Configure tiers and tags

With tiers and tags, you can group enterprise devices that share the same values for a given type of signal. For example, you could assign devices that comply with the corporate security policy, such as anti-malware and firewall status, to the low-risk tier. See Configure device risk assessments.

You can then use your tiers and tags in the application access control (ACL) rules that allow you to control the application traffic and protect your data. See Control access to applications.

Anti-malware Profiles

For Windows or macOS, with anti-malware profiles, you can collect anti-malware signals that help you to monitor the security posture of enterprise devices. There are two types of anti-malware entries that you may select as values for the Anti-malware Status criterion:

  • Any Vendor. Reports if any anti-malware is installed and considered active on the user's device.

    • On macOS this corresponds to a preset list of anti-malware software that is detected by the EAA Client, and contains the following anti-malware programs: Avast, AVG, Avira, Bitdefender, Carbon Black, CrowdStrike, ESET, Intego, Kaspersky, Malwarebytes, McAfee, Norton, SentinelOne, Sophos, Symantec, Tanium, Trend Micro, Webroot.

    • On Windows this indicates any anti-malware software registered with Windows Security Center.

  • Custom. Checks for the specific vendor's anti-malware. Once a custom profile is configured and selected in a tier or tag rule, this signal allows you to confirm if a particular vendor's anti-malware is installed and considered active on the device. For example, you can configure a CrowdStrike or Carbon Black anti-malware profile and select it as a tier or tag criterion value to check if this software is present on the device.

Biometrics

For Android or iOS, you can check if biometric authentication is enabled on the mobile device. Biometrics are features such as fingerprint readers or facial recognition systems.

Select Biometrics > Enabled.

Carbon Black Policy

For Windows or macOS you can check if the selected Carbon Black policy is protecting the device.

You can specify the policy name only if you previously selected the Enabled checkbox in the Integrations tab. For more information, see Integrate with VMware Carbon Black.

Carbon Black Status

For Windows or macOS you can check if the Carbon Black agent is running on the device.

Select Carbon Black Status > Healthy.

You can set this condition only if you previously selected the Enabled checkbox in the Integrations tab. For more information, see Integrate with VMware Carbon Black.

Certificate Profiles

For Windows or macOS you can configure a tier or tag with this criterion to verify device certificates and identify devices that do not comply with parameters defined in the certificate profile. You may select up to three certificate profiles if they are configured.

For more information, see Configure a certificate profile.

Compromised Device - ETP

For Windows or macOS, you can check if ETP has determined the device to be compromised or not.

Configure Compromised Device - ETP > Not Detected as a criterion.

You can set this condition only if ETP and EAA are both on the same contract.

📘

Device Posture only collects this information from devices running EAA Client.

See Enterprise Threat Protector Product guide to learn more about Enterprise Threat Protector.

See Collect signals from ETP to learn more about the ETP integration.

CrowdStrike Status

For Windows or macOS you can check if a device's Falcon sensor is regularly communicating with the CrowdStrike cloud.

Configure CrowdStrike Status > Healthy as a criterion.

You can set this condition only if you previously selected Enabled in Integrations. For more information, see Integrate with CrowdStrike.

Disk Encryption

For Windows or macOS you can check the disk encryption status on the device.

Configure Disk Encryption > Enabled as a criterion.

EAA Client Status

Determines the status of the EAA Client connector running on devices. If it runs, the status is either Healthy or Unhealthy.

This health check is an indicator of possibly risky devices in the enterprise network.

If the status is Healthy, it means that the EAA Client is communicating with the Akamai cloud as expected, and providing device posture updates.

If the status is Unhealthy, it means that the EAA Client may have an issue communicating with the Akamai cloud, and the device posture signal may not be accurate.

EAA Client Version

For Windows or macOS, you can check the EAA Client version running on devices. Latest is the default value.

  • Latest. Represents the most recent fully patched release of the newest major version of the EAA Client. This category is automatically updated.

  • Latest+. Represents releases later than the newest known release. This includes later version or build numbers that could be classified as beta or developer releases.

  • Up-to-date. Represents the most recent fully patched releases of all supported major versions (except the latest) of the EAA Client. This category is automatically updated.

  • Up-to-date+. Includes patch releases to the up-to-date version that have not been released to general availability.

  • Custom. Lets you manually configure versions not represented in latest or up-to-date. Here you can specify beta and experimental versions. Adding a specific build/version includes only that build/version. This category is optional and is not automatically updated.

    📘

    If you have selected Custom, make sure that the EAA Client tab specifies EAA Client custom values for desktop devices. If no custom values are specified, the device does not match the tier or tag.

When multiple values are selected, a device satisfies the tier/tag if it is running any of the selected values.

EAA Client Status

For Windows or macOS you can check if the EAA Client is installed on the device.

Configure EAA Client Status > Installed as a criterion.

Firewall Status

For Windows or macOS you can check the firewall status on the device.

To verify the firewall status, you need to configure Firewall Status > Good as a tag or tier criterion.
Depending on the device's operating system (OS), the firewall status refers to different firewall solutions.

  • On macOS, it's the status of the OS built-in firewall. To learn more about the macOS firewall solution, see Firewall security in macOS.
  • On Windows, it's the status of either the Windows firewall—Microsoft Defender Firewall—or any third-party firewall running and reporting to Windows Security Center. To learn more about the Windows firewall solution, see Firewall and network protection in Windows Security.

Installed Browser Version

For Windows or macOS, you can configure a tag or tier that indicates the required installed browser versions based on the values specified on the System > Device Posture > Versions > Installed Browsers tab.

📘

This feature does not verify the browser used for application access.

  • Latest. Represents the most recent fully patched release of the newest major browser version. This category is automatically updated.

  • Latest+. Represents releases later than the newest known release. This includes later version or build numbers that could be classified as beta or developer releases.

  • Custom. Lets you manually configure versions not represented in the latest version. Here you can specify beta and experimental versions. Adding a specific build/version includes only that build/version. This category is optional and is not automatically updated.

    📘

    If you have selected Custom, make sure that the Installed Browsers tab specifies custom values for applicable browsers. If no custom values are specified, the device does not match the tier or tag.

When multiple values are selected, a device satisfies the tier/tag if it is running any of the selected values.

Jailbroken

For Android or iOS you can indicate if a given device is jailbroken or rooted.

In your tier or tag rule, select Jailbroken > Not Detected.

Mobile EAA Client version

For Android or iOS you can check the EAA Client version running on mobile devices. Latest is the default value.

  • Latest. Represents the most recent fully patched release of the newest major version of the EAA Client. This category is automatically updated.

  • Latest+. Represents releases later than the newest known release. This includes later version or build numbers that could be classified as beta or developer releases.

  • Custom. Lets you manually configure versions not represented in latest or up-to-date. Here you can specify beta and experimental versions. Adding a specific build/version includes only that build/version. This category is optional and is not automatically updated.

    📘

    If you have selected Custom, make sure that the EAA Client tab specifies EAA Client custom values for mobile devices. If no custom values are specified, the device does not match the tier/tag.

When multiple values are selected, a device satisfies the tier/tag if it is running any of the selected values.

OS Version

Use this condition to detect the OS version running on devices.

Select one or more of the following values:

  • Latest. Represents the most recent fully patched release of the newest major version of an operating system. This category is automatically updated.

  • Latest+. Represents releases later than the newest known release. This includes later version or build numbers that could be classified as beta or developer releases.

  • Up-to-date. Represents the most recent fully patched releases of all supported major versions (except the latest) of the operating system. This category is automatically updated.

  • Up-to-date+. Any OS version that's between up-to-date and latest. For example, if macOS Catalina gets a beta build, it will be covered in up-to-date+, as Big Sur is latest and Catalina is up-to-date.

    Select this option if you want to allow your users to use developer/beta versions of the OS.

  • Custom. Lets you manually configure versions not represented in latest or up-to-date. Here you can specify beta and experimental versions. Adding a specific build/version includes only that build/version. This category is optional and is not automatically updated.

    📘

    If you have selected Custom, make sure the OS Versions tab specifies custom OS values. If no custom values are specified, the device does not match the tier or tag.

When multiple values are selected, a device matches the tier/tag if it is running any of the selected values.
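
The following added example models how the OS Version categories relate to each other and how a multi-value criterion is evaluated. It is an illustration, not Akamai's implementation. The release table, the function names, and the reading of Up-to-date+ as "a later build of a major version whose patched release is Up-to-date" are assumptions.

```python
"""Illustrative model of the OS Version criterion (not Akamai's code)."""

# Constructed sample data: newest fully patched release per supported major
# version, as (major, minor, patch). Treating the first component as the
# major version is a simplification made for this example.
RELEASED = {10: (10, 15, 7), 11: (11, 6, 0)}


def classify(version, released=RELEASED):
    """Return the automatically maintained category of a version, or None."""
    newest_major = max(released)
    latest = released[newest_major]
    if version == latest:
        return "Latest"
    if version > latest:
        return "Latest+"  # later than the newest known release (beta/dev)
    older = {m: v for m, v in released.items() if m != newest_major}
    if version in older.values():
        return "Up-to-date"
    # Assumption: "between up-to-date and latest" is read as a later build
    # of a major version whose patched release is Up-to-date.
    patched = older.get(version[0])
    if patched is not None and version > patched:
        return "Up-to-date+"
    return None  # outdated or unknown build: only Custom can match it


def matches(version, selected, custom=frozenset(), released=RELEASED):
    """A device matches if it satisfies ANY of the selected values."""
    if classify(version, released) in selected:
        return True
    # Custom matches only the exact builds listed; with no custom values
    # configured, Custom never matches.
    return "Custom" in selected and version in custom


if __name__ == "__main__":
    policy = {"Latest", "Up-to-date"}
    for device in [(11, 6, 0), (10, 15, 7), (10, 15, 8), (11, 5, 0)]:
        print(device, classify(device), matches(device, policy))
```

In this model, a policy of Latest plus Up-to-date rejects both the beta build (10, 15, 8) and the unpatched build (11, 5, 0); admitting the beta build requires adding Up-to-date+ or a Custom entry for that exact build.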

Screen Lock

For Android or iOS you can check the status of the device's screen lock.

Select Screen Lock > Enabled as a criterion.