Device Profiles

Overview

Device Profiles determine the trust level of a connecting endpoint rather than the user and help with authorizing application access to that endpoint. This trust is established even before the user logs in and is authorized for application access.

The Device Profile policy is applicable at the Gateway level. However, for it to be effective, the following two conditions must be met:

The Endpoint Security license should be applied on the Gateway.
The Endpoint Security should be enabled for the HySecure Domain on which the endpoint would attempt the connection.

The Device Profile contains a set of Host Scan policies and the corresponding applications that would get blocked with matching Host Scan policies. The Host Scan policies help define the endpoint information, such as the information related to AV products being used, the firewall, etc.

Important

Allow/Block applications configured based on Device profiles take precedence over the allowed applications in the Application Group for Access Control policies.
The display will be customized based on the type of device, such as a laptop, tablet, mobile phone, or any other endpoint device.

The HySecure Administrator can create three types of Device Profiles:

Normal Profile, one for each Profile Security Level
Mandatory Profile
Quarantine Profile

The HySecure Administrator can create only one Quarantine Profile and one Mandatory Profile. However, multiple Normal Profiles, one for each different Profile Security Level can be created.

Flow of evaluating Device Profiles

When an endpoint attempts a connection to the HySecure Gateway, the Device Profiles are evaluated in the following order:

Mandatory Profile

This profile is checked for the minimum pre-requisites which should be satisfied as per the Host Scan policies configured for this profile.
Normal Profile with Security Level

Post satisfying the Mandatory profile, the endpoint details are scanned for the Normal profiles with an increasing Security Level number which primarily indicates a reduced trust level. The first match gives the Device Profile for connecting the endpoint.
Quarantine profile

If none of the configured Normal profiles are matched, then the connecting device will fall into the Quarantine profile and applications are blocked as per the ones configured in this profile.

Mandatory Profile

This is a system profile that contains a set of Host Scan policies that must be satisfied by all connecting endpoints before the user can log in to the HySecure Gateway. Using the Mandatory profiles, administrators can enforce that all the connecting endpoints comply with certain minimum requirements. An example of a Mandatory profile would be enforcing login from endpoints with a particular AV solution updated with the latest signatures and logging in from a specific domain.

Only one Mandatory profile is allowed which means that this would be a pre-requisite for all logins to the HySecure. If the endpoint machine fails any of the policies of the Mandatory profile, then the user is denied login into the HySecure Gateway. The configured remediation information will be sent to the user.

The Mandatory profile does not contain any access list as it will only enforce the selected Host Scan policies on all connecting endpoints. The allowed application list can be enforced through the Normal profile with a configured security level.

Normal Profile with Security Level

Multiple profiles with varying security levels can be created. This helps in setting more blocked applications for endpoints with reduced trust levels.

E.g., A Device Profile with a lower security level, i.e., higher trust can enforce Host Scan policies for AV, Domain, and Critical Windows Update. This can block no application.

A relatively higher security level, i.e. lower trust level Device Profile can enforce just AV and moderate Windows updates blocking a small set of applications.

An even higher security level i.e. an even lower trust level Device Profile can enforce just the AV and hence block a relatively larger set of applications.

Important

Security Level 1 is considered as the highest trust level, and 10 is considered the lowest trust level.
There can be just 1 Normal Device Profile for each of the Security Levels.
The Device Profiles get matched from the ones with Security Level 1 to the ones with Security Level 10.

Quarantine Profile

For a connecting endpoint, if none of the Normal profiles match, the applications indicated in the Quarantine profile would get blocked. This is a system profile that only includes a list of applications that the user won't be able to access if the device they are connecting from doesn't meet the normal device profiles. This profile doesn't contain any policies.

Important

A Quarantine profile does not contain any Host Scan policy list, as it is a fallback, no-scan profile.
If no Quarantine profile exists and the endpoint does not satisfy any other profile, then the endpoint is denied login into HySecure Gateway.

View Device Profiles

To view the list of Device Profiles and manage them:

Log on to the Management Console.
Go to Policies > Endpoint Security Policies > Device Profiles
The page lists all the profiles in a tabular manner with the following information:

Field	Description
Profile Name	Displays the identifier of the device profile.
Profile Security Level	Displays the security trust level of the profile ranging from 1 to 20, with 1 being the highest.
Profile Description	Displays the profile description for easy recall.

Add a new Device Profile

Log on to the Management Console.
Go to Policies > Endpoint Security Policies > Device Profiles and click Add.
Provide basic information for the profile as indicated in the table below.

Name	Description
Profile Name	Enter the identifier of the device profile.
Security Level	Select the security level from the drop-down list. Endpoints are scanned in ascending order of Security Trust Level, with 1 being the highest trust level.
Mandatory Profile	Click to create a mandatory profile. The creation of at least one Normal profile is necessary to create a Mandatory profile. If one already exists, this field is disabled - only one mandatory profile is allowed.
Quarantine Profile	To create a Quarantine Profile, click the button. Creating at least one Normal profile is necessary to create a Mandatory profile. If it's already created, the field will be disabled. Only one Quarantine Profile can exist; any endpoint failing all other device profiles will be assigned to it. If no quarantine profile exists and the endpoint does not meet any other profile, the endpoint is denied login into HySecure Gateway.
Profile Description	Provide a profile description for easy recall.
Policies	Click Add Policies to Profile to add policies to the profile.
Blocked Applications	Click Blocked Applications to block the applications to the profile.

Add Policies to Profile

Add the policies that need to be complied with by the endpoint to allow a user to log in.

Click the Add Policies to Profile link and select profiles to add to the list of mandatory compliance.
Click Add and Submit.

Blocked Applications

Deny specific applications to endpoints under this profile. All applications are allowed by default.

Click the Block Applications to Profile link on the Create Profile screen to access the Add/Block Applications from the Profile screen.
Block apps by selecting them in the Application table and clicking Add and Submit.

Modify Profile

Log on to the Management console.
Go to Policies > Endpoint Security Policies > Device Profiles.
Click the check box against the profile you want to edit and click Modify.
Modify profile details as needed. Refer to the Add Profile section for details.
Click Modify to save changes.

Delete Profile

Log on to the Management console.
Go to Policies > Endpoint Security Policies > Device Profiles.
Click the check box against the profile you want to edit and click Delete.
click OK to delete the profiles when prompted for deletion confirmation.