Third-party integration with device posture

In addition to its native scans, the Device Posture service can also be integrated with the following third-party solutions on Windows and macOS.

Jamf Pro integration with Device Posture

Jamf Pro, an Apple mobile device management (MDM) software and security provider, helps organizations configure and secure their Apple devices.

Important:

For the Jamf Pro integration with Device Posture to work on iOS devices, administrators must push the Citrix Workspace app from the Jamf Pro portal. For details, see Push the Citrix Workspace app from the Jamf Pro portal.

Configure Jamf Pro integration

Jamf Pro integration configuration is a two-step process.

  1. Establish trust between Citrix Device Posture service and Jamf Pro service.

  2. Configure policies to use Jamf Pro information.

Establish trust between Citrix Device Posture service and Jamf Pro service

Perform the following steps to establish trust between Citrix Device Posture service and Jamf Pro service.

  1. Sign in to Citrix Cloud, and then select Identity and Access Management from the menu.
  2. Click the Device Posture tab, and then click Manage.
  3. Click the Integrations tab.

    [Screenshot: Jamf integration connect]

    Note:

    Alternatively, customers can navigate to the Device Posture option on the left navigation pane of the Secure Private Access service GUI, and then click the Integrations tab.

  4. Click the ellipsis button in the Jamf Pro box, and then click Connect. The Configure Jamf Pro Integration pane appears.
  5. Enter the client ID, client secret, and Jamf Pro URL and then click Save.

    Note:

    • You can obtain the API client ID from the Jamf Pro portal.
    • Ensure that you select the Read Computers and Read Mobile Devices scopes with read permissions for establishing the trust.
    • The Jamf Pro URL is provided by Jamf for each customer account. The Jamf Pro URL is in the format https://<organization name>.jamfcloud.com.

The integration is considered successful after the status changes from Not Configured to Configured.

If the integration is not successful, the status appears as Pending. You must click the ellipsis button, and then click Reconnect.

Configure device posture policies

  1. Click the Device Scans tab and select the platform (macOS/iOS) for which this policy is created.
  2. Click Create device policy.

    [Screenshot: Jamf integration policy configuration]

  3. In Policy rules, select Jamf Pro.
  4. Select a condition, and then select the values to be matched.
    • Auto Enrolled - To check if the Apple device is automatically enrolled into the Jamf system during the initial setup.
    • Managed - To check if the device is managed by Jamf Pro.
    • Time Since Last Contacted - Applicable for macOS only. To check the time (in minutes) since the device last communicated with the Jamf Pro server.
    • Time Since Last Inventory Updated - Applicable for iOS only. To check the time (in minutes) since the device last communicated with Jamf Pro to update its inventory data.
  5. Click + to add additional qualifiers.

    Note:

    You can use this rule with other rules that you configure for Device Posture.

  6. In Policy result, based on the conditions that you have configured, select one of the following.

    • Compliant
    • Non-compliant
    • Denied login
  7. Enter the name for the policy and set the priority.
  8. Click Create.

Push Citrix Workspace app from Jamf Pro portal to iOS devices

For the Jamf Pro integration to work with Device Posture on iOS devices, admins must push the Citrix Workspace app from the Jamf Pro portal to the iOS devices. Perform the following steps:

  1. Sign in to your Jamf Pro MDM.
  2. Add the Citrix Workspace app that you want to manage.
  3. Link the app in the App store.
  4. Create an app configuration policy for the app.
  5. Add the following XML to the app configuration.

    <dict>
        <key>UDID</key>
        <string>$UDID</string>
    </dict>

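A malformed app configuration fragment is easy to miss in the Jamf Pro form, so the following added example (not Citrix or Jamf code) parses the `<dict>` fragment shown above with Python's standard `plistlib` and confirms that the `UDID` key carries the `$UDID` payload variable. Wrapping the fragment in a `<plist>` root is done here only because `plistlib` requires a plist header; the `REQUIRED` mapping and the `check_app_config` helper are assumptions introduced for this check.

```python
import plistlib
from xml.parsers.expat import ExpatError

# The app configuration fragment as entered in the Jamf Pro app configuration field.
APP_CONFIG_FRAGMENT = """<dict>
    <key>UDID</key>
    <string>$UDID</string>
</dict>"""

# Key the Citrix Workspace app expects, and the Jamf payload variable it must carry
# (assumed mapping for this example, taken from the fragment above).
REQUIRED = {"UDID": "$UDID"}


def parse_fragment(fragment: str):
    """Parse a bare <dict> fragment by wrapping it in a plist root so plistlib accepts it."""
    wrapped = ('<?xml version="1.0" encoding="UTF-8"?>'
               '<plist version="1.0">' + fragment + '</plist>')
    return plistlib.loads(wrapped.encode("utf-8"))


def check_app_config(fragment: str) -> list:
    """Return a list of problems found in the fragment; an empty list means it is acceptable."""
    problems = []
    try:
        cfg = parse_fragment(fragment)
    except (ExpatError, plistlib.InvalidFileException, ValueError) as exc:
        # Unbalanced tags, a <key> without a value, or a rejected header all end up here.
        return ["not well-formed plist XML: %s" % exc]
    if not isinstance(cfg, dict):
        return ["top-level element must be a <dict>"]
    for key, value in REQUIRED.items():
        if key not in cfg:
            problems.append("missing key %s" % key)
        elif cfg[key] != value:
            problems.append("%s must be the Jamf variable %s, got %r" % (key, value, cfg[key]))
    return problems
```

Run `check_app_config(APP_CONFIG_FRAGMENT)` before pasting the fragment into the policy: it returns an empty list for the fragment above, and a one-line description of the defect when the key is missing, the value is a literal instead of the `$UDID` variable, or the XML does not parse.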

Microsoft Intune integration with Device Posture

Microsoft Intune classifies a user’s device as compliant or registered based on its policy configuration. During user login into Citrix Workspace, device posture can check with Microsoft Intune about the user’s device status and use this information to classify the devices within Citrix Cloud as compliant, non-compliant (partial access), or even deny access to the user login page. Services like Citrix DaaS and Citrix Secure Private Access in turn use device posture’s classification of devices to provide contextual access (Smart Access) to virtual apps and desktops, and SaaS and Web apps respectively.

Important:

The Device Posture administrator must use an Intune account with the “Global Administrator” role to configure the Intune integration.

Configure Microsoft Intune integration

Intune integration configuration is a two-step process.

  1. Integrate device posture with Microsoft Intune service. This is a one-time activity that you do to establish trust between Device Posture and Microsoft Intune.

  2. Configure policies to use Microsoft Intune information.

Integrate device posture with Microsoft Intune

  1. To access the Integrations tab, use one of the following methods:
    • Access the URL https://device-posture-config.cloud.com on your browser, and then click the Integrations tab.
    • Secure Private Access customers - On the Secure Private Access GUI, on the left side navigation pane, click Device Posture, and then click the Integrations tab.

    [Screenshot: MEM integration not connected]

  2. Click the ellipsis button, and then click Connect. The admin is redirected to Azure AD to authenticate.

    [Screenshot: MEM integration permissions]

The following table lists the Microsoft Intune API permissions for integration with the Device Posture service.

API name         Claim value                              Permission name                Type
Microsoft Graph  DeviceManagementManagedDevices.Read.All  Read Microsoft Intune devices  Application
Microsoft Graph  DeviceManagementServiceConfig.Read.All   Read Microsoft Intune devices  Application

After the integration status changes from Not Configured to Configured, admins can create a device posture policy.

If the integration is not successful, the status appears as Pending. You must click the ellipsis button, and then click Reconnect.

Configure device posture policies

  1. Click the Device Scans tab and then click Create device policy.

    [Screenshot: MEM integration policy configuration]

  2. Enter the name for the policy and set the priority.
  3. Select the platform for which this policy is created.
  4. In Policy rules, select Microsoft Endpoint Manager.
  5. Select a condition, and then select the MEM tags to be matched.
    • For Matches any of, an OR condition is applied.
    • For Matches all of, an AND condition is applied.

    Note:

    You can use this rule with other rules that you configure for device posture.

  6. In Then the device is:, based on the conditions that you have configured, select one of the following.

    • Compliant (full access is granted)
    • Non-compliant (Restricted access is granted)
    • Denied login

For more details about creating a policy, see Configure device posture policy.

CrowdStrike integration with Device Posture

CrowdStrike Zero Trust Assessment (ZTA) delivers security posture assessments by calculating a ZTA security score from 1 to 100 for each end device. A higher ZTA score means that the posture of the end device is better.

Citrix Device Posture Service can enable contextual access (Smart Access) to Citrix Desktop as a Service (DaaS) and Citrix Secure Private Access (SPA) resources by using the ZTA score of an end device.

Device Posture administrators can use ZTA score as part of policies and classify the end devices as compliant, non-compliant (partial access), or even deny access. This classification can in turn be used by organizations to provide contextual access (Smart Access) to virtual apps and desktops, and SaaS and Web Apps. ZTA score policies are supported for Windows and macOS platforms.

Configure CrowdStrike integration

CrowdStrike integration configuration is a two-step process.

  1. Establish trust between Citrix Device Posture service and CrowdStrike ZTA service. This is a one-time activity.

  2. Configure access policies. The access policies use the CrowdStrike ZTA score as a rule to provide smart access to Citrix DaaS and Citrix Secure Private Access resources.

Establish trust between Citrix Device Posture service and CrowdStrike ZTA service

Perform the following steps to establish trust between Citrix Device Posture service and CrowdStrike ZTA service.

  1. Sign in to Citrix Cloud, and then select Identity and Access Management from the hamburger menu.
  2. Click the Device Posture tab, and then click Manage.
  3. Click the Integrations tab.

    [Screenshot: CrowdStrike integration connect]

    Note:

    Alternatively, customers can navigate to the Device Posture option on the left navigation pane of the Secure Private Access service GUI, and then click the Integrations tab.

  4. Click the ellipsis button in the CrowdStrike box, and then click Connect. The CrowdStrike Falcon Insight XDR integration pane appears.
  5. Enter the client ID and client secret and then click Save.

    Note:

    • You can obtain the ZTA API client ID and client secret from the CrowdStrike portal (Support and resources > API clients and keys).
    • Ensure that you select the Zero Trust Assessment and Host scopes with read permissions for establishing the trust.

The integration is considered successful after the status changes from Not Configured to Configured.

If the integration is not successful, the status appears as Pending. You must click the ellipsis button, and then click Reconnect.

Configure device posture policies

Perform the following steps to configure policies to use the CrowdStrike ZTA score as a rule to provide smart access to Citrix DaaS and Citrix Secure Private Access resources.

  1. Click the Device Scans tab and then click Create device policy.

    [Screenshot: CrowdStrike integration policy configuration]

  2. Select the platform for which this policy is created.
  3. In Policy Rule, select CrowdStrike.
  4. For the Risk Score qualifier, select the condition, and then enter the risk score.
  5. Click + to add a qualifier that checks if the CrowdStrike Falcon sensor is running.

    Note:

    You can use this rule with other rules that you configure for device posture.

  6. In Policy result, based on the conditions that you have configured, select one of the following.

    • Compliant
    • Non-compliant
    • Denied login

    [Screenshot: CrowdStrike integration policy action]

  7. Enter the name for the policy and set the priority.
  8. Click Create.
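The three policy procedures on this page (Jamf Pro conditions, Microsoft Intune tag matching with "Matches any of" / "Matches all of", and the CrowdStrike ZTA score plus Falcon sensor qualifier) all feed the same Compliant / Non-compliant / Denied login result. The Python model below is an added example, not Citrix code, that shows how those qualifiers compose inside one policy and how the priority ordering selects the result. The `Device` record shape, the policy names and the device samples are constructed for the example; evaluating policies in ascending priority and stopping at the first match, and returning `None` when no policy applies, are assumptions, since the page does not state the tie-break or the no-match default.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

COMPLIANT, NON_COMPLIANT, DENIED_LOGIN = "Compliant", "Non-compliant", "Denied login"


@dataclass
class Device:
    """Posture signals for one endpoint (constructed sample shape, not a Citrix or vendor API)."""
    platform: str                                   # "Windows", "macOS" or "iOS"
    jamf_managed: bool = False                      # Jamf Pro: Managed
    jamf_auto_enrolled: bool = False                # Jamf Pro: Auto Enrolled
    jamf_last_contact: Optional[datetime] = None    # Jamf Pro (macOS): last contact with the server
    jamf_last_inventory: Optional[datetime] = None  # Jamf Pro (iOS): last inventory update
    intune_tags: frozenset = frozenset()            # Intune/MEM tags, e.g. "compliant", "registered"
    zta_score: Optional[int] = None                 # CrowdStrike ZTA score, 1..100
    falcon_sensor_running: bool = False             # CrowdStrike Falcon sensor state


Rule = Callable[[Device, datetime], bool]


@dataclass
class Policy:
    priority: int   # assumption: lower number is evaluated first
    name: str
    platform: str   # a policy only applies to devices of the platform it was created for
    rule: Rule
    result: str     # COMPLIANT, NON_COMPLIANT or DENIED_LOGIN


# Jamf Pro qualifiers
def jamf_managed_is(expected: bool) -> Rule:
    return lambda dev, now: dev.jamf_managed == expected


def jamf_auto_enrolled_is(expected: bool) -> Rule:
    return lambda dev, now: dev.jamf_auto_enrolled == expected


def jamf_contacted_within(max_minutes: int) -> Rule:
    """Time Since Last Contacted (macOS) or Time Since Last Inventory Updated (iOS)
    must be at most max_minutes; a device that never reported fails the check."""
    def rule(dev: Device, now: datetime) -> bool:
        stamp = dev.jamf_last_contact if dev.platform == "macOS" else dev.jamf_last_inventory
        return stamp is not None and (now - stamp) <= timedelta(minutes=max_minutes)
    return rule


# Microsoft Intune (MEM tag) qualifiers
def intune_matches_any(*tags: str) -> Rule:
    """'Matches any of': OR over the selected tags."""
    wanted = frozenset(tags)
    return lambda dev, now: bool(dev.intune_tags & wanted)


def intune_matches_all(*tags: str) -> Rule:
    """'Matches all of': AND over the selected tags."""
    wanted = frozenset(tags)
    return lambda dev, now: wanted <= dev.intune_tags


# CrowdStrike ZTA qualifiers
def zta_score_at_least(threshold: int) -> Rule:
    return lambda dev, now: dev.zta_score is not None and dev.zta_score >= threshold


def falcon_sensor_is(expected: bool) -> Rule:
    return lambda dev, now: dev.falcon_sensor_running == expected


def all_of(*rules: Rule) -> Rule:
    """Qualifiers added with + inside one policy must all hold."""
    return lambda dev, now: all(r(dev, now) for r in rules)


def evaluate(dev: Device, policies: list, now: datetime) -> Optional[str]:
    """Result of the first matching policy for the device's platform, walking the
    policies in ascending priority; None when nothing matches (both assumptions)."""
    for pol in sorted(policies, key=lambda p: p.priority):
        if pol.platform == dev.platform and pol.rule(dev, now):
            return pol.result
    return None


NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)   # constructed evaluation time


def minutes_ago(n: int) -> datetime:
    return NOW - timedelta(minutes=n)


# Constructed policy set mirroring the qualifiers of the three integrations.
POLICIES = [
    Policy(1, "mac-jamf-recent", "macOS",
           all_of(jamf_managed_is(True), jamf_contacted_within(1440)), COMPLIANT),
    Policy(2, "mac-jamf-stale", "macOS", jamf_managed_is(True), NON_COMPLIANT),
    Policy(3, "mac-unmanaged", "macOS", jamf_managed_is(False), DENIED_LOGIN),
    Policy(1, "win-intune-compliant", "Windows",
           intune_matches_all("compliant", "registered"), COMPLIANT),
    Policy(2, "win-zta-high", "Windows",
           all_of(zta_score_at_least(80), falcon_sensor_is(True)), COMPLIANT),
    Policy(3, "win-zta-medium", "Windows",
           all_of(zta_score_at_least(50), falcon_sensor_is(True)), NON_COMPLIANT),
    Policy(4, "win-no-sensor", "Windows", falcon_sensor_is(False), DENIED_LOGIN),
]


def classify(dev: Device) -> Optional[str]:
    return evaluate(dev, POLICIES, NOW)
```

The ordering matters: a Windows device with a high ZTA score but a stopped Falcon sensor never reaches the Compliant policy, because that policy combines the score qualifier with the sensor qualifier, and falls through to the Denied login policy; a macOS device that is managed but has not contacted Jamf Pro within the configured window lands on the Non-compliant policy. An iOS device with no policy created for its platform yields `None`, which is the case an administrator should make sure does not exist in a real configuration.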