    New Duo Admin - Role Tab
  5. Click the "API" tab and ensure that you select the User Credentials option.

    New Duo Admin - API Tab
  6. Click Save to create the Duo admin user.

Create the Duo REST API Key

  1. Navigate to Groups & Settings > All Settings > System > Advanced > API > Rest API in the Workspace ONE console.

  2. Click Add to generate a new REST API key. This appends a new row in the existing API keys table.

  3. Click into the blank Service field for the newly-generated API key to type in a service name for this API key (like "Duo API"). You can also enter additional identifying information in the Description field.

  4. Leave the "Account Type" set to Admin and click Save.

    New Duo API key

Windows Configuration

This integration relies on having the Duo Device Health app present on your Workspace ONE-managed Windows endpoints. When users authenticate to applications protected with Duo's browser-based prompt, Duo matches the device identifiers reported by the Device Health app with managed device information obtained from Workspace ONE in a nightly sync via read-only API access (note this sync can't be manually initiated or rescheduled at this time).

Prerequisites

Create the Workspace ONE with Device Health Integration

  1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints.
  2. If this is your first management integration, click the Configure Management Tools Integration button at the bottom of the page. If you're adding another management integration, click the Add Integration button you see instead.
  3. On the "Add Management Tools Integration" page, locate Workspace ONE in the listed integrations and click the Add this integration selector.
  4. Choose Windows from the "Recommended" options, and then click the Add button.

The new Workspace ONE with Device Health integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Keep the Duo Admin Panel open in your browser. You'll need to refer back to the Workspace ONE with Device Health management integration page to complete the configuration steps.

Enter Workspace ONE Info in Duo

  1. Return to your Workspace ONE Windows management integration page in the Duo Admin Panel if you navigated away.

  2. Enter the following information into the blank fields under step 4 of the Workspace ONE "Windows Configuration Instructions" section:

    Admin Username Enter the Duo admin username you created in Workspace ONE.
    Admin Password Enter the password for the Duo admin user you created in Workspace ONE.
    API Key Enter the REST API key you created for Duo in Workspace ONE.
    Domain Name Enter your organization's Workspace ONE domain. For example, if you access the Workspace ONE console at https://acmecorp.awmdm.com then you'd enter acmecorp.awmdm.com as the domain name.
  3. Click the Test Configuration button to verify Duo's API access to your Workspace ONE instance. You'll receive a "Configuration Successful!" message if everything's correct. If the test fails, verify that you completed the Workspace ONE configuration steps and entered the right information in the Duo Admin Panel.

  4. After you successfully test your configuration, click the Save & Configure Android Devices button.

At this point the configured integration is disabled and applies to no users until you finish your deployment.
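The Test Configuration step above exercises exactly three things: the Duo admin account's credentials, the REST API key, and the admin's read permission on devices. The following script is an added example (not Duo's or VMware's code) that performs an equivalent pre-flight check from your own workstation, which is useful both before entering the values in Duo and as a periodic check that a "Basic" admin's password has not hit the 30-day expiration described in the account section. It relies on the fact that the Workspace ONE REST API accepts HTTP Basic credentials together with the API key in an aw-tenant-code header; the device search endpoint it calls and the way it interprets each HTTP status are assumptions made for this example, and the endpoint Duo itself calls is not documented on this page. The constructed credentials in the usage block are placeholders.

```python
"""Pre-flight check of the read-only Workspace ONE account created for Duo.

Added example, not Duo or VMware code. The domain, username, password
and API key are the same values the Duo Admin Panel asks for.
"""
import base64
import os
import urllib.error
import urllib.request

# Assumed read-only endpoint for the probe; Duo's own sync endpoint is
# not documented on the page.
DEVICE_SEARCH_PATH = "/API/mdm/devices/search"


def normalize_domain(domain: str) -> str:
    """Return the bare host name Duo expects, e.g. 'acmecorp.awmdm.com'.

    Admins often paste the full console URL; strip any scheme, path or
    trailing slash so only the host name is used.
    """
    host = domain.strip()
    for scheme in ("https://", "http://"):
        if host.lower().startswith(scheme):
            host = host[len(scheme):]
    host = host.split("/", 1)[0]
    if not host or " " in host:
        raise ValueError(f"not a valid Workspace ONE host name: {domain!r}")
    return host


def build_headers(username: str, password: str, api_key: str) -> dict:
    """Headers for an authenticated Workspace ONE REST API request.

    The admin credentials travel as HTTP Basic auth; the REST API key is
    sent in the aw-tenant-code header.
    """
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {
        "Authorization": f"Basic {token}",
        "aw-tenant-code": api_key,
        "Accept": "application/json",
    }


def classify(status: int) -> str:
    """Map the probe's HTTP status to the most likely configuration fault."""
    if status == 200:
        return "ok"
    if status == 401:
        # Wrong username/password, or a 'Basic' admin whose 30-day password
        # has expired; a directory account avoids the expiry.
        return "credentials rejected: check the admin password or its expiry"
    if status == 403:
        # Authenticated, but the Duo API Role lacks REST device read access,
        # or the API key is wrong or disabled.
        return "forbidden: check the Duo API Role read permission and API key"
    return f"unexpected HTTP {status}"


def probe(domain: str, username: str, password: str, api_key: str,
          opener=urllib.request.urlopen) -> str:
    """Issue one read-only device query and classify the outcome."""
    url = f"https://{normalize_domain(domain)}{DEVICE_SEARCH_PATH}?pagesize=1"
    req = urllib.request.Request(url, headers=build_headers(username, password, api_key))
    try:
        with opener(req, timeout=15) as resp:
            return classify(resp.status)
    except urllib.error.HTTPError as exc:
        return classify(exc.code)


if __name__ == "__main__":
    # Constructed placeholder values; supply real ones through the environment.
    result = probe(
        os.environ.get("WS1_DOMAIN", "https://acmecorp.awmdm.com/"),
        os.environ.get("WS1_USER", "duoadmin"),
        os.environ.get("WS1_PASS", "placeholder-password"),
        os.environ.get("WS1_API_KEY", "PLACEHOLDER-API-KEY"),
    )
    print(result)
```

Run it with the four WS1_* environment variables set; an "ok" result means the same credentials should pass Duo's Test Configuration, while the 401 and 403 cases point at the account or the role respectively. Scheduling it daily gives early warning when a "Basic" admin's password expires and the nightly sync silently stops.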

macOS Configuration

This integration relies on having the Duo Device Health app present on your Workspace ONE-managed macOS endpoints. When users authenticate to applications protected with Duo's browser-based prompt, Duo matches the device identifiers reported by the Device Health app with managed device information obtained from Workspace ONE in a nightly sync via read-only API access (note this sync can't be manually initiated or rescheduled at this time).

Prerequisites

Create the Workspace ONE with Device Health Integration

  1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints.
  2. If this is your first management integration, click the Configure Management Tools Integration button at the bottom of the page. If you're adding another management integration, click the Add Integration button you see instead.
  3. On the "Add Management Tools Integration" page, locate Workspace ONE in the listed integrations and click the Add this integration selector.
  4. Choose macOS from the "Recommended" options, and then click the Add button.

The new Workspace ONE with Device Health integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Keep the Duo Admin Panel open in your browser. You'll need to refer back to the Workspace ONE with Device Health management integration page to complete the configuration steps.

Enter Workspace ONE Info in Duo

  1. Return to your Workspace ONE macOS management integration page in the Duo Admin Panel if you navigated away.

  2. Enter the following information into the blank fields under step 4 of the Workspace ONE "Windows Configuration Instructions" section:

    Admin Username Enter the Duo admin username you created in Workspace ONE.
    Admin Password Enter the password for the Duo admin user you created in Workspace ONE.
    API Key Enter the REST API key you created for Duo in Workspace ONE.
    Domain Name Enter your organization's Workspace ONE domain. For example, if you access the Workspace ONE console at https://acmecorp.awmdm.com then you'd enter acmecorp.awmdm.com as the domain name.
  3. Click the Test Configuration button to verify Duo's API access to your Workspace ONE instance. You'll receive a "Configuration Successful!" message if everything's correct. If the test fails, verify that you completed the Workspace ONE configuration steps and entered the right information in the Duo Admin Panel.

  4. After you successfully test your configuration, click the Save & Configure Android Devices button.

At this point the configured integration is disabled and applies to no users until you finish your deployment.

Android Configuration

Duo determines trusted device status on Android devices by leveraging the installed and activated Duo Mobile application on a given device to verify device information. To enable this verification you'll need to grant Duo read-only access to those devices via your Workspace ONE MDM's API access.

Prerequisites

Create the Workspace ONE Integration

  1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints.
  2. If this is your first management integration, click the Configure Management Tools Integration button at the bottom of the page. If you're adding another management integration, click the Add Integration button you see instead.
  3. On the "Add Management Tools Integration" page, locate Workspace ONE in the listed integrations and click the Add this integration selector.
  4. Choose Android from the "Recommended" options, and then click the Add button.

The new Workspace ONE integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Keep the Duo Admin Panel open in your browser. You'll need to refer back to the Workspace ONE management integration page to complete the Android configuration steps.

Configure Duo Mobile Distribution

  1. Log on to the Workspace ONE console as an administrator. Click the Add drop down at the top of the page, then click Public Application.

  2. On the "Add Application" page, set the "Platform" to Android.

  3. Set the "Source" to SEARCH APP STORE.

  4. Enter Duo Mobile in the "Name" field and click Next to search for it in the Google Play Store.

  5. Click on Duo Mobile in the Google Play Store search results, and then click Approve for the Duo Mobile app.

  6. Configure app options like "Categories" on the "Details" tab if desired. Click SAVE & ASSIGN when done.

  7. Go to the "Assignments" tab for the Duo Mobile app and click Add Assignment.

  8. On the "Duo Mobile - Add Assignment" page, select your desired assignment group or groups.

  9. Go to the "Application Configuration" section. Set it to ENABLED to reveal the Duo Mobile Trusted Endpoints configuration fields.

  10. Locate the "Trusted Endpoint Identifier" managed configuration field and enter {DeviceUid} as the value.

  11. Return to your Workspace ONE Android management integration page in the Duo Admin Panel.

  12. Copy the "Trusted Endpoints Configuration Key" value from the Android Configuration Instructions of your Duo Workspace ONE management integration (it will look similar to DJPO0S0HLJD0ASDHTDD). Paste this into Workspace ONE as the Trusted Endpoints Configuration Key value.

  13. Click Add and then click Save and Publish in Workspace ONE to complete the app publishing process.

Enter Workspace ONE Info in Duo

  1. Return to your Workspace ONE Android management integration page in the Duo Admin Panel.

  2. Enter the following information into the blank fields under step 4 of the Workspace ONE "Android Configuration Instructions" section:

    Admin Username Enter the Duo admin username you created in Workspace ONE.
    Admin Password Enter the password for the Duo admin user you created in Workspace ONE.
    API Key Enter the REST API key you created for Duo in Workspace ONE.
    Domain Name Enter your organization's Workspace ONE domain. For example, if you access the Workspace ONE console at https://acmecorp.awmdm.com then you'd enter acmecorp.awmdm.com as the domain name.
  3. Click the Test Configuration button to verify Duo's API access to your Workspace ONE instance. You'll receive a "Configuration Successful!" message if everything's correct. If the test fails, verify that you completed the Workspace ONE configuration steps and entered the right information in the Duo Admin Panel.

  4. After you successfully test your configuration, click the Save & Configure Android Devices button.

At this point the configured integration is disabled and applies to no users until you finish your deployment.

iOS Configuration

Duo determines trusted device status on iOS devices by leveraging the installed and activated Duo Mobile application on a given device to verify device information. To enable this verification you'll need to grant Duo read-only access to those devices via your Workspace ONE MDM's API access.

Prerequisites

Create the Workspace ONE with App Config Integration

  1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints.
  2. If this is your first management integration, click the Configure Management Tools Integration button at the bottom of the page. If you're adding another management integration, click the Add Integration button you see instead.
  3. On the "Add Management Tools Integration" page, locate Workspace ONE in the listed integrations and click the Add this integration selector.
  4. Choose iOS from the "Recommended" options, and then click the Add button.

The new Workspace ONE with App Config integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Keep the Duo Admin Panel open in your browser. You'll need to refer back to the Workspace ONE with App Config management integration page to complete the configuration steps.

Configure Duo Mobile Distribution

  1. Log on to the Workspace ONE console as an administrator. Click the Add drop down at the top of the page, then click Public Application.

  2. On the "Add Application" page, set the "Platform" to iOS.

  3. Set the "Source" to SEARCH APP STORE.

  4. Enter Duo Mobile in the "Name" field and click Next to search for it in the App Store.

  5. Click on Duo Mobile in the App Store search results, and then click Select for the Duo Mobile app.

  6. Configure app options like "Categories" on the "Details" tab if desired. Click SAVE & ASSIGN when done.

  7. Go to the "Assignments" tab for the Duo Mobile app and click Add Assignment.

  8. On the "Duo Mobile - Add Assignment" page, select your desired assignment group or groups.

  9. Go to the "Application Configuration" section. Set it to ENABLED to reveal the Duo Mobile Trusted Endpoints configuration fields.

  10. Toggle both Managed Access and Send Configuration on.

  11. Under "Send Configuration" click ADD.

  12. Return to your Workspace ONE with App Config management integration page in the Duo Admin Panel.

  13. Copy the Key, Type, and Value of the "Trusted Endpoints Configuration Key" entry from the Duo Workspace ONE with App Config management integration and paste these into Workspace ONE.

  14. Copy the Key, Type, and Value of the "Trusted Endpoints Identifier" entry from the Duo Workspace ONE with App Config management integration and paste these into Workspace ONE as well.

  15. Click Add and then click Save and Publish in Workspace ONE to complete the app publishing process.

Enter Workspace ONE Info in Duo

  1. Return to your Workspace ONE with App Config management integration page in the Duo Admin Panel.

  2. Enter the following information into the "Enter API details" blank fields under step 5 of the Workspace ONE iOS configuration section:

    Admin Username Enter the Duo admin username you created in Workspace ONE.
    Admin Password Enter the password for the Duo admin user you created in Workspace ONE.
    API Key Enter the REST API key you created for Duo in Workspace ONE.
    Domain Name Enter your organization's Workspace ONE domain. For example, if you access the Workspace ONE console at https://acmecorp.awmdm.com then you'd enter acmecorp.awmdm.com as the domain name.
  3. Click the Test Configuration button to verify Duo's API access to your Workspace ONE instance. You'll receive a "Configuration Successful!" message if everything's correct. If the test fails, verify that you completed the Workspace ONE configuration steps and entered the right information in the Duo Admin Panel.

  4. After you successfully test your configuration, click the Save & Configure Android Devices button.

At this point the configured integration is disabled and applies to no users until you finish your deployment.

iOS Certificate Configuration

End of Life Information

New Workspace ONE certificate deployment management integrations may no longer be created as of October 2021. Consider migrating your certificate-based iOS Workspace ONE/AirWatch integration to Workspace ONE with App Config. See the Duo Knowledge Base article Guide to updating Trusted Endpoints iOS integrations from certificates to AppConfig for more information about migrating your iOS certificate-based management integrations to App Config.

These instructions remain available for customers who created these integrations before October 2021 and may need to reconfigure them. Duo continues to support existing Workspace ONE/AirWatch iOS certificate deployments and will do so until the integration reaches end-of-life status in a future update.

Duo verifies the trusted status of iOS devices by checking for the presence of a Duo device certificate. You'll use Workspace ONE to push the Duo CA information to your mobile devices so they can obtain a Duo certificate.

Create the Integration

  1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints.
  2. If this is your first management integration, click the Configure Management Tools Integration button at the bottom of the page. If you're adding another management integration, click the Add Integration button you see instead.
  3. On the "Add Management Tools Integration" page, locate Workspace ONE in the listed integrations and click the Add this integration selector.
  4. Choose Certs for iOS from the "Legacy" options, and then click the Add button.

The new integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Keep the Duo Admin Panel open in your browser. You'll need to refer back to the Workspace ONE management integration page to complete the iOS configuration steps.

Add the Duo Certificate Authority

  1. Log on to the Workspace ONE console as an administrator and navigate to Devices > Certificates > Certificate Authorities.

  2. Click the Add button and enter the Duo Certificate Authority (CA) information from the Workspace ONE management integration page in the Duo Admin Panel as follows:

    Name Enter a descriptive name, like "Duo CA".
    Description Enter additional information about this new Duo CA, if desired.
    Authority Type Microsoft ADCS
    Protocol SCEP
    Version NDES 2008/2012
    SCEP URL Paste in the SCEP URL from the "Add a Certificate Authority" section of the iOS instructions on the Workspace ONE management integration page in the Duo Admin Panel.
    Challenge Type Dynamic
    Challenge Username Paste in the Username from the "Add a Certificate Authority" section of the iOS instructions on the Workspace ONE management integration page in the Duo Admin Panel.
    Challenge Password Paste in the Password from the "Add a Certificate Authority" section of the iOS instructions on the Workspace ONE management integration page in the Duo Admin Panel.
    SCEP Challenge URL Paste in the Challenge URL from the "Add a Certificate Authority" section of the iOS instructions on the Workspace ONE management integration page in the Duo Admin Panel.
    Enable Proxy Disabled

    You do not need to set any advanced options for this CA. Click Save and Add Template after entering all the required information to move to the next steps of adding a new device certificate template.

    Add Duo CA

Add a Device Certificate Template

  1. If you didn't get to the "Certificate Template - Add/Edit" page from the new CA page then navigate to Devices > Certificates > Certificate Authorities > Request Templates and click the Add button.

  2. Enter the Certificate Template information from the Workspace ONE management integration page in the Duo Admin Panel as follows:

    Name Enter a descriptive name, like "Duo CA Template".
    Description Enter additional information about this new certificate template, if desired.
    Certificate Authority Select the Duo CA you added earlier.
    Subject Name Paste in the Subject Name from the "Add a Certificate Template" section of the iOS instructions on the Workspace ONE management integration page in the Duo Admin Panel.
    Private Key Length 2048
    Private Key Type Signing
    Auto Renewal Period (days) 14

    Click Save after entering all the required information.

    Add Duo CA Template

Deploy a Device Profile to iOS Devices

  1. Navigate to Devices > Profiles & Resources > Profiles in the Workspace ONE console.

  2. Click Add and choose Add Profile on the pop-up menu.

  3. Click Apple iOS.

  4. Fill out the General form on the "Add a New Apple iOS Profile" page with the following information:

    Name Enter a descriptive name, like "Duo iOS Profile".
    Description Enter additional information about this new profile, if desired.
    Deployment Type Leave as "Managed".
    Assignment Type Leave as "Auto".
    Allow Removal Change to Never or With Authorization to prevent end users removing the Duo profile from their devices. If you select With Authorization then you'll need to enter an authorization password as well.
    Assigned Groups Select the device groups to which you want to assign the Duo CA profile.

    The remaining options may be left at their default values. You still need to configure SCEP before saving the new iOS profile.

    Add Duo Profile - General Info
  5. Click the SCEP link on the left and then click Configure.

  6. Configure the new SCEP as follows:

    Credential Source Leave as "Defined CA".
    Certificate Authority Select the Duo CA you added earlier.
    Certificate Template Select the Duo CA Template you added earlier.

    Click the Save & Publish button after filling out the General and SCEP information.

    Add Duo Profile - SCEP Info

You can monitor the profile's deployment status under Devices > Profiles & Resources > Profiles.

At this point the configured integration is disabled and applies to no users until you finish your deployment.

Finish Trusted Endpoints Deployment

Once your Workspace ONE managed devices receive the Duo config you can set the Trusted Endpoints policy to start checking for managed device status as users authenticate to Duo-protected services and applications.

When your trusted endpoints policy is applied to your Duo applications, return to the Workspace ONE trusted endpoint management integration in the Admin Panel. The "Change Integration Status" section of the page shows the current integration status (disabled by default after creation). You can choose to either activate this management integration only for members of a specified test group or groups, or activate for all users. If you created more than one Workspace ONE integration, you must activate each one individually.

Enable Trusted Endpoints Management Integration

The Device Insight and Endpoints pages in the Duo Admin Panel show which access devices are trusted/managed.

Verify Your Setup

iOS App Config and Android

Users with Duo Mobile installed and activated for Duo Push on Android and iOS devices see a device trust dialog when authenticating to a protected resource via the Duo Prompt.

iOS Trusted Endpoint Inline Verification - Step 1

Duo uses the API access you granted in Workspace ONE to perform a permissions check to verify device information.

iOS Trusted Endpoint Verification - Step 2

If Duo successfully verifies the device information using the Workspace ONE API access, and the user has Duo Mobile activated for Duo Push, then the user receives a login request on their phone.

iOS Trusted Endpoint Verification - Step 3

On Android devices, approving the request grants access and returns the user to the protected application. On iOS devices, after approving the Duo authentication request users tap the top-left of the Duo Mobile app to return to the application and complete login. The "Second Factor" logged for these approvals is shown as "Duo Mobile Inline Auth" in the Duo authentication log.

iOS Trusted Endpoint Verification - Step 4

If the user does not have Duo Mobile activated for push, or does not approve the Duo request before it times out, the user returns to the Duo Prompt, where they may select from the available factors to complete 2FA.

With the legacy iOS certificate configuration, iOS users will see a prompt asking them to choose a certificate when authenticating to a protected resource via the Duo Prompt. After selecting the Duo Device Authentication certificate and completing authentication, subsequent Duo authentications from the same device will automatically use that same certificate for verification.

Windows with Device Health

When Windows users access Duo-protected resources, the installed Duo Device Health app provides device information to Duo. If the information from the device matches the managed device information synced from Workspace ONE, Duo grants access to the trusted device.

Removing the Workspace ONE Management Integration

Deleting a trusted endpoints management tool integration from the Duo Admin Panel immediately invalidates issued Duo device authentication certificates. Be sure to unassign your trusted endpoints policy from all applications or remove the "Trusted Endpoints" configuration item from your global policy before deleting an existing Workspace ONE integration from "Trusted Endpoints Configuration". You should also disable your Duo admin user in Workspace ONE.

Leaving the policy settings in place after deleting a management tools integration may inadvertently block user access to applications.

Troubleshooting

Need some help? Take a look at our Trusted Endpoints Knowledge Base articles or Community discussions. For further assistance, contact Support.