Device Profile
Overview
Device Profiles determine the trust level of the connecting endpoint, rather than of the user, and are used to authorize application access for that endpoint. This trust is established before the user logs in and is authorized for application access.
The Device Profile policy applies at the Gateway level. For it to take effect, both of the following conditions must be met:
- The Endpoint Security license must be applied on the Gateway.
- Endpoint Security must be enabled for the HySecure Domain to which the endpoint attempts to connect.
A Device Profile contains a set of Host Scan policies and the list of applications that are blocked when those policies match. Host Scan policies describe endpoint attributes such as the antivirus (AV) products in use, the firewall state, and so on.
Important
- Allow/Block application rules configured through Device Profiles take precedence over the allowed applications in the Application Group of Access Control policies.
- The display is customized according to the type of device, such as a laptop, tablet, mobile phone, or any other endpoint device.
The HySecure Administrator can create three types of Device Profiles:
- Normal Profile, one for each Profile Security Level
- Mandatory Profile
- Quarantine Profile
The HySecure Administrator can create only one Quarantine Profile and one Mandatory Profile. Multiple Normal Profiles can be created, but only one for each Profile Security Level.
Flow of evaluating Device Profiles
When an endpoint attempts a connection to the HySecure Gateway, the Device Profiles are evaluated in the following order:
- Mandatory Profile
The endpoint is first checked against the minimum prerequisites defined by the Host Scan policies configured for this profile.
- Normal Profile with Security Level
Once the Mandatory profile is satisfied, the endpoint details are checked against the Normal profiles in increasing order of Security Level number (a higher number indicates a lower trust level). The first matching profile becomes the Device Profile for the connecting endpoint.
- Quarantine Profile
If none of the configured Normal profiles match, the connecting device falls into the Quarantine profile and the applications configured in that profile are blocked.
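The evaluation order above, together with the Security Level and Quarantine rules stated on this page, modelled as an added Python illustration (not Accops code). Endpoint scan results are a flat dict of hypothetical fact names, and the sample profiles are constructed to mirror the page's AV/Domain/Windows Update example:

```python
from dataclasses import dataclass

# Endpoint scan results are modelled as a dict of facts; the key names
# (av_installed, av_updated, domain_joined, ...) are hypothetical.
@dataclass
class Profile:
    name: str
    policies: dict                       # Host Scan policies: fact -> required value
    blocked_apps: frozenset = frozenset()
    security_level: int = 0              # 1 = highest trust ... 10 = lowest; 0 = not a Normal profile

def satisfies(profile, endpoint):
    """True when every Host Scan policy of the profile holds for the endpoint."""
    return all(endpoint.get(fact) == want for fact, want in profile.policies.items())

def evaluate(endpoint, mandatory, normal_profiles, quarantine):
    """Return (decision, matched profile name, blocked application set)."""
    # Only one Normal profile may exist per Security Level.
    levels = [p.security_level for p in normal_profiles]
    if len(levels) != len(set(levels)):
        raise ValueError("more than one Normal profile for a Security Level")
    # Step 1: the Mandatory profile is a prerequisite for every login.
    if mandatory is not None and not satisfies(mandatory, endpoint):
        return "deny", mandatory.name, frozenset()
    # Step 2: Normal profiles from Security Level 1 upward; the first match wins.
    for profile in sorted(normal_profiles, key=lambda p: p.security_level):
        if satisfies(profile, endpoint):
            return "allow", profile.name, profile.blocked_apps
    # Step 3: Quarantine fallback performs no scan; without one, login is denied.
    if quarantine is None:
        return "deny", "no profile matched", frozenset()
    return "allow", quarantine.name, quarantine.blocked_apps

# Constructed sample configuration (hypothetical application names).
MANDATORY = Profile("Mandatory", {"av_installed": True})
NORMAL = [
    Profile("Level1", {"av_updated": True, "domain_joined": True, "critical_updates": True}, frozenset(), 1),
    Profile("Level3", {"av_updated": True, "moderate_updates": True}, frozenset({"FileShare"}), 3),
    Profile("Level5", {"av_updated": True}, frozenset({"FileShare", "RDP", "Intranet"}), 5),
]
QUARANTINE = Profile("Quarantine", {}, frozenset({"FileShare", "RDP", "Intranet", "Mail"}))

if __name__ == "__main__":
    trusted = {"av_installed": True, "av_updated": True, "domain_joined": True,
               "critical_updates": True, "moderate_updates": True}
    print(evaluate(trusted, MANDATORY, NORMAL, QUARANTINE))
```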
Mandatory Profile
This is a system profile containing a set of Host Scan policies that every connecting endpoint must satisfy before the user can log in to the HySecure Gateway. Using the Mandatory profile, administrators can enforce that all connecting endpoints comply with certain minimum requirements. An example of a Mandatory profile is requiring login from endpoints that run a particular AV solution with up-to-date signatures and that belong to a specific domain.
Only one Mandatory profile is allowed, so it is a prerequisite for every login to HySecure. If the endpoint fails any policy of the Mandatory profile, the user is denied login to the HySecure Gateway and the configured remediation information is sent to the user.
The Mandatory profile does not contain an access list; it only enforces the selected Host Scan policies on all connecting endpoints. The allowed application list is enforced through a Normal profile with a configured security level.
Normal Profile with Security Level
Multiple profiles with varying security levels can be created. This allows more applications to be blocked for endpoints with a lower trust level.
For example, a Device Profile with a low security level (i.e., high trust) can enforce Host Scan policies for AV, Domain, and Critical Windows Updates, and block no applications.
A Device Profile with a relatively higher security level (i.e., lower trust) can enforce just AV and moderate Windows Updates, blocking a small set of applications.
A Device Profile with an even higher security level (i.e., even lower trust) can enforce just AV, and hence block a relatively larger set of applications.
Important
- Security Level 1 is the highest trust level and Security Level 10 is the lowest.
- There can be only one Normal Device Profile for each Security Level.
- Device Profiles are matched in order from Security Level 1 to Security Level 10.
Quarantine Profile
If none of the Normal profiles match a connecting endpoint, the applications listed in the Quarantine profile are blocked. This is a system profile that contains only a list of applications the user cannot access when the device they are connecting from does not meet any Normal Device Profile. It contains no Host Scan policies.
Important
- A Quarantine profile does not contain a Host Scan policy list, as it is a fallback, no-scan profile.
- If no Quarantine profile exists and the endpoint does not satisfy any other profile, the endpoint is denied login to the HySecure Gateway.