Create a posture check
This guide walks you through creating a new posture check. After you create a check, you must apply it to a service policy to enforce a security requirement on connecting identities.
- MAC address check
- Operating system check
- Process (multi) check
- Windows domain check
- Multi-factor check
MAC address check
This check verifies the physical hardware address of the client device's network interface, restricting access only to devices with approved MAC addresses.
Configuration steps
- From the console, select your network from the dropdown in the left-hand menu.
- Click Posture Checks from the same menu.
- Click the plus icon (+) to create a new posture check.
- Fill in the Required fields:
  - Name: Enter a unique name for the check that describes its purpose (e.g., require-trusted-mac).
  - Select or create posture check attributes: Enter an attribute (e.g., #mac-check) to use when applying this check to a service policy.
  - Type: Select MAC Address Check from the dropdown menu.
- Configure the specific requirements for the MAC Address Check:
  - MAC Addresses: Enter one or more MAC addresses that the client device must possess to pass the check. Use the standard format (e.g., AA:BB:CC:11:22:33).
- (Optional) Toggle Show more options to ON to configure custom tags:
  - Custom tags: Use the Name and Value fields to attach non-functional metadata to the posture check for tracking or inventory purposes.
- Click Save.
Operating system check
This check verifies that the client device is running one of the selected operating systems and, optionally, falls within a specified version range.
Configuration steps
- From the console, select your network from the dropdown in the left-hand menu.
- Click Posture Checks from the same menu.
- Click the plus icon (+) to create a new posture check.
- Fill in the Required fields:
  - Name: Enter a unique name for the check that describes its purpose.
  - Select or create posture check attributes: Enter an attribute to use when applying this check to a service policy.
  - Type: Select Operating System Check from the dropdown menu.
- Select the operating systems: For each required operating system listed, click the toggle switch from NO to YES to enable it. You can select one or more operating systems.
  - Example: If your policy requires access from either a company-issued macOS laptop or a Windows machine, toggle macOS and Windows to YES.
- Define version requirements (Optional): For each operating system you enabled, you can specify version requirements in the following fields. The values entered in these fields are evaluated as valid Semver 2.0 statements, which lets you define acceptable version ranges by major, minor, and patch level. For operating systems without an explicit patch level, the build number is used for validation.
  - Min version: Enter a Semver statement to define the minimum acceptable version or range. The client device must satisfy this requirement (e.g., >=1.2.7).
  - Max version: Enter a Semver statement to define the maximum acceptable version or range. The client device must satisfy this requirement (e.g., <1.3.0 or <2.0.0).
  Note: You can use operators like >=, >, =, <, <=, || and * to create complex version ranges in either field. Semver range examples:
  - To match versions 1.2.7 through 1.2.99: Enter >=1.2.7 in Min version and <1.3.0 in Max version.
  - To match versions 1.2.7 and later: Enter >=1.2.7 in Min version and leave Max version blank.
  - For complex rules like matching 1.2.7, or 1.2.9 up to 2.0.0: Enter the statement 1.2.7 || >=1.2.9 <2.0.0 in the relevant field.
- (Optional) Toggle Show more options to ON to configure custom tags:
  - Custom tags: Use the Name and Value fields to attach non-functional metadata to the posture check for tracking or inventory purposes.
- Click Save.
When to use version requirements
You should use Min version to enforce security updates and patches, ensuring that devices accessing critical services aren't running known vulnerable versions. You might use Max version if a new, unstable operating system version is known to break critical client applications and you want to prevent users from connecting until the software is certified.
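To see how the Min version and Max version fields combine, here is a small Semver range evaluator written for this guide (added example code, not part of the console or its agent). It assumes the operator set listed above (>=, >, =, <, <=, || for OR, whitespace for AND, * for any version, a bare version for an exact match), three-part MAJOR.MINOR.PATCH versions only, and that both fields must be satisfied when both are set.

```python
import re

# Constructed evaluator for the Semver 2.0 range syntax accepted by the
# Min/Max version fields. Assumptions: ">=", ">", "=", "<", "<=" compare,
# "||" is OR, whitespace between comparators is AND, "*" matches anything,
# and a bare version such as "1.2.7" means an exact match.
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")
_TOKEN = re.compile(r"(>=|<=|>|<|=)?\s*(\d+\.\d+\.\d+|\*)")
_COMPARE = {
    ">=": lambda a, b: a >= b, ">": lambda a, b: a > b, "=": lambda a, b: a == b,
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
}


def parse_version(text):
    """Turn '1.2.7' into the comparable tuple (1, 2, 7)."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {text!r}")
    return tuple(int(part) for part in m.groups())


def _clause_matches(version, clause):
    """A clause is comparators joined by whitespace; every one must hold (AND)."""
    tokens = _TOKEN.findall(clause)
    # Reject anything the tokenizer did not fully consume (e.g. '~1.2.3').
    if not tokens or "".join(op + v for op, v in tokens) != "".join(clause.split()):
        raise ValueError(f"unsupported range clause: {clause!r}")
    for op, target in tokens:
        if target != "*" and not _COMPARE[op or "="](version, parse_version(target)):
            return False
    return True


def matches_range(version_text, range_text):
    """True if the version satisfies the range; a blank field matches everything."""
    if not range_text.strip():
        return True
    version = parse_version(version_text)
    # '||' separates alternatives (OR); one satisfied alternative is enough.
    return any(_clause_matches(version, alt) for alt in range_text.split("||"))


def os_version_passes(version_text, min_version="", max_version=""):
    """Model the Operating System Check: both configured fields must be satisfied."""
    return matches_range(version_text, min_version) and matches_range(version_text, max_version)
```

Running the guide's own examples through it: 1.2.50 passes >=1.2.7 with <1.3.0, 1.3.0 does not, and 1.2.8 fails 1.2.7 || >=1.2.9 <2.0.0 while 1.2.7 and 1.9.9 pass.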
Process (multi) check
This check verifies that one or more specific software processes are running on the client device and confirms their authenticity and location. It provides continuous validation that required software (e.g., antivirus, firewall) is running in order for the device to pass the posture check.
Configuration steps
- From the console, select your network from the dropdown in the left-hand menu.
- Click Posture Checks from the same menu.
- Click the plus icon (+) to create a new posture check.
- Fill in the Required fields:
  - Name: Enter a unique name for the check that describes its purpose.
  - Select or create posture check attributes: Enter an attribute to use when applying this check to a service policy.
  - Type: Select Process Check (for a single process) or Process Multi Check (for multiple processes) from the dropdown menu.
- If you selected Process Multi Check, an additional dropdown appears. In the Process multi details semantic dropdown, select the logical operator:
  - AllOf: All configured processes must pass the check for the posture check to succeed.
  - AnyOf: Any one of the configured processes must pass for the posture check to succeed.
- Under Process Details, configure the following for the single process (Process Check) or for each required process (Process Multi Check):
  - Operating System: Select the specific operating system this check applies to.
  - Hashes: Enter one or more cryptographic hash values (e.g., SHA-256) of the executable file. The client device's agent verifies that the running process's hash matches one of the values you provide here, ensuring the file has not been tampered with.
  - Path: Enter the exact file path to the executable on the client device (e.g., /usr/bin/myagent).
  - Fingerprint: Enter the public key fingerprint of the application's code signing certificate. This option uses signer fingerprints (SHA-1 thumbprints) of valid signing certificates to verify the process, proving it was signed by a trusted authority.
- (Optional) Toggle Show more options to ON to configure custom tags:
  - Custom tags: Use the Name and Value fields to attach non-functional metadata to the posture check for tracking or inventory purposes.
- Click Save.
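The following model of the Path and Hashes fields and the AllOf/AnyOf semantic is added example code, not the console's or the agent's implementation. It assumes each Process Details entry is a (Path, allowed Hashes) pair that passes when the file at Path exists and its SHA-256 is on the allowlist; the real agent also checks the running process and the signer fingerprint, which this example leaves out.

```python
import hashlib
import os
import tempfile

# Constructed model of a Process (multi) check. Assumption: an entry is
# (Path, allowed SHA-256 hashes) and passes when the file at Path exists and
# hashes to an allowed value; AllOf/AnyOf combine entries as in the console.


def sha256_of_file(path):
    """SHA-256 hex digest of the executable; this is the value entered under Hashes."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def process_entry_passes(path, allowed_hashes):
    """One Process Details entry: file present at Path and its hash on the allowlist."""
    if not os.path.isfile(path):
        return False
    return sha256_of_file(path).lower() in {h.lower() for h in allowed_hashes}


def multi_check_passes(semantic, entries):
    """Combine entries using the Process multi details semantic (AllOf / AnyOf)."""
    results = [process_entry_passes(path, hashes) for path, hashes in entries]
    if semantic == "AllOf":
        return all(results)
    if semantic == "AnyOf":
        return any(results)
    raise ValueError(f"unknown semantic: {semantic!r}")


def demo():
    """Constructed sample: two stand-in 'executables' in a temp dir, one later modified."""
    workdir = tempfile.mkdtemp()
    av_path = os.path.join(workdir, "antivirus")
    fw_path = os.path.join(workdir, "firewall")
    with open(av_path, "wb") as f:
        f.write(b"antivirus build 1")
    with open(fw_path, "wb") as f:
        f.write(b"firewall build 1")
    entries = [(av_path, [sha256_of_file(av_path)]), (fw_path, [sha256_of_file(fw_path)])]
    before = multi_check_passes("AllOf", entries)
    with open(fw_path, "ab") as f:  # the firewall binary changes after the hash was recorded
        f.write(b" modified")
    return {"AllOf_before": before, "AllOf_after": multi_check_passes("AllOf", entries),
            "AnyOf_after": multi_check_passes("AnyOf", entries)}
```

demo() shows the practical difference between the two semantics: once one binary no longer matches its recorded hash, AllOf fails while AnyOf still passes on the untouched one.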
Windows domain check
This check verifies that the client device is joined to one or more specific Windows domains, which helps confirm the device's organizational trust level.
Configuration steps
- From the console, select your network from the dropdown in the left-hand menu.
- Click Posture Checks from the same menu.
- Click the plus icon (+) to create a new posture check.
- Fill in the Required fields:
  - Name: Enter a unique name for the check that describes its purpose.
  - Select or create posture check attributes: Enter an attribute to use when applying this check to a service policy.
  - Type: Select Windows Domain Check from the dropdown menu.
- Under Windows Domain Details, enter the fully qualified domain names (FQDNs) that the client device must be joined to. Enter each domain name and press Enter or Tab to add it to the list of required domains.
- (Optional) Toggle Show more options to ON to configure custom tags:
  - Custom tags: Use the Name and Value fields to attach non-functional metadata to the posture check for tracking or inventory purposes.
- Click Save.
Multi-factor check
This check verifies that the client device requires multi-factor authentication (MFA) to access the device upon certain events, ensuring strong user identity confirmation. Specifically, this check requires the use of a Time-based One-Time Password (TOTP) application (such as Google Authenticator, Microsoft Authenticator, etc.) to generate and verify a unique, temporary code when the user authenticates.
Configuration steps
- From the console, select your network from the dropdown in the left-hand menu.
- Click Posture Checks from the same menu.
- Click the plus icon (+) to create a new posture check.
- Fill in the Required fields:
  - Name: Enter a unique name for the check that describes its purpose.
  - Select or create posture check attributes: Enter an attribute to use when applying this check to a service policy.
  - Type: Select Multi Factor from the dropdown menu.
- Under Multi Factor Details, configure the following requirements:
  - Timeout (seconds): Set the maximum duration (in seconds) that the device can remain unlocked before MFA is required again. A value of 0 means MFA is required immediately upon the event trigger.
  - Require on Wake: Toggle to Require if the user must perform MFA when the device wakes from sleep or hibernation.
  - Require on Unlock: Toggle to Require if the user must perform MFA when the device is unlocked (e.g., after the screen saver or inactivity).
- (Optional) Toggle Show more options to ON to configure custom tags:
  - Custom tags: Use the Name and Value fields to attach non-functional metadata to the posture check for tracking or inventory purposes.
- Click Save.