Checking Client Certificate

Client Cert checking can be used to determine whether a device is managed or unmanaged and to enforce the appropriate access control policies. A Root CA Certificate, or a chain of CA certificates, is uploaded so that the client cert a user presents during the SAML 2.0 authentication process can be validated against it.

To learn how to enable and use client certificate checking to determine a managed device, refer to Configuring managed device identification.
  • Client certs must be deployed to managed devices outside of Forcepoint ONE SSE.
    • Admins can use AD GPO, SCCM/SMS, JAMF Casper, etc., to push the client certificate out to the devices.
    • It is recommended that users have the proper certificates installed before moving on to the next step where policies are created to control app access.
  • Certificate checking only applies to apps set up for SSO authentication via SAML 2.0.
    Note: For Office 2013 on Windows, this requires a registry key change to enable ADAL (see Microsoft's instructions); alternatively, use Office 2016.
  • The most common use case for this feature will be to allow Direct App Access to Client Apps (e.g. OneDrive sync client) on managed devices while blocking Direct App Access on unmanaged devices. This blocks a user from synchronizing their entire repository of company files to an unmanaged machine while still allowing individual file download and online work to continue. The Client Cert is used to validate that the machine is a managed device.
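As an added example (not Forcepoint's code; all names and certificates are constructed), the check described above in Python with the `cryptography` library: a client certificate counts as managed only if it is within its validity window and its signature verifies under one of the uploaded CA certificates whose subject matches its issuer. The self-signed certificate in the demo copies the CA's name as issuer but still fails, showing why the signature check, not just the issuer name, decides the outcome.

```python
"""Added example: managed/unmanaged decision from a client certificate.
Hypothetical CA and device names; keys and certs are generated in-process."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject_cn, subject_key, issuer_cn, issuer_key, is_ca):
    """Constructed test certificate with a one-year validity window."""
    now = datetime.datetime.utcnow()
    return (x509.CertificateBuilder()
            .subject_name(_name(subject_cn)).issuer_name(_name(issuer_cn))
            .public_key(subject_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))


def is_managed(client_cert, trusted_cas):
    """True only if the cert is currently valid and was signed by a trusted CA."""
    now = datetime.datetime.utcnow()
    if not (client_cert.not_valid_before <= now <= client_cert.not_valid_after):
        return False  # expired or not yet valid: treat as unmanaged
    for ca in trusted_cas:
        if ca.subject != client_cert.issuer:
            continue  # issuer name does not match this uploaded CA
        try:
            ca.public_key().verify(client_cert.signature, client_cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), client_cert.signature_hash_algorithm)
            return True  # signature chains to the uploaded CA
        except InvalidSignature:
            pass  # name matched but signature did not: keep looking
    return False


def demo():
    """Returns (managed_result, unmanaged_result) for a CA-issued and a self-signed cert."""
    ca_key, dev_key, rogue_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    ca = make_cert("Example Corp Device CA", ca_key, "Example Corp Device CA", ca_key, True)
    managed = make_cert("laptop-0042", dev_key, "Example Corp Device CA", ca_key, False)
    # Self-signed cert on an unmanaged machine: copies the CA's name but lacks its signature.
    rogue = make_cert("laptop-0042", rogue_key, "Example Corp Device CA", rogue_key, False)
    return is_managed(managed, [ca]), is_managed(rogue, [ca])
```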