
Endpoint Agents

Overview

The SecurEnvoy Endpoint Agent for the Access Management Platform is an optional agent that can be installed on Windows or Debian-based Linux machines to provide additional device information to the Conditional Access Policy Engine.

Installing the Endpoint Agent on a target machine lets organisations make more informed decisions about how users authenticate to their resources, by incorporating machine identification attributes into these flows: machine name, joined domain name, operating system version or family, or simply whether the Endpoint Agent is installed on the requesting device.

[Screenshot: 43-EndpointAgents-1.png]

Setting up Conditional Access Policies

Once the Endpoint Agent has completed installation and has been successfully registered with the SecurEnvoy Access Management Platform, the organisation will be able to see the details of each endpoint in the "Endpoint Agents" section of the platform. This is unique information that can be used to create Conditional Access Policies.

Limitations

The Endpoint Agent cannot be used with the Windows Login Agent or RADIUS clients, as these have no way of knowing whether the Endpoint Agent is present. If you create a policy that combines these applications with Endpoint Agent conditions, the policy will fail in practice.

[Screenshot: 43-EndpointAgents-15.png]

Conditional Access Policies can be created under Management > Conditional Access > Configured Policies > Add Policy.

[Screenshot: 43-EndpointAgents-16.png]

SecurEnvoy Tip

The Endpoint Agent Conditional Access Policies can always be tested using the "Test Policies" section of Conditional Access.

The following parameters can be set up for the Endpoint Agent:

  • Agent Present: This policy checks for the presence of the Endpoint Agent on the machine, against a True/False value. This is particularly useful if organisations want to restrict allowed authentications ONLY to devices that have the SecurEnvoy Endpoint Agent installed.
  • Device Name: This policy restricts authentication to the name of the target device. This is useful if organisations want to restrict authentications to a particular device naming scheme, for example ACME-LAP01.
  • Joined Domain Name: This policy restricts authentication to the Joined Domain Name that the machine is part of, for example "ACME.com". This is useful for organisations that wish to restrict allowed authentications ONLY to users whose machines are joined to the specified domains.
  • Operating System: This policy restricts the Operating System that the target machine must be running in order to authenticate, for example "Windows".
  • Operating System Family: This policy restricts the Operating System Family that the target machine must be running in order to authenticate, for example "Windows".
  • Operating System Version: This policy restricts the version of the Operating System in use.

[Screenshot: 43-EndpointAgents-17.png]

Testing Conditional Access Policies

This section demonstrates using the Endpoint Agent to trigger multiple Advanced Policies in the Conditional Access Policy Engine.

A Conditional Access Policy has been set up to allow users signing into the Access Management Web GUI, Credential Reset or Office 365 with Multi-Factor Authentication (Enforce Second Factor), with Advanced Policies relating to the Endpoint Agent (Agent Presence, Device Name, Joined Domain Name and Operating System).

[Screenshot: 43-EndpointAgents-18.png]

Navigating to the "Test Policies" section of Conditional Access allows organisations to test policies before rollout. In the example below, user "am_push" is attempting to authenticate to Microsoft Office 365. Additional Endpoint Agent parameters have also been populated to ensure sufficient information is given to trigger the Conditional Access Policy.

[Screenshot: 43-EndpointAgents-19.png]

After testing the policy, the Conditional Access Engine reports that the "Endpoint Agent Test" policy has been triggered and that, for the authentication context given, user "am_push" will be able to sign in using Multi-Factor Authentication, which was the expected outcome.

[Screenshot: 43-EndpointAgents-20.png]
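The following is an added illustration of how the Endpoint Agent parameters above and the "Endpoint Agent Test" scenario combine into a policy decision; it is not SecurEnvoy code, and the attribute names, the glob matching on device names and the "no policy matched" result of None are assumptions made for the example. It also encodes the limitation that the Windows Login Agent and RADIUS clients cannot supply endpoint attributes.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional

@dataclass
class EndpointContext:
    # Constructed stand-in for the attributes an Endpoint Agent registers; field names are assumed.
    agent_present: bool = False
    device_name: Optional[str] = None
    joined_domain: Optional[str] = None
    os: Optional[str] = None
    os_family: Optional[str] = None
    os_version: Optional[str] = None

@dataclass
class EndpointPolicy:
    name: str
    applications: tuple   # applications the policy applies to
    outcome: str          # e.g. "Enforce Second Factor"
    conditions: dict      # EndpointContext field -> required value (string values treated as globs; assumed)

# Clients that cannot report endpoint attributes (see Limitations above).
NO_ENDPOINT_DATA = {"Windows Login Agent", "RADIUS"}

def validate(policy: EndpointPolicy) -> bool:
    """Reject a policy that combines endpoint conditions with clients that cannot supply them."""
    return not (policy.conditions and NO_ENDPOINT_DATA & set(policy.applications))

def evaluate(policy: EndpointPolicy, application: str, ctx: EndpointContext) -> Optional[str]:
    """Return the policy outcome when every configured condition matches, else None."""
    if application not in policy.applications:
        return None
    for attr, want in policy.conditions.items():
        got = getattr(ctx, attr)
        if isinstance(want, bool):
            ok = got == want                 # Agent Present: True/False check
        else:                                # name/domain/OS: case-insensitive glob match
            ok = got is not None and fnmatch(got.lower(), want.lower())
        if not ok:
            return None
    return policy.outcome

# The "Endpoint Agent Test" scenario from the section above (device-name pattern is constructed).
ENDPOINT_AGENT_TEST = EndpointPolicy(
    name="Endpoint Agent Test",
    applications=("Access Management Web GUI", "Credential Reset", "Office 365"),
    outcome="Enforce Second Factor",
    conditions={"agent_present": True, "device_name": "ACME-LAP*",
                "joined_domain": "ACME.com", "os": "Windows"})
```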