On the Device Posture Signal Configuration page, you can configure the following profiles:
Anti-malware profiles allow you to configure a set of parameters to verify the presence of active anti-malware software on enterprise devices.
On the Signal Configuration page, under Anti-malware Profiles, you can find all configured anti-malware profiles. With this feature, you can collect anti-malware signals that help you to evaluate the security posture of enterprise devices. There are two types of anti-malware profiles:
The Any Vendor profile. This profile can be neither modified nor deleted. It checks if any anti-malware software is installed and considered active on the user's device:
On macOS, this corresponds to a preset list of anti-malware software that is detected by the EAA Client.
On Windows, this indicates any active anti-malware software registered with Windows Security Center.
Custom anti-malware profiles. You can configure a custom anti-malware profile for a specific vendor per operating system to confirm if its software is installed and considered active on the device.
The following is the list of supported vendors that you can select for each of the operating systems. You can set the same or a different anti-malware vendor for macOS and Windows.
|Operating system|Supported vendors|
|---|---|
|Windows|Avast, AVG, Avira, Bitdefender, Carbon Black, Cisco, CrowdStrike, Cylance, ESET, FireEye, Forti Client, Kaspersky, K7, Malwarebytes, McAfee, Microsoft, Norton, SentinelOne, Quick Heal, Sophos, Symantec, Trend Micro, Webroot, Windows Defender.|
|macOS|Avast, AVG, Avira, Bitdefender, Carbon Black, CrowdStrike, ESET, Intego, Kaspersky, Malwarebytes, McAfee, Norton, SentinelOne, Sophos, Symantec, Tanium, Trend Micro, Webroot.|
You can apply the N/A (Not Applicable) value for one of the operating systems in your custom anti-malware profile if you're not interested in checking the anti-malware status of devices with that OS. N/A means that this profile won't be used to check the presence of active anti-malware software on devices with that operating system. So, for example, if you want to configure an anti-malware profile only for macOS devices, you can set the N/A value for the Anti-malware for Windows criterion.
You can set up to four additional anti-malware profiles. When you try to create the fifth profile, you receive an error message. In this situation, you have to delete one of the existing profiles, except the Any Vendor profile that cannot be deleted. Then, you can proceed with the creation of the new anti-malware profile.
In the EAA Management Portal navigation menu, select System > Device Posture.
On the Device Posture page, click Signal Configuration.
Scroll down to Anti-malware Profiles and click Add Anti-malware Profile (+).
In the Any Vendor profile, verify that the Any Vendor value is set for macOS and Windows.
To configure an additional anti-malware profile, click Add Anti-malware Profile (+).
The table below contains parameters that you have to configure for each custom anti-malware profile.
|Parameter|Description|
|---|---|
|Name|Enter a unique anti-malware profile name. You can later select this anti-malware profile by its name and apply it as a value for the Anti-malware Profile tier/tag criterion, and use it to configure application access control rules (ACLs).|
|Anti-malware for macOS and Windows|From the list of supported vendors, select the anti-malware program to check for active software on the device. See the list of supported programs above. You can set the same or a different anti-malware vendor for macOS and Windows. If you want to configure the custom anti-malware profile for only one of the available operating systems, you can apply the Any Vendor or N/A value for the other OS. For example, assume that you want to check the status of Carbon Black software on macOS devices.|
- Click Save and, next, Create Anti-malware Profile.
After you create an anti-malware profile, signals collected from devices that have the selected vendor's anti-malware installed are checked against the anti-malware profile parameters.
Now you may apply your anti-malware profile as a part of tier and tag configuration to evaluate the security posture of devices, and allow or deny access to applications. See Configure tiers and tags.
Each device in your deployment will now be evaluated against any configured anti-malware profile and you may also use anti-malware profiles as criteria for creating inventory reports. See Create an inventory report.
The device history report provides you with the names of profiles that are met by a particular device. See Create a device history report.
From both inventory and device history reports, you can display the Device Details report where you can find the following information:
Anti-malware. Displays the status of the anti-malware software that is installed on the device. The status can be:
Active (✓). On macOS, the active status means that Device Posture detected a specific anti-malware program as running on the device. On Windows, the active status means that Device Posture verified that a specific anti-malware program is installed, running and actively protecting the device.
Inactive (✗). On macOS, the inactive status is not reported. On Windows, the inactive status means that Device Posture verified that a specific anti-malware program is installed and running but not actively protecting the device.
With versions of EAA Client earlier than 2.4.0, it is not possible to determine which of the installed anti-malware programs is active. The older versions of EAA Client can only confirm that at least one of the supported anti-malware programs installed on the device is active.
As long as one of the program's statuses is active, Device Posture marks the Any Vendor profile as passed.
Unknown (yellow circle). The status cannot be determined.
Refers to Windows devices running the EAA Client version earlier than 2.4.0. For those devices, it is not possible to determine which of the installed anti-malware programs is active. Consequently, those devices are assigned the unknown status.
The unknown status is not applicable to macOS devices. As mentioned above, macOS devices don't report the inactive status. Consequently, if any anti-malware software is detected on the device, it's always considered active.
Anti-malware Profile(s). Displays the list of configured anti-malware profiles and their statuses for the selected device.
Passed (✓). Identifies the profiles that are met by the selected device.
Failed (✗). Identifies the profiles that aren't met by the selected device.
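The status rules above can be expressed as a small model, for example to find which devices will report Unknown before you enforce a custom profile. This is an added example, not Akamai code: the `Device` record, its field names and the sample fleet are constructed, and only the 2.4.0 threshold and the status rules come from this page.

```python
from dataclasses import dataclass, field

PER_PRODUCT_MIN = (2, 4, 0)  # EAA Client 2.4.0, the version named on this page

def parse_version(text):
    """Numeric compare; as plain strings '2.10.0' would sort below '2.4.0'."""
    return tuple(int(part) for part in text.split("."))

@dataclass
class Device:                      # constructed record, not an EAA export format
    name: str
    os: str                        # "macOS" or "Windows"
    client_version: str
    # vendor -> True if actively protecting, False if only installed and running
    products: dict = field(default_factory=dict)

def is_legacy_windows(device):
    return (device.os == "Windows"
            and parse_version(device.client_version) < PER_PRODUCT_MIN)

def product_status(device, vendor):
    """Return 'active', 'inactive', 'unknown', or None if vendor is not detected."""
    if vendor not in device.products:
        return None
    if device.os == "macOS":
        return "active"            # macOS never reports inactive or unknown
    if is_legacy_windows(device):
        return "unknown"           # client cannot tell which product is active
    return "active" if device.products[vendor] else "inactive"

def any_vendor_passed(device):
    """Any Vendor passes as long as one detected product is active."""
    if device.os == "macOS":
        return bool(device.products)
    return any(device.products.values())

def upgrade_candidates(devices):
    """Windows devices whose per-product status would show as unknown."""
    return [d.name for d in devices if is_legacy_windows(d)]

FLEET = [  # constructed sample data
    Device("mac-01", "macOS", "2.3.1", {"Sophos": False}),
    Device("win-01", "Windows", "2.3.9", {"Microsoft": True, "ESET": False}),
    Device("win-02", "Windows", "2.10.0", {"CrowdStrike": False}),
]
```
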
Certificate profiles allow you to configure a set of parameters to verify certificates present on a device. After you have defined certificate profiles you can apply them to tiers and tags configuration to allow or deny access to applications. Signals collected from enterprise devices can also be monitored in the Device Details report for any device on your system using device posture.
See Certificates in EAA to learn more about the use of certificates in Enterprise Application Access.
This feature does not verify that the browser used for accessing your protected resources is using the certificate specified as part of certificate profiles. It does verify the presence of certificates and related parameters on the device.
Upload a Certificate Authority (CA) certificate to verify device certificates.
Optionally, Create an online certificate status protocol (OCSP) responder to check for revoked certificates.
Only external type OCSP servers can be configured as part of a certificate profile.
You only need to configure OCSP if you are going to select the Check Revocation Status (OCSP Server) option when you're configuring the certificate profile.
To pass verification, the device certificate must have a private key and be signed by the configured Certificate Authority (CA).
EAA Client will verify certificates stored in the following locations on the user's device:
macOS: System.keychain located in /Library/Keychains/System.keychain
Windows: CERT_SYSTEM_STORE_LOCAL_MACHINE/My located in SystemCertificates. For more information, see the Microsoft guide on System Store Locations.
In the Enterprise Application Access navigation menu, select System > Device Posture.
On the Device Posture page, click Signal Configuration.
Go to Certificate Profiles and click Add Certificate Profile (+).
You may create up to three certificate profiles.
Configure certificate profile parameters. The table below includes both mandatory and optional parameters. The obligatory parameters are marked with an asterisk.
|Parameter|Description|
|---|---|
|Certificate profile name*|Enter a meaningful certificate profile name. You can later select the certificate profile by its name in the list of tiers and tags criteria and apply your certificate profile to configure application access control rules (ACLs).|
|Signed by*|Select a Certificate Authority (CA) that will perform device certificate verifications. Device certificates from the System Store on Windows or Keychain on macOS are considered for verification by checking if the certificates are signed by the selected CA.|
|TPM attested|Verify if the device certificate is protected by the Trusted Platform Module (TPM). See TPM to learn more. This parameter is optional.|
|Check Revocation Status (OCSP Server)|Enable and select from external OCSP servers to check certificate revocation status. Enabling this option activates the drop-down menu to select an OCSP Server to use for verification. This parameter is optional. To enable the verification of the OCSP revocation status, you should have previously configured an external OCSP server.|
Certificate profiles configured to use an OCSP server to verify certificate status behave as follows:
The certificate profile capability available in the Enterprise Center interface lets you configure an additional parameter referred to as the Fail Certificate Profile Evaluation.
The Fail Certificate Profile Evaluation feature allows you to deny access to users when either the OCSP server used to validate the certificate is down, or the end user status is unknown because the OCSP server cannot find the certificate’s serial number in its database. This setting improves your authentication assurance level.
See Configure a certificate profile to learn how to configure the Fail Certificate Profile Evaluation parameter.
- Click Save.
After you create a certificate profile, signals collected from devices where it is installed are checked against the certificate profile parameters.
Now you may apply your certificate profile as a part of tier and tag configuration to evaluate the security posture of devices and allow or deny access to applications.
Each device in your deployment is now evaluated against any configured certificate profiles and you may also use certificate profiles as criteria for creating inventory reports. See Create an inventory report and Create an inventory report for devices matching certificate profiles.
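The following added example, which is not Akamai code, models the certificate profile parameters described above to show the difference the Fail Certificate Profile Evaluation option makes when the OCSP responder is down or does not know the serial number. The record types, the `responder` callable and the CA name used in testing are constructed; passing on an unknown or unreachable result when the option is off, and passing the device when any one certificate qualifies, are assumptions of this sketch.

```python
from dataclasses import dataclass
from enum import Enum

class Ocsp(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"          # responder does not know the serial number
    UNREACHABLE = "unreachable"  # responder is down

@dataclass
class DeviceCert:                # constructed record, not an EAA data structure
    serial: str
    issuer: str
    has_private_key: bool
    tpm_protected: bool = False

@dataclass
class CertProfile:
    signed_by: str
    tpm_attested: bool = False
    check_revocation: bool = False
    fail_on_ocsp_error: bool = False   # "Fail Certificate Profile Evaluation"

def query(responder, serial):
    """Call the hypothetical responder; a connection error means it is down."""
    try:
        return responder(serial)
    except ConnectionError:
        return Ocsp.UNREACHABLE

def cert_passes(cert, profile, responder):
    if not cert.has_private_key or cert.issuer != profile.signed_by:
        return False
    if profile.tpm_attested and not cert.tpm_protected:
        return False
    if not profile.check_revocation:
        return True
    status = query(responder, cert.serial)
    if status in (Ocsp.GOOD, Ocsp.REVOKED):
        return status is Ocsp.GOOD
    # UNKNOWN or UNREACHABLE: fail closed only when the option is enabled.
    # Passing otherwise is an assumption of this sketch.
    return not profile.fail_on_ocsp_error

def device_passes(certs, profile, responder):
    """Assumption: the profile is met if at least one certificate qualifies."""
    return any(cert_passes(c, profile, responder) for c in certs)
```
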