Endpoint Attributes
The following sections describe the endpoint attributes that are evaluated.
Table of Contents
- Supported Operating Systems
- Firewall Conditions
- Endpoint Security Agents
- System Password Enforcement
- Disk Encryption
- Supported Browsers
- Windows Registry Conditions
- Windows Domain Join
- File Conditions
- Process Conditions
- Certificate Conditions
Supported Operating Systems
This option checks whether the endpoint device is running one of the required operating systems.
The operating system hosts and manages your data, applications, and connected devices. Inadequate protections for the operating system could also affect the performance of all of these components and ultimately affect productivity of your users and the organization.
The following sections describe the supported operating systems and package dependencies for Secure Access posture profiles.
Zero Trust Connections
- Windows
- Mac OS X
- Linux (browser-based only)
- iOS
- Android (version 14 or later)
VPN Connections
- Windows
- Mac OS X
- iOS
Firewall Conditions
This option checks for the existence of a firewall on the endpoint device.
- Windows
- Require the platform-native firewall to be running on the endpoint device.
- Mac OS X
- Require the platform-native firewall to be running on the endpoint device.
Endpoint Security Agents
This option checks that a required endpoint security agent is running on the endpoint device.
System Password Enforcement
This option checks whether a system password is required on the endpoint device.
Disk Encryption
This option checks for the existence of disk encryption running on the endpoint device.
Disk encryption ensures that files are always stored on disk in an encrypted form. The files become available to the operating system and applications in readable form while the system is running and unlocked by a trusted user. An unauthorized user inspecting the contents of the disk directly finds garbled random-looking data instead of the actual files.
With user data encryption enabled, the /home directory in the file system is encrypted and user data is available only while the system is running. /home is mounted on a separate disk partition, and block-level encryption is enabled for that partition.
Supported Browsers
This option checks for the existence of a required web browser on the endpoint device.
Windows Registry Conditions
This option checks for the existence of a registry key or the value of the registry key on the endpoint device.
Windows Domain Join
This option enforces a check to verify if the device has joined a Windows domain. When a device is required to be joined to a Windows domain, you can centrally manage user access, enforce access rules and policies across devices, provide single sign-on (SSO) to network resources like shared files and printers, and simplify administration by allowing IT teams to control user permissions and device settings from a single location within the domain.
File Conditions
This option checks for the existence, the date, or the version of a file on the endpoint device.
Process Conditions
This option checks if an application or process is running or not running on the endpoint device.
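The file and process conditions above are easy to describe but have a few practical traps (version strings compared as text, process names truncated by the kernel, the "must NOT be running" case). The following script is an added example, not Secure Access or Secure Client code; all paths and process names in it are placeholders chosen for illustration. It evaluates file existence, file age, a minimum file version, and whether a named process is (or is not) running, and reports which rules of a profile failed.

```python
import os
import re
import subprocess
import sys
import time


def file_exists(path):
    """File condition (existence): the file must be present on the endpoint."""
    return os.path.isfile(path)


def file_modified_within(path, max_age_days):
    """File condition (date): the file's last-modified time must be no older
    than max_age_days, e.g. a signature database that has to be fresh."""
    if not os.path.isfile(path):
        return False
    return (time.time() - os.path.getmtime(path)) <= max_age_days * 86400


def parse_version(text):
    """Turn '4.10.07073' into (4, 10, 7073) so versions compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def version_at_least(observed, minimum):
    """File condition (version): compare numerically, never as strings
    ('10.0.1' < '9.0' is True for strings but False for versions)."""
    return parse_version(observed) >= parse_version(minimum)


def running_process_names():
    """Names of all running processes. Reads /proc/<pid>/comm on Linux (the
    kernel truncates comm to 15 characters), otherwise shells out to
    `ps` (other Unix) or `tasklist` (Windows)."""
    names = set()
    if os.path.isdir("/proc"):
        for entry in os.listdir("/proc"):
            if not entry.isdigit():
                continue
            try:
                with open(f"/proc/{entry}/comm") as f:
                    names.add(f.read().strip())
            except OSError:
                continue  # process exited between listdir() and open()
        return names
    if sys.platform == "win32":
        out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                             capture_output=True, text=True).stdout
        for line in out.splitlines():
            if line.startswith('"'):
                names.add(line.split('","')[0].strip('"'))
    else:
        out = subprocess.run(["ps", "-eo", "comm="],
                             capture_output=True, text=True).stdout
        names.update(os.path.basename(l.strip()) for l in out.splitlines() if l.strip())
    return names


def process_condition(name, must_be_running=True):
    """Process condition: `name` is running (a required agent) or, with
    must_be_running=False, is NOT running (prohibited software)."""
    found = name in running_process_names()
    return found if must_be_running else not found


def evaluate(rules):
    """Evaluate a list of (label, callable) posture rules; returns the failed labels.
    An empty list means the endpoint satisfies this profile."""
    return [label for label, check in rules if not check()]


if __name__ == "__main__":
    # Hypothetical profile: paths and names are placeholders, not real product values.
    profile = [
        ("agent binary present", lambda: file_exists("/opt/example-agent/bin/agent")),
        ("signature db < 7 days old", lambda: file_modified_within("/opt/example-agent/sigs.db", 7)),
        ("agent version >= 4.10", lambda: version_at_least("4.10.07073", "4.10")),
        ("agent process running", lambda: process_condition("example-agent")),
        ("prohibited tool absent", lambda: process_condition("prohibited-tool", must_be_running=False)),
    ]
    print("failed rules:", evaluate(profile))
```

The version check deliberately parses digits into a tuple: a plain string comparison would rank 4.9 above 4.10 and let an outdated agent pass. Where the observed version comes from (PE version resources on Windows, a package manager on Linux) is a separate concern of the posture agent.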
Certificate Conditions
Secure Access supports Certificate and Security Assertion Markup Language (SAML) authentication for remote access VPN connection profiles. This option checks if any required server certificates are present and valid on the endpoint device.
A VPN user is authenticated with both a client certificate and a SAML server. The client certificates are installed on every user's device and are validated against the CA certificate(s) to verify identity. SAML is an open standard that allows identity providers (IdP) to pass authorization credentials to service providers. When a user logs into a SAML-enabled application, the service provider requests authorization from the appropriate IdP. The identity provider authenticates the user's credentials and returns the authorization to the service provider. Once authorized, the user can use the application. In the case of certificate and SAML authentication, certificates are authenticated before SAML authentication.
When selected, you can configure up to two certificates to authenticate each endpoint. For each certificate, configure the following attributes:
- Subject — The subject field identifies the entity that owns or is associated with the public key embedded in the certificate. It often corresponds to the hostname or domain name the VPN server uses.
Note: The subject field is important because it ensures that VPN clients can verify the identity of the server they are connecting to by checking the certificate's subject against the expected hostname. The Common Name (CN) within the subject field is often used to identify the primary hostname of the server.
- Issuer — The issuer field is the entity (trusted authority) that issues the digital certificates used for authentication and secure communication within a VPN. These certificates verify the identity of the VPN server and clients, ensuring secure access to the network.
- Subject alternate name — The subject alternative name field allows a single certificate to cover multiple hostnames or IP addresses, ensuring secure connections when a VPN client connects to a server with different names or addresses.
You select the Type to check when validating the endpoint certificate. You can manually enter a Value, or you can select SAML attribute name from the Type drop-down to use the values provided by the SAML identity provider (IdP) that is integrated with Secure Access.
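To make the Subject, Issuer and Subject alternate name checks concrete, here is an added example (not Secure Access code) that evaluates a certificate against a list of (Type, Value) conditions like the ones configured above. It assumes the certificate has already been parsed into the dictionary layout that Python's `ssl.SSLSocket.getpeercert()` returns; the sample certificate, its names and the condition-type strings ("Subject", "Issuer", "Subject alternate name") are constructed for this example and are not product values. Validity is checked against the certificate's own notBefore/notAfter window; chain validation is assumed to happen elsewhere.

```python
import ssl
import time

# Constructed sample in the layout ssl.SSLSocket.getpeercert() returns.
# Every name and address here is made up for this example.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "vpn.example.com"),)),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Corp"),),
               (("commonName", "Example Corp Issuing CA"),)),
    "subjectAltName": (("DNS", "vpn.example.com"),
                       ("DNS", "*.vpn.example.com"),
                       ("IP Address", "203.0.113.10")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

# Short RDN attribute names as typed in a DN string, mapped to the long names getpeercert() uses.
SHORT_TO_LONG = {"CN": "commonName", "O": "organizationName", "OU": "organizationalUnitName",
                 "C": "countryName", "ST": "stateOrProvinceName", "L": "localityName"}


def dn_to_dict(rdn_sequence):
    """Flatten getpeercert()'s nested RDN tuples into {attribute: value}."""
    flat = {}
    for rdn in rdn_sequence:
        for key, value in rdn:
            flat.setdefault(key, value)
    return flat


def parse_expected_dn(text):
    """Parse 'CN=vpn.example.com, O=Example Corp' into long-name attributes.
    A bare value with no '=' is treated as the Common Name, the usual shorthand."""
    if "=" not in text:
        return {"commonName": text.strip()}
    expected = {}
    for part in text.split(","):
        key, _, value = part.partition("=")
        key = key.strip().upper()
        expected[SHORT_TO_LONG.get(key, key)] = value.strip()
    return expected


def dn_matches(actual_rdns, expected_text):
    """Every attribute named in the expected DN must equal the certificate's value."""
    actual = dn_to_dict(actual_rdns)
    return all(actual.get(k) == v for k, v in parse_expected_dn(expected_text).items())


def hostname_covered_by_san(cert, hostname):
    """True if a DNS or IP Address SAN entry covers hostname. A wildcard
    covers exactly one leftmost label (RFC 6125 style), never the bare parent."""
    hostname = hostname.lower()
    for kind, value in cert.get("subjectAltName", ()):
        value = value.lower()
        if kind == "IP Address" and value == hostname:
            return True
        if kind != "DNS":
            continue
        if value == hostname:
            return True
        if value.startswith("*."):
            label, _, rest = hostname.partition(".")
            if label and rest == value[2:]:
                return True
    return False


def is_currently_valid(cert, now=None):
    """Presence is not enough: the certificate must be inside its validity window."""
    now = time.time() if now is None else now
    return ssl.cert_time_to_seconds(cert["notBefore"]) <= now <= ssl.cert_time_to_seconds(cert["notAfter"])


def evaluate_certificate_conditions(cert, conditions, now=None):
    """conditions: list of (Type, Value) pairs as configured in the profile.
    Returns (passed, reasons); passed is True only if the certificate is valid
    and every condition holds."""
    reasons = []
    if not is_currently_valid(cert, now):
        reasons.append("certificate outside validity period")
    for ctype, expected in conditions:
        if ctype == "Subject":
            ok = dn_matches(cert["subject"], expected)
        elif ctype == "Issuer":
            ok = dn_matches(cert["issuer"], expected)
        elif ctype == "Subject alternate name":
            ok = hostname_covered_by_san(cert, expected)
        else:
            reasons.append(f"unknown condition type {ctype!r}")
            continue
        if not ok:
            reasons.append(f"{ctype} does not match {expected!r}")
    return (not reasons, reasons)


if __name__ == "__main__":
    print(evaluate_certificate_conditions(SAMPLE_CERT, [
        ("Subject", "CN=vpn.example.com, O=Example Corp"),
        ("Issuer", "Example Corp Issuing CA"),
        ("Subject alternate name", "api.vpn.example.com"),
    ]))
```

The SAN matcher is the part most often gotten wrong: `*.vpn.example.com` must cover `api.vpn.example.com` but not `vpn.example.com` itself and not `a.b.vpn.example.com`, otherwise a certificate issued for one name range silently satisfies a condition written for another.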