Trusted Endpoints

Duo's Trusted Endpoints feature lets you define and manage trusted endpoints and grant secure access to your organization's applications with device certificate verification policies.


Duo helps you distinguish between unmanaged endpoints and managed endpoints that access your browser-based applications. The Trusted Endpoints policy tracks whether clients accessing the applications have the Duo device certificate present, or can block access to various applications from systems without the Duo certificate.

At a high level, Duo's certificate-based trusted endpoint verification works like this:

Trusted Endpoints Overview

  1. Duo issues certificates for client authentication to your managed endpoints from our cloud-based public key infrastructure (PKI).
  2. A user logs into a browser-based, Duo-protected application that shows the inline Duo prompt.
  3. Successful primary login to the web application redirects the client to Duo.
  4. Duo's cloud service applies the Trusted Endpoints policy setting to the access attempt.
  5. The Duo prompt checks for the Duo device certificate in the user's personal store. If present, Duo reports the endpoint as trusted.
  6. If the Duo certificate isn't present we report that the endpoint does not have a certificate (and is therefore not a managed endpoint). Application access may be blocked from that device.

Duo's Trusted Endpoints feature is part of the Duo Beyond plan.

Best Practices for Implementing Trusted Endpoints

Most organizations perform a staged deployment of Duo's Trusted Endpoints policy. Beginning to end, your rollout should proceed like this:

  1. Identify an application for testing. Applications must use Duo's inline browser authentication prompt to report managed/unmanaged status.
  2. Identify (or create) a Duo group containing your pilot users. If AD or Azure directory sync manages your users and groups then you need to create the pilot group in your source directory and add the test users first. Then, add that new group to your Duo directory sync configuration and perform a manual sync to import the pilot group to Duo.
  3. Create a new Trusted Endpoints policy that enables detection and reporting of devices without a Duo certificate.
  4. Apply the new policy to the pilot group on the test application and enable the management integration.
  5. Monitor Device Insight and Endpoints in the Duo Admin Panel. As the pilot users receive the Duo certificate their endpoints will start reporting their managed status to Duo.
  6. Start deploying the Duo certificates widely throughout your organization, and expand the Duo Trusted Endpoints policy to all users and applications by adding it to the Global Policy.
  7. Start using the Trusted Endpoints policy to block access to your sensitive applications (optional).

Note that the Duo device certificate is not intended for use as a substitute for successful primary authentication to your protected service or application! This is poor security practice and should not be done under any circumstances.

Duo Device Certificate Deployment

Before you can use the Trusted Endpoints policy for reporting or controlling access to applications, you'll need to distribute the Duo certificate or configuration to your organization's managed devices. We've created guides for these deployment options:

You can use any or all of these deployment options in your environment. In fact, we recommend configuring more than one to ensure that you enroll as many trusted endpoints as possible.

Applying the Trusted Endpoints Policy to Applications and Groups

Create a new policy with the Trusted Endpoints setting. At first, configure the policy to check for management status.

  1. Log on to the Duo Admin Panel as an administrator with the Owner or Administrator admin role.

  2. Navigate to the details page on the application you'll use to pilot the Trusted Endpoints policy.

  3. Click the Apply a policy to groups of users link to assign the new Trusted Endpoints policy to just the pilot group.

  4. Click the Or, create a new Policy link instead of selecting a policy to apply from the drop-down list.
  5. The policy editor launches with an empty policy.
  6. Enter a descriptive Policy Name at the top of the left column, and then click the Trusted Endpoints policy item on the left. Change the selected option to Allow all endpoints.
  7. Click the Create Policy button to save the settings and return to the "Apply a Policy" prompt, with the new Trusted Endpoints policy selected. Start typing in the pilot group's name in the Groups field and select it from the suggested names.
  8. Click the Apply Policy button. The application page shows the new group policy assignment. For more information about creating and applying group policies, see the Policy documentation.

Mobile Trusted Endpoints Policy

Your organization may want to apply different Duo trusted endpoint policies to computer endpoints and mobile devices. For instance, you may want to track the status of application access by unmanaged workstations without blocking access, while at the same time preventing application access from unmanaged mobile endpoints.

Accomplish this by clicking the Enable Custom Options for Mobile Endpoints option within the Trusted Endpoints policy setting to expose the mobile-only selections. Once the mobile options for trusted endpoints have been enabled, Duo uses the accessing browser's user agent string to distinguish between mobile and traditional endpoints and apply the configured policy setting based on the endpoint's platform.

Since the user agent is self-reported by the browser, it's possible to manipulate the user agent string contents from the client side to make it appear as a different browser or operating system to Duo, with the potential effect of bypassing a trusted endpoints policy intended to block access.

Duo generally recommends using the default trusted endpoints policy settings for all types of endpoints to protect against policy bypass due to user agent spoofing.
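If you do enable separate mobile options, one way to look for the user agent manipulation described above is to review authentication records for an uncertified endpoint that was denied as one platform class and then allowed as the other shortly afterwards. The following is an added example, not Duo code: the record fields, the token-based platform heuristic, the 10-minute window and the sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Heuristic platform split on user agent tokens (an assumption, not Duo's classifier).
MOBILE_TOKENS = ("android", "iphone", "ipad", "mobile")
PHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) Mobile/15E148"
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"

def platform_class(user_agent):
    ua = user_agent.lower()
    return "mobile" if any(tok in ua for tok in MOBILE_TOKENS) else "desktop"

def find_platform_flips(events, window=timedelta(minutes=10)):
    """Return (denied, allowed) pairs where an endpoint without the certificate was
    denied as one platform class, then allowed as the other, same user and IP."""
    flips = []
    last_denied = {}  # (user, ip) -> (time, platform class, event) of latest denial
    for rec in sorted(events, key=lambda e: e["ts"]):
        if rec["trusted"]:
            continue  # certificate present: the user agent did not decide the outcome
        key = (rec["user"], rec["ip"])
        ts = datetime.fromisoformat(rec["ts"])
        cls = platform_class(rec["user_agent"])
        if rec["result"] == "denied":
            last_denied[key] = (ts, cls, rec)
        elif key in last_denied:
            d_ts, d_cls, d_rec = last_denied[key]
            if cls != d_cls and ts - d_ts <= window:
                flips.append((d_rec, rec))
    return flips

def make_event(ts, user, ip, ua, trusted, result):
    return {"ts": ts, "user": user, "ip": ip, "user_agent": ua,
            "trusted": trusted, "result": result}

# Constructed sample records; field names are hypothetical, not Duo's log schema.
SAMPLE_EVENTS = [
    make_event("2024-05-01T09:00:00", "alice", "198.51.100.7", PHONE_UA, False, "denied"),
    make_event("2024-05-01T09:03:00", "alice", "198.51.100.7", DESKTOP_UA, False, "allowed"),
    make_event("2024-05-01T09:10:00", "bob", "198.51.100.8", DESKTOP_UA, False, "allowed"),
    make_event("2024-05-01T09:00:00", "carol", "198.51.100.9", PHONE_UA, False, "denied"),
    make_event("2024-05-01T11:00:00", "carol", "198.51.100.9", DESKTOP_UA, False, "allowed"),
    make_event("2024-05-01T09:20:00", "dave", "198.51.100.10", PHONE_UA, False, "denied"),
    make_event("2024-05-01T09:22:00", "dave", "198.51.100.10", DESKTOP_UA, True, "allowed"),
]

if __name__ == "__main__":
    for denied, allowed in find_platform_flips(SAMPLE_EVENTS):
        print(denied["user"], denied["ip"], denied["ts"], "->", allowed["ts"])
```

A flagged pair is a lead for review, not proof of spoofing: a user may legitimately switch from a phone to a workstation behind the same address.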

Monitoring Trusted Endpoints

As users access the application that has the Trusted Endpoints policy, they see no difference in the Duo Prompt when authenticating but Duo notes whether the devices used are managed or not. When you view these endpoints in the Admin Panel (from the Endpoints page, from the details page for that device, or from an individual user's details page), the "Trusted Endpoint" column shows the device certificate status: "Yes" if the endpoint passed Duo's managed system check, or "No" if it did not. "Unknown" status in the Trusted Endpoint column usually indicates that the endpoint hasn't been used to access the application that has the Trusted Endpoints policy yet.

Expand the Trusted Endpoints Policy Scope

To include more of your users in the Trusted Endpoints pilot, return to the Duo Admin Panel and either add more users to the pilot Duo group or apply the test policy to additional groups from the test application's details page. You can also apply the Trusted Endpoints policy to additional applications.

Add even more users to your testing by switching from applying the Trusted Endpoints policy to specific groups on an application to applying the policy to all users of that application. Click the Apply a policy to all users link on an application's details page and select the Trusted Endpoints policy.

Eventually, you should add the Trusted Endpoints policy to your Duo Global Policy, so that all your browser-based applications default to checking for the Duo device certificate.

Controlling Application Access with the Trusted Endpoints Policy

When the majority of your devices have the Duo certificate and are reporting the certificate status back to Duo, you may wish to block access to your more sensitive applications from unmanaged devices. Accomplish this by applying a policy with the "Trusted Endpoints" policy option set to Block endpoints that do not have a Duo certificate.

Trusted Endpoints Policy to Block Unmanaged Device Access

Users accessing the applications with this policy who do have the Duo device certificate present on their devices continue to see no change in the Duo Prompt when authenticating. However, if the browser does not detect the Duo certificate, then Duo prevents the user from authenticating.

Clicking the "See what is allowed" link in the notification provides the user with some additional clarification about why their device isn't able to access the application.

Don't enable this policy setting before deploying the Duo device certificate to your trusted access devices, or you may inadvertently block users' access to applications.
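One way to check readiness before switching to the block option is to summarize the "Trusted Endpoint" status of the endpoints seen so far and list the users who would lose access. This is an added example, not Duo code: it assumes endpoint records exported with hypothetical `user`, `endpoint` and `trusted` fields (holding the Yes/No/Unknown values from the Trusted Endpoint column), and the 90% coverage threshold is an assumed value.

```python
from collections import defaultdict

def block_impact(records, min_coverage=0.9):
    """Summarize who is affected if the policy switches to blocking.
    'Unknown' endpoints have not hit the policy yet, so they are unverified."""
    per_user = defaultdict(lambda: {"Yes": 0, "No": 0, "Unknown": 0})
    for r in records:
        per_user[r["user"]][r["trusted"]] += 1
    locked_out, partial, unverified = [], [], []
    for user, c in sorted(per_user.items()):
        if c["Yes"] == 0 and c["No"] > 0:
            locked_out.append(user)   # every observed endpoint lacks the certificate
        elif c["Yes"] > 0 and c["No"] > 0:
            partial.append(user)      # some of this user's devices would be blocked
        elif c["Yes"] == 0:
            unverified.append(user)   # only Unknown endpoints: no data yet
    seen = sum(c["Yes"] + c["No"] for c in per_user.values())
    trusted = sum(c["Yes"] for c in per_user.values())
    coverage = trusted / seen if seen else 0.0
    return {"coverage": coverage, "locked_out": locked_out, "partial": partial,
            "unverified": unverified,
            "ready": coverage >= min_coverage and not locked_out}

# Constructed sample export; field names are hypothetical.
SAMPLE_ENDPOINTS = [
    {"user": "alice", "endpoint": "alice-laptop", "trusted": "Yes"},
    {"user": "bob", "endpoint": "bob-laptop", "trusted": "No"},
    {"user": "carol", "endpoint": "carol-laptop", "trusted": "Yes"},
    {"user": "carol", "endpoint": "carol-phone", "trusted": "No"},
    {"user": "dave", "endpoint": "dave-laptop", "trusted": "Unknown"},
]

if __name__ == "__main__":
    report = block_impact(SAMPLE_ENDPOINTS)
    print(f"coverage {report['coverage']:.0%}, ready: {report['ready']}")
    print("would lose all access:", report["locked_out"])
    print("some devices blocked:", report["partial"])
    print("no data yet:", report["unverified"])
```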


Need some help? Take a look at our Trusted Endpoints Knowledge Base articles or Community discussions. For further assistance, contact Support.