deviceTRUST for Windows 20.1.110 is now available. See the release notes for more information.

Getting Started

deviceTRUST requires some essential configuration steps to be performed to enable deviceTRUST functionality for your virtual sessions or for your endpoints.

Scenario: End-User Computing (EUC)

We will guide you step-by-step through all essential deviceTRUST installation and configuration steps to enable deviceTRUST with a Security State use case within your End-User Computing environment:

End-User Computing

We will perform the following steps:

  1. Step 1: Download the deviceTRUST setup binaries
  2. Step 2: Install the deviceTRUST Host on a Microsoft Server 2016 RDSH / Citrix XenApp server
  3. Step 3: Install the deviceTRUST Console
  4. Step 4: Enter your deviceTRUST license
  5. Step 5: Install the deviceTRUST Client on a Microsoft Windows endpoint
  6. Step 6: Activate the deviceTRUST Client on an IGEL UD Pocket endpoint
  7. Step 7: Configure users that are managed by deviceTRUST
  8. Step 8: Enable the Security State Enforcement for Remote Device use case
  9. Step 9: Check that access is denied when the deviceTRUST Client is not installed
  10. Step 10: Test the Security State use case from a Microsoft Windows endpoint
  11. Step 11: Update the Security State context to require a specific IGEL UMS server for IGEL endpoints
  12. Step 12: Test the Security State use case with an IGEL endpoint

Step 1: Download the deviceTRUST setup binaries

Within your evaluation kit, your license certificate or your Not-for-Resale (NFR) kit you will find your personalized product license. The latest deviceTRUST software can be downloaded here.

Step 2: Install the deviceTRUST Host on a Microsoft Server 2016 RDSH / Citrix XenApp server

Start the installation of the deviceTRUST Host onto your Microsoft Server 2016 RDSH / Citrix XenApp server. Follow the steps in the section Installing the Host to complete the installation.

Step 3: Install the deviceTRUST Console

To configure the deviceTRUST Host using the Local Policy Editor, the deviceTRUST Console must be installed on the same machine as the deviceTRUST Host. Alternatively, configuration can be deployed using a Group Policy Object (GPO) by installing the deviceTRUST Console on the same machine as your Group Policy management tools. Follow the steps in the section Installing the Console to complete the installation.

The deviceTRUST Console includes a node within the Group Policy management tools at COMPUTER CONFIGURATION\POLICIES\DEVICETRUST CONSOLE (or COMPUTER CONFIGURATION\DEVICETRUST CONSOLE when using the Local Policy Editor) which can be used to model the context of a user, and then act on changes to that context by triggering custom actions within your environment.

The deviceTRUST Console

Step 4: Enter your deviceTRUST license

Your personal product license will have been sent to you within your evaluation kit, your license certificate or your Not-for-Resale (NFR) kit.

To add the license into the deviceTRUST configuration on the Microsoft Server 2016 RDSH / Citrix XenApp server, navigate to DEVICETRUST CONSOLE and click on the SETTINGS tab. Select LICENSING and enter your deviceTRUST license, before clicking on the OK button and clicking SAVE in the top right toolbar.

Enabling deviceTRUST

deviceTRUST is now enabled and will apply to all users connecting to that Microsoft Server 2016 RDSH / Citrix XenApp server on which the deviceTRUST Host is installed. To confirm that the license you entered is valid, open the Windows Event Log, navigate to APPLICATION AND SERVICE LOGS\DEVICETRUST\ADMIN and check for event ID 11, which states that your deviceTRUST license is valid. If that event is absent, the most recent entries in the same log show why the license was rejected.

Valid deviceTRUST license

Note:
  • When deploying configuration using a Group Policy Object, a call to `gpupdate` will be necessary to apply the new policy.
  • Existing user sessions will not get the updated policy until their next logon.
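The license check above can be scripted so that it can be repeated after every policy change. The following PowerShell is an added example and is not part of the deviceTRUST product or its documentation; it assumes that the log shown in Event Viewer as APPLICATION AND SERVICE LOGS\DEVICETRUST\ADMIN has the channel name `deviceTRUST/Admin` (confirm with `Get-WinEvent -ListLog '*deviceTRUST*'`), and that event ID 11 is the "license is valid" event as described on this page.

```powershell
# Added example (not deviceTRUST's own code): confirm that the Host accepted the
# license by looking for event ID 11 in the deviceTRUST Admin log.
# Assumption: the channel name of "Applications and Services Logs\deviceTRUST\Admin"
# is 'deviceTRUST/Admin'. Verify with: Get-WinEvent -ListLog '*deviceTRUST*'

function Test-DeviceTrustLicense {
    [CmdletBinding()]
    param(
        [string]$LogName = 'deviceTRUST/Admin',   # assumed channel name
        [int]$EventId    = 11,                    # "license is valid" event, per the docs
        [switch]$RefreshPolicy                    # run gpupdate first when using a GPO
    )

    if ($RefreshPolicy) {
        # Configuration deployed through a GPO is only applied after a policy refresh.
        gpupdate.exe /target:computer /force | Out-Null
    }

    # Verify the channel exists before querying, so a wrong name is reported clearly.
    $log = Get-WinEvent -ListLog $LogName -ErrorAction SilentlyContinue
    if (-not $log) {
        Write-Warning "Event log '$LogName' not found; list candidates with Get-WinEvent -ListLog '*deviceTRUST*'"
        return $false
    }

    # FilterHashtable filters inside the event log service; newest event comes first.
    # "No events were found" is reported as a non-terminating error, hence SilentlyContinue.
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId } `
                            -MaxEvents 1 -ErrorAction SilentlyContinue)
    if ($events.Count -gt 0) {
        Write-Host ('License valid (event {0} at {1}): {2}' -f $EventId, $events[0].TimeCreated, $events[0].Message)
        return $true
    }

    # No event 11: show the most recent Admin-log entries so the actual error is visible.
    Write-Warning "No event ID $EventId found in '$LogName'. Most recent entries:"
    Get-WinEvent -LogName $LogName -MaxEvents 5 -ErrorAction SilentlyContinue |
        Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize -Wrap
    return $false
}

# Usage (run in an elevated PowerShell on the RDSH / XenApp server):
# Test-DeviceTrustLicense -RefreshPolicy
```

Run it once after entering the license and again after any change to the LICENSING settings; the `-RefreshPolicy` switch covers the `gpupdate` requirement from the note above when the configuration is delivered through a GPO.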

Step 5: Install the deviceTRUST Client on a Microsoft Windows endpoint

Install a deviceTRUST Client on a Microsoft Windows endpoint by following the steps in the section Installing the Client on Microsoft Windows endpoints to complete the installation.

Step 6: Activate the deviceTRUST Client on an IGEL UD Pocket endpoint

Activate the deviceTRUST Client within the IGEL OS by following the steps in the section Installing the Client to complete the configuration.

Step 7: Configure users that are managed by deviceTRUST

By default, all users except local administrative accounts are managed by deviceTRUST. However, this can be changed by navigating to the DEVICETRUST CONSOLE and clicking on the SETTINGS tab. Select LICENSING and then the USERS tab.

Customise the users managed by deviceTRUST

User and security group names can be supplied in the format DOMAIN\USERNAME or DOMAIN\SECURITYGROUPNAME, where DOMAIN is either the SAM compatible domain, or the DNS domain name.

In the example above, DO NOT MANAGE LOCAL ADMINISTRATORS has been unchecked, and DOMAIN\ADMINISTRATOR has been added to the unmanaged user list. deviceTRUST will now control all users signing into the Microsoft Server 2016 RDSH / Citrix XenApp server, but will exclude the domain administrator DOMAIN\ADMINISTRATOR.

Note:
  • When deploying configuration using a Group Policy Object, a call to `gpupdate` will be necessary to apply the new policy.
  • Existing user sessions will not get the updated policy until their next logon.

Step 8: Enable the Security State Enforcement for Remote Device use case

We will use the deviceTRUST Console to create a configuration which controls access to the shell depending upon the security state of the remote device. The deviceTRUST Console includes a set of templates which can be used to quickly implement a use case. Launch the deviceTRUST Console and click on the TEMPLATES button on the homepage, or select SHARING in the top right of the navigation bar and then IMPORT FROM TEMPLATE.

The Templates button within the deviceTRUST Console

Select the COMPLIANCE CHECK template category, click on the SECURITY STATE ENFORCEMENT FOR REMOTE DEVICE template, choose IMPORT TEMPLATE and finally click OK to dismiss the summary message.

Importing the Security State template

Click on CONTEXT within the navigation bar, and then SECURITY STATE to view the imported context.

The Security State context

The context is set to the value of the left-most path in which all conditions evaluate successfully. If no path matches, the default value is used. For the SECURITY STATE context, a Windows device is PROTECTED if all of the following are true:

  • WINDOWS DEFENDER STATUS is ACTIVE
  • WINDOWS DEFENDER REAL TIME PROTECTION is TRUE
  • WINDOWS FIREWALL ACTIVE PROFILE DISABLED is empty

or, alternatively, if both of the following are true:

  • SECURITY PRODUCT ANTIVIRUS is ACTIVE
  • SECURITY PRODUCT FIREWALL is ACTIVE

If neither set of conditions is met, no path matches and the SECURITY STATE context takes its default value, UNPROTECTED. Note that the first path only covers the built-in Windows Defender and Windows Firewall; an endpoint running a third-party antivirus or firewall is evaluated through the second path.
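To predict what the Host will decide for a given Windows endpoint before connecting, the same two paths can be approximated locally with built-in cmdlets. The script below is an added example and not deviceTRUST's own evaluation logic: it assumes that the template's WINDOWS DEFENDER properties correspond to the `AntivirusEnabled` and `RealTimeProtectionEnabled` fields of `Get-MpComputerStatus`, that "active profile" means the firewall profile matching the current network category from `Get-NetConnectionProfile`, and that the SECURITY PRODUCT properties correspond to the Windows Security Center classes in `root/SecurityCenter2` (present on client Windows only). The decoding of `productState` used there is the widely used but undocumented byte layout and is an assumption.

```powershell
# Added example, not part of the deviceTRUST template: approximate the SECURITY STATE
# decision locally on a Windows endpoint. All property mappings are assumptions; the
# authoritative value is the one the deviceTRUST Host computes for the session.

function Get-ActiveFirewallProfileDisabled {
    # Names of firewall profiles that are both in use on a connected network and
    # disabled. The template treats a non-empty result as a failed condition.
    $map = @{ DomainAuthenticated = 'Domain'; Private = 'Private'; Public = 'Public' }
    $active = @(Get-NetConnectionProfile | ForEach-Object { $map[[string]$_.NetworkCategory] })
    Get-NetFirewallProfile |
        Where-Object { ($active -contains $_.Name) -and ([string]$_.Enabled -eq 'False') } |
        Select-Object -ExpandProperty Name
}

function Test-SecurityCenterProductActive {
    param([ValidateSet('AntiVirusProduct', 'FirewallProduct')][string]$Class)
    # root/SecurityCenter2 exists on Windows client SKUs only, not on Windows Server.
    $products = @(Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName $Class -ErrorAction SilentlyContinue)
    foreach ($p in $products) {
        # productState is a 24-bit value; the common (undocumented) decoding treats a 1 in
        # the high nibble of the middle byte as "enabled". Assumption, not a deviceTRUST rule.
        if ((($p.productState -shr 12) -band 0xF) -eq 1) { return $true }
    }
    return $false
}

function Get-SecurityStateContext {
    # Path 1: Windows Defender active with real-time protection, and no active firewall
    # profile disabled. Get-MpComputerStatus is absent where Defender is not installed.
    $mp = $null
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    }
    $path1 = (
        ($null -ne $mp) -and
        [bool]$mp.AntivirusEnabled -and
        [bool]$mp.RealTimeProtectionEnabled -and
        (@(Get-ActiveFirewallProfileDisabled).Count -eq 0)
    )

    # Path 2: a registered antivirus product and a registered firewall product both active.
    $path2 = (
        (Test-SecurityCenterProductActive -Class 'AntiVirusProduct') -and
        (Test-SecurityCenterProductActive -Class 'FirewallProduct')
    )

    # Left-most matching path wins; with no match the default value applies.
    if ($path1)     { return 'PROTECTED' }
    elseif ($path2) { return 'PROTECTED' }
    else            { return 'UNPROTECTED' }
}

Get-SecurityStateContext
```

Run this on the endpoint immediately before connecting; a result of UNPROTECTED means the Security State Enforcement action will deny the shell. For the firewall test in the Windows endpoint step, `Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False` flips the first path to UNPROTECTED and `-Enabled True` restores it.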

Click on ACTIONS within the navigation bar, and then SECURITY STATE ENFORCEMENT to view the imported action.

The Security State Enforcement Action

Actions execute a sequence of tasks when a trigger occurs (such as LOGON, RECONNECT or CONTEXT CHANGE), optionally filtered by the value of a context. For the SECURITY STATE ENFORCEMENT action, whenever the SECURITY STATE context becomes UNPROTECTED, access to the shell is denied; because the context is re-evaluated on CONTEXT CHANGE, this also applies to a session that is already running when the endpoint's security state degrades.

Click on the save icon which will be highlighted within the navigation bar.

Note:
  • When deploying configuration using a Group Policy Object, a call to `gpupdate` will be necessary to apply the new policy.
  • Existing user sessions will not get the updated policy until their next logon.

Step 9: Check that access is denied when the deviceTRUST Client is not installed

From a device without the deviceTRUST Client installed, remotely connect to your Microsoft Server 2016 RDSH / Citrix XenApp server. Because the endpoint has no active deviceTRUST Client, none of the SECURITY STATE conditions can be evaluated, the context falls back to UNPROTECTED and access is denied with the following message:

Attempting to logon from an untrusted device

Step 10: Test the Security State use case from a Microsoft Windows endpoint

From a Microsoft Windows endpoint with the deviceTRUST Client installed, remotely connect to your Microsoft Server 2016 RDSH / Citrix XenApp server. Then toggle the enabled state of the Windows Firewall on the endpoint: disabling it on the active profile turns the SECURITY STATE context UNPROTECTED and access to the shell is withdrawn, and re-enabling it restores access, showing how deviceTRUST controls access to the shell dynamically for the duration of the session.

Testing the Security State use case

Step 11: Update the Security State context to require a specific IGEL UMS server for IGEL endpoints

Click on CONTEXT within the navigation bar, and then SECURITY STATE to view our context. Locate the DEVICE - IGEL UMS SERVER EQUALS UMS_SERVER_IP:30001 condition and click on the edit button.

Edit the IGEL UMS Server with the IP address of your IGEL UMS Server

Replace the text UMS_SERVER_IP:30001 with a suitable value for your IGEL UMS Server and click on OK. Next, locate the DEVICE - IGEL UMS CERT SERIAL and click on the edit button.

Edit the IGEL UMS Cert Serial with the serial number of your IGEL UMS certificate.

Replace the text UMS_CERTIFICATE_SERIAL with a suitable value for your IGEL UMS certificate and click on OK. Checking the certificate serial in addition to the server address is what prevents a device pointed at a rogue UMS server on the same address from being treated as managed. Click on the save icon which will be highlighted within the navigation bar.

Note:
  • When deploying configuration using a Group Policy Object, a call to `gpupdate` will be necessary to apply the new policy.
  • Existing user sessions will not get the updated policy until their next logon.
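The serial number to enter can be read directly from the certificate the UMS server presents. The PowerShell below is an added example, not part of deviceTRUST or IGEL; it assumes that the UMS device-communication port (30001 by default) accepts a plain TLS handshake and that the value deviceTRUST expects is the hexadecimal serial as Windows displays it in the certificate's "Serial number" field. Compare the output against the certificate shown in the UMS Console and against the format of the placeholder in the template before saving. The address 192.0.2.10 is a placeholder.

```powershell
# Added example (not deviceTRUST's or IGEL's code): read the serial number of the
# certificate presented on the UMS device port, for the IGEL UMS CERT SERIAL condition.
# Assumption: the port speaks TLS directly and the serial format matches what the
# template expects; verify against the UMS Console before relying on it.

function Get-RemoteCertificateSerial {
    param(
        [Parameter(Mandatory)][string]$Server,   # the UMS_SERVER_IP value
        [int]$Port = 30001                       # default UMS device port (assumed TLS)
    )
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($Server, $Port)
        # Accept any certificate: this is inspection only. Never use such a callback in
        # code that relies on the TLS connection being trustworthy.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($Server)
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
            [pscustomobject]@{
                Subject      = $cert.Subject
                Issuer       = $cert.Issuer
                NotAfter     = $cert.NotAfter
                SerialNumber = $cert.SerialNumber   # uppercase hex, no separators
                Thumbprint   = $cert.Thumbprint
            }
        }
        finally { $ssl.Dispose() }
    }
    finally { $client.Dispose() }
}

# Usage (placeholder address; replace with your UMS server):
# Get-RemoteCertificateSerial -Server '192.0.2.10' -Port 30001
```

If the handshake fails, the port does not speak TLS directly in your deployment; take the serial from the UMS Console's certificate view instead. Record the NotAfter date as well, since a renewed UMS certificate gets a new serial and the context condition must be updated before it expires, or every IGEL endpoint becomes UNPROTECTED at once.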

Step 12: Test the Security State use case with an IGEL endpoint

Test this Security State use case with an IGEL endpoint. Only IGEL devices managed by the specified UMS Server, matching both its address and its certificate serial, will be able to access the shell; an IGEL device managed by any other UMS Server, or not managed at all, is treated as UNPROTECTED and denied.