Device Profile
Overview
Device Profiles determine the trust level of the connecting endpoint rather than of the user, and help authorize application access for that endpoint. This trust is established before the user logs in and before the user is authorized for application access.
The Device Profile policy is applied at the Gateway level. For it to be effective, the following two conditions must be met:
- the Endpoint Security (EPS) license must be applied on the Gateway
- EPS must be enabled for the HySecure Domain to which the endpoint attempts to connect
A Device Profile contains a set of Host Scan policies and the list of applications that are blocked when those Host Scan policies match. Host Scan policies describe endpoint attributes such as the AV product in use, the firewall running on the endpoint, and so on.
Important
Blocked applications configured in a Device Profile take precedence over the allowed applications in the Application Group of an Access Control policy.
HySecure Administrator can create three types of Device Profiles:
- Mandatory Profile
- Normal Profile, one for each Profile Security Level
- Quarantine Profile
The HySecure Administrator can create only one Quarantine Profile and one Mandatory Profile. Multiple Normal Profiles can be created, one for each Profile Security Level.
Flow of evaluating Device Profiles
When an endpoint attempts a connection to the HySecure Gateway, the Device Profiles are evaluated in the following order:
- Mandatory Profile: the endpoint is checked against the Host Scan policies configured for this profile, which define the minimum prerequisites every endpoint must satisfy.
- Normal Profiles with Security Level: once the Mandatory Profile is satisfied, the endpoint details are scanned against the Normal Profiles in increasing order of Security Level number (a higher number indicates a lower trust level). The first match gives the Device Profile for the connecting endpoint.
- Quarantine Profile: if none of the configured Normal Profiles match, the connecting device falls into the Quarantine Profile and the applications configured in this profile are blocked.
Mandatory Profile
This is a system profile containing a set of Host Scan policies that every connecting endpoint must satisfy before the user can log in to the HySecure Gateway. Using the Mandatory Profile, administrators can enforce that all connecting endpoints comply with certain minimum requirements. An example of a Mandatory Profile would be requiring that the endpoint runs a particular AV solution with up-to-date signatures and is joined to a specific domain.
Only one Mandatory Profile is allowed, so it is a prerequisite for every login to HySecure. If the endpoint fails any of the policies of the Mandatory Profile, the user is denied login to the HySecure Gateway and the configured remediation information is sent to the user.
The Mandatory Profile does not contain an application list; it only enforces the selected Host Scan policies on all connecting endpoints. Application blocking is enforced through the Normal Profile with the matching Security Level.
Normal Profile with Security Level
Multiple profiles with varying Security Levels can be created. This allows more applications to be blocked for endpoints with lower trust levels.
For example, a Device Profile with a low Security Level (high trust) can require Host Scan policies for AV, domain membership and critical Windows updates, and block no applications at all.
A profile with a relatively higher Security Level (lower trust) can require only AV and moderate Windows updates, and block a small set of applications.
An even higher Security Level (even lower trust) can require only AV, and block a relatively larger set of applications.
Important
- Security Level 1 is the highest trust level and Security Level 10 is the lowest trust level
- There can be only one Normal Device Profile for each Security Level
- Device Profiles are matched from Security Level 1 up to Security Level 10
Quarantine Profile
If none of the Normal Profiles match a connecting endpoint, the applications listed in the Quarantine Profile are blocked. This is an optional system profile that contains no Host Scan policies, only the list of applications the user cannot access when the endpoint they connect from does not satisfy any Normal Device Profile.
Important
- A Quarantine Profile does not contain a Host Scan policy list, as it is a fallback, no-scan profile.
- If no Quarantine Profile exists and the endpoint does not satisfy any other profile, the endpoint is denied login to the HySecure Gateway.
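The evaluation order described above (Mandatory, then Normal Profiles from Security Level 1 to 10 with first match winning, then Quarantine, otherwise deny) together with the rules that a Device Profile's blocked applications override the Access Control allow list, that only one Normal Profile may exist per Security Level, and that a missing Quarantine Profile means denial, can be modelled as a small policy engine. The following is an added example written for this page; it is not Accops code and does not reflect how the HySecure Gateway or its endpoint agent are implemented. The Host Scan checks, profile names, application names and endpoint facts are all constructed for illustration.

```python
"""Added worked model of HySecure Device Profile evaluation (illustrative, not Accops code).
Host Scan policies are modelled as predicates over facts the endpoint agent is assumed to report."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Facts = Dict[str, object]
HostScanPolicy = Tuple[str, Callable[[Facts], bool]]   # (label, check)


@dataclass
class DeviceProfile:
    name: str
    kind: str                                  # "mandatory", "normal" or "quarantine"
    security_level: int = 0                    # normal profiles only: 1 = highest trust, 10 = lowest
    policies: List[HostScanPolicy] = field(default_factory=list)
    blocked_apps: frozenset = frozenset()
    remediation: str = ""                      # text shown to the user on a mandatory failure


@dataclass
class Decision:
    login_allowed: bool
    profile: Optional[str]
    blocked_apps: frozenset
    reason: str


def validate_profiles(mandatory, normals, quarantine):
    """Cardinality rules from the page: Mandatory has no app list, Quarantine has no
    Host Scan policies, and at most one Normal profile per Security Level 1..10."""
    if mandatory is not None and (mandatory.kind != "mandatory" or mandatory.blocked_apps):
        raise ValueError("mandatory profile must not carry a blocked-application list")
    if quarantine is not None and (quarantine.kind != "quarantine" or quarantine.policies):
        raise ValueError("quarantine profile must not carry Host Scan policies")
    seen = set()
    for p in normals:
        if p.kind != "normal" or not 1 <= p.security_level <= 10:
            raise ValueError(f"{p.name}: normal profiles need a Security Level in 1..10")
        if p.security_level in seen:
            raise ValueError(f"duplicate normal profile for Security Level {p.security_level}")
        seen.add(p.security_level)


def evaluate(endpoint: Facts, mandatory, normals, quarantine) -> Decision:
    """Mandatory -> Normal (level 1 upward, first match wins) -> Quarantine -> deny."""
    validate_profiles(mandatory, normals, quarantine)
    if mandatory is not None:
        for label, check in mandatory.policies:
            if not check(endpoint):              # any failed mandatory check denies login
                return Decision(False, None, frozenset(),
                                f"mandatory check failed: {label}. {mandatory.remediation}")
    for profile in sorted(normals, key=lambda p: p.security_level):
        if all(check(endpoint) for _, check in profile.policies):
            return Decision(True, profile.name, profile.blocked_apps,
                            f"matched Security Level {profile.security_level}")
    if quarantine is not None:
        return Decision(True, quarantine.name, quarantine.blocked_apps,
                        "no normal profile matched; quarantined")
    return Decision(False, None, frozenset(), "no normal profile matched and no quarantine profile exists")


def effective_apps(access_control_allowed: set, decision: Decision) -> set:
    """Blocked apps from the Device Profile take precedence over the Access Control allow list."""
    if not decision.login_allowed:
        return set()
    return set(access_control_allowed) - set(decision.blocked_apps)


# Constructed Host Scan checks (assumed fact names; not the agent's real attribute set)
AV_PRESENT = ("AV installed", lambda f: bool(f.get("av")))
AV_CURRENT = ("AV signatures at most 3 days old", lambda f: f.get("av_sig_age_days", 999) <= 3)
IN_DOMAIN = ("joined to CORP domain", lambda f: f.get("domain") == "CORP")
NO_MISSING_CRITICAL = ("no missing critical updates", lambda f: f.get("missing_critical", 99) == 0)
FEW_MISSING_CRITICAL = ("at most 2 missing critical updates", lambda f: f.get("missing_critical", 99) <= 2)

MANDATORY = DeviceProfile("mandatory", "mandatory", policies=[AV_PRESENT, IN_DOMAIN],
                          remediation="Install the corporate AV and join the CORP domain.")
NORMALS = [
    DeviceProfile("trusted", "normal", 1, [AV_CURRENT, NO_MISSING_CRITICAL], frozenset()),
    DeviceProfile("moderate", "normal", 3, [AV_CURRENT, FEW_MISSING_CRITICAL], frozenset({"finance-db"})),
    DeviceProfile("basic", "normal", 5, [AV_CURRENT], frozenset({"finance-db", "hr-portal"})),
]
QUARANTINE = DeviceProfile("quarantine", "quarantine",
                           blocked_apps=frozenset({"finance-db", "hr-portal", "git"}))
ALLOWED_BY_ACCESS_CONTROL = {"mail", "git", "hr-portal", "finance-db"}   # constructed allow list

# Constructed endpoint facts
ENDPOINTS = {
    "patched_laptop":  {"av": True, "av_sig_age_days": 1, "domain": "CORP", "missing_critical": 0},
    "slightly_behind": {"av": True, "av_sig_age_days": 2, "domain": "CORP", "missing_critical": 2},
    "unpatched":       {"av": True, "av_sig_age_days": 1, "domain": "CORP", "missing_critical": 6},
    "stale_av":        {"av": True, "av_sig_age_days": 30, "domain": "CORP", "missing_critical": 6},
    "no_av":           {"av": False, "domain": "CORP", "missing_critical": 0},
}


def decide(name: str, with_quarantine: bool = True):
    d = evaluate(ENDPOINTS[name], MANDATORY, NORMALS, QUARANTINE if with_quarantine else None)
    return d, effective_apps(ALLOWED_BY_ACCESS_CONTROL, d)


if __name__ == "__main__":
    for name in ENDPOINTS:
        d, apps = decide(name)
        print(f"{name:16} login={str(d.login_allowed):5} profile={d.profile} apps={sorted(apps)}  ({d.reason})")
```

Running it shows the ordering effects the page describes: the fully patched endpoint stops at Security Level 1 and keeps every application, the endpoint with stale AV signatures matches no Normal Profile and lands in Quarantine with only `mail` left, and the endpoint without AV never reaches the Normal Profiles because the Mandatory Profile denies login and returns the remediation text. Calling `decide("stale_av", with_quarantine=False)` shows the deny-on-no-quarantine rule.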