Device Profiles
Overview
Device Profiles determine the trust level of the connecting endpoint rather than of the user, and help authorize application access for that endpoint. This trust is established before the user logs in and is authorized for application access.
The Device Profile policy is applied at the Gateway level. For it to be effective, the following two conditions must be met:
- the Endpoint Security license must be applied on the Gateway
- EPS must be enabled for the HySecure Domain to which the endpoint attempts the connection
A Device Profile contains a set of Host Scan policies and the corresponding applications that are blocked when those Host Scan policies match. Host Scan policies describe endpoint information such as the AV product in use at the endpoint, the firewall at the endpoint, and so on.
Important
Blocked applications configured in Device Profiles take precedence over the allowed applications in the Application Group of Access Control policies.
The HySecure Administrator can create three types of Device Profiles:
- Mandatory Profile
- Normal Profile, one for each Profile Security Level
- Quarantine Profile
The HySecure Administrator can create only one Quarantine Profile and one Mandatory Profile. However, multiple Normal Profiles, one for each Profile Security Level, can be created.
Flow of evaluating Device Profiles
When an endpoint attempts a connection to the HySecure Gateway, the Device Profiles are evaluated in the following order:
- Mandatory Profile: this profile is checked for the minimum prerequisites that must be satisfied, as per the Host Scan policies configured for it.
- Normal Profiles with Security Level: once the Mandatory Profile is satisfied, the endpoint details are scanned against the Normal Profiles in increasing Security Level number (a higher number indicates a lower trust level). The first match gives the Device Profile for the connecting endpoint.
- Quarantine Profile: if none of the configured Normal Profiles match, the connecting device falls into the Quarantine Profile and the applications configured in that profile are blocked.
Mandatory Profile
This is a system profile containing a set of Host Scan policies that must be satisfied by all connecting endpoints before the user can log in to the HySecure Gateway. Using the Mandatory Profile, administrators can enforce that all connecting endpoints comply with certain minimum requirements. An example of a Mandatory Profile would be enforcing login only from endpoints with a particular AV solution updated with the latest signatures and logging in from a specific domain.
Only one Mandatory Profile is allowed, which means it is a prerequisite for all logins to HySecure. If the endpoint machine fails any of the policies of the Mandatory Profile, the user is denied login to the HySecure Gateway, and the configured remediation information is sent to the user.
The Mandatory Profile does not contain an access list, as it only enforces the selected Host Scan policies on all connecting endpoints. The allowed application list can be enforced through a Normal Profile with a configured security level.
Normal Profile with Security Level
Multiple profiles with varying security levels can be created. This allows more applications to be blocked for endpoints with reduced trust levels.
For example, a Device Profile with a lower Security Level (i.e. higher trust) can enforce Host Scan policies for AV, Domain and Critical Windows Update, and may block no application at all.
A profile with a relatively higher security level (i.e. relatively lower trust) can enforce just AV and moderate Windows updates, blocking a small set of applications.
An even higher security level (i.e. an even lower trust level) profile can then enforce just AV and hence block a relatively larger set of applications.
Important
- Security Level 1 is considered the highest trust level and 10 is considered the lowest trust level
- There can be just one Normal Device Profile for each of the Security Levels
- The device profiles are matched from the one with Security Level 1 through to the one with Security Level 10
Quarantine Profile
For a connecting endpoint, if none of the Normal Profiles match, the applications listed in the Quarantine Profile are blocked. This is an optional system profile that contains no policies, just the list of applications that the user cannot access if the endpoint from which they are connecting does not satisfy any of the Normal Device Profiles.
Important
- A Quarantine Profile does not contain a Host Scan policy list, as it is a fallback, no-scan profile.
- If no Quarantine Profile exists and the endpoint does not satisfy any other profile, the endpoint is denied login to the HySecure Gateway.
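The evaluation order described above (Mandatory Profile, then Normal Profiles in ascending Security Level, then the Quarantine fallback) and the rule that blocked applications take precedence over the Access Control allow list, as an added worked model in Python. This is illustration code written for this page, not HySecure's own implementation: Host Scan policies are reduced to named predicates over a dictionary of endpoint facts, the remediation information is stood in for by the names of the failing policies, and every profile, application and endpoint value is constructed for the example.

```python
# Added illustration (not HySecure's own code): Device Profile evaluation order
# and the precedence of a profile's block list over the Access Control allow list.
# Host Scan policies are modelled as predicates over endpoint facts; all profile,
# application and endpoint data below is constructed for this example.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# A Host Scan policy: a named check over the facts reported by the endpoint agent.
HostScanPolicy = Callable[[Dict[str, object]], bool]


@dataclass
class DeviceProfile:
    name: str
    security_level: Optional[int] = None   # 1 = highest trust, 10 = lowest; None for Mandatory/Quarantine
    policies: Dict[str, HostScanPolicy] = field(default_factory=dict)
    blocked_apps: Set[str] = field(default_factory=set)

    def failing_policies(self, endpoint: Dict[str, object]) -> List[str]:
        """Names of the Host Scan policies this endpoint does not satisfy."""
        return [name for name, check in self.policies.items() if not check(endpoint)]


@dataclass
class Decision:
    login_allowed: bool
    profile: Optional[str]                 # matched profile name, None when login is denied
    blocked_apps: Set[str] = field(default_factory=set)
    remediation: List[str] = field(default_factory=list)


def validate_normals(normals: List[DeviceProfile]) -> None:
    """Only one Normal Profile may exist per Security Level, and levels run 1..10."""
    seen: Set[int] = set()
    for p in normals:
        if p.security_level is None or not 1 <= p.security_level <= 10:
            raise ValueError(f"{p.name}: Normal Profiles need a Security Level between 1 and 10")
        if p.security_level in seen:
            raise ValueError(f"duplicate Security Level {p.security_level}")
        seen.add(p.security_level)


def evaluate(endpoint, mandatory, normals, quarantine) -> Decision:
    validate_normals(normals)
    # 1. Mandatory Profile: every policy must pass, otherwise login is denied and
    #    the failing policy names stand in for the remediation information.
    if mandatory is not None:
        failing = mandatory.failing_policies(endpoint)
        if failing:
            return Decision(False, None, remediation=failing)
    # 2. Normal Profiles in ascending Security Level (1 first); the first match wins.
    for profile in sorted(normals, key=lambda p: p.security_level):
        if not profile.failing_policies(endpoint):
            return Decision(True, profile.name, set(profile.blocked_apps))
    # 3. Quarantine Profile: no scan, only its block list. Without one, login is denied.
    if quarantine is not None:
        return Decision(True, quarantine.name, set(quarantine.blocked_apps))
    return Decision(False, None, remediation=["no Normal Profile matched and no Quarantine Profile exists"])


def effective_apps(access_control_allowed: Set[str], decision: Decision) -> Set[str]:
    """The Device Profile block list wins over the Access Control Application Group allow list."""
    if not decision.login_allowed:
        return set()
    return set(access_control_allowed) - decision.blocked_apps


# --- constructed sample policies, profiles and allow list ---------------------
def av_installed(e): return e.get("antivirus") is not None
def av_updated(e): return e.get("av_signature_age_days", 999) <= 3
def domain_joined(e): return e.get("domain") == "corp.example"
def critical_updates_done(e): return e.get("critical_updates_pending", 99) == 0
def moderate_updates_done(e): return e.get("critical_updates_pending", 99) <= 2

MANDATORY = DeviceProfile("Mandatory", policies={"AV installed": av_installed})
NORMALS = [  # deliberately out of order: evaluate() sorts by Security Level
    DeviceProfile("Low trust", 6, {"AV updated": av_updated}, {"Finance", "HR Portal"}),
    DeviceProfile("Trusted", 1, {"AV updated": av_updated, "Domain": domain_joined,
                                 "Critical updates": critical_updates_done}),
    DeviceProfile("Partially trusted", 3, {"AV updated": av_updated,
                                           "Moderate updates": moderate_updates_done}, {"Finance"}),
]
QUARANTINE = DeviceProfile("Quarantine", blocked_apps={"Finance", "HR Portal", "Intranet"})
ACCESS_CONTROL_ALLOWED = {"Finance", "HR Portal", "Intranet", "Webmail"}


def decide(endpoint, quarantine=QUARANTINE):
    """Return (matched profile, sorted usable applications, remediation) for one endpoint."""
    d = evaluate(endpoint, MANDATORY, NORMALS, quarantine)
    return d.profile, sorted(effective_apps(ACCESS_CONTROL_ALLOWED, d)), d.remediation


if __name__ == "__main__":
    samples = {
        "managed laptop": {"antivirus": "X", "av_signature_age_days": 1,
                           "domain": "corp.example", "critical_updates_pending": 0},
        "home PC": {"antivirus": "X", "av_signature_age_days": 2, "critical_updates_pending": 5},
        "stale AV": {"antivirus": "X", "av_signature_age_days": 30},
        "no AV": {},
    }
    for label, facts in samples.items():
        print(label, decide(facts))
```

Running the block walks four constructed endpoints through the order: the managed laptop matches the Security Level 1 profile and loses nothing, the home PC with pending updates falls through to the Security Level 6 profile, the stale-AV machine matches no Normal Profile and lands in Quarantine with only Webmail left, and the machine without AV fails the Mandatory Profile and is denied login with the failing policy name as its remediation hint. Passing `quarantine=None` to `decide()` shows the page's last point: with no Quarantine Profile, an unmatched endpoint is denied login.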
Device Profile List
To view the list of Device Profiles created, and eventually to create a Device Profile, perform the following steps:
- Open the Management console and expand ENDPOINT MANAGEMENT
- Select Device Profile from the sub menu
- All the created Device Profiles are listed on this page in a table with the following information for each profile:
# | Field | Description |
---|---|---|
1 | Profile Name | Defines the identifier for the Profile |
2 | Profile Security Level | Security Trust level of the profile. Lower value means higher trust. |
3 | Profile Description | Enter the description of the profile for an easy recall |
Creating Profile
- On the HySecure management console, expand Endpoint Management \ Device Profiles.
- Click Add to create a new profile.
- Provide basic information for the profile as indicated in the table below
- In the "Policies" block, click on the Add Policies to Profile link to add policies to this profile (see the next section Add Policies to Profile for more information). The Policies which are added here must be satisfied by the End Point Devices to fall in this Device Profile.
- Click on the Block Applications to Profile link to block applications to this profile. By default all the applications are allowed to users. The applications added here will be blocked if the user falls into this Device Profile.
- Click Submit to create the Security Profile or click Reset to clear all data from this screen.
A success message confirms that the Security Profile has been created.
Name | Description |
---|---|
Profile Name: | Name to identify the Profile. |
Security Level: | Identifies the Security Trust Level. A lower value means a higher security trust level. An endpoint is always scanned in ascending order of security trust level. |
Mandatory Profile: | To create Mandatory Profile, click on the check box for Mandatory Profile. If Mandatory Profile is already created then this field will be disabled. You can create only one Mandatory Profile. |
Quarantine Profile: | To create Quarantine Profile, click on the check box for Quarantine Profile. If Quarantine Profile is already created then this field will be disabled. Only one Quarantine Profile can be created. The Endpoint machine which fails normal Device Profiles, will fall into this profile. |
Profile Description: | Enter Profile description for an easy recall. |
Policies
Add Host Scan policies which must be checked under this profile. A device satisfying all Host Scan policies will be eligible to fall under this profile.
Adding Policies to Profile
When creating a Device Profile, you can add policies to it using these steps:
- On the Create Profile screen, click on the Add Policies to Profile link. The Add Policy to Profile screen appears.
- Select the policies in the left table that you want to apply to this profile and click Add. The selected policies move from the left table to the right table on the screen.
- Click Submit to select the policies for this profile, or click Cancel to abort. The popup window closes and the names of the policies appear in the Policies box on the Create Profile page.
- Click Submit to save changes or click Reset to remove all data from the screen.
Note: Changes to a Profile are not applied until you have clicked the Submit button on the Create Profile or the Modify Profile screen.
Blocked Applications
This section specifies the applications that are to be denied to endpoints that fall under this profile. All applications are allowed to all device profiles by default.
When creating a Device Profile, you can add applications to be blocked using these steps:
- On the Create Profile screen, click on the Block Applications to Profile link. The Add/Block Applications to/from Profile screen appears.
- Select the applications in the Applications table that you want to block and click Add. The selected applications move from the Applications table on the left side to the Selected Applications table on the right side of the screen.
- Click Submit to select the applications for this profile, or click Cancel to abort. The popup window closes and the names of the applications appear in the Applications box on the Create Profile page.
- Click Submit to save changes or click Cancel to remove all data from the screen.
Note: Changes to a Profile are not applied until you have clicked the Submit button on the Create Profile or the Modify Profile screen.
Browser Cache Settings
When enabled, HySecure cleans up the cache created by the browser or other components after logout from HySecure.
Name | Description |
---|---|
Clear Browser Cache | Delete temporary Internet files created by browser |
Clear Cookies | Delete stored browser cookies |
Clear Browsing History | Delete history of visited links |
Clear Typed URLs | Delete history of URLs typed by user |
Clear Desktop Run History | Delete the command executed by user from Run menu item of start menu in Windows. |
Clear Recent File History | Delete the history created by Windows for recently opened files |
Clear Recycle Bin Contents | Delete all data in recycle bin |
Data Protection Settings
Specify data protection settings.
Name | Description |
---|---|
Block Clipboard | If enabled, on a device falling under this profile, access to the clipboard is disabled for the user and for applications running on the endpoint. |
Modifying Profile
- On the HySecure management console, expand Endpoint Management \ Device Profiles.
- Type the profile name in the Search Profiles field. If entering multiple names, separate them with a comma. Type [*] to view all profile names.
- Click Show to view the search results.
- Click on the check box for the profile you want to edit and click Modify. The Modify Profile screen appears.
- Modify profile details as needed. Refer to the Create Profile section while making the entries.
- Click Modify to save changes or click Cancel to discard the changes made.
Deleting Profile
- In the Edit Profile screen described above, click on the box for the Profiles you want to delete.
- To select all profiles, click on the Check all check box below the table.
- Click Delete to delete the selected profiles.
- When prompted for deletion confirmation, click OK to delete the profiles or click Cancel to abort.
Example of End User Notification when Failing Endpoint Security Scan
When a user logs in, the Endpoint Scan initiates and displays any warnings or restrictions to the user.