Configuring managed device identification

Forcepoint ONE SSE provides three methods to distinguish between managed and unmanaged devices. This allows for greater restrictions to be applied to users using unmanaged devices.

This section will walk you through each method and how to create a standard set of policies that you can use for providing different levels of access for managed and unmanaged devices. Finally this document will show an example walkthrough for using client certificates for determining a managed device and how the users interface will look when accessing the cloud application via web and thick client applications (such as Outlook).

The three methods are:
  • Managed Client Certificates: Forcepoint ONE SSE can utilise SSL client authentication as a mechanism to determine if a user is accessing resources on a machine that is deemed as managed. With SSL client authentication, the SSL server asks the client to provide an SSL certificate signed by a specific entity to prove who they are. This certificate would only exist on devices admins have specifically installed on them. Hence, only devices the admin chooses would be deemed as managed. Managed client certificate device profile is independent of the SmartEdge agent.

    This method involves uploading a Root CA certificate in the Forcepoint ONE SSE portal and installing client certificates on the device. Client certs must be deployed to managed devices outside of Forcepoint ONE SSE, example, through the Active directory group policy. The validation process checks that the Root CA Certificate or chain of CA certificates matches the client cert presented by a user during the SAML 2.0 authentication process.

  • SmartEdge Agent: Admins can download the SmartEdge agent which can act as a device profiler to identify machines for policy. Device profiling performs device posture management to identify devices as managed and unmanaged. It is possible to device profile corporate Windows and Mac computers using a variety of attributes. This requires SmartEdge agent running on these devices. A discrete Forward proxy agent is installed on machines that profiles the device. The profiled device can then be used in a policy rule to configure access to the sanctioned application.
  • SAML Attributes: SAML attributes can be used in device profiling to identify managed devices. Customers can configure an external IdP to pass SAML attributes to Forcepoint ONE SSE during authentication. The attribute name and values passed are compared against expected values set up in the Forcepoint ONE SSE device profile to identify the device as managed. This allows granular control to apply policies based on user attributes configured in the IdP. For example, user’s group membership or position in the corporate structure. SAML attributes device profiles are independent of the SmartEdge agent.