Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Grace Period for Onguard Posture

  • 1.  Grace Period for Onguard Posture

    Posted Nov 29, 2016 02:03 PM

    Does anyone know how to use the Insight database to see how long an endpoint has had "Unknown" OnGuard posture? I would like to wait or delay posture enforcement after boot up, for say, 10 minutes prior to doing a CoA, to give the client a chance to check in.

     

    Thanks,

    Evan



  • 2.  RE: Grace Period for Onguard Posture
    Best Answer

    EMPLOYEE
    Posted Nov 29, 2016 03:30 PM

    You can create two custom attributes in the endpoint repository to handle this. This is a common deployment method.

     

    Here's the two attributes (you can change the names):

    [Image attachment: posture-custom-attributes.PNG]

     

    Create a few endpoint update enforcement profiles for each health status:

    [Image attachment: endpoint-lkpt-healthy.PNG]

     

    Create an endpoint update enforcement profile that stamps the current time:

    [Image attachment: lkptime-now.PNG]

     

    Now, you'll need to create a time attribute in [Time Source] that is your acceptable window for a valid posture token. In this example, it's two days:

    [Image attachment: custom-time-two-days.PNG]

     

     

    Now to put it all together, in your Health Check WebAuth service, add the two Last Known X enforcement profiles to each rule (the time one should be added to all of them and you'll want to switch between the correct posture token depending on the rule).

     

    Now in your authentication service, you can do something like this:

    [Image attachment: enforcement-time-onguard.PNG]

    Be sure [Endpoints Repository] and [Time Source] are added as authZ sources.



  • 3.  RE: Grace Period for Onguard Posture

    Posted Nov 29, 2016 03:35 PM

    What happens if it is the first time it has checked in or the attribute for LKP Token does not exist? I do not want to deny access right away.



  • 4.  RE: Grace Period for Onguard Posture

    EMPLOYEE
    Posted Nov 29, 2016 03:37 PM
    They would hit whichever rule you have for unknown posture. This setup is to handle folks that have already passed posture in the past X hours/days to allow the grace period.


  • 5.  RE: Grace Period for Onguard Posture

    Posted Nov 29, 2016 04:12 PM

    What about a grace period for all unknown postures?



  • 6.  RE: Grace Period for Onguard Posture

    EMPLOYEE
    Posted Nov 29, 2016 04:14 PM
    You would just set your access role with a session timeout that will disconnect the user after X time.


  • 7.  RE: Grace Period for Onguard Posture

    Posted Dec 13, 2016 04:53 PM
    I'm confused by your enforcement policy logic. When would a future time (two days from now or even beyond the grace period) ever not be greater than a time in the past (last known posture time)?


  • 8.  RE: Grace Period for Onguard Posture

    EMPLOYEE
    Posted Dec 13, 2016 05:23 PM

    Good catch! Too much multitasking 😀

     

    That time source query should be a subtract instead of an add like below:

    localtimestamp(0) - interval '2 days' as two_days_ago

    Then the rule would be:

    [Image attachment: lkpt-greater.PNG]
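The following is an added PostgreSQL sketch of the grace-period logic from the accepted answer, with the corrected "two days ago" Time Source query from reply 8; it is not code from the thread or from HPE Aruba. The table `posture_demo`, its columns and the MAC addresses are constructed stand-ins for the two custom endpoint attributes (ClearPass keeps endpoint attributes in its own schema and evaluates the comparison in the enforcement policy rather than in SQL), but the `CASE` expression mirrors the rule ordering the thread arrives at: a HEALTHY token newer than `two_days_ago` gets the grace period, a missing token falls to the unknown-posture rule, and everything else is enforced on its current posture.

```sql
-- Added example, not from the thread or from HPE Aruba.
-- Requires PostgreSQL (ClearPass Time Source queries run against it).

-- Constructed stand-in for the two custom endpoint attributes.
CREATE TEMP TABLE posture_demo (
    mac_address             text PRIMARY KEY,
    last_known_posture_tok  text,       -- HEALTHY / QUARANTINE / ... (NULL = never stamped)
    last_known_posture_time timestamp   -- stamped by the "current time" update profile
);

-- Constructed sample endpoints covering each branch of the rule.
INSERT INTO posture_demo VALUES
    ('00:11:22:33:44:55', 'HEALTHY',    localtimestamp(0) - interval '3 hours'),  -- recent and healthy
    ('00:11:22:33:44:66', 'HEALTHY',    localtimestamp(0) - interval '5 days'),   -- healthy but outside window
    ('00:11:22:33:44:77', 'QUARANTINE', localtimestamp(0) - interval '1 hour'),   -- recent but failed posture
    ('00:11:22:33:44:88', NULL,         NULL);                                    -- first check-in, no token

-- The corrected [Time Source] attribute: subtract the window from now.
WITH time_source AS (
    SELECT localtimestamp(0) - interval '2 days' AS two_days_ago
)
SELECT p.mac_address,
       p.last_known_posture_tok,
       p.last_known_posture_time,
       CASE
         -- Grace period: passed posture within the window, let it back on
         -- while OnGuard gets a chance to check in again.
         WHEN p.last_known_posture_tok = 'HEALTHY'
          AND p.last_known_posture_time > t.two_days_ago
           THEN 'grace period: allow pending OnGuard check-in'
         -- No token at all: falls to whatever the unknown-posture rule does.
         WHEN p.last_known_posture_tok IS NULL
           THEN 'unknown posture rule (first check-in)'
         -- Stale or non-healthy token: enforce on current posture.
         ELSE 'enforce current posture'
       END AS decision
FROM posture_demo p
CROSS JOIN time_source t
ORDER BY p.mac_address;
```

In the real deployment the `WITH time_source` query is the filter on the [Time Source] authorization source, the `CASE` branches are the enforcement policy rules in the order shown (the grace rule before the unknown-posture rule), and both [Endpoints Repository] and [Time Source] must be listed as authorization sources on the service for the attributes to resolve.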