Configure your device posture policy

The Smart Device, Device Location, Network Locations, Browser and OS subpolicies let you establish additional restrictions for devices registered in the service and evaluate their security posture.

In Smart Device, you can define the following requirements that devices registered in ‚ÄčAkamai MFA‚Äč must meet before they can be used for authentication purposes:

  • In Screen Lock, set the rule that requires users to enable screen lock protection on their registered devices.

    If the device doesn't match this requirement, the user receives a policy violation error.
    Additionally, the user can't authenticate with ‚ÄčAkamai MFA‚Äč and access the protected resources.

  • In Device Attestation, set the rule to assure that the user's mobile device is not compromised or jailbroken. See iOS DeviceCheck and Android SafetyNet Attestation for more details.

    If the device doesn't match this requirement, the user receives a policy violation error.
    Additionally, the user can't authenticate with ‚ÄčAkamai MFA‚Äč and access the protected resource.

  • In Biometric Lock, set the rule that requires the user to enable biometric lock on their registered device.

    With the biometric rules set, you add biometric verification to the authentication process. Consequently, the user has to complete the biometric check, and next, confirm their identity using the phone security key or push notification.

    The user has to complete the biometric verification regardless if the phone is locked or unlocked.

    If the device doesn't match the biometric lock subpolicy, the user receives a policy violation error. Additionally, the user can't authenticate with ‚ÄčAkamai MFA‚Äč and access the protected resource.

The Device Location subpolicy lets you configure ‚ÄčAkamai MFA‚Äč to trace the geographical location of the user‚Äôs access device. For users connected using a VPN service, ‚ÄčAkamai MFA‚Äč identifies the VPN location.

To configure the device location access control rules, specify three lists with countries and regions, and assign each of them with one of the following ‚ÄčAkamai MFA‚Äč policies:

  • Enforce. Devices belonging to this group are required to authenticate with ‚ÄčAkamai MFA‚Äč before they can access the protected applications. If the Enforce group is empty, the policy is enforced for all device locations (subject to the Bypass and Deny entries). If the Enforce group has entries, the service enforces ‚ÄčAkamai MFA‚Äč authentication for device locations listed here and denies all others (subject to the Bypass entries).
  • Bypass. The ‚ÄčAkamai MFA‚Äč authentication for devices belonging to this group is skipped. It is not recommended to apply this policy to devices connected to the enterprise network. Use it if you want to omit the secondary authentication in the pre-deployment phase when you‚Äôre still setting up your ‚ÄčAkamai MFA‚Äč service.
  • Deny. Devices belonging to this group are not allowed to authenticate with ‚ÄčAkamai MFA‚Äč and are blocked from accessing the enterprise applications.

The Device Location subpolicy groups devices accessing your protected applications into three different groups on the basis of their geographical location and requires them to comply with the assigned access rule, giving you more granular control over your enterprise resources.

The Network Locations subpolicy lets you configure ‚ÄčAkamai MFA‚Äč to apply actions based on the user‚Äôs network location (CIDRs). For users connected using a VPN service, ‚ÄčAkamai MFA‚Äč gets the VPN IP address.

To configure the access control rules based on the network location of the device accessing your enterprise resources, specify three lists of network locations by entering their CIDRs and assign each of them with one of the following ‚ÄčAkamai MFA‚Äč policies:

  • Enforce. Devices belonging to this group are required to authenticate with ‚ÄčAkamai MFA‚Äč before they can access the protected applications. If the Enforce group is empty, the policy is enforced for all network locations (subject to the Allow and Deny entries). If the Enforce group has entries, the service enforces ‚ÄčAkamai MFA‚Äč authentication for network locations listed here and denies all others (subject to the Allow entries).
  • Allow. The ‚ÄčAkamai MFA‚Äč authentication for devices belonging to this group is skipped. It is not recommended to apply this policy to devices connected to the enterprise network. Use it if you want to omit the secondary authentication in the pre-deployment phase when you‚Äôre still setting up your ‚ÄčAkamai MFA‚Äč service.
  • Deny. Devices belonging to this group are not allowed to authenticate with ‚ÄčAkamai MFA‚Äč and are blocked from accessing the enterprise applications.

This subpolicy arranges devices accessing your protected applications into three different groups on the basis of their network location (CIDRs). Devices, depending on the group that they belong to, are required to comply with the assigned access rule, giving you more granular control over your enterprise resources.

The Browser subpolicy lets you determine the required and denied versions on devices used to access protected applications.
By default, any browser is allowed unless you set a specific policy on that browser. You can specify an individual policy on all known browsers that are the following Chrome, Microsoft Edge, Mozilla Firefox, and Safari. For example, you can set Safari > Allow to allow all versions of the Safari browser. If you set Safari > Deny, you deny all versions of that browser. Additionally, you can specify a Minimum version of a particular browser to require this particular version or later versions.

For unknown browsers, such as Brave or Internet Explorer, you can set a separate policy to determine if that browser is allowed or denied by using the All Unknown Browsers setting.

If the device doesn‚Äôt match the browser requirements, the user receives a policy violation error. Additionally, the user can't authenticate with ‚ÄčAkamai MFA‚Äč and access the protected resource.

The OS (Operating system) subpolicy lets you determine the required and denied OS versions running on devices used to access protected applications and receive push notifications. By default, any OS is allowed unless you set a specific policy on that browser. You can specify an individual policy on all known operating systems that are the following Android, iOS, Linux, macOS, and Windows. For example, you can set Android > Allow to allow all Android OS versions. If you set Android > Deny, you deny all versions of that OS. Additionally, you can specify a Minimum version of a particular OS to require this particular version or later versions. For example:

  • To support Android 9.1, enter 9.1

  • To support iOS 14, enter 14

  • To support macOS High Sierra, enter 10.13

  • To support Windows 7, enter 7.

For Linux, the browser header reports a generic Linux version that doesn't correspond to any of the Linux distributions. For this reason, the Minimum version setting can't be applied for devices that are running the Linux OS.

For unknown operating systems, such as Windows Phone or Raspberry pi, you can set a separate policy to determine if that OS is allowed or denied.

If the device doesn‚Äôt match the OS subpolicy, the user receives a policy violation error. Additionally, the user can't authenticate with ‚ÄčAkamai MFA‚Äč and access the protected resource.

How to

  1. In the Enterprise Center navigation menu, select Multi-factor Authentication > Policies.

  2. On the Policies page, navigate to the policy that you want to edit and click the policy's name to display its settings.
    The policy configuration page displays.

  3. In the sidebar menu, select Smart Device, Device Location, Network Locations, Browser, and OS to enable the edition of these settings.

  4. In Smart Device, enable additional restrictions, such as Biometric Lock or Device Attestation that must be met by users' devices.

  5. In Device Location, click Configure and assign your locations to the Enforce, Bypass and Deny groups. Click Continue to save your settings.

  6. In Network Locations, assign your network locations to the Enforce, Bypass and Deny groups by specifying their IPv4 or IPv6 address ranges in CIDR format.

  7. In Browser, allow or deny browser versions on devices used to access the protected applications.

  8. In OS, allow or deny OS versions running on devices used to access the protected applications.

  9. Click Save & Deploy.

    This overwrites and saves your newly added device posture settings configuration.


Did this page help you?