Guide

Define versions

Suggest Edits

The Versions page lets you specify the following information about the required OS, browser, and Enterprise Application Access Client versions the user's device.

  • Up-to-date. This parameter represents the most recent fully patched releases of all supported major versions (except the latest). This category is automatically updated and displayed in the OS and EAA Client tabs. For the OS tab, two rules apply:

    • By default, all up-to-date versions are automatically selected. When a new latest version is released, the previous latest version is automatically displayed and selected in the up-to-date versions section. You have to deselect this version if you wish to exclude it.

    • Upgraded up-to-date versions are automatically added to the up-to-date list. For example, when the OS vendor updates the existing Catalina 10.15.7 (19H114) version that you have allowed for users' devices, the newly released version automatically replaces Catalina 10.15.7 (19H114) in the up-to-date list. The new up-to-date version is also automatically selected, which means that all Catalina versions are allowed for users' devices. Also, the device posture calculation is going to be evaluated on the basis of the latest Catalina version.

If an up-to-date version that you have not allowed is updated, the upgraded version that appears on the up-to-date list is not selected.

  • Custom. This parameter lets you manually configure versions not represented in latest or up-to-date. Here you can specify beta and experimental versions. Adding a specific build/version includes only that build/version. This category is optional and is not automatically updated.

📘

For the OS tab, any custom versions entered as a macOS version number are converted to build numbers and populated in the custom field. If you don't want to allow a particular build number, you have to remove it from the Custom field.

  • Grace period. This parameter applies to the latest and up-to-date categories. It is the amount of time allowed for devices in your environment to be upgraded to the most recent release of the relevant major version before they are marked non-compliant. The grace period begins when the most recent release becomes available.

Devices that are denied access to an application because they are not updated by the end of the grace period receive a remediation message.

Information is summarized in the following tabs:

  • OS. Displays the latest, up-to-date, and custom versions of supported operating systems. For desktop devices, you can select/deselect the desired up-to-date versions from the list of versions supported by the respective vendor. You can also configure custom versions by specifying a build number or a set of builds and determine a grace period.

📘

Note:

If you're using Device posture on Ubuntu, automatic detection of OS upgrades is possible only if configured with apt unattended-upgrades package See AutomaticSecurityUpdates in Ubuntu documentation.

  • Installed Browsers. Displays the latest supported installed browser versions. It also lets you specify a grace period and custom versions.

    📘

    This signal tells EAA to check for the presence of installed browsers on the system. It does not check the browser that is used for accessing applications.

  • EAA Client. Displays the latest, up-to-date, and custom EAA Client versions. For desktop devices, you can select/deselect the desired up-to-date versions from the list of versions supported by the respective vendor. You can also configure custom versions by specifying a build number or a set of builds, and specify a grace period.

  • ZT Client. Displays the latest, up-to-date, and custom ZT Client versions. For desktop devices, you can select/deselect the desired up-to-date versions from the list of versions supported by the respective vendor. You can also configure custom versions by specifying a build number or a set of builds, and specify a grace period.

The latest and up-to-date version and build numbers are updated by ​Akamai​ as they become available; you don't need to take any additional action. When a new version is added to the Versions page, the grace period specifies the number of days until the previous version is considered to be out of date. Clients should update by this time in order to be considered to be running the latest version. The default grace period for all versions is set to 180 days.

Updates on the Versions page may affect a device's risk assessment based on the configured risk tiers and tags. For example, consider the following sequence of events:

  • The latest macOS version is 10.15.7 (19H114).

  • The low tier requires the latest macOS version.

  • According to OS Versions, the latest macOS version is updated to 11.0.1 (20B50) with a grace period of five days.

  • After the grace period expires, a device still running 10.15.7 (19H114) is no longer considered a low-tier device.

  • Automatically with the release of 11.0.1 (20B50), the 10.15.7 (19H114) version is added and selected under the up-to-date versions.

📘

For macOS and Windows, all rules are evaluated on the basis of build numbers. The macOS build numbers are displayed in parenthesis and in an alphanumeric format, for example, 19H524. The Windows build numbers are displayed in parenthesis and in a numeric format, for example, 19042.870.

  1. In the Enterprise Center navigation menu, select Application Access > Device Posture > Versions.

  2. In OS, perform the following tasks:

    1. In Up-to-date, for desktop operating systems, you can deselect versions that you don't want to allow for users' devices.

    2. In Custom, enter version numbers for mobile devices and build numbers for desktop devices that you want to allow for users' devices.

For example, to support Windows 7 devices, enter 7601.24511.

The entered value must exactly match the value reported by the device. Both macOS and Windows use the build number for this purpose. The macOS build numbers are displayed in parenthesis and in an alphanumeric format, for example, 19H524. The Windows build numbers are displayed in parenthesis and in a numeric format, for example, 19041.870.

  1. In Grace period, accept the default time of 180 days or specify another value.

  2. In Browser, perform the following tasks:

    1. In Custom, enter browser versions that you want to allow.

    2. In Grace period, accept the default time of 180 days or specify another value.

  3. In EAA Client, perform the following tasks:

    1. In Up-to-date, for desktop operating systems, you can deselect versions that you do not want to allow for users' devices.

    2. In Custom, enter version numbers that you want to allow.

    3. In Grace period, accept the default time of 180 days or specify another value.

  4. Click Save.
    The Save Version Changes dialog appears.
    Device Posture recalculates the impact of version changes and displays the number of devices that match your existing tiers and tags. This also updates the Device Posture dashboard.

  5. Click Save Versions to save changes or Cancel to delete the changes.

Next steps:
You can apply OS, installed browsers, and EAA Client versions, as a part of tier and tag configuration to evaluate the security posture of devices and allow or deny access to applications.

To check versions of EAA Client, installed browsers, and the operating system running on the selected device, go to the Device Details report that can be displayed from the inventory or device history reports.

Updated about 2 years ago