Configuring Device Checks for Windows Clients

This article describes the step-by-step process to configure Device Checks on endpoint devices per user and user group.

InstaSafe Secure Access (ISA) enables administrators to define rules that check endpoint devices for mandatory compliance requirements. These rules determine whether a device is allowed to connect. As a result, non-compliant endpoints are prevented from accessing corporate resources.

On the ISA web console, administrators can create objects for each type of Device Check.

Currently, the following types of Device Checks can be created:

| Type | Device Check | Check Value | Comments |
|---|---|---|---|
| Antivirus | Antivirus | <Name> | Name of the Antivirus software. For example, Trend Micro |
| Antivirus | AntiVirusStatus | Installed | |
| Antivirus | AntiVirusStatus | UptoDate | |
| Antivirus | AntiVirusStatus | Enabled | |
| Antivirus | SEPLastAVUpdate | <date> | For Symantec Endpoint Protection |
| Anti-Spyware | AntiSpyWare | <Name> | Name of the Anti-spyware software. For example, Kaspersky |
| Anti-Spyware | AntiSpywareStatus | Installed | |
| Anti-Spyware | AntiSpywareStatus | UptoDate | |
| Anti-Spyware | AntiSpywareStatus | Enabled | |
| Firewall | Firewall | <Name> | Name of the firewall software. For example, McAfee |
| Firewall | FirewallStatus | Installed | |
| Firewall | FirewallStatus | Enabled | |
| Domain Join | DomainName | <Name> | Name of the domain. For example, alphatech.local |
| Operating System | OS Version | <version ID> | For example, 10.0.18363 |
| Operating System | ServicePack | Service Pack 4 | For Windows 7 |
| Operating System | HotFix | <KB Name> | For example, KB123456 |

Device Checks of the same type must be configured by creating one Device Check object with multiple values. For example, a Device Check object for the Windows OS version may contain the values 8, 10, or 11. Each value must be separated by the pipe symbol, as in "8|10|11".

Once a Device Check object is created, the object must be added to a user or user group.

When multiple objects are added to a user or user group, the connecting device must meet all the conditions defined in the objects. If the connecting device fails to meet any one of the conditions, the connection will be refused.

A Device Check object can be created with two values separated by the pipe symbol “|” for an OR operation, where either of the conditions must be true.

When multiple Device Check objects are enforced on a user or user group, all the conditions must be true. This means that if one of the checks doesn’t hold true, Device Check will not permit the user to connect the ISA User Agent from that device.
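
The OR-within-an-object and AND-across-objects rules described above, modeled as an added Python example (not InstaSafe code). The `DeviceCheck` class, the `failed_checks` function, the fact dictionary and the case-insensitive exact-match rule are assumptions made for illustration; the `two_objects` case shows why checks of the same type belong in one object.

```python
# Added illustration of the documented AND/OR semantics; not InstaSafe code.
# Assumption: a value matches when it equals a reported fact, ignoring case
# and surrounding whitespace. The agent's real matching rule may differ.
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceCheck:
    rule_name: str    # "Rule Name" field in the console
    check: str        # "Check" field, e.g. "OS Version" or "Antivirus"
    check_value: str  # "Check value" field; "|" separates alternatives

    def alternatives(self):
        # Split on the pipe and drop empty entries such as a trailing "|".
        return {v.strip().lower() for v in self.check_value.split("|") if v.strip()}


def failed_checks(assigned, device_facts):
    """Return the rule names the device fails; an empty list means connect."""
    failures = []
    for obj in assigned:
        reported = device_facts.get(obj.check, [])
        if isinstance(reported, str):
            reported = [reported]
        reported = {r.strip().lower() for r in reported}
        # OR inside one object: any single alternative is enough.
        # In this model a fact the device does not report fails the check.
        if not (obj.alternatives() & reported):
            failures.append(obj.rule_name)
    return failures  # AND across objects: any entry here refuses the connection


# Constructed sample device, keyed by the "Check" names from the table above.
DEVICE = {
    "OS Version": "10",
    "Antivirus": ["Windows Defender"],
    "DomainName": "alphatech.local",
}
one_object = [DeviceCheck("Antivirus", "Antivirus", "Windows Defender|Trend Micro")]
# Same type split into two objects: both must pass, so a device with only
# one of the two products is refused.
two_objects = [
    DeviceCheck("AV Defender", "Antivirus", "Windows Defender"),
    DeviceCheck("AV Trend", "Antivirus", "Trend Micro"),
]
group_policy = one_object + [
    DeviceCheck("Windows Version", "OS Version", "8|10|11"),
    DeviceCheck("Domain", "DomainName", "corp.example"),  # constructed mismatch
]
```

Calling `failed_checks(two_objects, DEVICE)` returns the one rule the device cannot satisfy, while `failed_checks(one_object, DEVICE)` returns an empty list for the same device.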

For more information on Device Check, refer to the KB article, Device Check Explained.


Add a Device Check Object and assign to a user

  1. Log into the ISA web console with administrator credentials.
  2. Navigate to the DEVICES & CHECKS > Device Checks page.
  3. Click on Add.
  4. On the Add device check window, enter the following information:
      1. Rule Name: Enter a name for this object, preferably one that describes the condition defined in the object. For example, Windows Version.
      2. OS: Click the drop-down list to select the operating system. In this example, Microsoft Windows.
      3. Check: Click the drop-down list to select the condition to check for. For example, OS Version.
      4. Check value: Enter the value for the condition defined under Check. For example, 8, 10, or 11. Multiple values can be entered here by separating them with the pipe symbol.
      5. Click Save and Add New.
  5. The new Device Check object has been created.
  6. Navigate to the USERS & GROUPS > Users page.
  7. On the Users page, click on the name of a user to edit it.
  8. Click the Edit button.
  9. Scroll down.
  10. Toggle the Device checks button to enable it.
  11. Click inside the Select device checks box.
  12. From the drop-down list, select the Device Check object.
  13. Click Update at the bottom to save this change.

This user must meet the condition defined in the Device Check object before being able to connect the ISA User Agent successfully.

Add a Device Check Object and assign to a user group

 

  1. Navigate to the DEVICES & CHECKS > Devices page and click the Add button.
  2. On the Add device check window, enter the following information:
      1. Rule Name: Enter a name for this object, preferably one that describes the condition defined in the object. In this example, Antivirus.
      2. OS: Click the drop-down list to select the operating system. In this example, Microsoft Windows.
      3. Check: Click the drop-down list to select the condition to check for. For example, Antivirus.
      4. Check value: Enter the name or names of the antivirus software. In this example, Windows Defender|Trend Micro. Since multiple values are entered, they are separated by the pipe symbol.
      5. Click Save and Add New.
  3. The new object will be listed on the page.
  4. Navigate to the USERS & GROUPS > User Groups page.
  5. Click on the name of a user group listed here.
  6. In the Group details window, click the Edit button.
  7. Toggle the Device checks button to enable it.
  8. Click inside the Select device checks box.
  9. From the drop-down list, select the Device Check objects one by one to add them.
  10. Click Update to save the change.

Users in this group must meet all the conditions defined in the Device Check objects before being able to connect the ISA User Agent successfully. If even one of the conditions is not met, the ISA User Agent connection will fail with a similar error message:



Examples of other Device Check Failures

Domain Name Check Failed

In Domain Check Failed

OS Version Check Failed

Conclusion

Device Check is an effective way to further secure shared resources by forcing the remote end-devices to fulfil certain parameters before remotely accessing them.