Topic
This article discusses how to work with Device Posture Policy (DPP) settings in ControlOne.
Environment
- Cytracom ControlOne
Description
Index
- What are Device Posture Checks?
- Setting up a Device Posture Policy using Device Posture Check
- Customizing device posture policy settings
- OS-based device posture options
- Applying a Device Posture Policy
- Additional resources
Device Posture Checks are an integral part of a comprehensive Zero Trust approach. They can enforce compliance requirements on an endpoint before it is allowed onto the corporate network. Systems that are not compliant will not be allowed on the assigned zone, and are automatically quarantined (or redirected to an alternate zone) with different access permissions and security policies.
Setting up a Device Posture Policy using Device Posture Check
1. In the Navigation menu, click Zero Trust on the left navigation panel, then click the Device Posture Policies button at the top of the screen.
Figure 1: Navigating to Device Posture
2. Click the "+ Add New" button to add a new policy.
Figure 2: The Add New button
3. A dialog box will appear. Enter a name for the new policy.
Figure 3: New Device Posture Policy
4. Click the Create button to create the policy with default settings. The device posture policy will display in the center of the screen.
Customizing device posture policy settings
Click a device policy you would like to customize further. A fly-out menu will open on the right-hand side of the screen showing all editable parameters. At the top of this menu, you can choose to edit General options, options for Windows devices, or options for macOS devices.
Figure 4: Customization tabs
Editing general options
Make sure the General tab is selected in the options fly-out menu.
Figure 5: General customization options
1. Runtime schedule: Designate when the device posture check should run. You can set the check to run prior to the device making a connection, or set it to also run at a specific time interval during the connected session.
2. Action: Assign what action ControlOne should take if a device fails a posture check:
- Alert: Creates an alert on the Reporting page, visible on the Events tab.
- Alert and disconnect: Creates the alert and disconnects the device, preventing reconnection until it passes a device posture check.
- Alert and move to selected zone: Sends an alert and moves the device into a quarantine zone that you designate, prohibiting connection by that device until it is moved out of the quarantine zone.
3. Exempt users: Designate users that are exempt from the device posture check. You can use the menu in this setting to choose any users assigned to a user zone.
4. Exempt devices: Specify which ControlOne devices should be exempt from device posture checks.
5. Protected zones: Select which ControlOne zones are exempt from posture checks.
OS-based device posture options
Editing Windows options
Make sure the Windows tab is selected in the options fly-out menu.
Figure 6: Windows customization options
1. Full disk encryption: Use this option to state whether full disk encryption will be required to pass the device posture check.
2. Geolocation rules: This option lets you specify that a device be within a certain number of miles from a particular location in order to pass a device posture check.
3. Version requirements: Specify a minimum OS release and version to pass a posture check.
4. File requirements: Tell the system to fail the posture check unless a specific file is in a specific location on the device. A common use case is to include a placed file in official OS images so DPP can verify the image is corporate-issued.
5. Process requirements: Fail the posture check if a specific process (such as an RMM process) is not running on the device. To add a process, enter its name or file path. See Cytracom ControlOne: Specifying running processes for a Device Posture Policy (DPP) to learn more about finding process names.
6. Registry key requirements: Fail a device posture check unless a particular key exists at a designated location within the registry. A common use case is to include a registry key in official OS images so DPP can verify the image is corporate-issued.
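The Windows requirements above (disk encryption, minimum version, file, process and registry key) can be evaluated locally before a policy is assigned, so an administrator can see which requirement an endpoint would fail. The script below is an added example, not ControlOne code; it uses the standard BitLocker, CIM and registry cmdlets, and the minimum build, file path, process path and registry key are assumed placeholders to be replaced with the values in your policy.

```powershell
# Assumed policy values (placeholders): substitute the ones configured in your DPP.
$Requirements = @{
    MinimumOsVersion = [Version]'10.0.19045'                    # assumed minimum build
    RequiredFile     = 'C:\ProgramData\Contoso\corp-image.txt'  # assumed marker file
    RequiredProcess  = 'C:\Program Files\RMM\rmmagent.exe'      # assumed RMM agent
    RequiredRegKey   = 'HKLM:\SOFTWARE\Contoso\CorpImage'        # assumed marker key
}

function Test-DevicePosture {
    param([hashtable]$Req)
    $checks = [ordered]@{}

    # Full disk encryption: the system drive must be fully encrypted with protection on.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $checks['FullDiskEncryption'] = ($null -ne $vol) -and
        ($vol.VolumeStatus -eq 'FullyEncrypted') -and ($vol.ProtectionStatus -eq 'On')

    # Version requirement: the installed OS build must be at least the policy minimum.
    $osVersion = [Version](Get-CimInstance Win32_OperatingSystem).Version
    $checks['OsVersion'] = $osVersion -ge $Req.MinimumOsVersion

    # File requirement: the marker file must exist at exactly this path.
    $checks['RequiredFile'] = Test-Path -LiteralPath $Req.RequiredFile -PathType Leaf

    # Process requirement: accept a bare name or a full path, as the DPP editor does.
    $procName = [IO.Path]::GetFileNameWithoutExtension($Req.RequiredProcess)
    $running  = Get-Process -Name $procName -ErrorAction SilentlyContinue
    if ($Req.RequiredProcess -match '[\\/]') {
        # A full path was given: the running image must match it, not just the name.
        $running = $running | Where-Object { $_.Path -eq $Req.RequiredProcess }
    }
    $checks['RequiredProcess'] = @($running).Count -gt 0

    # Registry key requirement: the key itself must exist (its values are not inspected).
    $checks['RequiredRegKey'] = Test-Path -LiteralPath $Req.RequiredRegKey

    [pscustomobject]@{
        Checks = $checks
        Pass   = -not ($checks.Values -contains $false)
    }
}

$result = Test-DevicePosture -Req $Requirements
$result.Checks.GetEnumerator() | ForEach-Object {
    '{0,-20} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
"Overall: $(if ($result.Pass) { 'compliant' } else { 'not compliant' })"
```

Run it in an elevated PowerShell session, since Get-BitLockerVolume needs administrator rights; a FAIL line identifies the requirement to fix on the device (or to relax in the policy) before the zone's users are disconnected or quarantined.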
Editing macOS options
Make sure the macOS tab is selected in the options fly-out menu.
Figure 7: macOS customization options
1. Full disk encryption: Use this option to state whether full disk encryption will be required to pass the device posture check.
2. Geolocation rules: This option lets you specify that a device be within a certain number of miles from a particular location in order to pass a device posture check.
3. Version requirements: Specify a minimum OS release and version to pass a posture check.
4. File requirements: Tell the system to fail the posture check unless a specific file is in a specific location on the device. A common use case is to include a placed file in official OS images so DPP can verify the image is corporate-issued.
5. Process requirements: Fail the posture check if a specific process (such as an RMM process) is not running on the device. To add a process, enter its name or file path. See Cytracom ControlOne: Specifying running processes for a Device Posture Policy (DPP) to learn more about finding process names.
Editing mobile options
Make sure the Mobile tab is selected in the options fly-out menu. This tab lets you edit the following options:
Figure 8: Mobile customization options
1. Full Disk Encryption: Use this option to state whether full disk encryption will be required to pass the device posture check.
2. Geolocation Rules: This option lets you specify that a device be within a certain number of miles from a particular location in order to pass a device posture check.
3. Device Authentication Requirements: Click the Manage link to select whether iOS devices must be protected by an active passcode, biometric protection, or both.
4. Device Integrity Requirements: Click the Manage link to select the minimum iOS release and minimum version that can pass a device posture check. See Figure 9, below.
5. iOS Version Requirements: Click the Manage link to choose which iOS versions will be excluded.
6. Android Version Requirements: Click the Manage link to choose which Android versions will be excluded.
Figure 9: Device integrity requirements
Applying a Device Posture Policy
After creating your policies you can assign them to your user zones.
Each user zone can have only one Device Posture Policy.
1. In the Navigation menu, click the Zones tab, then select the user zone. You can also select your zone by clicking it on the Network Map.
Figure 10: Applying the policy
2. In the right-hand Options pane, make sure the General tab is selected, then scroll down to the Device Posture Policy drop-down menu and select the policy you wish to apply. When finished, click the Save button.
Figure 11: Applying the policy
You can also create a new DPP by clicking the Create a new policy link in the Device Posture Policy drop-down menu. If you do so, you must return to the Zero Trust page and set up your new policy's configuration according to the Customizing device posture policy settings steps above.
Additional resources
Still have questions? Click here to learn how to contact Cytracom Technical Support or open a ticket.