Specify security-related criteria to check the security posture of devices.

Procedure

  1. On the Secure Access Resources screen, click the Device Posture Profiles tab and then click Add.
    The Add Device Posture Profile screen appears.
  2. Specify a unique name and a description for the profile.
  3. Go to the tab for the operating system you want the profile to check. Then select the corresponding setting.
    • For Windows, select Check Windows devices.
    • For macOS, select Check macOS devices.
    • For Android, select Check Android devices.
    • For iOS, select Check iOS devices.
  4. For devices with Windows or macOS, specify the following criteria. Each criterion is listed with its description.

    The device is running one of the specified OS versions
      Check whether the device is running a required operating system version.
      If the option is enabled, select or specify a minimum version number for the corresponding operating system. For example, Redstone 5 or 11.0.22000.376 for Windows, 10.15 or 10.15.1 for macOS.
      Note
      For macOS, only 10.15 and above are supported.
      A device running the specified version or a later one passes the check.

    The company CA certificate is present in the Trust Store
      Check that your organization's CA certificate is present in the device's Trust Store.
      Specify the Certificate common name and Certificate thumbprint.
      For Windows, specify the Certificate location on the endpoint. For more information, see Getting the certificate location using PowerShell.

    The client certificate is signed by company's CA
      Check that the client certificate on the device is signed by your organization's CA certificate.
      Specify the Issuer common name and Issuer certificate thumbprint.
      For Windows, specify the Certificate location on the endpoint. For more information, see Getting the certificate location using PowerShell.

    The specified file is present on the device
      Check that the specified file is present on the device at the specified file path.
      For Windows, specify the full path including the drive letter, file name, and file extension. For example, C:\Program Files (x86)\Example\example.txt
      For macOS, specify the full path including the file name and file extension. For example, /Users/ExampleUser/Desktop/Example/example.txt

    Firewall is turned on for the connected network
      Check whether the firewall is on for the network profile the device is currently connected to, that is, the public, private, or domain network profile.

    Vulnerability Assessment is enabled
      Check whether Vulnerability Assessment is enabled on the device.
      This criterion requires that you enable Vulnerability Assessment on the target endpoints in the Security Policies app. For more information, see Endpoint Policies.
      Important
      • This option is supported on Windows only.
      • This feature is temporarily in testing. Until testing is complete, whether Vulnerability Assessment is enabled or disabled does not affect the device posture profile: devices with Vulnerability Assessment disabled may still match this profile.
      If this option is enabled, optionally configure the following settings:
      • Global exploit activity of detected vulnerabilities: Select to check whether the global exploit activity level of the vulnerabilities detected on the device meets the specified threshold.
      • Specified vulnerabilities not detected: Select to check that none of the specified vulnerabilities are detected on the device.
        Type one or more vulnerability IDs in the text box. Example of a vulnerability ID: CVE-2020-1472
      For more information about at-risk vulnerabilities, see Vulnerabilities in the Operations Dashboard app.

    Antivirus software from one of the specified vendors is installed/running
      Check whether antivirus software from any of the specified vendors is installed or running on the device.
      If the option is enabled, type the vendor names in the text box and press Enter.
      For the list of supported vendors, see List of supported vendors.
      Note
      For Windows, Zero Trust Secure Access checks the installation status of antivirus software on Windows Server, and the running status of antivirus software on Windows Desktop.
      For macOS, Zero Trust Secure Access checks the running status of Trend Micro antivirus software, and the installation status of antivirus software from other vendors.

    An EDR solution from one of the specified vendors is running
      Check whether an EDR solution from any of the specified vendors is running on the device.
      If the option is enabled, type the vendor names in the text box and press Enter.
      For the list of supported vendors, see List of supported vendors.

    The device has joined your domain
      Check whether the device has joined your organization's domain.
      If the option is enabled, specify one or more domains owned by your organization for the posture validation check.

    Screen lock is enabled
      Check whether the screen lock is enabled on the device.

    (For Windows) Full disk encryption with BitLocker is turned on
    (For macOS) FileVault is turned on
      Check whether disk encryption is enabled on the device.
  5. Click Save.
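Before enforcing a new profile, it is useful to confirm on a pilot Windows endpoint that the device would actually pass the criteria you configured, since a profile that unexpectedly fails locks users out of resources. The following PowerShell script is an added example, not part of the Zero Trust Secure Access documentation or product; it evaluates the Windows criteria from the table above (OS version, company CA in the Trust Store, client certificate chaining to that CA, required file, firewall profile, antivirus, domain join, BitLocker) using only built-in cmdlets and registry keys. The thumbprint, CA name, file path, domain and vendor values are placeholders to replace with your own, and the minimum build is compared against the version Windows itself reports (10.0.x for Windows 11), which differs from the 11.0.x form shown in the profile UI. Run it in an elevated session; the BitLocker and firewall queries need administrator rights.

```powershell
# Added example: local pre-flight check for Device Posture Profile criteria on Windows.
# Not the product's own logic. All values in param() are placeholders (assumptions).
param(
    [version] $MinimumBuild   = '10.0.22000.376',                 # Windows 11 22000.376 as the OS reports it
    [string]  $CaThumbprint   = 'A1B2C3D4E5F60718293A4B5C6D7E8F9012345678',  # placeholder SHA-1 thumbprint
    [string]  $CaCommonName   = 'Example Corp Root CA',                         # placeholder CN
    [string]  $RequiredFile   = 'C:\Program Files (x86)\Example\example.txt',
    [string[]]$AllowedDomains = @('corp.example.com'),                          # placeholder domain
    [string[]]$AvVendors      = @('Trend Micro')
)

$results = [ordered]@{}

# 1. OS version. Win32_OperatingSystem.Version omits the revision (UBR), so read it from the
#    registry to get a four-part version comparable to the minimum the profile expects.
$os  = Get-CimInstance Win32_OperatingSystem
$ubr = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
$results['OS version >= minimum'] = ([version]"$($os.Version).$ubr") -ge $MinimumBuild

# 2. Company CA in the machine Trust Store. Match the thumbprint, not the subject string:
#    a subject is trivially copied into a rogue certificate, the thumbprint is not.
$rootCa = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $CaThumbprint | Select-Object -First 1
$cnType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$results['Company CA in Trust Store'] = ($null -ne $rootCa) -and ($rootCa.GetNameInfo($cnType, $false) -eq $CaCommonName)

# 3. A client certificate whose chain terminates at that CA. The Issuer DN alone proves nothing;
#    build the chain offline (no revocation lookups) and compare the root's thumbprint.
$signedByCa = $false
foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if ($chain.Build($cert)) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        if ($root.Thumbprint -eq $CaThumbprint) { $signedByCa = $true; break }
    }
}
$results['Client cert signed by company CA'] = $signedByCa

# 4. Required file. -LiteralPath stops brackets in paths being read as wildcards.
$results['Required file present'] = Test-Path -LiteralPath $RequiredFile -PathType Leaf

# 5. Firewall on for the profile(s) of the connected network(s).
#    NetworkCategory is Public, Private or DomainAuthenticated; map the last one to 'Domain'.
$activeProfiles = Get-NetConnectionProfile | ForEach-Object {
    if ($_.NetworkCategory -eq 'DomainAuthenticated') { 'Domain' } else { [string]$_.NetworkCategory }
} | Sort-Object -Unique
$fwOk = ($activeProfiles.Count -gt 0)
foreach ($p in $activeProfiles) {
    if ((Get-NetFirewallProfile -Name $p).Enabled -ne 'True') { $fwOk = $false }
}
$results['Firewall on for connected network'] = $fwOk

# 6. Antivirus. Windows Desktop exposes products via Security Center; bit 12 of productState
#    (0x1000) is the widely used, undocumented "real-time protection on" flag. The namespace
#    does not exist on Windows Server, so fall back to "installed" semantics there, as the table states.
$avOk = $false
try {
    $products = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction Stop
    foreach ($av in $products) {
        $vendorMatch = $AvVendors | Where-Object { $av.displayName -like "*$_*" }
        if ($vendorMatch -and (($av.productState -band 0x1000) -ne 0)) { $avOk = $true }
    }
} catch {
    $installed = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' |
                 Select-Object -ExpandProperty DisplayName -ErrorAction SilentlyContinue
    $avOk = [bool]($installed | Where-Object { $name = $_; $AvVendors | Where-Object { $name -like "*$_*" } })
}
$results['Antivirus from allowed vendor running/installed'] = $avOk

# 7. Domain join. PartOfDomain is false for workgroup and cloud-only joined devices.
$cs = Get-CimInstance Win32_ComputerSystem
$results['Joined to allowed domain'] = $cs.PartOfDomain -and ($AllowedDomains -contains $cs.Domain)

# 8. BitLocker on the system drive. Test ProtectionStatus rather than VolumeStatus: a fully
#    encrypted volume with suspended protectors reports 'Off' and should fail the check.
try {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $results['BitLocker protection on'] = ($vol.ProtectionStatus -eq 'On')
} catch {
    $results['BitLocker protection on'] = $false   # BitLocker module missing or session not elevated
}

$results.GetEnumerator() | ForEach-Object {
    '{0,-48} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
```

A FAIL on the certificate checks is the usual surprise: the profile looks in the location you specify, so a CA that was imported into the current user's store rather than LocalMachine\Root, or a client certificate whose issuing intermediate is missing so the chain cannot be built, will fail even though the certificate "is there". Screen lock, EDR and Vulnerability Assessment are deliberately left out, since how the agent evaluates them is not described on this page.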