
Trusted Endpoints

Duo's Trusted Endpoints feature lets you define and manage trusted endpoints and grant secure access to your organization's applications with device certificate verification policies.

Overview

Duo helps you distinguish between unmanaged endpoints and managed endpoints that access your browser-based applications. The Trusted Endpoints policy tracks whether clients accessing the applications have the Duo device certificate present, or can block access to various applications from systems without the Duo certificate.

At a high level, Duo's certificate-based trusted endpoint verification works like this:

Trusted Endpoints Overview

  1. Duo issues certificates for client authentication to your managed endpoints from our cloud-based public key infrastructure (PKI).
  2. A user logs into a browser-based, Duo-protected application that shows the inline Duo prompt.
  3. Successful primary login to the web application redirects the client to Duo.
  4. Duo's cloud service applies the Trusted Endpoints policy setting to the access attempt.
  5. The Duo prompt checks for the Duo device certificate in the user's personal certificate store. If it is present, Duo reports the endpoint as trusted.
  6. If the Duo certificate isn't present we report that the endpoint does not have a certificate (and is therefore not a managed endpoint). Application access may be blocked from that device.

Duo's Trusted Endpoints feature is part of the Duo Beyond plan.

Best Practices for Implementing Trusted Endpoints

Most organizations perform a staged deployment of Duo's Trusted Endpoints policy. Beginning to end, your rollout should proceed like this:

  1. Identify an application for testing. Applications must use Duo's inline browser authentication prompt to report managed/unmanaged status.
  2. Identify (or create) a Duo group containing your pilot users. If AD or Azure directory sync manages your users and groups then you need to create the pilot group in your source directory and add the test users first. Then, add that new group to your Duo directory sync configuration and perform a manual sync to import the pilot group to Duo.
  3. Create a new Trusted Endpoints policy that enables detection and reporting of devices without a Duo certificate.
  4. Apply the new policy to the pilot group on the test application and enable the management integration.
  5. Monitor Device Insight and Endpoints in the Duo Admin Panel. As the pilot users receive the Duo certificate their endpoints will start reporting their managed status to Duo.
  6. Start deploying the Duo certificates widely throughout your organization, and expand the Duo Trusted Endpoints policy to all users and applications by adding it to the Global Policy.
  7. Start using the Trusted Endpoints policy to block access to your sensitive applications (optional).

Note that the Duo device certificate is not intended for use as a substitute for successful primary authentication to your protected service or application! This is poor security practice and should not be done under any circumstances.

Duo Device Certificate Deployment

Before you can use the Trusted Endpoints policy for reporting or controlling access to applications, you'll need to distribute the Duo certificate or configuration to your organization's managed devices. Duo provides a deployment guide for each of the supported options.

You can use any or all of these deployment options in your environment. In fact, we recommend configuring more than one to ensure that you enroll as many trusted endpoints as possible.

Applying the Trusted Endpoints Policy to Applications and Groups

Create a new policy with the Trusted Endpoints setting. At first, configure the policy to check for management status.

  1. Log on to the Duo Admin Panel as an administrator with the Owner or Administrator admin role.

  2. Navigate to the details page on the application you'll use to pilot the Trusted Endpoints policy.

  3. Click the Apply a policy to groups of users link to assign the new Trusted Endpoints policy to just the pilot group.

    Apply Group Policy

  4. Click the Or, create a new Policy link instead of selecting a policy to apply from the drop-down list.

    Create New Application Policy

  5. The policy editor launches with an empty policy.

    Empty Custom Policy

  6. Enter a descriptive Policy Name at the top of the left column, and then click the Trusted Endpoints policy item on the left. Change the selected option to Allow all endpoints.

    Creating the Trusted Endpoints Policy

  7. Click the Create Policy button to save the settings and return to the "Apply a Policy" prompt, with the new Trusted Endpoints policy selected. Start typing in the pilot group's name in the Groups field and select it from the suggested names.

    Apply the New Trusted Endpoints Group Policy

  8. Click the Apply Policy button. The application page shows the new group policy assignment.

    Applied Trusted Endpoints Group Policy

For more information about creating and applying group policies, see the Policy documentation.

Mobile Trusted Endpoints Policy

Your organization may want to apply different Duo trusted endpoint policies to computer endpoints and mobile devices. For instance, you may want to track the status of application access by unmanaged workstations without blocking access, while at the same time preventing application access from unmanaged mobile endpoints.

Accomplish this by clicking the Enable Custom Options for Mobile Endpoints option within the Trusted Endpoints policy setting to expose the mobile-only selections. Once the mobile options for trusted endpoints have been enabled, Duo uses the accessing browser's user agent string to distinguish between mobile and traditional endpoints and apply the configured policy setting based on the endpoint's platform.

Since the user agent is self-reported by the browser, it's possible to manipulate the user agent string contents from the client side to make it appear as a different browser or operating system to Duo, with the potential effect of bypassing a trusted endpoints policy intended to block access.

Duo generally recommends using the default trusted endpoints policy settings for all types of endpoints to protect against policy bypass due to user agent spoofing.
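The following is an added example, not code from Duo or from this documentation, that shows the bypass described above in working form. The mobile/desktop classifier is a simple substring heuristic written for the example (Duo's real classifier is not described here), the user-agent strings are constructed, and the setting names follow this page. It walks the scenario from the start of this section: unmanaged workstations are tracked but allowed, unmanaged mobile devices are blocked.

```python
"""Added example, not Duo's code: why a policy that treats mobile and
desktop endpoints differently can be bypassed by editing the user-agent
string, and why the default (one setting for every endpoint) cannot be
bypassed that way.

Assumptions: the mobile/desktop classifier below is a substring heuristic
written for this example; the user-agent strings are constructed.
"""
from typing import Optional

# Heuristic only: any browser can send any of these tokens.
MOBILE_MARKERS = ("iPhone", "iPad", "Android", "Mobile")

ALLOW = "Allow all endpoints"
REQUIRE = "Require endpoints to be trusted"
ALLOW_MOBILE = "Allow all mobile endpoints"
REQUIRE_MOBILE = "Require mobile endpoints to be trusted"


def is_mobile_user_agent(user_agent: str) -> bool:
    """Classifies on self-reported data; nothing here is verified."""
    return any(marker in user_agent for marker in MOBILE_MARKERS)


def evaluate(user_agent: str, has_duo_cert: bool,
             setting: str, mobile_setting: Optional[str] = None) -> str:
    """Return "allow" or "block" for one access attempt.

    setting:        the Trusted Endpoints setting for endpoints in general.
    mobile_setting: the custom mobile option, or None when custom mobile
                    options are disabled and `setting` applies to everything.
    """
    if mobile_setting is not None and is_mobile_user_agent(user_agent):
        effective = mobile_setting
    else:
        effective = setting
    if effective in (ALLOW, ALLOW_MOBILE):
        return "allow"
    if effective in (REQUIRE, REQUIRE_MOBILE):
        return "allow" if has_duo_cert else "block"
    raise ValueError(f"unknown setting: {effective}")


# Constructed user-agent strings.
PHONE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
            "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 "
            "Mobile/15E148 Safari/604.1")
# The same phone after its user changed the user-agent to a desktop browser's.
SPOOFED_DESKTOP_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
                      "AppleWebKit/537.36 (KHTML, like Gecko) "
                      "Chrome/120.0.0.0 Safari/537.36")


def bypass_demo():
    """Decisions for an unmanaged phone (no Duo certificate):
      1. honest user-agent, split policy (workstations allowed, mobile required)
      2. spoofed desktop user-agent, same split policy  (the bypass)
      3. spoofed desktop user-agent, one setting for all endpoints
    """
    split_honest = evaluate(PHONE_UA, False, ALLOW, REQUIRE_MOBILE)
    split_spoofed = evaluate(SPOOFED_DESKTOP_UA, False, ALLOW, REQUIRE_MOBILE)
    default_spoofed = evaluate(SPOOFED_DESKTOP_UA, False, REQUIRE)
    return split_honest, split_spoofed, default_spoofed
```

`bypass_demo()` returns `("block", "allow", "block")`: the unmanaged phone is blocked as long as it reports itself honestly, is allowed as soon as it claims to be a Windows desktop, and is blocked again only when the same setting applies to every endpoint regardless of what the browser claims to be. The trade-off is that the uniform setting also blocks unmanaged workstations, which is why the page recommends it for access that actually needs to be blocked.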

Monitoring Trusted Endpoints

As users access the application that has the Trusted Endpoints policy, they see no difference in the Duo Prompt when authenticating but Duo notes whether the devices used are managed or not. When you view these endpoints in the Admin Panel (from the Endpoints page, from the details page for that device, or from an individual user's details page), the "Trusted Endpoint" column shows the device certificate status: "Yes" if the endpoint passed Duo's managed system check, or "No" if it did not.

Trusted Endpoints Reporting

"Unknown" status in the Trusted Endpoint column usually indicates that the endpoint hasn't been used to access the application that has the Trusted Endpoints policy yet.

Expand the Trusted Endpoints Policy Scope

To include more of your users in the Trusted Endpoints pilot, return to the Duo Admin Panel and either add more users to the pilot Duo group or apply the test policy to additional groups from the test application's details page. You can also apply the Trusted Endpoints policy to additional applications.

Add even more users to your testing by switching from applying the Trusted Endpoints policy to specific groups on an application to applying the policy to all users of that application. Click the Apply a policy to all users link on an application's details page and select the Trusted Endpoints policy.

Apply Application Policy

Eventually, you should add the Trusted Endpoints policy to your Duo Global Policy, so that all your browser-based applications default to checking for the Duo device certificate.


Controlling Application Access with the Trusted Endpoints Policy

When the majority of your devices have the Duo certificate and are reporting the certificate status back to Duo, you may wish to block access to your more sensitive applications from unmanaged devices. Accomplish this by applying a policy with the "Trusted Endpoints" policy option set to Block endpoints that do not have a Duo certificate.

Trusted Endpoints Policy to Block Unmanaged Device Access

Users accessing the applications with this policy who do have the Duo device certificate present on their devices continue to see no change in the Duo Prompt when authenticating. However, if the browser does not detect the Duo certificate, then Duo prevents the user from authenticating.


Clicking the "See what is allowed" link in the notification provides the user with some additional clarification about why their device isn't able to access the application.


Don't enable this policy setting before deploying the Duo device certificate to your trusted access devices, or you may inadvertently block users' access to applications.
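As an added example that is not part of the original documentation, the script below is the readiness check a practitioner would run before flipping a policy to block unmanaged devices. It works over endpoint records in the shape the Monitoring section describes (Trusted Endpoint = "Yes", "No" or "Unknown") and lists the users who would be locked out. The records, field names and the 90% coverage threshold are constructed for the example; in practice the records would come from an export of the Endpoints page.

```python
"""Added example, not Duo's code: a go/no-go check before switching a
policy to block endpoints without the Duo certificate.

Assumptions: the endpoint records and their field names are constructed
for this example; "unknown" counts as blocked, since such an endpoint has
not passed the check yet.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List

# Constructed sample records, one per (user, device).
ENDPOINTS = [
    {"username": "alice", "hostname": "alice-laptop", "trusted_endpoint": "yes"},
    {"username": "alice", "hostname": "alice-byod", "trusted_endpoint": "no"},
    {"username": "bob", "hostname": "bob-laptop", "trusted_endpoint": "no"},
    {"username": "carol", "hostname": "carol-laptop", "trusted_endpoint": "unknown"},
    {"username": "dave", "hostname": "dave-laptop", "trusted_endpoint": "yes"},
    {"username": "dave", "hostname": "dave-phone", "trusted_endpoint": "yes"},
]


def status_counts(endpoints: Iterable[dict]) -> Counter:
    """How many endpoints are in each Trusted Endpoint state."""
    return Counter(e["trusted_endpoint"].lower() for e in endpoints)


def trusted_coverage(endpoints: List[dict]) -> float:
    """Fraction of endpoints that have passed the Duo certificate check."""
    counts = status_counts(endpoints)
    total = sum(counts.values())
    return counts["yes"] / total if total else 0.0


def endpoints_by_user(endpoints: Iterable[dict]) -> Dict[str, List[str]]:
    """Map each user to the trust states of that user's endpoints."""
    by_user = defaultdict(list)
    for e in endpoints:
        by_user[e["username"]].append(e["trusted_endpoint"].lower())
    return by_user


def users_without_a_trusted_endpoint(endpoints: Iterable[dict]) -> List[str]:
    """Users with no endpoint marked yes: a blocking policy locks them out."""
    return sorted(u for u, states in endpoints_by_user(endpoints).items()
                  if "yes" not in states)


def users_with_some_untrusted_endpoint(endpoints: Iterable[dict]) -> List[str]:
    """Users who keep access from a trusted device but lose it elsewhere."""
    return sorted(u for u, states in endpoints_by_user(endpoints).items()
                  if "yes" in states and any(s != "yes" for s in states))


def enforcement_report(endpoints: List[dict], min_coverage: float = 0.9) -> dict:
    """Summary to review before enabling the blocking setting."""
    coverage = trusted_coverage(endpoints)
    locked_out = users_without_a_trusted_endpoint(endpoints)
    return {
        "coverage": coverage,
        "counts": dict(status_counts(endpoints)),
        "would_lose_all_access": locked_out,
        "would_lose_some_access": users_with_some_untrusted_endpoint(endpoints),
        "ready": coverage >= min_coverage and not locked_out,
    }
```

On the constructed records the report comes back with coverage 0.5, bob and carol flagged as losing all access (carol's device has never been checked, which is not the same as trusted), and alice flagged as losing access from her personal device only. Run against a real export, an empty "would_lose_all_access" list is the signal that the blocking setting can be enabled without the lockouts the note above warns about.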

Deployment Setup Tips

Most organizations will want to test the Trusted Endpoints feature on a select group of users before deploying the feature to their entire user population. Below are instructions on how to achieve commonly desired configurations while avoiding user interruptions during your testing and deployment.

For each of the desired configurations documented below, once completed, the Endpoints menu can be used to filter users' devices based on their trust status using the "Trusted Endpoint" filter.

We would like to test with a pilot group of users and identify which of these users are accessing applications using trusted devices and which are not using trusted devices. We don't want anyone to be blocked regardless of which type of device they are using.

  1. Create a group in Duo or identify a synced directory group that contains the members of the pilot group.

  2. To enable Trusted Endpoint identification for:

    a. All applications: Make sure the global policy setting for Trusted Endpoints is set to Allow all endpoints. This is the default and cannot be changed unless at least one Trusted Endpoint Configuration exists. Identification of trusted endpoints will not start until an applicable Trusted Endpoint Configuration is enabled.

    b. One application: Create an application or group custom policy for the desired application with the policy setting for Trusted Endpoints set to Allow all endpoints. This is the default and cannot be changed unless at least one Trusted Endpoint Configuration exists. Identification of trusted endpoints will not start until an applicable Trusted Endpoint Configuration is enabled.

  3. Create a Trusted Endpoint Configuration using your chosen management tools integration and configure it according to its instructions. A Trusted Endpoint Configuration will be created in the disabled state and thus will not have any effect on when trusted endpoint identification will be attempted.

  4. On the Trusted Endpoints Configuration:

    a. Click the Change link in the upper right area of the page.

    b. Toggle from the disabled state to the active state.

    c. Select the Test with a group option and select the desired group from the drop-down menu.

    d. Click Save.

  5. Members of the pilot group will have their devices identified as trusted.

Note: Identifying trusted devices sometimes requires that users take extra actions during authentication, such as launching Duo Mobile on mobile devices. The advanced option Allow all mobile endpoints can be used to avoid extra authentication steps on mobile devices.

We would like to identify which users in a pilot group are accessing applications using trusted devices and which are not using trusted devices, and we would like to block access to anyone in the pilot group who is not using a trusted device.

To block access to applications from devices that are not trusted for only a pilot group of users, each application will have to be configured with the “Require endpoints to be trusted” Trusted Endpoints setting as described below.

  1. Create a group in Duo or identify a synced directory group that contains the members of the pilot group.

  2. Create a custom policy for the desired application with the policy setting for Trusted Endpoints set to “Require endpoints to be trusted.”

  3. Create a Trusted Endpoint Configuration using your chosen management tools integration and configure it according to its instructions. A Trusted Endpoint Configuration will be created in the disabled state and thus will not have any effect on when trusted endpoint identification will be attempted.

  4. On the Trusted Endpoint Configuration:

    a. Click the Change link in the upper right area of the page.

    b. Toggle from the disabled state to the active state.

    c. Select the Test with a group option and select the desired group from the drop-down menu.

    d. Click Save.

  5. Select the desired application and in the “Group policies” section, assign the custom policy from step 2 to the Duo group identified in step 1.

  6. Members of the pilot group will have their devices identified as trusted or not trusted, with application access granted or blocked accordingly.

We currently use Trusted Endpoints to identify trusted desktop devices. We would like a pilot group of mobile users to be required to use a trusted mobile device without affecting our other users.

  1. Create a group in Duo or identify a synced directory group that contains the members of the pilot group.

  2. Create an application or group custom policy for the desired application with the policy setting for Trusted Endpoints set to Allow all endpoints. Then click on “Advanced options for mobile endpoints” and select the Require mobile endpoints to be trusted option. Once the policy is saved, apply it to the group created in step 1.

  3. Create an additional Trusted Endpoint Configuration for mobile clients using your chosen management tools integration and configure it according to its instructions. A Trusted Endpoint Configuration will be created in the disabled state and thus will not have any effect on when trusted endpoint identification will be attempted.

  4. On the Trusted Endpoint Configuration:

    a. Click the Change link in the upper right area of the page.

    b. Toggle from the disabled state to the active state.

    c. Select the Test with a group option and select the desired group from the drop-down menu.

    d. Click Save.

  5. Members of the pilot group will be required to use trusted mobile devices for that application.

We currently use Trusted Endpoints to require trusted desktop devices. We would like a pilot group of mobile users to be required to use a trusted mobile device without affecting our other users.

  1. Create a group in Duo or identify a synced directory group that contains the members of the pilot group.

  2. In the “Applications” menu, select the application you want to protect. Create a new group policy and set Trusted Endpoints to “Require endpoints to be trusted.” Once the policy is saved, apply it to the group created in step 1.

  3. Create a Trusted Endpoint Configuration of the desired type and configure it according to its instructions.

  4. On the Trusted Endpoint Configuration:

    a. Click the “Change” link in the upper right area of the page.

    b. Toggle from the disabled state to the active state.

    c. Select the “Test with a group” option and select the group from step 1 in the drop-down menu.

    d. Click “Save” and the members of the pilot group will be required to use trusted desktop AND mobile devices for that application.

I am already using the test mode successfully and I want to add more users to the test.

Simply add additional users to the pilot group that was created to test the trusted endpoints feature.

I am already using the test mode successfully and I want to add more applications to the test.

In each application that you want to test, in the “Group policies” section apply the already created custom policy to the Duo group you created previously.

I am satisfied with testing and want to deploy to all users.

For each Trusted Endpoint Configuration that has been restricted to the pilot group, change its integration status to “Activate for all”. Then for each application that has a custom group policy, either replace the group policy with an “Application policy”, or delete the group policy so that the global policy is enforced.
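The recipes above combine two mechanisms that are easy to conflate: the Trusted Endpoint Configuration state (disabled, "Test with a group", "Activate for all") decides whether trust identification is attempted for a user at all, while Duo's policy precedence (group policy over application policy over global policy, as the last step relies on) decides which Trusted Endpoints setting applies. The following is an added example, not Duo's code or an API, that models both for a single login and walks the "block untrusted devices for a pilot group" recipe through to "deploy to all users". Class names, field names and group names are invented for the example; it also assumes that an endpoint whose status is still "unknown" does not satisfy "Require endpoints to be trusted".

```python
"""Added example, not Duo's code: how configuration state and policy
precedence combine for one authentication.

Assumptions: class, field and group names are invented for this example;
an endpoint with status "unknown" is treated as not trusted when the
effective setting is "Require endpoints to be trusted".
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ALLOW = "Allow all endpoints"
REQUIRE = "Require endpoints to be trusted"


@dataclass
class TrustedEndpointConfiguration:
    status: str                       # "disabled" | "test" | "active"
    test_group: Optional[str] = None  # group name when status == "test"

    def covers(self, user_groups: Set[str]) -> bool:
        """Identification is attempted only for users this configuration covers."""
        if self.status == "active":
            return True
        if self.status == "test":
            return self.test_group in user_groups
        return False


@dataclass
class Application:
    application_policy: Optional[str] = None                       # None = inherit global
    group_policies: Dict[str, str] = field(default_factory=dict)   # group -> setting


def effective_setting(app: Application, user_groups: Set[str], global_setting: str) -> str:
    """Group policy wins over application policy, which wins over global policy."""
    for group, setting in app.group_policies.items():
        if group in user_groups:
            return setting
    if app.application_policy is not None:
        return app.application_policy
    return global_setting


def evaluate(app: Application, user_groups: Set[str], global_setting: str,
             configs: List[TrustedEndpointConfiguration],
             has_duo_cert: bool) -> Tuple[str, str]:
    """Return (Trusted Endpoint status as the Admin Panel shows it, decision)."""
    setting = effective_setting(app, user_groups, global_setting)
    if any(c.covers(user_groups) for c in configs):
        status = "yes" if has_duo_cert else "no"
    else:
        status = "unknown"  # no enabled configuration applies, so never checked
    if setting == ALLOW:
        return status, "allow"
    if setting == REQUIRE:
        # Assumption: "unknown" cannot satisfy a trust requirement.
        return status, ("allow" if status == "yes" else "block")
    raise ValueError(f"unknown setting: {setting}")


def pilot_then_rollout():
    """Walk the pilot recipe, then the deploy-to-all step; return the decisions."""
    pilot = {"TE-Pilot"}          # constructed group names
    everyone_else = {"Staff"}

    # Pilot: global policy stays Allow all endpoints, the application gets a
    # group policy for the pilot group, and the configuration is in
    # "Test with a group" mode for that same group.
    app = Application(group_policies={"TE-Pilot": REQUIRE})
    configs = [TrustedEndpointConfiguration("test", "TE-Pilot")]
    pilot_phase = {
        "pilot_with_cert": evaluate(app, pilot, ALLOW, configs, True),
        "pilot_no_cert": evaluate(app, pilot, ALLOW, configs, False),
        "other_no_cert": evaluate(app, everyone_else, ALLOW, configs, False),
    }

    # Rollout: configuration switched to "Activate for all", and the group
    # policy replaced by an application policy.
    app = Application(application_policy=REQUIRE)
    configs = [TrustedEndpointConfiguration("active")]
    rollout = {
        "other_no_cert": evaluate(app, everyone_else, ALLOW, configs, False),
        "other_with_cert": evaluate(app, everyone_else, ALLOW, configs, True),
    }
    return pilot_phase, rollout
```

During the pilot phase, users outside the pilot group are never checked: their status stays "unknown" and the global Allow all endpoints setting lets them through, which is what "without affecting our other users" means in practice. After rollout, a user outside the old pilot group without the certificate is blocked, so the rollout step should only follow a readiness check of the kind described under Monitoring.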

Troubleshooting

Need some help? Take a look at our Trusted Endpoints Knowledge Base articles or Community discussions. For further assistance, contact Support.
