Creating Device Posture Profiles and Device Checks

This article discusses how to create Device Posture Profiles and Device Checks to make sure that only devices (for SDP users) that meet the security requirements are allowed to connect to the network.

Overview

Create Device Checks to define the minimum requirements that a device must meet to be able to connect to your network. For example, a check can require a specific Anti-Malware vendor and product at a minimum supported version. Then define Device Profiles (each of which can contain multiple checks) to specify which devices are allowed to connect to the network.

You can use Device Profiles in the Client Connectivity Policy and in the Internet and WAN firewall.

Working with Unsupported Cato Clients

Sometimes you need to accommodate Clients in your organization that currently don't support Device Posture, and allow these Clients to access the network. When you configure a Device Check, the Criteria section lets you choose the behavior for Clients that don't support Device Posture.

When an unsupported Client matches the settings for a rule except for the profile, these are the behavior options:

  • Skip the Device Check, and allow unsupported Clients to connect to the network

  • Block unsupported Clients because they can't meet the requirements of the Device Check

We recommend that you minimize the scope and impact of Device Checks that allow unsupported Clients in your organization. The fewer unsupported Clients that are allowed, the stronger the Client Connectivity Policy is.

Device Checks in an Office

Starting from Windows Client v5.7, Device Posture Profiles are also applied to devices connecting to your network behind a Socket. This enables you to apply the same Device Posture Profiles regardless of the device's location. For example, a sales executive works two days in the office and three days remotely. The Device Posture Profile is applied to their device whenever and wherever they connect to Cato.

Prerequisites

These are the minimum Client version requirements for Device Checks:

  • Anti-Malware
    • Windows v5.2
    • macOS v5.2
    • Linux v5.1
  • Firewall
    • Windows v5.4
    • macOS v5.2
    • Linux v5.1
  • Disk Encryption
    • Windows v5.5
    • macOS v5.6
  • Patch Management
    • Windows v5.5
    • macOS v5.2
    • Linux v5.2
  • Device Certificate
    • Windows v5.5
    • macOS v5.4
    • iOS v5.3
    • Linux v5.1
    • Android v5.0.1.115
  • DLP
    • Windows v5.9
    • macOS v5.5
    • Linux v5.2
  • Device Checks applied for SDP users in an office
    • Windows v5.7
  • Cato Client Version
    • Windows v5.0
    • macOS v5.0
    • Linux v5.0

Known Limitations

  • In an office, the Client checks the Device Posture every 10 minutes. The configuration set for Client periodic checks does not apply.

  • After creating a Device Check, the page needs to be refreshed before the new check can be included in a Device Profile.

Configuring Device Checks

Each Device Check can include these settings:

  • One Device Test Type (for example, one Anti-Malware or one endpoint Firewall vendor)
  • A vendor, product, and version
    • You can choose any version, a specific version, or a minimum version (greater than)
      Note: In a Firewall Device Check, if you select Apple's macOS built-in firewall, the version number refers to the macOS version number
    • For Anti-Malware, Firewall, Patch Management, and DLP Device Posture checks, you can create a general check for any supported vendor or product. For example, you can create a check that allows access for a device with any of the supported Anti-Malware solutions installed. For a list of supported vendors and products, see the drop-down lists in the Vendor section of the New Device Check panel.
  • Option to skip the check for unsupported Client versions
  • For Disk Encryption - define one or more drive paths that must be encrypted (the entire root path is encrypted, for example C:\)
    • Only software-based encryption is supported (hardware-based encryption is not supported)
    • For devices with multiple partitions, you can specify which partition is encrypted
      • When you define multiple drive paths for a device, the check validates that all of the paths are encrypted
  • Device Certificate - see below

In the Criteria section, you can also enable Real time protection. When it is enabled, a connected device is continuously verified to confirm that it still matches the Device Check.


Working with Device Certificate Checks

You can create Device Checks for certificates that are installed on the end-user device and defined for your account. Use the Device Authentication screen (Access > Client Access > Device Authentication) to upload signing certificates for your account. The check validates that a certificate installed on the device matches one of the signing certificates defined for your account.

Working with Cato Client Version Checks

You can create Device Checks for the Cato Client version that is installed on the end-user device. To block a specific Cato Client version, use the Block operator. To allow a specific Cato Client version, use the Equals or higher operator.

Using Device Checks in WAN and Internet Firewalls

Device Checks can also be used in WAN and Internet firewall policies to create rules that include conditional access based on the actual device of the end-user. For more about using Device Checks in a firewall policy, see Adding Device Conditions to Firewall Rules.

To configure a Device Check:

  1. From the navigation menu, select Access > Device Posture.

  2. Select the Device Checks tab.

  3. Click New. The New Device Check panel opens.

    [Image: DeviceChecksPanel]
  4. Configure the settings for the Device Check.

  5. Click Apply and then click Save.

Configuring the Device Profiles

Each Device Profile can include multiple checks, which are combined using AND logic. This means that a device matching the Device Profile must comply with all of the specified Device Checks to be able to connect with the Client.

[Image: DeviceProfiles]

To configure a Device Profile:

  1. From the navigation menu, select Access > Device Posture.

  2. Click the Device Profiles tab.

  3. Click New.

    The New Device Profile panel opens.

  4. Configure the settings for the Device Profile, and add the required Device Checks (that you created in the previous section).

  5. Click Apply and then click Save.

Creating a Profile with Multiple Checks

When you create a Device Profile with multiple checks there is an AND relationship between them. This means that a device must meet the requirements of all the Device Checks to apply the rule action to the device.

The following example shows the Sample Device Profile which includes these checks:

  • Patch Management - Sample Patch MGMT

  • Disk Encryption - Sample Disk Encryption

[Image: Device_Profile_FW_AM.png]
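To make the evaluation rules concrete (the version operators and the skip/block choice for unsupported Clients from Configuring Device Checks, and the AND relationship between a profile's checks described in this section), here is an added Python model of that logic. It is not Cato's code: the class names, operator names, vendor names and sample devices are assumptions constructed for this illustration.

```python
# Added model of the Device Check / Device Profile rules described in this article. Not Cato's
# implementation: the data model, operator names and sample data are assumptions for illustration.
from dataclasses import dataclass, field

def parse_version(v: str) -> tuple:
    """'5.10' -> (5, 10), so 5.10 correctly sorts above 5.7 (plain string order would not)."""
    return tuple(int(p) for p in v.split("."))

@dataclass
class DeviceCheck:
    test_type: str                    # one test type per check, e.g. "anti_malware"
    vendor: str = "any"               # "any" = general check for any supported vendor
    operator: str = "any"             # "any", "equals" or "greater_than" (minimum version)
    version: str = "0"
    allow_unsupported: bool = False   # skip (pass) the check for Clients without posture support
    drive_paths: list = field(default_factory=list)  # Disk Encryption: every path must be encrypted

@dataclass
class Device:
    posture_supported: bool           # False = Client version without Device Posture support
    software: dict = field(default_factory=dict)    # test_type -> {"vendor": ..., "version": ...}
    encrypted_paths: set = field(default_factory=set)

def evaluate_check(check: DeviceCheck, device: Device) -> bool:
    if not device.posture_supported:
        return check.allow_unsupported      # the per-check skip/block choice from the Criteria section
    if check.test_type == "disk_encryption":
        return all(p in device.encrypted_paths for p in check.drive_paths)
    found = device.software.get(check.test_type)
    if found is None or (check.vendor != "any" and found["vendor"] != check.vendor):
        return False
    if check.operator == "any":
        return True
    if check.operator not in ("equals", "greater_than"):
        raise ValueError(f"unknown operator {check.operator!r}")
    have, want = parse_version(found["version"]), parse_version(check.version)
    return have == want if check.operator == "equals" else have > want

def evaluate_profile(checks: list, device: Device) -> bool:
    """A Device Profile ANDs its checks: the device must pass every one of them."""
    return all(evaluate_check(c, device) for c in checks)

# Constructed sample mirroring the article's Sample Device Profile (Patch Management + Disk Encryption).
SAMPLE_PROFILE = [
    DeviceCheck("patch_management"),                                  # any supported vendor, any version
    DeviceCheck("disk_encryption", drive_paths=["C:\\", "D:\\"]),     # both partitions must be encrypted
]
COMPLIANT = Device(True, {"patch_management": {"vendor": "ExamplePatch", "version": "3.1"}}, {"C:\\", "D:\\"})
HALF_ENCRYPTED = Device(True, {"patch_management": {"vendor": "ExamplePatch", "version": "3.1"}}, {"C:\\"})
OLD_CLIENT = Device(False)   # Client without Device Posture support: blocked unless every check allows it
```

Note that with `OLD_CLIENT` a single check that blocks unsupported Clients fails the whole profile, which is why the article recommends keeping checks that allow unsupported Clients to a minimum.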

9 comments

  • Yaakov Simon

    Updated to include support for endpoint Firewall Device Checks

  • Yaakov Simon

    Updated to include support for:

    • New Device Checks: Patch Management, Disk Encryption and Certificate
    • macOS Client v5.2 for Anti-Malware, Firewall, and Patch Management checks
  • Koen Vandenabeele

    It is not clear whether device profiling does or does not work if a workstation is only running the SDP client as user agent.

    Do you need to be connected or in office mode for the device checks to be performed?

  • Michael Goldberg

    Hi Koen Vanderschelde,

    The device checks run during the Client connecting process. If the Client doesn't connect, the checks do not run.

    Behind a site, the device checks only run on Windows Client v5.7 and higher.

  • Srecko srecko.anzic

    I don't understand the Working with Cato Client Version Checks part. If we try to use Patch Management there is no Cato under the Vendor dropdown.

  • wwebsterSA

    Periodic checks are only ever referenced but not really explained. If I set periodic check to 0, meaning it never periodically checks, is it still at least checking at connection time?

  • Makara Sakolvaree

    Need jailbreak and root detect

  • Michael Goldberg

    Hi wwebsterSA,

    Device checks run as part of the Client Connectivity Policy every time the Client Connects. For more information, see Understanding the Cato Client Connection Flow.

  • Michael Goldberg

    Hi Makara Sakolvaree,

    To request new features, please open an RFE. For more information, see Requesting New Features (RFEs).
