Device Security Guide

Minimum supported client version

The following versions are required for Device Security support:

  • macOS: 1.0.20
  • Windows: 1.0.18
  • Android: 1.0.16
  • iOS: 1.0.20

Twingate enables you to define what it means for a device to be trusted and then incorporate these definitions into Security Policies for your Network or for individual Resources.

Device Security

Twingate supports two categories of device requirements, both of which can be incorporated into Security Policies.

  • Minimum OS Requirements: These requirements identify the minimum device requirements to access Twingate. Using native device posture details from the Twingate desktop and mobile applications, they can require that features such as hard drive encryption and screen lock passwords be enabled.
  • Trusted Profiles: These requirements can be configured for policies requiring additional security. In addition to the native device posture checks, admins can also require a Trust Method. The Trust Method identifies devices that meet a more stringent device verification method.

These requirements are applied at the sign-in level and can also be associated with specific Resource Policies so that only specific devices can be used to access individual Resources.

Configuring Device Security

By default, all platforms are allowed with no native device posture checks.

If specific platforms should not be used to access Twingate, the Minimum OS Requirement for that platform can be set to block the particular OS. If specific platforms should have custom native device posture checks, those can be enabled for each Minimum OS Requirement.

Device posture checks available by platform:

  • Windows: HD Encryption, Screen Lock, Firewall, Antivirus
  • macOS: Screen Lock, Biometric Configuration
  • Linux: Firewall
  • iOS: Screen Lock, Biometric Configuration
  • Android: HD Encryption, Screen Lock, Biometric Configuration, Antivirus

For more information on how device posture checks are collected, see here.

If your organization has specific devices marked as trusted, you can create a Trusted Profile for that platform. Manual Trust is the currently supported Trust Method; it means that the device must be manually selected as Trusted in order to meet this requirement. Additional device posture requirements can be added as well.

Configuring Policies

For sign-in, any device that meets any of the Minimum OS Requirements or Trusted Profiles can be used to access Twingate. Note that the minimum authentication requirements will also need to be met.

To enforce requirements on the devices that can be used to access a specific Resource, you can identify which groups of requirements are needed to satisfy that Resource Policy.

  • Any Device: Any device that meets Device Security requirements will be allowed, including devices that meet either Minimum OS Requirements or Trusted Profiles.
  • Only Trusted Devices: Only devices that meet Trusted Profile requirements will be allowed.
  • Custom: Only devices that meet the specified set of requirements will be allowed.

See the article on Security Policies for more information.
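The sign-in and Resource Policy rules above can be modeled in a few lines to check how a configuration will behave before rolling it out. This is an added illustration, not Twingate code or its API: the class, function and requirement names are assumptions, Custom is read as "meets any one of the selected profiles", and the sample devices are constructed.

```python
# Illustrative model only: names and data shapes are assumptions, not Twingate's API.
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    platform: str
    posture: frozenset = frozenset()   # posture checks the device currently passes
    manually_trusted: bool = False     # an admin marked the device as Trusted

@dataclass(frozen=True)
class Requirement:
    name: str
    platform: str
    kind: str                          # "minimum_os" or "trusted_profile"
    required: frozenset = frozenset()  # posture checks that must pass
    blocked: bool = False              # Minimum OS Requirement set to block the OS

    def met_by(self, d):
        if d.platform != self.platform or self.blocked:
            return False
        trusted_ok = self.kind != "trusted_profile" or d.manually_trusted
        return trusted_ok and self.required <= d.posture

def satisfied(device, reqs):
    return {r.name for r in reqs if r.met_by(device)}

def can_sign_in(device, reqs):
    # Sign-in: meeting any Minimum OS Requirement or Trusted Profile is enough.
    return bool(satisfied(device, reqs))

def can_access(device, reqs, mode, custom=()):
    met = satisfied(device, reqs)
    if mode == "only_trusted":
        met &= {r.name for r in reqs if r.kind == "trusted_profile"}
    elif mode == "custom":  # assumption: any one of the selected profiles suffices
        met &= set(custom)
    elif mode != "any_device":
        raise ValueError(f"unknown mode: {mode}")
    return bool(met)

# Constructed sample configuration: Android blocked except manually trusted devices.
REQS = [
    Requirement("android-min", "Android", "minimum_os", blocked=True),
    Requirement("android-trusted", "Android", "trusted_profile", frozenset({"Screen Lock"})),
    Requirement("macos-min", "macOS", "minimum_os", frozenset({"Screen Lock"})),
]
TEST_PHONE = Device("Android", frozenset({"Screen Lock", "HD Encryption"}), True)
PERSONAL_PHONE = Device("Android", frozenset({"Screen Lock", "HD Encryption"}))
MAC = Device("macOS", frozenset({"Screen Lock"}))
```

In this model the two Android phones have identical posture, and only the manually trusted one can sign in, because the Android Minimum OS Requirement is set to block.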

Common configurations

The following are examples of how you can configure Device Security and Security Profiles.

Scenario: Only allow macOS and iOS, both with basic posture checks

Device Security configuration:

  • Use Minimum OS Requirements to block OS access for Android, Windows, and Linux
  • Configure posture checks in Minimum OS Requirements for macOS and iOS

Security Policies configuration:

  • Create a policy that allows All Devices or a custom setting to just allow the macOS and iOS Minimum OS Requirements profiles

Scenario: Employees' devices are marked as trusted; contractors are not

Device Security configuration:

  • Configure Minimum OS Requirements to match the device posture checks needed for contractors' devices
  • Create Trusted Profiles for the platforms used by employees, ensuring that "Manual Trust" is selected as the Trust Method

Security Policies configuration:

  • Associate Trusted Profiles with the Resources that employees access
  • Associate Minimum OS Requirements with the Resources that contractors access

Scenario: Blocks all Android devices except for test devices

Device Security configuration:

  • Use Minimum OS Requirements to block OS access for Android
  • Create a Trusted Profile for Android, ensuring that "Manual Trust" is selected as the Trust Method and that all test devices are marked as Trusted

Security Policies configuration:

  • Add Android Trusted Profile as an allowed device
