Guide
TrainingSupportCommunity

Configure tiers and tags

Suggest Edits

With tiers and tags you can group together enterprise devices that have the same values for a certain type of signals.
You can then use your tiers and tags in the application access control (ACL) rules that allow you to control the application traffic and protect your data. See Control access to applications.

Anti-malware Profiles

For Windows, macOS, or Ubuntu, with anti-malware profiles, you can collect anti-malware signals that help you to monitor the security posture of enterprise devices. There are two types of anti-malware entries that you may select as values for the Anti-malware Status criterion:

  • Any Vendor. Reports if any anti-malware is installed and considered active on the user's device.

  • Custom. Checks for the specific vendor's anti-malware.

For more information, see Configure an anti-malware profile.

Biometrics

For Android or iOS you can check if the biometric authentication is enabled on the mobile device. Biometrics are features such as fingerprint readers or facial recognition systems.

Select Biometrics > Enabled.

Carbon Black Policy

For Windows, macOS, or Ubuntu you can check if the selected Carbon Black policy is protecting the device.

You can specify the policy name only if previously you had selected the Enabled checkbox in the Integrations tab. For more information, see Integrate with VMware Carbon Black.

Carbon Black Status

For Windows, macOS, or Ubuntu, you can check if the Carbon Black agent is running on the device.

Select Carbon Black Status > Healthy.

You can set this condition only if previously you had selected the Enabled checkbox in the Integrations tab. For more information, see Integrate with VMware Carbon Black.

Certificate Profiles

For Windows, macOS, or Ubuntu, you can configure a tier or tag with this criterion to verify device certificates and identify devices that do not comply with parameters defined in the certificate profile. You may select up to three certificate profiles if they are configured.

For more information, see Configure a certificate profile.

Compromised Device - ETP

For Windows or macOS, you can check if ETP has determined the device to be compromised or not.

Configure Compromised Device - ETP > Not Detected as a criterion.

You can set this condition only if ETP and EAA are both on the same contract.

📘

Device Posture only collects this information from devices running EAA Client.

See Secure Internet Access Enterprise Product guide to learn more about Secure Internet Access Enterprise.

See Collect signals from SIA to learn more about the SIA integration.

Note: SIA integration is not supported on Ubuntu.

CrowdStrike Status

For Windows, macOS, or Ubuntu, you can check if a device's Falcon sensor is regularly communicating with the CrowdStrike cloud.

Configure CrowdStrike Status > Healthy as a criterion.

You can set this condition only if previously you had selected Enabled in Integrations. For more information, see Integrate with CrowdStrike.

Disk Encryption

For Windows, macOS, or Ubuntu, you can check the disk encryption status on the device.

Configure Disk Encryption > Enabled as a criterion.

EAA Client Status

Determines the status of the EAA Client connector running on Windows, macOS, or Ubuntu devices. If it runs, the status is either Healthy or Unhealthy.

This health-check is an indicator of possibly risky devices in the enterprise network.

If the status is Healthy, it means that the EAA Client is communicating with the ​Akamai​ cloud as expected, and providing device posture updates.

If the status is Unhealthy, it means that the EAA Client may have an issue communicating with the ​Akamai​ Cloud, and the device posture signal may not be accurate.

EAA Client Version

For Windows, macOS, or Ubuntu, you can check the EAA Client version running on devices. Latest is the default value.

  • Latest. Represents the most recent fully patched release of the newest major browser version of the EAA Client. This category is automatically updated.

  • Latest+. Represents releases later than the newest known release. This includes later version or build numbers that could be classified as beta or developer releases.

  • Up-to-date. Represents the most recent fully patched releases of all supported major versions (except the latest) of the EAA Client. This category is automatically updated.

  • Up-to-date+. Includes patch releases to the up-to-date version that have not been released to general availability.

  • Custom. Lets you manually configure versions not represented in latest or up-to-date. Here you can specify beta and experimental versions. Adding a specific build/version includes only that build/version. This category is optional and is not automatically updated.

    📘

    If you have selected Custom, make sure that the EAA Client tab specifies EAA Client custom values for desktop devices. If no custom values are specified, the device does not match the tier or tag.

When multiple values are selected, a device satisfies the tier/tag if it is running any of the selected values.

ZT Client Status

Determines the status of the ZT Client running on devices. If it runs, the status is either Healthy or Unhealthy.

This health-check is an indicator of possibly risky devices in the enterprise network.

If the status is Healthy, it means that the ZT Client is communicating with the ​Akamai​ cloud as expected, and providing device posture updates.

If the status is Unhealthy, it means that the ZT Client may have an issue communicating with the ​Akamai​ Cloud, and the device posture signal may not be accurate.

ZT Client Version

For Windows or macOS, you can check the ZT Client version running on devices. Latest is the default value.

  • Latest. Represents the most recent fully patched release of the newest major browser version of the ZT Client. This category is automatically updated.

  • Latest+. Represents releases later than the newest known release. This includes later version or build numbers that could be classified as beta or developer releases.

  • Up-to-date. Represents the most recent fully patched releases of all supported major versions (except the latest) of the ZT Client. This category is automatically updated.

  • Up-to-date+. Includes patch releases to the up-to-date version that have not been released to general availability.

