Getting Started for Remoting and DaaS

deviceTRUST requires some simple but essential configuration steps to be performed to enable deviceTRUST functionality for your remoting and DaaS environments. We will guide you step-by-step through simple deviceTRUST installation and configuration steps to enable deviceTRUST with a compliance check template within your remoting or DaaS environment.

We will perform the following steps:

1. Step 1: Download the deviceTRUST setup binaries
2. Step 2: Install the deviceTRUST Host
3. Step 3: Install the deviceTRUST Console
4. Step 4: Enter your deviceTRUST License
5. Step 5: Install the deviceTRUST Client on a Microsoft Windows device
6. Step 6: Import the Security State for Remote Device template
   1. Step 7: Check that access is denied when the deviceTRUST Client is not installed
7. Step 8: Test the Security State template from a Microsoft Windows device

Step 1: Download the deviceTRUST setup binaries

The latest deviceTRUST software can be found on our Download page and your personalized license can be found within your product license certificate.

Step 2: Install the deviceTRUST Host

Start the installation of the deviceTRUST Host on your remoting or DaaS host system, which can be Amazon WorkSpaces, Citrix Virtual Apps and Desktops (CVAD), Microsoft Azure Virtual Desktop (AVD), Microsoft Remote Desktop Session Host (RDSH) or VMware Horizon View. Follow the steps in the section Installing the Host to complete the installation.

Step 3: Install the deviceTRUST Console

To configure and to apply contextual security policies to the deviceTRUST Host you need to use the deviceTRUST Console. The deviceTRUST Console supports various ways to provide the contextual security policies to the deviceTRUST Host. Those options are using the Local Policy Editor, a Group Policy Object (GPO) or file-based.

Within the Getting Started Guide, for simplicity, we use the Local Policy Editor to quickly and efficiently create, edit, and use contextual security policies. Follow the steps in the section Installing the Console to complete the installation.

The deviceTRUST Console includes a node within the Local Policy Editor COMPUTER CONFIGURATION\DEVICETRUST CONSOLE which can be used to model the context of a user, and then act on changes to that context by triggering custom actions within your environment.

Step 4: Enter your deviceTRUST License

To add the license into the deviceTRUST contextual security policy open the Local Policy Editor and navigate to DEVICETRUST CONSOLE and click on the SETTINGS tab. Select LICENSING and enter your deviceTRUST license, before clicking on the OK button and clicking SAVE in the top right toolbar.

deviceTRUST is now enabled and will work for all users except local administrators connecting to that remoting or DaaS host system with deviceTRUST Host installed. To check if you have added a valid deviceTRUST license, open the Windows Event Log and navigate to APPLICATION AND SERVICE LOGS\DEVICETRUST\ADMIN and check for the existence of event ID 11 which states that your deviceTRUST license is valid.

Step 5: Install the deviceTRUST Client on a Microsoft Windows device

Within the Getting Started Guide, for simplicity, we will only install the deviceTRUST client on a Microsoft Windows device. Other device operating systems are also supported and an overview of how to install the deviceTRUST client on the particular operating system can be found on the Installation Client page. Now follow the steps in the section Installing the Client on Microsoft Windows device to complete the installation.

Step 6: Import the Security State for Remote Device template

We will use the deviceTRUST Console to create a contextual security policy which controls access to the shell depending upon the security state of the remote device. The deviceTRUST Console includes a set of templates which can be used to quickly implement a use case. Launch the deviceTRUST Console and click on the TEMPLATES button on the homepage, or select SHARING in the top right of the navigation bar and then IMPORT FROM TEMPLATE.

Select the COMPLIANCE CHECK template category, click on the SECURITY STATE FOR REMOTE DEVICE template, choose IMPORT TEMPLATE and finally click OK to dismiss the summary message.

Click on CONTEXT within the navigation bar to view the imported contexts and then select the SECURITY STATE context definition.

The context is set to the value of the left-most path where all conditions successfully evaluate. If no path is found, then the default value is used. For the SECURITY STATE context, a Windows device is PROTECTED if either:

• WINDOWS DEFENDER STATUS is ACTIVE
• and WINDOWS DEFENDER REAL TIME PROTECTION is TRUE
• and WINDOWS FIREWALL ACTIVE PROFILE DISABLED is empty

or:

• SECURITY PRODUCT STATUS is ACTIVE for SECURITY PRODUCT CATEGORY of ANTIVIRUS
• and SECURITY PRODUCT STATUS is ACTIVE for SECURITY PRODUCT CATEGORY of FIREWALL

If these conditions are not met then the SECURITY STATE context is set to UNPROTECTED.

Click on ACTIONS within the navigation bar to view the imported actions. Most deviceTRUST templates come with an action that notifies the user about a context status and another action that actively controls access to the session or to applications. By default, only the notifying action is enabled and the active action is disabled.

For the next step, we disable the SECURITY STATE - CONDITIONAL ACCESS - NOTIFICATION action and enable the SECURITY STATE - CONDITIONAL ACCESS - ENFORCEMENT action to actively respond to the security state context. The respective action can be switched on or off accordingly via the action overview page or within the action definition.

Actions execute a sequence of tasks when a trigger occurs, such as LOGON, RECONNECT, CONTEXT CHANGE etc, and optionally filtered by the value of a context. For the SECURITY STATE - CONDITIONAL ACCESS - ENFORCEMENT action, whenever the DEVICETRUST CLIENT becomes UNAVAILABLE or the SECURITY STATE context becomes UNPROTECTED, access to the shell will be denied with an appropriate text.

Click on the SAVE icon which will be highlighted within the navigation bar.

Step 7: Check that access is denied when the deviceTRUST Client is not installed

From a device without the deviceTRUST Client installed, connect to your remoting or DaaS host system. Because the remote device does not have an active deviceTRUST Client, the access will be denied with the following message:

Step 8: Test the Security State template from a Microsoft Windows device

From a Microsoft Windows device with the deviceTRUST Client installed, connect to your remoting or DaaS host system. Toggle the state of the Windows Defender Firewall to see how deviceTRUST can simply and dynamically control access to the shell depending on the firewall state of the remote device.

Next steps

You have now successfully implemented your first use case with deviceTRUST for your remoting and DaaS environment. Feel free to check out our additional use cases that come as templates with the deviceTRUST Console:

Troubleshooting

If your deviceTRUST installation or configuration does not work as expected, you can use the Troubleshooting for Remoting and DaaS guide to start troubleshooting.