Secure Access Module

Views:

Deploy the Secure Access Module to supported endpoints or mobile devices and manage the deployment status in the Trend Vision One console.

Before deploying the Secure Access Module, install the endpoint agent on target endpoints or the Mobile Agent on target mobile devices. The Secure Access Module functions as a separate app on endpoints and a feature of the Mobile Agent on mobile devices.

The Secure Access Module authenticates users when they sign in and then controls their access to internal apps and the internet based on configured secure access rules. By default, the Secure Access Module authenticates users to both Internet Access and Private Access simultaneously when both solutions are available.

Important

Make sure you have configured SAML single sign-on under Administration → Identity Providers. Trend Vision One works with your SAML-based IAM vendor to authenticate your company's users when they use the Secure Access Module.

The following table outlines the options available on the Secure Access Module screen.

Tab

Description

Endpoints

Displays a list of endpoints in your environment that have the endpoint agent installed.

View endpoint details, including service configuration, connection status, and device posture information if available.
Select endpoints for deployment or removal of the Secure Access Module.
Select endpoints with the Secure Access Module deployed to replace the proxy auto-configuration (PAC) file in use.
To install the endpoint agent on endpoints, click Download the Agent Installer and download the agent installation package based on the endpoint operating system.
To manage Secure Access Module updates, click Module Version Management where you may perform the following actions:
- Choose which Secure Access Module version to update or deploy to endpoints. Available versions are limited to the previous three versions, and newer versions that have already been deployed cannot be downgraded. The latest version is selected by default.
- Select a group of test endpoints to always update to the latest Secure Access Module version in order to ensure compatibility and functionality before wider deployment.
- Specify a time period to pause automatic module updates in order to avoid service disruption. The maximum allowed time period is 18 hours.

Mobile Devices

Displays a list of mobile device groups in your environment that have the Mobile Agent deployed.

Select mobile device groups to enable or disable Secure Access. For more information, see Deploying the Secure Access Module to mobile devices.
To install the Mobile Agent on mobile devices, click Deploy Mobile Agent to go to Mobile Inventory and complete the Mobile Agent deployment process.

Action Required

Displays a list of endpoints that have encountered issues while attempting to deploy, update, or remove the Secure Access Module.

Tip

You may be able to resolve some issues by attempting to deploy or remove the module again, or by updating the endpoints to later operating system versions. For other issues, contact your support provider.

Global Settings

Require an additional authentication for users to connect to Private Access while both Private Access and Internet Access solutions are enabled. Only supported for Secure Access Module versions later than 2.8.1369 (Windows) or 2.8.615 (macOS).

Tip

By default, users connect to both Internet Access and Private Access when signing in to the Secure Access Module. Requiring an additional authentication to Private Access ensures that Private Access is available only on demand.

Configure the authentication method for the Secure Access Module.

Important

Browser-based authentication only supports Microsoft Entra ID, Okta, and Duo for SAML single sign-on (SSO) authentication. Using an unsupported identity provider automatically switches the authentication method to module-based authentication.

Select how the Secure Access Module sends traffic from user devices for Internet Access.
- Windows service modes include:
  - Adaptive mode (Default): Allows the Secure Access Module to switch between supported modes based on network conditions
  - Localhost proxy: Forces all Internet Access traffic to go to the local host
  - TUN (Wintun): Allows for greater traffic throughput than the TUN (TAP-Windows) service mode.
  - TUN (TAP-Windows): Provides a functional Internet Access service mode for devices that have compatibility issues with both the Wintun virtual adapter and the localhost proxy
- macOS service modes include:
  - Tunnel (VPN): Sends traffic through the VPN configured on the device
    
    Note
    
    The Tunnel (VPN) mode for macOS requires users to allow VPN configurations on their devices.

Important

Tip

Tip

Important

Note