Device-only Resource Policies

Applicability

This policy setting can only be applied to Resource Policies.

Functionality

By default, all Resource Policies include both user authentication requirements and device requirements. Setting a Resource Policy to device-only results in a policy that only checks device requirement rules. Even if a Resource Policy has been set to device-only, the Network Sign In Policy must always include user authentication requirements, and its validity is always checked before Resource access is authorized.

As an example, a device-only policy can be created to allow devices marked as trusted to access a Resource without any additional user authentication requirements, as long as the user is signed in to the Twingate Client and the session is still valid.

To disable user authentication requirements, select the Disable option next to "Authentication Requirements". The screenshot below shows the resulting state. Authentication requirements may be re-enabled in the same configuration screen.

Network Sign In Policy evaluation

As shown in the screenshot above, even when user authentication requirements are disabled for a Resource Policy, the Network Sign In Policy is always enforced and must always include, at a minimum, a user authentication rule. The following rules apply when evaluating a device-only policy:

  • The Network Sign In Policy requirements must be valid and active. In the example above, the Network Sign In Policy is set to a session length of 30 days. This means that the user must have authenticated successfully within the last 30 days and the device requirements must be met for the policy above to authorize user access to a Resource protected by this policy.
  • The Network Sign In Policy session is maintained between restarts unless the user explicitly logs out in the Twingate Client. This means that Resources behind device-only policies are immediately accessible after a machine restart or after re-launching the Twingate Client, as long as the user last authenticated within the Network Sign In Policy session length. This allows both frictionless access to low-risk Resources for users and access to system Resources before an interactive user session is available (see: Windows Start Before Logon).

Note: Resource Policy sessions are never maintained between restarts or Client re-launches, and users must always re-authenticate to access Resources behind standard Resource Policies.
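
The evaluation order described above can be modeled as a small decision function. This is an added example, not Twingate code or a Twingate API: the class, field and function names are hypothetical, the dates are constructed, and the 30-day session length is the one used in the example above.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class ClientState:
    # Hypothetical field names; a constructed model, not Twingate's data model.
    last_network_sign_in: Optional[datetime]  # kept across restarts
    logged_out: bool                          # explicit logout in the Client
    device_meets_requirements: bool
    resource_session_active: bool             # never kept across restarts


def restart(state: ClientState) -> ClientState:
    """Machine restart or Client re-launch: only the Resource Policy session is lost."""
    return replace(state, resource_session_active=False)


def evaluate(device_only: bool, state: ClientState, now: datetime,
             sign_in_session: timedelta = timedelta(days=30)) -> str:
    # 1. The Network Sign In Policy is always checked first.
    signed_in = (not state.logged_out
                 and state.last_network_sign_in is not None
                 and now - state.last_network_sign_in <= sign_in_session)
    if not signed_in:
        return "deny: network sign-in required"
    # 2. Device requirement rules apply to every Resource Policy.
    if not state.device_meets_requirements:
        return "deny: device requirements not met"
    # 3. Only a standard policy also needs a live Resource Policy session.
    if not device_only and not state.resource_session_active:
        return "deny: resource authentication required"
    return "allow"


if __name__ == "__main__":
    now = datetime(2024, 1, 31)  # constructed sample values
    state = restart(ClientState(datetime(2024, 1, 10), False, True, True))
    print("device-only after restart:", evaluate(True, state, now))
    print("standard after restart:   ", evaluate(False, state, now))
```

The model makes the trade-off explicit: for a device-only policy, the only user-level check is the age of the Network Sign In session, so the session length chosen there bounds how long a device that still meets the device requirements keeps access without a fresh authentication.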

Requirements

Device-only policies are only supported with the following minimum Client versions:

Platform              Version
Windows               v1.0.14
macOS                 v1.0.17
Linux                 v1.0.32
iOS                   v1.0.17
Android / ChromeOS    Coming soon

