Define versions

The Versions page lets you specify the following information about the required OS, browser, and Enterprise Application Access Client versions the user's device.

• Up-to-date. This parameter represents the most recent fully patched releases of all supported major versions (except the latest). This category is automatically updated and displayed in the OS and EAA Client tabs. For the OS tab, two rules apply:

  • By default, all up-to-date versions are automatically selected. When a new latest version is released, the previous latest version is automatically displayed and selected in the up-to-date versions section. You have to deselect this version if you wish to exclude it.

  • Upgraded up-to-date versions are automatically added to the up-to-date list. For example, when the OS vendor updates the existing Catalina 10.15.7 (19H114) version that you have allowed for users' devices, the newly released version automatically replaces Catalina 10.15.7 (19H114) in the up-to-date list. The new up-to-date version is also automatically selected, which means that all Catalina versions are allowed for users' devices. Also, the device posture calculation is going to be evaluated on the basis of the latest Catalina version.

If an up-to-date version that you have not allowed is updated, the upgraded version that appears on the up-to-date list is not selected.

• Custom. This parameter lets you manually configure versions not represented in latest or up-to-date. Here you can specify beta and experimental versions. Adding a specific build/version includes only that build/version. This category is optional and is not automatically updated.

📘

For the OS tab, any custom versions entered as a macOS version number are converted to build numbers and populated in the custom field. If you don't want to allow a particular build number, you have to remove it from the Custom field.

• Grace period. This parameter applies to the latest and up-to-date categories. It is the amount of time allowed for devices in your environment to be upgraded to the most recent release of the relevant major version before they are marked non-compliant. The grace period begins when the most recent release becomes available.

Devices that are denied access to an application because they are not updated by the end of the grace period receive a remediation message.

Information is summarized in the following tabs:

• OS. Displays the latest, up-to-date, and custom versions of supported operating systems. For desktop devices, you can select/deselect the desired up-to-date versions from the list of versions supported by the respective vendor. You can also configure custom versions by specifying a build number or a set of builds and determine a grace period.

📘

Note:

If you're using Device posture on Ubuntu, automatic detection of OS upgrades is possible only if configured with apt unattended-upgrades package See AutomaticSecurityUpdates in Ubuntu documentation.

• Installed Browsers. Displays the latest supported installed browser versions. It also lets you specify a grace period and custom versions.

  📘

  This signal tells EAA to check for the presence of installed browsers on the system. It does not check the browser that is used for accessing applications.

Relation between the Latest, Grace period, and Custom fields for Installed Browsers.

Browsers have a version format as [Major].[Minor].[Build].[Patch]. For example, if the latest release of Chrome browser version is 137.0.7151.55, then the major is 137, minor is 0, build is 7151, and the patch is 55.

Let us understand how Grace period and Custom is used to control the device posture based on installed browsers.

Let’s consider a major release as 137.x.x.x. After it is released:

• It is updated as the Latest supported version
• The previous major version 136.x.x.x enters a grace period
• After the grace period, all 136.x.x.x versions are blocked unless explicitly added to the custom version or end-user upgrades to the latest version which is 137.x.x.x

📘

Note

Even if a new patch is released for 136.x.x.x after the grace period, it is not considered a complaint unless it is present in the custom version.

Consider the example shown below:

The Latest version of Chrome in the Installed Browsers is 137.0.7151.68. The Grace period is 7 days. The admin has added 136.0.7103.113 and 137.0.7151.40 as custom releases. After the 7 day period, all older versions in 136.x.x.x series except 137.0.7151.40 and 136.0.7103.113 will be blocked.

• EAA Client. Displays the latest, up-to-date, and custom EAA Client versions. For desktop devices, you can select/deselect the desired up-to-date versions from the list of versions supported by the respective vendor. You can also configure custom versions by specifying a build number or a set of builds, and specify a grace period.

• ZT Client. Displays the latest, up-to-date, and custom ZT Client versions. For desktop devices, you can select/deselect the desired up-to-date versions from the list of versions supported by the respective vendor. You can also configure custom versions by specifying a build number or a set of builds, and specify a grace period.

The latest and up-to-date version and build numbers are updated by ​Akamai​ as they become available; you don't need to take any additional action. When a new version is added to the Versions page, the grace period specifies the number of days until the previous version is considered to be out of date. Clients should update by this time in order to be considered to be running the latest version. The default grace period for all versions is set to 180 days.

Updates on the Versions page may affect a device's risk assessment based on the configured risk tiers and tags. For example, consider the following sequence of events:

• The latest macOS version is 10.15.7 (19H114).

• The low tier requires the latest macOS version.

• According to OS Versions, the latest macOS version is updated to 11.0.1 (20B50) with a grace period of five days.

• After the grace period expires, a device still running 10.15.7 (19H114) is no longer considered a low-tier device.

• Automatically with the release of 11.0.1 (20B50), the 10.15.7 (19H114) version is added and selected under the up-to-date versions.

📘

For macOS and Windows, all rules are evaluated on the basis of build numbers. The macOS build numbers are displayed in parenthesis and in an alphanumeric format, for example, 19H524. The Windows build numbers are displayed in parenthesis and in a numeric format, for example, 19042.870.

1. In the Enterprise Center navigation menu, select Application Access > Device Posture > Versions.

2. In OS, perform the following tasks:

   a. In Up-to-date, for desktop operating systems, you can deselect versions that you don't want to allow for users' devices.

   b. In Custom, enter version numbers for mobile devices and build numbers for desktop devices that you want to allow for users' devices.

For example, to support Windows 7 devices, enter 7601.24511.

The entered value must exactly match the value reported by the device. Both macOS and Windows use the build number for this purpose. The macOS build numbers are displayed in parenthesis and in an alphanumeric format, for example, 19H524. The Windows build numbers are displayed in parenthesis and in a numeric format, for example, 19041.870.

c. In Grace period, accept the default time of 180 days or specify another value.

3. In Installed Browsers, perform the following tasks:

a. In Custom, enter browser versions that you want to allow.

b. In Grace period, accept the default time of 180 days or specify another value.

4. In EAA Client, perform the following tasks:

a. In Up-to-date, for desktop operating systems, you can deselect versions that you do not want to allow for users' devices.

b. In Custom, enter version numbers that you want to allow.

c. In Grace period, accept the default time of 180 days or specify another value.

5. Click Save.
   The Save Version Changes dialog appears.
   Device Posture recalculates the impact of version changes and displays the number of devices that match your existing tiers and tags. This also updates the Device Posture dashboard.
6. Click Save Versions to save changes or Cancel to delete the changes.

Next steps:
You can apply OS, installed browsers, and EAA Client versions, as a part of tier and tag configuration to evaluate the security posture of devices and allow or deny access to applications.

To check versions of EAA Client, installed browsers, and the operating system running on the selected device, go to the Device Details report that can be displayed from the inventory or device history reports.