Device Posture

Device certificate check with Device Posture service

January 23, 2024

Contributed by:

To configure device certificate checks with the Device Posture service, admins must import an issuer certificate from their device. Once a valid issuer certificate is present in the Device Posture service, admins can use device certificate checks as part of device posture policies.

Points to note:
Device Posture service supports only PEM issuer certificate type.

For the device certificate check on Windows, the EPA client on the end device must be installed with administrative rights. For other checks, you do not require the local administrative rights. For details on the supported scans, see Scans supported by device posture.

To install the EPA client with administrative rights on Windows, run the following command in the location where the EPA client plug-in is downloaded.

msiexec /i epasetup.msi

The device certificate check with the Device Posture service does not support the certificate revocation check.
If a device certificate is signed by an intermediate certificate, then you must upload the complete chain containing the root and the intermediate certificates in a single PEM file.
Example: chain.pem

-----BEGIN CERTIFICATE-----
******************************
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
******************************
-----END CERTIFICATE

Upload device certificate

Click Settings on the Device Posture home page.
Click Manage, and then click Import Issue Certificate.
In Certificate Type, select the certificate type. Only the PEM type is supported.
In Certificate File, click Choose Certificate to select the issuer certificate.
Click Open, and then click Import.

Import device certificate

The selected certificate is listed in Settings > Issuer Certificates. You can import multiple certificates.

View imported certificates

Click Settings on the Device Posture home page.
In Issuer Certificates, click Manage.
The Issuer Certificates page lists the imported issuer certificates.

Imported certificate

Install the device certificate on the end device

Windows:

From the Start menu, open Computer Certificate manager.
Ensure that the certificate is installed in Certificates - Local Computer\Personal\Certificates.
- The Intended Purposes must include Client Authentication.
- The Issued By column must match the issuer name configured on the admin GUI.

Install certificate

macOS:

Open Keychain Access and then select System.
Click File > Import items to import the certificate.

The Issued by field must display the certificate issuer name.

Install certificate macOS

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

Device certificate check with Device Posture service

January 23, 2024

Contributed by:

January 23, 2024

Contributed by:

Device certificate check with Device Posture service

Upload device certificate

View imported certificates

Install the device certificate on the end device

In this article