Diagnose Device Posture service transactions

Administrators can now diagnose and troubleshoot Device Posture Service transactions effectively. This update enhances troubleshooting capabilities in Citrix Monitor, providing detailed insights into Device Posture policy evaluation, compliance checks, and error diagnostics.

Understanding the Device Posture service evaluation flow

A typical Secure Private Access or VDI app access launch involves the following three stages:

  1. Pre-authentication: A basic endpoint hygiene check is conducted using Device Posture Service. Access is blocked before authentication if a device fails to meet compliance policies.

  2. Authentication: The user is authenticated in this stage. Authentication fails if there are credential mismatches or identity provider errors.

  3. Application access: This stage involves the following two substages:

    • Policy brokering and enumeration stage: When a user’s device context violates policy settings, access to applications is restricted.

    • Application launch stage: The final stage, where an application transaction completes using Citrix Enterprise Browser, Secure Private Access client, or native endpoint client.

Troubleshooting enhancements in Citrix Monitor

With this update, Citrix Monitor provides search-based Device Posture Service troubleshooting, allowing IT teams to:

  • Filter transactions by a user ID or transaction ID for targeted debugging.
  • Analyze policy evaluation outcomes such as whether a device is compliant, non-compliant, or blocked due to policy violations.
  • Pinpoint policy failures by examining detailed compliance checks, expected values, and real-time contextual values.
  • Review device metadata, policy configurations, and logs for deeper diagnostics.
  • Identify failed transactions due to system errors, with error messages linked to knowledge-base articles for quick resolution.

How IT teams can use the troubleshooting enhancement

Triaging Device Posture issues

Search a user-reported transaction ID to locate relevant Device Posture Service logs quickly. Review whether compliance checks passed or failed and determine root causes.

For example, when searching for a transaction ID, you can review the Device Posture check policy outcome—whether it was successful (compliant or non-compliant) or failed due to an error. The system provides the full context of the Device Posture Service evaluation, including client metadata, policy details, and other transaction details.

[Image: Device posture outcome]

Investigating policy-based access blocks

When a device is non-compliant, IT can inspect the exact policy parameters that failed. The system provides side-by-side comparisons of the configured expected value to the device’s real-time data.

[Image: Device posture investigates]

Admins can search for specific parameters in complex environments with multiple policies and verify whether the expected user context is present. The system visually highlights the failing condition if a parameter value mismatch occurs, accelerating root cause identification. Also, admins can navigate through policies to see which ones were evaluated and which ones generated the current transaction outcome.

[Image: Device posture large policy 1]

To troubleshoot large working sets of policy parameters, you can search the parameters and see if the desired user context is present in real time.

[Image: Device posture large policy 2]

For example, searching for the field highlighted in the preceding screenshot returned no results (shown in the following image), suggesting that the parameter value did not match. This mismatch caused the condition result to be false and, because the condition failed, the overall policy outcome to be denied.

[Image: Device posture large policy 3]

Handling transaction failures and errors

If a policy evaluation fails due to a system error, the following details are displayed in Citrix Monitor:

  • Error descriptions with contextual details.
  • Links to troubleshooting documentation, enabling faster resolution.

[Image: Device posture error handling]

Steps to Diagnose Device Posture Service transactions

  1. Copy the transaction ID of the failed or access-denied session from the end-user device.

    [Image: Access denied]

  2. Sign in to Citrix Cloud.
  3. On the DaaS tile, click Manage, and then click the Monitor tab.
  4. Enter the transaction ID in the Search field and click Details.

    [Image: Transaction details]

You can view the transaction summary and the verification details of the configured Device Posture policies. The different values for policy evaluation are compliant, non-compliant, and deny.

Transaction summary

The Transaction Summary page provides the outcome of the Device Posture policy. For compliant, non-compliant, and denied results, the summary includes:

  • Platform: The OS of the client device.
  • Policy name: Name of the Device Posture policy.
  • Evaluation result: Indicates whether the Device Posture policy passed or failed.
  • Device Posture result: Indicates whether the Device Posture outcome is compliant, non-compliant, or denied.
  • Last scanned time: The time when the device was last scanned.

Verify configured policies

The Verify Configured Policies section provides comprehensive details of policy evaluation, including:

  • Reasons for failure.
  • The specific rule that failed.
  • Evidence collected.

This information allows admins to troubleshoot and take appropriate actions based on the policy details.

Device posture policy evaluation process

  1. Policy failure and rule identification:

    • Identify which rule failed and why it failed.
    • Collect evidence related to the failure.
  2. Outcome determination:

    • Depending on the policy evaluation, the outcome can be compliant, non-compliant, or denied.
    • If no policies match, the outcome is “no matching policy.”
  3. Viewing policy details:

    • Admins can view the details of each device policy for a specific transaction ID.
    • Use the backward and forward arrows to navigate through different policies.

    In cases of compliant, non-compliant, and denied results, the Device Posture policy evaluation includes the following information in the Verify Configured Policies section:

    • Policy name: Name of the device policy.
    • ID: The order in which the policy is evaluated.
    • Evaluation result: Indicates whether the Device Posture policy passed or failed.
    • Policy result: Indicates whether the Device Posture outcome is compliant, non-compliant, or denied.
    • Policy Conditions:

      • Type: The device scan type.
      • Condition criteria: The condition to evaluate the policy rule.
      • Expected value: The configured value of the policy condition.
      • Actual value: The evidence collected from the endpoint.
      • Condition result: Indicates whether the condition passed or failed.

Error code

When there is an issue and Device Posture fails to evaluate the policy, the error code is displayed.

If there is a failure, copy the error code and contact Citrix support.

The policy details and error codes simplify the triage and troubleshooting of user issues.

The following table provides the error code, error message, and solution for the error:

| # | Error message                                     | Error code | Action                 |
|---|---------------------------------------------------|------------|------------------------|
| 1 | Failed to read configured policies.               | 0x0050001  | Contact Citrix Support |
| 2 | Failed to evaluate endpoint scans.                | 0x0050002  | Contact Citrix Support |
| 3 | Failed to process policies or expression.         | 0x0050003  | Contact Citrix Support |
| 4 | Failed to save endpoint details.                  | 0x0050004  | Contact Citrix Support |
| 5 | Failed to process scan results from endpoints.    | 0x0050005  | Contact Citrix Support |
| 6 | Failed to read Device Posture mode configuration. | 0x0050006  | Contact Citrix Support |
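
The following is an added example, not Citrix code: a small helper that turns the Verify Configured Policies fields and the error codes above into triage notes for a ticket. The dictionary layout, the `triage` function and the sample values are assumptions made for this example; Citrix Monitor shows these fields in its UI and this is not a Citrix export format or API.

```python
# Added example. Field names mirror the labels on this page; the dict layout
# is an assumption for illustration, not a Citrix export format or API.
ERROR_CODES = {  # copied from the error code table on this page
    "0x0050001": "Failed to read configured policies.",
    "0x0050002": "Failed to evaluate endpoint scans.",
    "0x0050003": "Failed to process policies or expression.",
    "0x0050004": "Failed to save endpoint details.",
    "0x0050005": "Failed to process scan results from endpoints.",
    "0x0050006": "Failed to read Device Posture mode configuration.",
}

def triage(txn):
    """Summarize one transcribed transaction as a list of note lines."""
    code = txn.get("error_code")
    if code:  # the evaluation itself failed, so there is no policy detail
        msg = ERROR_CODES.get(code.lower(), "Unrecognized error code.")
        return [f"ERROR {code}: {msg} Action: Contact Citrix Support"]
    notes = [f"Device Posture result: {txn['device_posture_result']}"]
    # The ID field is the order in which policies were evaluated.
    for pol in sorted(txn.get("policies", []), key=lambda p: p["id"]):
        failed = [c for c in pol["conditions"]
                  if c["condition_result"].lower() == "failed"]
        notes.append(f"[{pol['id']}] {pol['policy_name']}: "
                     f"evaluation {pol['evaluation_result']}, "
                     f"policy result {pol['policy_result']}, "
                     f"{len(failed)} failed condition(s)")
        for c in failed:  # expected vs. actual, side by side
            notes.append(f"    {c['type']} {c['criteria']}: "
                         f"expected {c['expected']!r}, actual {c['actual']!r}")
    return notes

# Constructed sample values, not taken from a real tenant.
SAMPLE = {
    "device_posture_result": "denied",
    "policies": [
        {"id": 2, "policy_name": "example-policy-b", "evaluation_result": "passed",
         "policy_result": "denied", "conditions": [
            {"type": "example-scan-2", "criteria": "equals", "expected": "false",
             "actual": "false", "condition_result": "passed"}]},
        {"id": 1, "policy_name": "example-policy-a", "evaluation_result": "failed",
         "policy_result": "compliant", "conditions": [
            {"type": "example-scan-1", "criteria": "at least", "expected": "10.0.2",
             "actual": "10.0.1", "condition_result": "failed"}]},
    ],
}

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```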