Configure Prisma Access Browser Device Posture Attributes
Device Posture Attributes

Define the device posture attributes that determine device group membership.
In Prisma Access Browser, you can add attributes as match criteria when you add or edit a device group. Because Prisma Access Browser policy rules are enforced at the device group level, the attributes provide granular security that ensures the devices that Prisma Access Browser allows to access your apps are adequately maintained and adhere to your security standards before they are allowed access to your network resources. For example, before allowing access to your most sensitive apps, you might want to ensure that the devices accessing the apps have encryption enabled on their hard drives. In this case, you would create a device group with an attribute that only allows devices that have encryption enabled. The following sections detail the attributes you can use to determine device group membership for Windows and macOS devices. To learn about the attributes for controlling device group membership for mobile devices, see Configure Prisma Access Browser Mobile Device Posture Attributes.

Windows and macOS OS Versions
Creating a device group that uses the device's operating system as a posture is a good way to make sure that users have specific versions of the OS. If you add an OS version attribute as match criteria for a device group, Prisma Access Browser checks that the device OS version matches the attribute you defined before allowing membership in the device group.

Define the list of acceptable operating system versions for the Prisma Access Browser posture mechanism to check as follows.
- When you add or edit a device group, add the OS version attribute.
- Select the Windows or macOS versions, editions, and build numbers to allow into the device group and then click Save.
Serial Number

Creating a device group that uses device serial numbers as match criteria is a good way to ensure that only specific devices have access to the Prisma Access Browser. Before you can add a serial number attribute to a device group, you must create a .txt or .csv file containing the list of serial numbers. The file you create can't exceed 600 KB.

While the serial number often appears on a sticker or label on the device, these numbers aren't always accurate. Use the following methods to get the correct serial number.
- Windows devices—Enter the wmic bios get serialnumber command from the command line.
- macOS devices—Find the serial number in the System Settings.

To add the attribute:
- When you add or edit a device group, add the serial number attribute.
- Drag and drop or browse for the file containing the list of serial numbers.
- If necessary, remove any serial numbers that you do not want to include in the group.
- Click Set.
Client Certificate

To ensure that only devices that authenticate with a client certificate signed by your organization are allowed, create a client certificate attribute as match criteria for your device groups so that you can distinguish between managed and unmanaged devices. To use a client certificate attribute, you must upload the issuing intermediate or root certificate to create the attribute. When determining if a client certificate matches the issuer certificate in the attribute, Prisma Access Browser matches against the authorityKeyIdentifier. If you need to trust multiple CAs, you can upload multiple certificates. For the device to match the client certificate attribute it must meet the following requirements:
- Windows devices—The client certificate must reside in the personal certificates store (Start > Manage user certificates > Personal > Certificates). The certificate must contain a private key and the issuer must match the issuer certificate. You can compare the thumbprint of the certificates. The authority key identifier must also match the issuer certificate identifier.
- macOS devices—From the Launcher, search for Keychain Access. Click Certificates, and search for the required certificate. Validate that the company client certificate exists and that the authority key identifier matches the issuer certificate identifier.

Device groups can match against multiple certificates. To add a new Issuer (root or intermediate) certificate:
- When you add or edit a device group, add the client certificate attribute.
- Drag and drop one or more certificate .PEM files to the Issuer certificates dialog.
- Click Set.
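As an added example (not Palo Alto Networks code), the following PowerShell lists the certificates in the current user's Personal store that satisfy the Windows requirements above for a given issuer certificate: a private key is present, the issuer DN matches, and the authorityKeyIdentifier equals the issuer's subjectKeyIdentifier. The issuer .PEM path is an assumed placeholder.

```powershell
# Added example, not Palo Alto Networks code. Lists certificates in the current
# user's Personal store that satisfy the Windows requirements above for a given
# issuer certificate: private key present, issuer DN matches, and the
# authorityKeyIdentifier (AKI) equals the issuer's subjectKeyIdentifier (SKI).
# $IssuerPemPath is an assumed path to the issuer .PEM you uploaded.
function Get-MatchingClientCertificate {
    param([Parameter(Mandatory)][string]$IssuerPemPath)

    $issuer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $IssuerPemPath
    $skiRaw = $issuer.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }   # subjectKeyIdentifier
    if (-not $skiRaw) { throw 'Issuer certificate has no subjectKeyIdentifier; AKI matching is not possible.' }
    $ski = New-Object System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension -ArgumentList $skiRaw, $false
    $issuerSki = $ski.SubjectKeyIdentifier.ToUpperInvariant()

    Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
        $cert   = $_
        $akiRaw = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.35' }   # authorityKeyIdentifier
        # CryptoAPI renders the AKI as "KeyID=ab cd ef ..." (optionally followed by
        # issuer name and serial); keep only the KeyID hex digits for comparison.
        $aki = ''
        if ($akiRaw) {
            $keyIdPart = ($akiRaw.Format($false) -split ',')[0]
            $aki = ($keyIdPart -replace '^\s*KeyID=', '' -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        }
        [pscustomobject]@{
            Subject          = $cert.Subject
            Thumbprint       = $cert.Thumbprint
            HasPrivateKey    = $cert.HasPrivateKey
            IssuerDnMatches  = ($cert.Issuer -eq $issuer.Subject)
            AkiMatchesIssuer = ($aki -ne '' -and $aki -eq $issuerSki)
            Expired          = ($cert.NotAfter -lt (Get-Date))
        }
    } | Where-Object { $_.HasPrivateKey -and $_.AkiMatchesIssuer -and $_.IssuerDnMatches }
}

# Assumed path; an empty result means no certificate on this device would match the attribute.
Get-MatchingClientCertificate -IssuerPemPath 'C:\certs\corp-issuing-ca.pem' | Format-Table -AutoSize
```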
System Encryption

File system encryption protects data-at-rest, protecting against a range of potential attacks and cybersecurity risks. When you enable the File system encryption attribute in a device group, Prisma Access Browser verifies that encryption is enabled on the device OS before allowing access to the device group. If you enable this attribute, Prisma Access Browser will only allow devices with BitLocker (Windows) or FileVault (macOS) enabled into the device group. For the device to pass the file system encryption check it must meet the following requirements:
- Windows devices—The BitLocker status must be On, Locked, or Encryption in Progress. Note that when Windows Update runs it temporarily disables BitLocker and the device won't pass the Prisma Access Browser check during this time.
- macOS devices—Turn on FileVault on the Security & Privacy screen to enable file encryption, or check its state from the command line using sudo fdesetup status.
Active Screen Lock

Active screen lock mechanisms limit device access to authorized users only, preventing malicious actors from gaining access to confidential information on the device in the event that the user steps away from the device. When you enable the Active screen lock attribute in a device group, Prisma Access Browser verifies that the device is enabled with an automatic screen lock, password, PIN, biometric, or similar lock feature before allowing access to the group. To pass this check, a device must meet the following requirements:
- Windows devices—To pass the Prisma Access Browser check, the Windows device must be enabled with either Windows power options that require login to resume or sign-in options that enable the screen lock.
- macOS devices—On macOS devices, the active screen lock check is based on code that the Prisma Access Browser developers contributed to the Chromium project. Find this setting under System Preferences > Security & Privacy > General in the Lock Screen section and ensure that Require password after screen saver begins or display is turned off has a value.
Active Endpoint Protection

Devices secured with active endpoint protection have antivirus, anti-malware, firewall protection, and intrusion detection and prevention features, which work in concert to identify and block malicious activity. If you enable the endpoint protection attribute within the device group, Prisma Access Browser checks for active endpoint protection before allowing the device into the device group. A device must meet the following requirements to pass this check:
- Windows devices—Prisma Access Browser checks that Virus & threat protection is turned on in the Windows Security Center.
- macOS devices—Prisma Access Browser checks System Preferences > Extensions to ensure that the device has active endpoint protection.

When configuring attributes to check for endpoint protection, you can select specific endpoint protection vendors to check for on the device as follows:
- When you add or edit a device group, enable the endpoint protection attribute.
- Select the endpoint protection vendors you require devices accessing your network to use.
- (Optional) Enable Verify definitions are up to date (supported vendors only) to add an additional check to ensure that the endpoint protection software on the device is up-to-date.
- Click Set.
Device Type

Use the device type attribute to ensure that the device group only contains specific types of devices—such as laptops or desktops—as follows:
- Windows devices—Prisma Access Browser checks to see if the device is a laptop or desktop based on whether or not it has a battery.
- macOS devices—Prisma Access Browser checks the hardware device machine type.

If Prisma Access Browser cannot determine the device type, it identifies it as unknown.

CrowdStrike ZTA Scores
CrowdStrike Zero Trust Assessment (ZTA) delivers real-time security posture assessments across all endpoints regardless of location, network, or user. CrowdStrike ZTA enables enforcement of dynamic conditional access based on device health and compliance checks that mitigate the risk to users and the organization. Prisma Access Browser can use the ZTA assessment score as access criteria.

To use the ZTA score as part of the device posture assessment for determining access to Prisma Access Browser you must:
- Enable the ZTA score calculation for all devices (Host setup and management > Zero trust assessment > hosts).
- Find your CrowdStrike Customer ID. You can find this inside your CrowdStrike user profile.
- Open a support ticket with CrowdStrike to enable the ZTA feature flag. This allows Prisma Access Browser to access the CrowdStrike Agent ID. To open the support ticket, you will need the customer ID you just obtained.
- Integrate the ZTA score with Prisma Access Browser. After CrowdStrike enables the ZTA feature flag, you can integrate with Prisma Access Browser as follows:
  - When you add or edit a device group, select CrowdStrike ZTA Score.
  - Select the type of score you want to use:
    - Basic—Use the overall score that CrowdStrike assigns to the device, based on a range of Low (at least 65), Medium (at least 70), Strict (at least 80), or Very Strict (at least 95).
    - Advanced—Fine-tune the configuration to select either a specific Overall security score, or a Score breakdown, based on the OS and sensor values. Use the sliders to select the required score.
  - Enter the CrowdStrike customer identification number associated with the CrowdStrike agent. Add additional CrowdStrike IDs as needed to connect to all agents.
  - Click Set.
OS Password Policy

Use the OS password protection attribute to restrict device group membership to devices that are password protected. You can also specify that the device must have additional password policy enforced, such as password complexity, maximum age, or maximum length. To determine this, Prisma Access Browser looks for the following settings on the device:
- Windows devices—Prisma Access Browser checks the following Password Policy settings in the local Security Settings (Security Settings > Account Policy > Password Policy): Maximum password age, Minimum password length, and Password must meet complexity requirements.
- macOS devices—Prisma Access Browser checks the local password requirements in the management configuration profile (Management > Configuration profiles > Add > macOS > Password): Allow simple value, Require alphanumeric value, Minimum length, Minimum number of complex characters, Expiration age, or History restriction.

To add the attribute:
- When you add or edit a device group, enable the OS password policy attribute.
- Select the password policy settings that must be enforced on devices for inclusion in the device group.
- Click Save.
Device Manufacturer

Use the device manufacturer attribute to restrict device group membership to Windows or macOS devices from selected manufacturers.
- When you add or edit a device group, enable the device manufacturer attribute.
- Select the device manufacturers you want to support in the device group.
- Click Save.
System Integrity

Use the system integrity attribute to ensure that the device group only allows devices that have advanced system integrity protection enabled. Prisma Access Browser determines if a device qualifies as follows:
- Windows devices—Prisma Access Browser checks to ensure that driver test signing is off and no kernel debugger is present. Additionally, on UEFI computers, it verifies that secure boot is enabled.
- macOS devices—Prisma Access Browser checks to ensure that System Integrity Protection (SIP) and Gatekeeper are enabled.
Full OS Boot Mode
Enable this attribute to create a device group that requires the devices to run
in full boot mode. This excludes devices that are running in safe mode, recovery
mode, or devices running in a pre-installation environment.
Unprivileged Process

This attribute allows you to create device groups where the Prisma Access Browser runs without any elevated or root permissions.

Device Management
This attribute allows you to create device groups that use approved device management systems. The Prisma Access Browser supports the following systems:
- Microsoft Intune
- Azure AD
- Active Directory (Windows only)
- Jamf (macOS only)

To add the attribute:
- When you add or edit a device group, enable the device management attribute.
- Select the device management systems you want to allow in the device group.
- Click Set.
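The Windows checks described in the Serial Number, Device Type, System Encryption, System Integrity, Active Endpoint Protection, Full OS Boot Mode, Unprivileged Process and Device Management sections can be previewed on a device with this added PowerShell example (not Palo Alto Networks code); it reads the same Windows sources those checks are described against and assumes Windows 10/11 with the BitLocker and Defender PowerShell modules present.

```powershell
# Added example, not Palo Alto Networks code: a local snapshot of the Windows
# facts the posture attributes above are described as checking, so an admin can
# see why a device would fall outside a group. Assumes Windows 10/11 with the
# BitLocker and Defender PowerShell modules; run elevated for full results.
function Get-PostureSnapshot {
    $ErrorActionPreference = 'SilentlyContinue'
    $cs    = Get-CimInstance -ClassName Win32_ComputerSystem
    $bios  = Get-CimInstance -ClassName Win32_BIOS
    $bde   = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $bcd   = bcdedit /enum '{current}' 2>$null
    $mp    = Get-MpComputerStatus
    $dsreg = dsregcmd /status 2>$null
    $principal  = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    $secureBoot = 'unknown (non-UEFI firmware or not elevated)'   # Confirm-SecureBootUEFI throws in both cases
    try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { }

    [pscustomobject]@{
        # Serial Number: the same BIOS field that "wmic bios get serialnumber" reads.
        SerialNumber        = $bios.SerialNumber
        Manufacturer        = $cs.Manufacturer
        # Device Type: decided by battery presence, as described above.
        DeviceType          = $(if (Get-CimInstance -ClassName Win32_Battery) { 'laptop' } else { 'desktop' })
        # System Encryption: passes when BitLocker is On, Locked, or encryption is in progress.
        BitLockerProtection = $bde.ProtectionStatus
        BitLockerVolume     = $bde.VolumeStatus
        # System Integrity: test signing off, no kernel debugger, Secure Boot on.
        TestSigningOn       = [bool]($bcd -match '^\s*testsigning\s+Yes')
        KernelDebugOn       = [bool]($bcd -match '^\s*debug\s+Yes')
        SecureBoot          = $secureBoot
        # Active Endpoint Protection: Defender state and definition age (other
        # vendors report through Windows Security Center and are not read here).
        DefenderRealTime    = $mp.RealTimeProtectionEnabled
        DefenderSigAgeDays  = $mp.AntivirusSignatureAge
        # Full OS Boot Mode: "Normal boot" versus the fail-safe (safe mode) values.
        BootupState         = $cs.BootupState
        # Unprivileged Process: whether this session itself runs elevated.
        ProcessElevated     = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        # Device Management: join and MDM enrollment state reported by dsregcmd.
        AzureAdJoined       = [bool]($dsreg -match 'AzureAdJoined\s*:\s*YES')
        DomainJoined        = [bool]($dsreg -match 'DomainJoined\s*:\s*YES')
        MdmEnrolled         = [bool]($dsreg -match 'MdmUrl\s*:\s*\S+')
    }
}

Get-PostureSnapshot | Format-List
```

The Active Screen Lock and OS Password Policy checks are not included; they depend on per-user settings and local security policy rather than the machine-wide sources read here.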