Device Posture – Preview
The Device Posture service ensures that the devices meet certain conditions to provide access to the corporate resources through Citrix Workspace such as Citrix DaaS (virtual apps and desktops) and Secure Private Access (SaaS and Web apps, TCP, and UDP apps). To have a zero trust-based framework for remote access, establishing device trust is the key. Device Posture service tries to accomplish zero trust by checking the device for compliance (managed/BYOD and security posture).
How it works
The admin defines device posture policies to determine whether the devices are allowed or denied login and access to resources. Following are the high-level conditions used to classify a device as compliant or non-compliant.
- Compliant devices
  - A device that meets the preconfigured policies when it is used to log in to the company network.
- Non-compliant devices
  - Devices not running on Windows or macOS. In the current release, device posture is supported only with Windows and macOS platforms.
  - No device posture policy is defined for a device, but device posture is enabled.
  - A device that does not match defined policies. In the current release, admins must explicitly configure the deny options for such devices.
- In the current release, Device Posture is supported only with Windows and macOS platforms. When the users log in from other devices, those devices are classified as non-compliant.
- A device is classified as compliant if it meets the preconfigured conditions when it is used to log on to the company network.
- If Device Posture is enabled and no device posture policy is defined for a device, that device is classified as non-compliant.
- A device that fails to meet the conditions is denied access to the company network.
- If a device does not match any of the policies, then it is configured as non-compliant. In the current release, admins must explicitly configure the deny options for such devices.
The classification of “compliant” and “non-compliant” devices is passed on to Citrix DaaS and the Citrix Secure Private Access service, which in turn use the device classification to provide contextual access/smart access. The following figure illustrates a sample use case.
Note:
- The device posture policies must be configured specifically for each platform. For example, for macOS, an admin can allow access for the devices that have a specific OS version. Similarly, for Windows, the admin can configure policies to include a specific authorization file, registry settings, and so on.
- Device posture scans are done only during pre-authentication/before login.
- For definitions of “compliant” and “non-compliant,” see [Definitions](/en-us/citrix-secure-private-access/device-posture.html#definitions).
Scans supported by device posture
Device posture is supported only with Windows version 22.6.1.5 and later and macOS version 22.06.1 and later.
Windows | macOS |
---|---|
OS version check: Time and date last updated and Manual/Automatic update | OS version check |
File supported operations: Exists, and MD5/Hash | File supported operations: Exists, and MD5/Hash |
MAC address check | MAC address check |
Processes that are running | Processes that are running |
Domain check | - |
Registry key setting | - |
Windows Update check | - |
Third-party integration with Device Posture
Device Posture is integrated with Microsoft Endpoint Manager (MEM) on Windows and macOS.
For details on MEM integration configuration, see Microsoft Endpoint Manager integration with Device Posture.
Prerequisites
Sign up here for preview: https://podio.com/webforms/27886155/2183565.
Configure device posture policy
The device posture policy is a combination of expressions/conditions that a device must meet to gain access to the resources. A set of expressions/conditions makes up a policy and a set of policies make up the entire device posture. Each policy is attached with one of the actions namely compliant, non-compliant, and denied login. In addition, each policy is associated with a priority and the policy evaluation stops if a policy evaluates to true and the associated action is taken.
- Sign in to Citrix Cloud, and then select Identity and Access Management from the hamburger menu.
- Click the Device Posture tab, and then click Manage.
  For first-time users, the Device Posture landing page prompts you to create a device posture policy. A device posture policy must be configured individually for each platform. Once you create a device posture policy, it is listed under the appropriate platform.
  A policy comes into effect only after device posture is enabled. To enable device posture, slide the Device posture is disabled toggle in the top-right corner to ON.
- Click Create device policy.
- Enter a name for the policy.
- In Platform, select the platform for which you want to apply a policy.
  Note:
  You can change the platform from Windows to macOS or conversely irrespective of the tab that you selected on the Device Posture home page.
- Add one or more expressions/conditions as per your requirement. You can add qualifiers to some of the expressions as well.
  Note:
  Each platform can have a maximum of 10 policies and each policy can have a maximum of 10 expressions/conditions.
- In Priority, enter the order in which the policies must be evaluated.
  - You can enter a value from 1 through 100. It is recommended that you configure deny policies with higher priority, followed by non-compliant, and finally compliant.
  - Priority with the lower value has the highest preference.
  - Only the policies that are enabled are evaluated based on the priority.
- In Select Rule, select the check that you want to perform as part of Device Posture and select the conditions that must be matched.
- Click Add Rule to create multiple rules. An AND condition is applied on multiple rules.
- In Then the device is: based on the conditions that you have configured, select one of the following.
  - Compliant (full access is granted)
  - Non-compliant (Restricted access is granted)
  - Denied login
- Click Create.
Important:
You must turn the Enable when created toggle switch to ON in the Device Posture home page for the device posture policies to take effect. Before you enable the policies, it is recommended that you ensure that the policies are correctly configured and you are performing these tasks in your test setup.
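The evaluation order this procedure describes, as an added example that is not Citrix code: enabled policies for the device's platform are tried in ascending priority value, the rules inside a policy are ANDed, the first matching policy decides, and an unmatched or unsupported device is classified as non-compliant. The Policy class, the rule functions, and the domain and process names are constructed for illustration.

```python
from dataclasses import dataclass

SUPPORTED_PLATFORMS = {"windows", "macos"}  # per the page, current release

@dataclass
class Policy:
    name: str
    platform: str
    priority: int   # 1-100; the lower value is evaluated first
    action: str     # "compliant", "non-compliant" or "denied login"
    rules: list     # callables device -> bool; all must hold (AND)
    enabled: bool = True

    def __post_init__(self):
        if not 1 <= self.priority <= 100:
            raise ValueError(f"{self.name}: priority must be 1 through 100")

def classify(device: dict, policies: list) -> tuple:
    """Return (classification, name of the deciding policy or None)."""
    if device["platform"] not in SUPPORTED_PLATFORMS:
        return "non-compliant", None
    candidates = sorted(
        (p for p in policies if p.enabled and p.platform == device["platform"]),
        key=lambda p: p.priority)
    for policy in candidates:
        if all(rule(device) for rule in policy.rules):
            return policy.action, policy.name  # evaluation stops at first match
    return "non-compliant", None  # nothing matched

# Constructed rules and device facts (hypothetical names, not Citrix identifiers).
def domain_joined(d): return d.get("domain") == "corp.example"
def blocked_tool_running(d): return "blockedtool.exe" in d.get("processes", ())

def build(deny_priority: int) -> list:
    return [
        Policy("managed-windows", "windows", 20, "compliant", [domain_joined]),
        Policy("deny-blocked-tool", "windows", deny_priority, "denied login",
               [blocked_tool_running]),
    ]

DEVICE = {"platform": "windows", "domain": "corp.example",
          "processes": ["explorer.exe", "blockedtool.exe"]}

if __name__ == "__main__":
    print(classify(DEVICE, build(deny_priority=10)))   # deny policy decides
    print(classify(DEVICE, build(deny_priority=30)))   # compliant policy shadows deny
    print(classify({"platform": "linux"}, build(10)))  # unsupported platform
```

With the deny policy at priority 30, the same device is classified as compliant because the compliant policy at priority 20 matches first, which is why the recommendation is to give deny policies the lowest priority values.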
Edit a device posture policy
You can search for the policy you want to edit under the respective platform in the Device Posture page.
From this page, you can enable, disable, edit, or delete a policy. You can edit all the fields in the policy.
Contextual access based on device posture
After a device passes the device posture verification and is allowed to log in, it is classified as compliant or non-compliant. This information can be used by the Secure Private Access service and Citrix DaaS to provide contextual access.
Important:
The device classification tags must be entered exactly as shown in the following examples for Citrix Secure Private Access and Citrix DaaS respectively. Otherwise, the Device Posture service fails to retrieve the device classification information.
- Citrix Secure Private Access: In the Create Access Policies page, for the Device posture check condition, enter one of the following values in custom tags.
  - Compliant - For compliant devices
  - Non-Compliant - For non-compliant devices
- Citrix DaaS: In the Edit Delivery Group > Access Policy page, enter the value Workspace in Farm. In Filter, enter one of the following values.
  - COMPLIANT - For compliant devices
  - NON-COMPLIANT - For non-compliant devices
End-user flow
Once the device posture policies are set and device posture is enabled, the following is the end-user flow:
- Access the Citrix Workspace URL, https://<your custom workspace URL>. The device posture scans the end device.
- Click Open Link to start the scan.
- If the prompt expires, the users are redirected back to the page that displays the options, Check again and Download plug-in. The user must click Check again.
Device posture results
Based on the device posture policy conditions, three possibilities can occur:
- If the device meets the condition that is qualified to deny access, the following screen is displayed.
- If the device is a compliant device, the user gets unrestricted access.
- If the device is a non-compliant device, the user gets limited access.
Troubleshooting some common errors
Following are typical errors with self-help troubleshooting tips.
- If a scan fails with an unexpected error, the scan displays a transaction ID. Share this ID with your Citrix contact for resolving the issue.
- You can view the logs for possible system errors. If the logs do not help, contact your Citrix contact.
  - %localappdata%\Citrix\EPA\dpaCitrix.txt
  - %localappdata%\Citrix\EPA\epalib.txt
Device Posture service quality
- Performance: Under ideal conditions, the Device Posture service adds 2 seconds of delay during the login. This delay might increase depending on additional configurations such as device certificate and third-party integrations like Microsoft Endpoint Manager (MEM).
- Resiliency: Device Posture service is highly resilient with multiple POPs to ensure that there is no downtime.
Points to note regarding Device Posture configuration
- Custom workspace URLs do not work with the Device Posture service.
- Any changes in the device posture configuration do not take effect immediately. It might take around 10 minutes for the changes to take effect.
- If you have enabled the Service Continuity option in Citrix Workspace and if the Device Posture service is down, users might be unable to sign in to Workspace. This is because Citrix Workspace enumerates apps and desktops based on local cache on the user device.
- If you have configured a long-lived token and password on Citrix Workspace, the device posture scan does not work for this configuration. The devices are scanned only when the users log on to Citrix Workspace.
- If the size of the expressions is large (greater than 2000 bytes), the Windows EPA client displays an error as it does not handle chunked response encoding.
- Only 19 MAC addresses can be configured as part of the MAC address scan.
- More than one expression of type File/Process/Registry is not supported (single expression or across expressions).
- MAC address is case-sensitive and must be configured in the GUI in upper case only.
Definitions
The following are the definitions of the terms “compliant” and “non-compliant” in reference to the Device Posture service.
- Compliant: The device is compliant to the conditions set by the admins using the policy configuration for the device posture scans.
- Non-compliant: The device is non-compliant in reference to the policies that are configured for the device posture scans.