
Policy category: Policy Reference

  1. Policy setting: Enable deviceTRUST
  2. Policy setting: Whitelist of users controlled by deviceTRUST
  3. Policy setting: Blacklist of users not controlled by deviceTRUST

deviceTRUST can be configured and managed either from a Local Policy or from a Microsoft Active Directory Group Policy. Launch the relevant policy editor and navigate to COMPUTER CONFIGURATION\ADMINISTRATIVE TEMPLATES\DEVICETRUST.

Configuration GPO

Note:
  • A snapshot of the deviceTRUST configuration is taken during the logon of each user. Therefore, changes to the configuration do not apply to active user sessions until their next logon.

Policy setting: Enable deviceTRUST

Enables or disables deviceTRUST.

  • When ENABLED, all of the functionality offered by deviceTRUST will be provided for any configured users. To enable deviceTRUST, a valid license must be supplied. A license can be obtained from the deviceTRUST Portal. The Windows Event Viewer should be used to confirm that the license is valid.

  • When DISABLED, deviceTRUST will sit in a largely dormant state, offering none of its functionality.

The default behavior is disabled.

Policy setting: Whitelist of users controlled by deviceTRUST

Configures a whitelist of users that will be controlled by deviceTRUST.

This policy works together with the ‘Blacklist of users not controlled by deviceTRUST’ policy, with blacklisted users taking precedence over whitelisted users.

User and security group names can be supplied in the format DOMAIN\UserName or DOMAIN\SecurityGroupName, where DOMAIN is either the SAM-compatible domain or the DNS domain name.

The default behavior whitelists all users.

Policy setting: Blacklist of users not controlled by deviceTRUST

Configures a blacklist of users that are not controlled by deviceTRUST.

This policy works together with the ‘Whitelist of users controlled by deviceTRUST’ policy, with blacklisted users taking precedence over whitelisted users.

User and security group names can be supplied in the format DOMAIN\UserName or DOMAIN\SecurityGroupName, where DOMAIN is either the SAM-compatible domain or the DNS domain name.

The default behavior does not blacklist any users.
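The whitelist and blacklist rules above can be modelled to audit which accounts end up outside deviceTRUST control. This is an added example, not deviceTRUST code: the function names, the case-insensitive matching, the caller-supplied DNS-to-SAM domain map and the sample directory are all assumptions made for illustration.

```python
# Added example: model of the documented whitelist/blacklist precedence.
# Assumptions (not from the deviceTRUST documentation): names compare
# case-insensitively, and the caller supplies the DNS-to-SAM domain mapping
# and each user's resolved group memberships.

def normalize(entry, dns_to_sam):
    """Return 'samdomain\\name' in lower case for a DOMAIN\\Name entry."""
    domain, sep, name = entry.strip().partition("\\")
    if not sep or not domain or not name:
        raise ValueError(f"expected DOMAIN\\Name, got {entry!r}")
    domain = domain.lower()
    domain = dns_to_sam.get(domain, domain)  # fold DNS form onto SAM form
    return f"{domain}\\{name.lower()}"


def is_controlled(user, groups, whitelist, blacklist, dns_to_sam=None):
    """Decide whether `user` is controlled under the documented rules."""
    dns_to_sam = {k.lower(): v.lower() for k, v in (dns_to_sam or {}).items()}
    principals = {normalize(p, dns_to_sam) for p in [user, *groups]}
    denied = {normalize(e, dns_to_sam) for e in blacklist}
    allowed = {normalize(e, dns_to_sam) for e in whitelist}
    if principals & denied:   # blacklisted users take precedence
        return False
    if not allowed:           # default behavior whitelists all users
        return True
    return bool(principals & allowed)


def exempt_users(directory, whitelist, blacklist, dns_to_sam=None):
    """List users that are NOT controlled, for audit review."""
    return sorted(u for u, g in directory.items()
                  if not is_controlled(u, g, whitelist, blacklist, dns_to_sam))


# Constructed sample data (hypothetical domain, users and groups).
DNS_TO_SAM = {"corp.example.com": "CORP"}
DIRECTORY = {
    "CORP\\alice": ["CORP\\Remote Workers"],
    "CORP\\bob": ["CORP\\Remote Workers", "CORP\\Service Accounts"],
    "CORP\\carol": ["CORP\\Office Staff"],
}
WHITELIST = ["corp.example.com\\Remote Workers"]
BLACKLIST = ["CORP\\Service Accounts"]

if __name__ == "__main__":
    print(exempt_users(DIRECTORY, WHITELIST, BLACKLIST, DNS_TO_SAM))
```

Reviewing the exempt list matters because a single broad group in the blacklist removes every member from control, even when the same users are whitelisted.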