Configure Device Posture profiles

On the Device Posture Signal Configuration page, you can configure the following profiles:

  • Anti-malware
  • Certificate

Configure an anti-malware profile

Anti-malware profiles allow you to configure a set of parameters to verify the presence of active anti-malware software on enterprise devices.

On the Signal Configuration page, under Anti-malware Profiles, you can find all configured anti-malware profiles. With this feature, you can collect anti-malware signals that help you to evaluate the security posture of enterprise devices. There are two types of anti-malware profiles:

  • The Any Vendor profile. This profile can be neither modified nor deleted. It checks if any anti-malware software is installed and considered active on the user's device:

    • On macOS, this corresponds to a preset list of anti-malware software that is detected by the EAA Client.

    • On Windows, this indicates any active anti-malware software registered with Windows Security Center.

  • Custom anti-malware profiles. You can configure a custom anti-malware profile for a specific vendor per operating system to confirm if its software is installed and considered active on the device.

The following is the list of supported vendors that you can select for each of the operating systems. You can set the same or different anti-malware vendor for macOS and Windows.

OS       Vendors
Windows  Avast, AVG, Avira, Bitdefender, Carbon Black, Cisco, CrowdStrike, Cylance, ESET, FireEye, Forti Client, Kaspersky, K7, Malwarebytes, McAfee, Microsoft, Norton, SentinelOne, Quick Heal, Sophos, Symantec, Trend Micro, Webroot, Windows Defender.
macOS    Avast, AVG, Avira, Bitdefender, Carbon Black, CrowdStrike, ESET, Intego, Kaspersky, Malwarebytes, McAfee, Norton, SentinelOne, Sophos, Symantec, Tanium, Trend Micro, Webroot, Cylance, Microsoft Defender.
Ubuntu   Anti-malware products that are managed by systemd and can be queried with the systemctl command are supported (see the service table below). If systemctl is disabled or configured differently, the product is not detected. Version numbers are not captured.

Vendor        systemd service (queried with systemctl)
ESET          esets.service
Sophos        sav-protect.service
ClamAV        clamav-freshclam.service, clamav-daemon.service
Comodo        cmdavd.service
CrowdStrike   falcon-sensor.service
SentinelOne   sentinelone.service
Carbon Black  cbagentd.service

You can apply the N/A (Not Applicable) value for one of the operating systems in your custom anti-malware profile if you don't want to check the anti-malware status of devices with that OS. N/A means that this profile won't be used to check for the presence of active anti-malware software on devices with that operating system. For example, if you want to configure an anti-malware profile only for macOS devices, set the N/A value for the Anti-malware for Windows and Anti-malware for Ubuntu criteria.
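As an added illustration (not EAA Client code), the following POSIX shell functions reproduce the Ubuntu detection rule described above: each vendor is mapped to the systemd units in the table and queried with systemctl is-active, a missing systemctl yields an unknown result rather than a detection, and the Any Vendor and N/A semantics of a profile's Ubuntu criterion are applied on top. The SYSTEMCTL override variable and the rule that a vendor with several units counts as active when any one of them is active are assumptions of this example.

```shell
# Added example, not EAA Client code: mirrors the Ubuntu rule on this page by asking
# systemd whether a vendor's unit is active. SYSTEMCTL (assumed) overrides the binary.
# Vendor -> systemd unit(s), as listed in the table above.
units_for_vendor() {
    case "$1" in
        eset)        echo "esets.service" ;;
        sophos)      echo "sav-protect.service" ;;
        clamav)      echo "clamav-freshclam.service clamav-daemon.service" ;;
        comodo)      echo "cmdavd.service" ;;
        crowdstrike) echo "falcon-sensor.service" ;;
        sentinelone) echo "sentinelone.service" ;;
        carbonblack) echo "cbagentd.service" ;;
        *)           return 1 ;;   # not a supported vendor
    esac
}
# Prints active, inactive or unknown. "unknown" covers the page's caveat that
# nothing is detected when systemctl is unavailable. Assumption: a vendor with
# several units counts as active when any one of them is active.
vendor_status() {
    units=$(units_for_vendor "$1") || { echo "unknown"; return 0; }
    sc="${SYSTEMCTL:-systemctl}"
    command -v "$sc" >/dev/null 2>&1 || { echo "unknown"; return 0; }
    for unit in $units; do
        # `systemctl is-active --quiet UNIT` exits 0 only when UNIT is active.
        if "$sc" is-active --quiet "$unit" 2>/dev/null; then
            echo "active"; return 0
        fi
    done
    echo "inactive"
}
# Any Vendor profile: passes when any supported product is active.
any_vendor_status() {
    for v in eset sophos clamav comodo crowdstrike sentinelone carbonblack; do
        if [ "$(vendor_status "$v")" = "active" ]; then
            echo "active"; return 0
        fi
    done
    echo "inactive"
}
# Ubuntu criterion of a custom profile: "N/A" is never applied, "Any Vendor"
# needs any product active, otherwise the named vendor itself must be active.
profile_result() {
    case "$1" in
        "N/A")        echo "not-applicable" ;;
        "Any Vendor") [ "$(any_vendor_status)" = "active" ] && echo "passed" || echo "failed" ;;
        *)            [ "$(vendor_status "$1")" = "active" ] && echo "passed" || echo "failed" ;;
    esac
}
```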

Note:

You can set up to four additional anti-malware profiles. When you try to create a fifth profile, you receive an error message. In this situation, you have to delete one of the existing profiles (except the Any Vendor profile, which cannot be deleted) before you can create the new anti-malware profile.

  1. In the Enterprise Center navigation menu, select Application Access > Device Posture > Signal Configuration.

  2. Scroll down to Anti-malware Profiles.

  3. In the Any Vendor profile, verify that the Any Vendor value is set for macOS, Windows, or Ubuntu.

  4. To configure an additional anti-malware profile, click Add Anti-malware Profile (+).

The table below contains parameters that you have to configure for each custom anti-malware profile.

Name
    Enter a unique anti-malware profile name.

    You can later select this anti-malware profile by its name and apply it as a value for the Anti-malware Profile tier/tag criterion, and use it to configure application access control rules (ACLs).

Anti-malware for macOS, Windows, or Ubuntu
    Select one of the supported vendors to check whether that vendor's software is active on the device. See the list of supported vendors above.

    You can set the same or a different anti-malware vendor for macOS, Windows, or Ubuntu.

    If you want to configure the custom anti-malware profile for only one of the available operating systems, you can apply the Any Vendor or N/A value for the other operating systems. For example, assume that you want to check the status of Carbon Black software on macOS devices:

      • With Any Vendor set for Windows and Ubuntu, this profile checks for the presence of any active anti-malware software on devices with those operating systems.

      • With N/A (Not Applicable) set for Windows and Ubuntu, this profile is not used to check for the presence of active anti-malware software on devices with those operating systems.

  5. Click Save, and then click Create Anti-malware Profile.

Next steps:
After you create an anti-malware profile, signals collected from devices that have the selected vendor's anti-malware installed are checked against the profile's parameters.

Now you can apply your anti-malware profile as part of the tier and tag configuration to evaluate the security posture of devices, and allow or deny access to applications. See Configure tiers and tags.

Each device in your deployment is now evaluated against every configured anti-malware profile, and you can also use anti-malware profiles as criteria for creating inventory reports. See Create an inventory report.

The device history report provides you with the names of profiles that are met by a particular device. See Create a device history report.

From both inventory and device history reports, you can display the Device Details report where you can find the following information:

  • Anti-malware. Displays the status of the anti-malware software that is installed on the device. The status can be:

    • Active. On macOS, the active status means that Device Posture detected a specific anti-malware program as running on the device. On Windows, the active status means that Device Posture verified that a specific anti-malware program is installed, running and actively protecting the device.

    • Inactive. On macOS, the inactive status is not reported. On Windows, the inactive status means that Device Posture verified that a specific anti-malware program is installed and running but not actively protecting the device.

Note:

With versions of EAA Client earlier than 2.4.0, it is not possible to determine which of the installed anti-malware programs is active. The older versions of EAA Client can only confirm that at least one of the supported anti-malware programs installed on the device is active.

As long as at least one program's status is active, Device Posture marks the Any Vendor profile as passed.

    • Unknown. The status cannot be determined (yellow circle).

      This applies to Windows devices running an EAA Client version earlier than 2.4.0. For those devices it is not possible to determine which of the installed anti-malware programs is active, so they are assigned the unknown status.

      The unknown status is not applicable to macOS devices. As mentioned above, macOS devices don't report the inactive status, so if any anti-malware software is detected on the device, it is always considered active.

  • Anti-malware Profile(s). Displays the list of configured anti-malware profiles and their statuses for the selected device.

    • Passed. Identifies the profiles that are met by the selected device.

    • Failed. Identifies the profiles that aren't met by the selected device.

Configure a certificate profile

Certificate profiles allow you to configure a set of parameters to verify certificates present on a device. After you have defined certificate profiles, you can apply them to the tiers and tags configuration to allow or deny access to applications. Signals collected from enterprise devices can also be monitored in the Device Details report for any device in your system that uses Device Posture.

See Certificates in EAA to learn more about the use of certificates in Enterprise Application Access.

Note:

This feature does not verify that the browser used to access your protected resources presents the certificate specified in a certificate profile. It only verifies that the certificates and related parameters are present on the device.

Prerequisites

Note:

Only external type OCSP servers can be configured as part of a certificate profile.

You only need to configure OCSP if you are going to select the Check Revocation Status (OCSP Server) option when you're configuring the certificate profile.

Certificate requirements:

  • To pass verification, the device certificate must have a private key and be signed by the configured Certificate Authority (CA).

  • EAA Client will verify certificates stored in the following locations on the user's device:

    • macOS: System.keychain located in /Library/Keychains/System.keychain

    • Windows: CERT_SYSTEM_STORE_LOCAL_MACHINE/My located in SystemCertificates. For more information, see the Microsoft guide on System Store Locations.

  1. In the Enterprise Center navigation menu, select Application Access > Device Posture > Signal Configuration.

  2. Go to Certificate Profiles and click Add Certificate Profile (+).
    You may create up to three certificate profiles.

  3. Configure the certificate profile parameters. The table below includes both mandatory and optional parameters. Mandatory parameters are marked with an asterisk.

Certificate profile name*
    Enter a meaningful certificate profile name.

    You can later select the certificate profile by its name in the list of tiers and tags criteria and apply your certificate profile to configure application access control rules (ACLs).

Signed by*
    Select the Certificate Authority (CA) that device certificates must be signed by. Device certificates from the System Store on Windows or the Keychain on macOS are considered for verification by checking whether they are signed by the selected CA.

TPM attested
    On Windows, EAA verifies whether the device certificate is protected by the Trusted Platform Module (TPM). See TPM to learn more.

    This parameter is optional.

Check Revocation Status (OCSP Server)
    Enable this option and select one of the external OCSP servers to check certificate revocation status. Enabling this option activates the drop-down menu from which you select the OCSP server to use for verification.

    This parameter is optional. To enable verification of the OCSP revocation status, you must have previously configured an external OCSP server.

    Certificate profiles configured to use an OCSP server to verify certificate status behave as follows:

      1. If the OCSP server is not reachable, the certificate status is returned as good.

      2. New devices have their certificates verified within approximately 15 minutes.

      3. After the initial successful revocation verification, the certificate status is verified with the configured OCSP server every 6 hours.

Fail Certificate Profile Evaluation when:
    You can enable this feature only if you previously selected the Check Revocation Status (OCSP Server) parameter.

    Select one or both of the following options to increase the authentication assurance level by denying access to users in these cases:

      • OCSP responder is unreachable. Prevents the user from accessing the application when the OCSP server used to validate the certificate is down.

      • OCSP responder returns unknown. Prevents the user from accessing the application when the OCSP server used to validate the certificate can't find the certificate's serial number in its database.

  4. Click Save.

Next steps:
After you create a certificate profile, signals collected from devices on which a matching certificate is installed are checked against the certificate profile parameters.

Now you may apply your certificate profile as a part of tier and tag configuration to evaluate security posture of devices and allow or deny access to applications.

Each device in your deployment is now evaluated against every configured certificate profile, and you can also use certificate profiles as criteria for creating inventory reports. See Create an inventory report and Create an inventory report for devices matching certificate profiles.