Configure your device posture policy

The Smart Device, Browser and OS subpolicies let you establish additional restrictions for devices registered in the service and evaluate their security posture.

In Smart Device, you can define the following requirements that devices registered in Akamai MFA must meet before they can be used for authentication purposes:

  • In Screen Lock, set the rule that requires users to enable screen lock protection on their registered devices.

    If the device doesn't match this requirement, the user receives a policy violation error.
    Additionally, the user can't authenticate with Akamai MFA and access the protected resources.

  • In Device Attestation, set the rule to ensure that the user's mobile device is not compromised or jailbroken. See iOS DeviceCheck and Android SafetyNet Attestation for more details.

    If the device doesn't match this requirement, the user receives a policy violation error.
    Additionally, the user can't authenticate with Akamai MFA and access the protected resource.

  • In Biometric Lock, set the rule that requires the user to enable biometric lock on their registered device.

    With the biometric rules set, you add biometric verification to the authentication process. The user has to complete the biometric check and then confirm their identity using the phone security key or push notification.

    The user has to complete the biometric verification regardless of whether the phone is locked or unlocked.

    If the device doesn't match the biometric lock subpolicy, the user receives a policy violation error. Additionally, the user can't authenticate with Akamai MFA and access the protected resource.

The Browser subpolicy lets you determine the required and denied browser versions on devices used to access protected applications.
By default, any browser is allowed unless you set a specific policy on that browser. You can specify an individual policy for each of the known browsers: Chrome, Microsoft Edge, Mozilla Firefox, and Safari. For example, you can set Safari > Allow to allow all versions of the Safari browser. If you set Safari > Deny, you deny all versions of that browser. Additionally, you can specify a Minimum version of a particular browser to require that version or later.

For unknown browsers, such as Brave or Internet Explorer, you can set a separate policy to determine if that browser is allowed or denied by using the All Unknown Browsers setting.

If the device doesn't match the browser requirements, the user receives a policy violation error. Additionally, the user can't authenticate with Akamai MFA and access the protected resource.

The OS (operating system) subpolicy lets you determine the required and denied OS versions running on devices used to access protected applications and receive push notifications. By default, any OS is allowed unless you set a specific policy on that OS. You can specify an individual policy for each of the known operating systems: Android, iOS, Linux, macOS, and Windows. For example, you can set Android > Allow to allow all Android OS versions. If you set Android > Deny, you deny all versions of that OS. Additionally, you can specify a Minimum version of a particular OS to require that version or later. For example:

  • To support Android 9.1, enter 9.1

  • To support iOS 14, enter 14

  • To support macOS High Sierra, enter 10.13

  • To support Windows 7, enter 7

For Linux, the browser header reports a generic Linux version that doesn't correspond to any of the Linux distributions. For this reason, the Minimum version setting can't be applied for devices that are running the Linux OS.

For unknown operating systems, such as Windows Phone or Raspberry Pi, you can set a separate policy to determine if that OS is allowed or denied.

If the device doesn't match the OS subpolicy, the user receives a policy violation error. Additionally, the user can't authenticate with Akamai MFA and access the protected resource.
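
The OS subpolicy rules above, modelled as a short Python function to show how the default, Allow/Deny, Minimum version, Linux, and unknown-OS cases interact. This is an added example, not Akamai MFA code: the policy dictionary, the function names, the component-wise version comparison, and denying a device that reports no version are assumptions made for illustration.

```python
# Illustrative model of the OS subpolicy rules described above.
# Not Akamai MFA code: names, data shapes and version comparison are assumptions.
KNOWN_OS = {"Android", "iOS", "Linux", "macOS", "Windows"}

def parse_version(text):
    # '10.13' -> (10, 13), so 10.13 sorts after 10.9 (a float compare would not).
    return tuple(int(part) for part in text.split("."))

def evaluate_os(policy, os_name, os_version=None):
    """Return (allowed, reason) for a device under a constructed policy:
    {"rules": {name: "allow" | "deny" | {"minimum": "x.y"}}, "unknown": "allow" | "deny"}"""
    if os_name not in KNOWN_OS:
        # All unknown operating systems share one separate allow/deny setting.
        return policy.get("unknown", "allow") == "allow", "unknown OS setting"
    rule = policy.get("rules", {}).get(os_name)
    if rule is None:
        return True, "no rule set, allowed by default"
    if rule in ("allow", "deny"):
        return rule == "allow", f"{os_name} > {rule.capitalize()}"
    if os_name == "Linux":
        # The reported Linux version is generic, so a minimum can't be applied.
        raise ValueError("Minimum version can't be applied to Linux")
    if os_version is None:
        return False, "version not reported"  # assumption: fail closed
    ok = parse_version(os_version) >= parse_version(rule["minimum"])
    return ok, f"minimum {rule['minimum']}"

# Constructed sample policy using the minimum versions from the examples above.
SAMPLE_POLICY = {
    "rules": {"Android": {"minimum": "9.1"}, "iOS": {"minimum": "14"},
              "macOS": {"minimum": "10.13"}, "Windows": "deny"},
    "unknown": "deny",
}

if __name__ == "__main__":
    for name, version in [("macOS", "10.9"), ("macOS", "10.15.7"), ("iOS", "14"),
                          ("Linux", None), ("Windows", "10"), ("Windows Phone", "8.1")]:
        print(name, version, evaluate_os(SAMPLE_POLICY, name, version))
```
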

How to

  1. In the Enterprise Center navigation menu, select Multi-factor Authentication > Policies.

  2. On the Policies page, navigate to the policy that you want to edit and click the policy's name to display its settings.
    The policy configuration page displays.

  3. In the sidebar menu, select Smart Device, Browser, and OS to enable editing of these settings.

  4. In Smart Device, enable additional restrictions, such as Biometric Lock or Device Attestation, that must be met by users' devices.

  5. In Browser, allow or deny browser versions on devices used to access the protected applications.

  6. In OS, allow or deny OS versions running on devices used to access the protected applications.

  7. Click Save & Deploy.

    This overwrites and saves your newly added device posture settings configuration.

