Use device posture for application access

Device posture is an Enterprise Application Access (EAA) feature where administrators set the security criteria that desktop and mobile devices must meet to access applications in a network. In SIA, you can apply device posture to your application and visibility control (AVC) configuration. As you define user and group exceptions for a blocked application, you can select the device risk level that must apply for users or groups to access a web application or perform an application operation.

Risk tiers or risk levels for device posture are configured in EAA. Tiers contain rules with criteria and values that EAA uses to determine whether a device is a low, medium, or high risk. Administrators define criteria based on desktop or mobile device operating systems. Criteria include browser version, operating system version, firewall status, ETP Client status, ETP Client version, EAA Client status, and more. Administrators select the criteria and define the values for the low and medium tiers. All devices that do not satisfy the criteria for the low or medium tier are considered a high risk and are automatically blocked from accessing applications. To learn more about tiers, see Define risk assessment criteria and About device posture in the Enterprise Application Access guide.

As you configure exceptions to a blocked application or application operation, you can select from these device risk levels:

  • Low Only. Indicates that devices must meet the requirements of the low tier.
  • Low & Medium. Indicates that devices must meet the requirements of the low or medium tiers.

When applying exceptions to a blocked application or application operation:

  • Selected users and groups can access an application or application operation if their device meets the requirements defined for a risk level.
  • If no user or group is selected, all users with devices that meet the risk level requirements are granted access.

Also, note:

  • If the device risk level is ever unknown and a device risk level exception is configured, SIA blocks access to the application or operation.

  • If the device risk level changes after a user authenticates, it takes up to 30 minutes for the new risk level to affect the user’s session.
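The tier assessment and the exception rules above can be read as one access decision: classify the device into a tier, check whether the exception covers the user, then compare the tier with the selected risk level. The following is an added illustration of that decision, not SIA or EAA code; the posture attributes, the thresholds used for the low and medium tiers, and the function and class names are all assumptions made for the example.

```python
"""Model of the device-posture access decision described on this page.

Constructed illustration only. The tier names, the "Low Only" and
"Low & Medium" settings, and the decision rules follow the page text;
the data structures, thresholds and function names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Risk tiers as the page names them. A device that satisfies neither the
# low nor the medium tier's criteria is treated as high risk.
LOW, MEDIUM, HIGH = "low", "medium", "high"

# Risk levels an administrator can select on an exception.
LOW_ONLY = "Low Only"            # device must meet the low tier
LOW_AND_MEDIUM = "Low & Medium"  # device may meet the low or medium tier

ALLOWED_TIERS = {
    LOW_ONLY: {LOW},
    LOW_AND_MEDIUM: {LOW, MEDIUM},
}


@dataclass
class DevicePosture:
    """Simplified posture attributes of one device (assumed fields)."""
    os_version: Tuple[int, int]   # e.g. (14, 2)
    browser_version: int
    firewall_on: bool
    eaa_client_running: bool      # "EAA Client status" criterion


def assess_tier(device: Optional[DevicePosture]) -> Optional[str]:
    """Classify a device as low, medium or high risk.

    Returns None when no posture report exists at all, i.e. the risk level
    is unknown. The thresholds are assumptions for the example, not EAA
    defaults; an administrator defines the real values per tier.
    """
    if device is None:
        return None
    meets_low = (
        device.eaa_client_running
        and device.firewall_on
        and device.os_version >= (14, 0)
        and device.browser_version >= 120
    )
    meets_medium = (
        device.eaa_client_running
        and device.os_version >= (13, 0)
        and device.browser_version >= 110
    )
    if meets_low:
        return LOW
    if meets_medium:
        return MEDIUM
    return HIGH  # fails both tiers: high risk, blocked from applications


@dataclass
class PostureException:
    """An exception to a blocked application or operation (assumed shape)."""
    risk_level: str                          # LOW_ONLY or LOW_AND_MEDIUM
    users: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)


def covers_user(exc: PostureException, user: str, user_groups: Set[str]) -> bool:
    """No user or group selected means the exception applies to everyone."""
    if not exc.users and not exc.groups:
        return True
    return user in exc.users or bool(user_groups & exc.groups)


def decide(exc: PostureException, user: str, user_groups: Set[str],
           tier: Optional[str]) -> str:
    """Return 'allow' or 'block' for a blocked app that has this exception."""
    if not covers_user(exc, user, user_groups):
        return "block"  # the exception does not apply to this user
    if tier is None:
        return "block"  # unknown risk level with an exception configured
    return "allow" if tier in ALLOWED_TIERS[exc.risk_level] else "block"


if __name__ == "__main__":
    # Constructed sample: a finance-only exception that accepts low or medium.
    exc = PostureException(LOW_AND_MEDIUM, groups={"finance"})
    laptop = DevicePosture((14, 2), 121, firewall_on=True, eaa_client_running=True)
    print(decide(exc, "alice", {"finance"}, assess_tier(laptop)))   # allow
    print(decide(exc, "alice", {"finance"}, assess_tier(None)))     # block
```

Note that the 30-minute propagation delay described above is not modelled here: the function evaluates whatever tier it is handed, so a caller that caches tiers would see the same lag the page describes.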

Reporting

Administrators can monitor devices through the Device Posture dashboard and the Device Posture reports in EAA. For more information on the dashboard, see Device Posture dashboard and Device Posture reports in the Enterprise Application Access guide.

In SIA, the threat event and proxy activity reports show the device risk level that’s associated with events or activity. You can filter report data by the device risk level. The Reason dimension also indicates when device posture was configured as an exception for any of the traffic.

SIA device posture requirements

Before you can select device posture risk levels in a policy, your organization must:

  • Have an Enterprise Application Access (EAA) License. Your organization must be licensed for the EAA Enterprise edition.
  • Run EAA Client on user devices. Users need to be running EAA Client on their device. For more information on EAA Client, see About EAA Client in the Enterprise Application Access guide.
  • Configure risk tiers in EAA. Administrators must configure risk tiers in EAA. For more information, see Define risk tiers in the Enterprise Application Access guide.
  • Enable Device Posture in identity providers. To enable device posture, see Enable device posture.
  • Enable the SIA Proxy and authentication in SIA policies.

Enable device posture

Complete this procedure to enable device posture in an identity provider (IdP) configuration. This procedure assumes that you are modifying an existing identity provider where ETP Client is enabled. To add an identity provider, see Add an identity provider.

Before you begin:

To enable device posture:

  1. In the Threat Protection menu of Enterprise Center, select Identity & Users > Identity Providers.

  2. Click the name of the identity provider where you want to enable device posture.

  3. In the Client section, select Enable Device Posture.

  4. Click Save to save your identity provider or click Save and Deploy to both save and deploy the identity provider.

Next Steps:

  1. If you save the IdP without deploying, you can use these options to deploy it.

    • Deploy IdP configuration changes as described in Deploy configuration changes.

    • In the IdP configuration, you can click the icon next to the Ready for Deployment status. A deployment icon also appears next to a failed deployment status in case you need to deploy the IdP again. This action starts the deployment process.

  2. Assign the IdP to a policy. For more information, see Require authentication to access a website or web application.