Cisco Secure Connect - ZTNA Endpoint Posture Profile
Overview
Endpoint posture profiles is an optional security requirement that can be attached to ZTNA rules. Posture ensures the endpoint connecting meets the security requirements defined in the profile. This document covers ZTNA client-based and clientless (browser-based) posture profiles.
Related pages
Profile Config
- Navigate to Secure Connect -> Policies -> Endpoint Posture
- Select Zero trust network access and Browser-based access
- In the upper right corner, click + Add profile
Client-based Access ZTNA Posture
Client-based ZTNA posture the following posture checks for Windows, macOS, Apple iOS and Samsung endpoints. The example and table below document the supported checks across the different operating systems.
- After hitting + Add profile, give your posture profile a good descriptive Profile name and select Client-based
- Proceed by configuring at least 1 of the following posture conditions:
Example Posture
Checks & Operating Systems Support
| Check | Windows | macOS | Apple iOS | Samsung (Android) |
| Operating System | Yes | Yes | Yes | Yes |
| Firewall | Yes | Yes | No | No |
| Endpoint Security Agent | Yes | Yes | No | No |
| System Password | Yes | Yes | No | No |
| Disk Encryption | Yes | Yes | No | No |
- Operating Systems
- Check the version of the operating system
- Offers a the following grace periods (0 days, 2 weeks, 1 month, 2 months, 3 months)
- Firewall
- Checks that the OS native firewall is active
- Endpoint Security Agent
- Checks that specific endpoint security agents are installed on the endpoint. Example: Cisco Secure Endpoint or Crowdstrike
- System Password
- Checks that the connecting endpoint has a password enabled.
- Disk Encryption
- Checks that the OS native disk encryption is enabled.
Cisco Secure Client ZTA (Zero Trust Access) module will install Duo Health App (DHA) which is a standalone client responsible for evaluating the endpoint posture status and reporting posture information to the cloud-posture service in every 5 minutes. The ZTA Proxy will retrieve information from the Duo cloud posture-service when users try to access an application (at CONNECT time).
Clientless (Browser-based) Access ZTNA Posture
Clientless (Browser-based) Access ZTNA posture is based on the provided user-agent by the endpoint browser. Endpoints with user agent modified can cause issues with browser-based posture.
- After hitting +Add profile, give your posture profile a good descriptive Profile Name and select Browser-based
- Proceed by configuring at least 1 of the following posture conditions:
Example Browser Posture
Operating System Requirement
Operating system and browser version is no longer supported. If you require location-based restrictions, work with support or your Cisco Sales rep to request the feature.
- Select the operating system(s)
- Add the requirement via the Add to profile button
Browser Requirement
-
Select the desired browser(s)
-
Add the requirement via the Add to profile button
Location Requirement
Location-based restrictions are no longer supported. If you require location-based restrictions, work with support or your Cisco Sales rep to request the feature.