I can suggest the following Options.
Option 1 - If you want to use two different WebAuth services for staff and students.
Update an endpoint attribute during Layer 2 authentication for staff devices and try that attribute in the service rule.
For example:
Update an endpoint attribute like Staff_Device = true during the user authentication.
And use that attribute in the service rule for WebAuth.
1. | Host | CheckType | MATCHES_ALL | Health |
2. | Endpoint | Staff_Device | EQUALS | true |
Option 2 - If you decide to use a single Web Auth service.
Do update the endpoint attribute as discussed above and use two different posture policies under a single WebAuth service. Keep the staff policy in the top position and map the student policy below the staff policy. This way the student devices will fail over to the second policy and be evaluated for the health check.
You will have a challenge when the staff device is not compliant with the staff policy and follows the one for students. But this can be addressed with a few additional conditions in the enforcement policy like below.
(Tips:Posture EQUALS HEALTHY (0)) AND (Posture:Applied Policy EQUALS Staff_Policy) AND (Endpoint:Staff_Device EQUALS true) | Healthy Agent Bounce |
The above options are well suited for the WebAuth service with "Health Check Only".
If you have Authentication + Health Checks enabled for the OnGuard agent, then you can skip the endpoint update and just perform the checks for the user group from AD and the applied policy.
Like:
(Tips:Posture EQUALS HEALTHY (0)) AND (Posture:Applied Policy EQUALS Staff_Policy) AND (Authorization:AD Groups EQUALS Staff) | Healthy Agent Bounce |
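To show why the extra Applied Policy / Staff_Device conditions matter, here is an added model (not ClearPass code and not from the original thread) of first-match enforcement evaluation over the rules in this post. The student policy name "Student_Policy" and the "Quarantine" default profile are assumed; the attribute names follow the post.

```python
# Constructed model of the ClearPass enforcement-policy ordering discussed above.
# "Student_Policy" and the "Quarantine" default are assumed names, not from the thread.
from typing import Callable, Optional

Condition = tuple[str, str, str]          # (attribute, operator, value)
Rule = tuple[list[Condition], str]        # (conditions, enforcement profile)

OPS: dict[str, Callable[[Optional[str], str], bool]] = {
    "EQUALS": lambda actual, want: actual == want,
    "NOT_EQUALS": lambda actual, want: actual != want,
}

def evaluate(policy: list[Rule], request: dict[str, str], default: str = "Quarantine") -> str:
    """First-match evaluation: rules are tried top-down and every condition
    of a rule must hold for its profile to be returned."""
    for conditions, profile in policy:
        if all(OPS[op](request.get(attr), value) for attr, op, value in conditions):
            return profile
    return default

# Naive policy: trusts the posture token regardless of which posture policy produced it.
NAIVE: list[Rule] = [
    ([("Tips:Posture", "EQUALS", "HEALTHY (0)")], "Healthy Agent Bounce"),
]

# Policy with the extra conditions from the post: HEALTHY only counts when the
# posture policy that produced it matches the device class recorded on the endpoint.
HARDENED: list[Rule] = [
    ([("Tips:Posture", "EQUALS", "HEALTHY (0)"),
      ("Posture:Applied Policy", "EQUALS", "Staff_Policy"),
      ("Endpoint:Staff_Device", "EQUALS", "true")], "Healthy Agent Bounce"),
    ([("Tips:Posture", "EQUALS", "HEALTHY (0)"),
      ("Posture:Applied Policy", "EQUALS", "Student_Policy"),
      ("Endpoint:Staff_Device", "NOT_EQUALS", "true")], "Healthy Agent Bounce"),
]

# Constructed requests. The third is the case the post warns about: a staff device
# that failed Staff_Policy, fell through to Student_Policy and passed that instead.
STAFF_OK = {"Tips:Posture": "HEALTHY (0)", "Posture:Applied Policy": "Staff_Policy",
            "Endpoint:Staff_Device": "true"}
STUDENT_OK = {"Tips:Posture": "HEALTHY (0)", "Posture:Applied Policy": "Student_Policy"}
STAFF_FELL_THROUGH = {"Tips:Posture": "HEALTHY (0)", "Posture:Applied Policy": "Student_Policy",
                      "Endpoint:Staff_Device": "true"}

if __name__ == "__main__":
    for name, req in [("staff ok", STAFF_OK), ("student ok", STUDENT_OK),
                      ("staff fell through", STAFF_FELL_THROUGH)]:
        print(f"{name:20} naive={evaluate(NAIVE, req):22} hardened={evaluate(HARDENED, req)}")
```

The naive policy grants the fallen-through staff device "Healthy Agent Bounce"; the hardened policy sends it to the default profile, which is the gap the additional conditions close.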