  • Custom. Lets you manually configure versions not represented in latest or up-to-date. Here you can specify beta and experimental versions. Adding a specific build/version includes only that build/version. This category is optional and is not automatically updated.

    📘

    If you have selected Custom, make sure that the ZT Client tab specifies ZT Client custom values for desktop devices. If no custom values are specified, the device does not match the tier or tag.

When multiple values are selected, a device satisfies the tier/tag if it is running any of the selected values.

EAA Client Installed Status

For Windows, macOS, or Ubuntu, you can check if the EAA Client is installed on the device.

Configure EAA Client Status > Installed as a criterion.

ETP Client Installed Status

For Windows or macOS, you can check if the ETP Client is installed on the device.

Configure ETP Client Status > Installed as a criterion.

Firewall Status

For Windows, macOS, or Ubuntu, you can check the firewall status on the device.

To verify the firewall status, you need to configure Firewall Status > Good as a tag or tier criterion.
Depending on the device's operating system (OS), the firewall status refers to different firewall solutions.

  • On macOS, it's the status of the OS built-in firewall. To learn more about the macOS firewall solution, see Firewall security in macOS.
  • On Windows, it's the status of either the Windows firewall—Microsoft Defender Firewall—or any third-party firewall running and reporting to Windows Security Center. To learn more about the Windows firewall solution, see Firewall and network protection in Windows Security.
  • On Ubuntu, Uncomplicated Firewall (UFW) is supported. See UncomplicatedFirewall in Ubuntu documentation. Uncomplicated firewall manages IP table rules. IP table rules can be added independently bypassing Uncomplicated Firewall.

Installed Browser Version

For Windows, macOS, or Ubuntu, you can configure a tag or tier that indicates a required installed browser versions based on the values specified on Application Access > Device Posture > Versions > Installed Browsers tab.

📘

This feature does not verify the browser used for application access.

  • Latest. Represents the most recent fully patched release of the newest major browser version. This category is automatically updated.

  • Latest+. Represents releases later than the newest known release. This includes later version or build numbers that could be classified as beta or developer releases.

  • Custom. Lets you manually configure versions not represented in latest version. Here you can specify beta and experimental versions. Adding a specific build/version includes only that build/version. This category is optional and is not automatically updated.

    📘

    If you have selected Custom, make sure that the Installed Browsers tab specifies custom values for applicable browsers. If no custom values are specified, the device does not match the tier or tag.

When multiple values are selected, a device satisfies the tier/tag if it is running any of the selected values.

For Ubuntu, browsers are detected only if they are installed with dpkg or snap. Other installation methods including moving a binary into the path or manual configuration is not detected.

Dpkg detection is possible for the following:

BrowserPackage name
Google Chromegoogle-chrome-stable
Firefoxfirefox
Chromiumchromium
Operaopera-stable

Snap detection is possible for the following:

BrowserPackage name
Firefoxfirefox
Chromiumchromium
Operaopera

Joined Domains

For Windows, if end-users are registered with an Active Directory domain, and are accessing an application using EAA from a domain joined laptop or machine, you can add it to a tier or tag. This adds the ability to configure joined domains as a criteria inside a device posture rule.

Jailbroken

For Android or iOS you can indicate if a given device is jailbroken or rooted.

Select to your tier or tag rule Jailbroken > Not Detected.

Mobile EAA Client version

For Android or iOS you can check the EAA Client version running on mobile devices. Latest is the default value.

  • Latest. Represents the most recent fully patched release of the newest major browser version of the EAA Client. This category is automatically updated.

  • Latest+. Represents releases later than the newest known release. This includes later version or build numbers that could be classified as beta or developer releases.

  • Custom. Lets you manually configure versions not represented in latest or up-to-date. Here you can specify beta and experimental versions. Adding a specific build/version includes only that build/version. This category is optional and is not automatically updated.

    📘

    If you have selected Custom, make sure that the EAA Client tab specifies EAA Client custom values for mobile devices. If no custom values are specified, the device does not match the tier/tag.

When multiple values are selected, a device satisfies the tier/tag if it is running any of the selected values.

OS Version

On Windows, macOS, or Ubuntu, you can use this condition to detect the OS version running on devices.

Select one or more of the following values:

  • Latest. Represents the most recent fully patched release of the newest major version of an operating system. This category is automatically updated.

  • Latest+. Represents releases later than the newest known release. This includes later version or build numbers that could be classified as beta or developer releases.

  • Up-to-date. Represents the most recent fully patched releases of all supported major versions (except the latest) of the operating system. This category is automatically updated.

  • Up-to-date+. Any OS version that's between up-to-date and latest. For example, if macOS Catalina gets a beta build, it will be covered in up-to-date+, as Big Sur is latest and Catalina is up-to-date.

Select this option if you want to allow your users to use developer/beta versions of the OS.

  • Custom. Lets you manually configure versions not represented in latest or up-to-date. Here you can specify beta and experimental versions. Adding a specific build/version includes only that build/version. This category is optional and is not automatically updated.

    📘

    If you have selected Custom, make sure the OS Versions tab specifies custom OS values. If no custom values are specified, the device does not match the tier or tag.

When multiple values are selected, a device matches the tier/tag if it is running any of the selected values.

Screen Lock

For Android or iOS you can check the status of the device's screen lock.

Select Screen Lock > Enabled as a criterion.

Updated 8 months ago