MDM Posture Checks for Prisma Access Agent
Learn how MDM posture checks use real-time device compliance data from your MDM to
authorize or block Prisma Access Agent tunnel connections.
Where Can I Use This?
- Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
- Prisma Access license with the Mobile User subscription
- Minimum Prisma Access Agent version: 26.2
- Windows 10 and later desktop devices
- Contact your Palo Alto Networks account representative to activate this feature
MDM posture checks let you use device compliance data from your mobile device management
(MDM) solution as the authoritative source for Prisma® Access Agent tunnel
authorization.
How It Works
The Endpoint Manager will integrate directly with MDM solutions like Microsoft Intune to
query device attributes at predefined polling intervals. Upon successful user
authentication, the Prisma Access Agent performs predefined device authorization checks
against Microsoft Intune to determine whether to allow or block the tunnel to Prisma
Access. Tunnel establishment to NGFW or Prisma Access gateways is only allowed if the
endpoint meets all of the following criteria:
- It is registered with and actively managed by the MDM.
- It is compliant with the MDM-defined posture assessment profiles.
- It is being used to access the network by the employee to whom it is assigned.
If a device is not enrolled or falls out of compliance, the Prisma Access Agent will
block tunnel establishment, tear down any active tunnels, clear its gateway
configuration, and notify the user of the non-compliant status.
The Endpoint Manager will continue to monitor device posture and enforce access
dynamically based on device state changes, network changes, or at predefined
frequencies. This gives your security team a single source of truth for device
compliance rather than maintaining parallel policies in the MDM and in Host Information
Profile (HIP) checks.
Prisma Access automatically handles API throttling responses from the MDM vendor and
retries failed requests, so temporary MDM API errors do not require manual
intervention.
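The decision flow described above (query the MDM, retry on throttling, evaluate the three criteria, then enforce by allowing the tunnel or tearing it down, clearing gateway configuration and notifying the user) can be written out as a small model. The following is an added illustration, not Prisma Access Agent or Endpoint Manager code: the device records are constructed sample data, the field names (`managementAgent`, `complianceState`, `userPrincipalName`) are borrowed from the shape of Microsoft Graph's managedDevice resource as an assumption about what an Intune query returns, and the throttling behaviour is simulated with a query function that rejects its first N calls.

```python
import time
from dataclasses import dataclass, field

# Constructed sample of what an MDM query might return, keyed by device ID.
# Field names follow Microsoft Graph's managedDevice shape (assumption made
# for illustration; the page does not describe the real query or schema).
SAMPLE_MDM_RECORDS = {
    "dev-001": {"managementAgent": "mdm", "complianceState": "compliant",
                "userPrincipalName": "alice@example.com"},
    "dev-002": {"managementAgent": "mdm", "complianceState": "noncompliant",
                "userPrincipalName": "bob@example.com"},
    "dev-003": {"managementAgent": "mdm", "complianceState": "compliant",
                "userPrincipalName": "carol@example.com"},
    # dev-004 is deliberately absent: it is not enrolled in the MDM at all.
}


class Throttled(Exception):
    """Raised by the query when the MDM API answers with a throttling response."""
    def __init__(self, retry_after: float):
        super().__init__(f"throttled, retry after {retry_after}s")
        self.retry_after = retry_after


def make_throttled_query(records, throttle_first_n):
    """Simulated MDM query that throttles its first N calls, then succeeds."""
    calls = {"n": 0}

    def query(device_id):
        calls["n"] += 1
        if calls["n"] <= throttle_first_n:
            raise Throttled(retry_after=0.01)  # tiny Retry-After keeps the demo fast
        return records.get(device_id)          # None: device unknown to the MDM
    return query


def fetch_with_retry(query, device_id, max_attempts=5, sleep=time.sleep):
    """Query the MDM, backing off on throttling (honour Retry-After, then double)."""
    delay = 0.0
    for attempt in range(1, max_attempts + 1):
        try:
            return query(device_id)
        except Throttled as exc:
            if attempt == max_attempts:
                raise RuntimeError(
                    f"MDM query for {device_id} still throttled after {attempt} attempts") from exc
            delay = max(exc.retry_after, delay * 2)
            sleep(delay)


@dataclass
class Decision:
    allow: bool
    reason: str


def authorize_tunnel(record, authenticated_user):
    """Apply the three criteria: enrolled/managed, compliant, used by its assigned user."""
    if record is None or record.get("managementAgent") != "mdm":
        return Decision(False, "device not enrolled or not managed by the MDM")
    if record.get("complianceState") != "compliant":
        return Decision(False, f"device compliance state is {record.get('complianceState')!r}")
    assigned = (record.get("userPrincipalName") or "").lower()
    if assigned != authenticated_user.lower():
        return Decision(False, "authenticated user is not the device's assigned user")
    return Decision(True, "enrolled, compliant, and used by its assigned user")


@dataclass
class AgentState:
    tunnel_up: bool = False
    gateway_config: dict = field(default_factory=dict)
    notifications: list = field(default_factory=list)


def enforce(state, decision):
    """Block: tear down the tunnel, clear gateway config, notify the user. Allow: keep it up."""
    if decision.allow:
        state.tunnel_up = True
        return state
    state.tunnel_up = False
    state.gateway_config.clear()
    state.notifications.append(f"Tunnel blocked: {decision.reason}")
    return state


def check_device(device_id, authenticated_user, query=None, sleep=time.sleep):
    """End-to-end check against a device that currently has an active tunnel."""
    query = query or make_throttled_query(SAMPLE_MDM_RECORDS, throttle_first_n=0)
    record = fetch_with_retry(query, device_id, sleep=sleep)
    decision = authorize_tunnel(record, authenticated_user)
    state = AgentState(tunnel_up=True, gateway_config={"gateway": "gw.example.invalid"})
    return enforce(state, decision), decision


if __name__ == "__main__":
    for dev, user in [("dev-001", "alice@example.com"), ("dev-002", "bob@example.com"),
                      ("dev-003", "mallory@example.com"), ("dev-004", "dave@example.com")]:
        state, decision = check_device(dev, user, sleep=lambda s: None)
        print(dev, "ALLOW" if decision.allow else "BLOCK", decision.reason)
```

Two points the model makes visible: every non-allow path ends with the tunnel down and the gateway configuration cleared, so a compliance lapse cannot leave a half-configured agent behind, and a throttled MDM API is retried with backoff rather than treated as a block, while a query that stays throttled past the retry budget surfaces as an error for the caller to handle rather than silently passing.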
Supported MDM Vendors
- Microsoft Intune with Windows devices
Admin Configuration
MDM posture checks require two components in Strata Cloud Manager: an MDM integration
that defines your MDM vendor type and API credentials, and an MDM compliance check
setting in your agent configuration that activates enforcement. When the MDM compliance
check setting is disabled, Prisma Access does not query the MDM tenant even if an
integration is configured, which lets you set up and validate the integration before
turning on enforcement.