Use a device certificate for managed device authentication

Article ID: 191892

Updated On: 05-31-2020

Products

Symantec ZTNA

Issue/Introduction

In many cases, different access or activity policies are assigned to users coming from managed versus unmanaged devices.
A common policy restricts users on unmanaged devices from downloading files or from making changes in specific applications (such as database management consoles or administrative settings).

One way to differentiate between managed and unmanaged devices is to provision each managed device with a device (client) certificate.
This functionality is available in most modern device management solutions (such as JAMF, Intune, AirWatch and others).
Once the devices in your organization are provisioned with a device/client certificate, you can use the Managed Device condition with the Client Certificate option in Secure Access Cloud (SAC) to define access or activity policies for managed versus unmanaged devices.

Resolution

In order to use the device certificate, you must first upload the public key of the certificate authority (or chain) used to issue the device certificates.

Step 1: Upload the public key of the certificate authority, used to issue the device certificates, to SAC.

This step defines which certificates SAC will accept when they are sent from the client. In addition, the CA certificate is used to filter the list of certificates presented to the end user so that only certificates issued by that CA are shown.

   1. Navigate to Settings → Authentication, scroll to the Client Certificate section and click the ‘upload file’ button:



   2. Select the certificate containing the public key of the certificate authority. You should see the certificate field populated (similar to the image below); then click ‘Save’.



Note: The file must be in PEM format.

Step 2: Define a managed device condition in an access policy to require client certificate authentication.

After you have uploaded the CA certificate, you can start using the ‘Client Certificate’ option in the Managed Device condition.

   1. Navigate to the policies page and edit an existing or create a new access policy.
   2. After selecting the entities and applications, scroll to the condition section and click on ‘add condition’:



   3. In the conditions select the ‘managed device’ condition:



   4. Click on the added condition to select the type of authentication:



   5. In the ‘authentication’ modal select ‘Client Certificate’:



   6. Save the policy.

Now all the entities defined in the access policy will be required to present a client certificate when accessing the applications defined in the policy.

Step 3: The end user is prompted for a certificate.

Once the policy is defined, the users it covers will be prompted to present a client certificate issued by the CA in question when they access the applications defined in the policy.

Note: The browser searches for the client certificate in the user’s certificate store; the exact behaviour depends on each browser’s implementation.

   1. Supported browsers are:

       1. Firefox for Windows version 74 or higher.
       2. Firefox for Mac version 75 or higher.
       3. Chrome for Windows version 37 or higher.
       4. Chrome for Mac version 37 or higher.

   2. End-user experience:

       1. When a user browses to an application that requires a client certificate, the browser shows a pop-up prompting the end user to select the relevant certificate.


Note: Only certificates issued by the CA uploaded to SAC in step 1 will be shown in the dialog.

       2. Once the user has provided the certificate, SAC evaluates the certificate’s validity and allows or denies access based on the access policy and on whether the certificate is valid.
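To make the two checks described on this page concrete (Step 1: the uploaded CA file must be a PEM certificate; Step 3: a presented client certificate is accepted only if it chains to that CA and is currently valid), here is an added, self-contained Go example. It is not SAC's own code and does not show how SAC is implemented internally; it uses the standard library's crypto/x509 to build a hypothetical "Example Corp Device CA", issue constructed device certificates (one valid, one expired, one from an unrelated CA), and then runs the same kind of evaluation a gateway performs. All names, serial numbers and validity windows are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// loadPEMCert parses a single PEM "CERTIFICATE" block. DER input, or a PEM
// block of another type (e.g. a private key), is rejected. Run this on the
// CA file before uploading it: it is the "must be PEM" check from Step 1.
func loadPEMCert(data []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(data)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("not a PEM CERTIFICATE block")
	}
	return x509.ParseCertificate(block.Bytes)
}

// CheckDeviceCert returns nil when devicePEM is a client-auth certificate
// that chains to the CA in caPEM and is valid at time now; otherwise it
// returns the reason (unknown issuer, expired, unparsable). This mirrors
// the evaluation described in Step 3 for the certificate a browser presents.
func CheckDeviceCert(caPEM, devicePEM []byte, now time.Time) error {
	ca, err := loadPEMCert(caPEM)
	if err != nil {
		return fmt.Errorf("CA file: %w", err)
	}
	dev, err := loadPEMCert(devicePEM)
	if err != nil {
		return fmt.Errorf("device certificate: %w", err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = dev.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// ---- Constructed test PKI (hypothetical CA and devices, not a real one) ----

// sign issues a certificate from tmpl signed by parent/parentKey, or a
// self-signed one when parent is nil, and returns it with its PEM encoding.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed CA
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

func deviceTemplate(cn string, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
}

// Fixture holds the CA file you would upload plus three device certificates:
// one it issued, one it issued that has expired, and one from an unrelated CA.
type Fixture struct{ ManagedCA, ManagedDev, ExpiredDev, UnmanagedDev []byte }

func BuildFixture() *Fixture {
	now := time.Now()
	ca, caKey, caPEM := sign(caTemplate("Example Corp Device CA"), nil, nil)
	other, otherKey, _ := sign(caTemplate("Unrelated CA"), nil, nil)
	_, _, managed := sign(deviceTemplate("laptop-0001", now.Add(-time.Hour), now.Add(time.Hour)), ca, caKey)
	_, _, expired := sign(deviceTemplate("laptop-0002", now.Add(-48*time.Hour), now.Add(-24*time.Hour)), ca, caKey)
	_, _, unmanaged := sign(deviceTemplate("byod-0001", now.Add(-time.Hour), now.Add(time.Hour)), other, otherKey)
	return &Fixture{caPEM, managed, expired, unmanaged}
}

func main() {
	f, now := BuildFixture(), time.Now()
	fmt.Println("managed device:  ", CheckDeviceCert(f.ManagedCA, f.ManagedDev, now))
	fmt.Println("expired device:  ", CheckDeviceCert(f.ManagedCA, f.ExpiredDev, now))
	fmt.Println("unmanaged device:", CheckDeviceCert(f.ManagedCA, f.UnmanagedDev, now))
	fmt.Println("CA file not PEM: ", CheckDeviceCert([]byte("not pem"), f.ManagedDev, now))
}
```

Only the first call returns nil. The expired certificate fails even though the right CA issued it, and the unmanaged device fails because its issuer is not in the trusted pool, which is exactly why restricting the uploaded file to the device-issuing CA (rather than a broad public root) is what makes the Managed Device condition meaningful.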