Limitations for Device Posture support

  1. Auto updates of Operating System (OS)

If you're using Device posture on Ubuntu, automatic detection of OS upgrades is possible only if configured with apt unattended-upgrades package See AutomaticSecurityUpdates in Ubuntu documentation.

  1. Device Certificates

Device certificates are detected for certificate profiles only if they are configured in these two forms:

  • Using the NSS-Shared DB in Linux Cert Management.
    a.The private key must be added as an identity and must show up when you run certutil -d sql:$HOME/.pki/nssdb -K
    b. A certificate must exist with the same alias as the private key from the above command.

  • Certificates are stored as flat files in a directory.
    a. Only $HOME/.certs directory is supported.
    b. Only container formats with these extensions are supported, .p12, .pfx
    c. If the organization manages certs and keys separately, EAA supports the following formats - .key for private keys and .crt for certificates
    d. For private keys, EAA only supports PKCS1 and PKCS8 private keys encoded in PEM format. EAA supports rsa, ecdsa, and ed25519 private keys
    e. For certificates, EAA supports any PEM encoded valid x509 certificate.

  1. SIA integration is not supported.

  2. Anti-malware support

On Ubuntu, anti-malware products that are managed by systemd, and can be queried using systemctl command are supported. Supported systemctl command and systemd services are:

systemctl commandsystemd service
ClamAVclamav-freshclam.service, clamav-daemon.service
  1. Firewall status - On Ubuntu, Uncomplicated Firewall (UFW) is supported. See UncomplicatedFirewall in Ubuntu documentation. Uncomplicated firewall manages IP table rules. IP table rules can be added independently bypassing Uncomplicated Firewall.

  2. Installed browsers - For Ubuntu, browsers are detected only if they are installed with dpkg or snap. Other installation methods including moving a binary into the path or manual configuration is not detected.

Dpkg detection is possible for the following:

BrowserPackage name
Google Chromegoogle-chrome-stable

Snap detection is possible for the following:

BrowserPackage name