Device-only Resource Policies


This policy setting can only be applied to Resource Policies.


By default, all Resource Policies include both user authentication requirements and device requirements. Setting a Resource Policy to device-only results in a policy that only checks device requirement rules. Even if a Resource Policy has been set to device-only, the Network Sign In Policy must always include user authentication requirements, and its validity is always checked before Resource access is authorized.

As an example, a device-only policy can be created to allow devices marked as trusted to access a Resource without any additional user authentication requirements as long as the user is signed in to the Twingate client and the session is still valid.

To disable user authentication requirements, select the Disable option next to "Authentication Requirements". The screenshot below shows the resulting state. Authentication requirements may be re-enabled in the same configuration screen.

Network Sign In Policy evaluation

As shown in the screenshot above, even when user authentication requirements are disabled for a Resource Policy, the Network Sign In policy is always enforced, and must always include a user authentication rule as a minimum. The following rules apply when evaluating a device-only policy:

  • The Network Sign In Policy requirements must be valid and active. In the example above, the Network Sign In Policy is set to a session length of 30 days. This means that the user must have authenticated successfully within the last 30 days and the device requirements must be met for the policy above to authorize user access to a Resource protected by this policy.
  • The Network Sign In Policy session is maintained between restarts unless the user explicitly logs out in the Twingate Client. This means that Resources behind device-only policies are immediately accessible after either machine restart or after re-launching the Twingate Client as long as the user last authenticated within the Network Sign In Policy session length. This allows both frictionless access to low-risk Resources for users and access to system Resources before an interactive user session is available (see: Windows Start Before Logon).

Note: Resource Policy sessions are never maintained between restarts or Client re-launches, and users must always re-authenticate to access Resources behind standard Resource Policies.


Device-only policies are only supported with the following minimum Client versions:











Android / ChromeOS

Coming soon

Did this page help you?