Device Profile
Overview
Device Profiles determine the trust level of a connecting endpoint, rather than the user, and help authorize application access to that endpoint. This trust is established even before the user logs in and is authorized for application access.
The Device Profile policy is applicable at the Gateway level. However, for it to be effective, the following two conditions must be met:
- The Endpoint Security license should be applied to the Gateway.
- Endpoint Security should be enabled for the HySecure Domain that the endpoint attempts to connect to.
The Device Profile contains a set of Host Scan policies and the corresponding applications that would get blocked with matching Host Scan policies. The Host Scan policies define endpoint information, such as AV products in use, the firewall, etc.
Important
- Application allow/block lists configured in Device Profiles take precedence over the allowed applications in the Application Group of the Access Control policies.
- The display is customized according to the type of device, such as a laptop, tablet, mobile phone, or any other endpoint device.
The HySecure Administrator can create three types of Device Profiles:
- Normal Profile, one for each Profile Security Level
- Mandatory Profile
- Quarantine Profile
The HySecure Administrator can create only one Quarantine Profile and one Mandatory Profile. However, multiple Normal Profiles, one for each different Profile Security Level, can be created.
Flow of evaluating Device Profiles
When an endpoint attempts a connection to the HySecure Gateway, the Device Profiles are evaluated in the following order:
- Mandatory Profile: the endpoint is checked against the minimum prerequisites defined by the Host Scan policies configured for this profile.
- Normal Profile with Security Level: once the Mandatory profile is satisfied, the endpoint details are checked against the Normal profiles in ascending order of Security Level number (a higher number indicates a lower trust level). The first match becomes the Device Profile for the connecting endpoint.
- Quarantine Profile: if none of the configured Normal profiles match, the connecting device falls into the Quarantine profile, and the applications configured in this profile are blocked.
Mandatory Profile
This is a system profile that contains a set of Host Scan policies that all connecting endpoints must satisfy before the user can log in to the HySecure Gateway. Using the Mandatory profiles, administrators can enforce that all the connecting endpoints comply with certain minimum requirements. An example of a Mandatory profile would be enforcing endpoint login with a particular AV solution updated with the latest signatures and logging in from a specific domain.
Only one Mandatory profile is allowed, making it a prerequisite for all logins. If the endpoint machine fails any policy in the Mandatory profile, the user is denied login to the HySecure Gateway. The configured remediation information will be sent to the user.
The Mandatory profile does not contain any access list, as it will only enforce the selected Host Scan policies on all connecting endpoints. The allowed application list can be enforced through the Normal profile with a configured security level.
Normal Profile with Security Level
Multiple profiles with varying security levels can be created. This helps in setting more blocked applications for endpoints with reduced trust levels.
For example, a Device Profile with a lower security level (i.e., higher trust) can enforce Host Scan policies for AV, Domain, and Critical Windows Update while blocking no applications.
A Device Profile with a relatively higher security level (i.e., lower trust) can enforce just AV and moderate Windows updates, blocking a small set of applications.
A Device Profile with an even higher security level (i.e., even lower trust) can block a relatively larger set of applications.
Important
- Security Level 1 is the highest trust level, and Security Level 10 is the lowest.
- There can be only one Normal Device Profile for each Security Level.
- Device Profiles are matched in order from Security Level 1 up to Security Level 10.
Quarantine Profile
If none of the Normal profiles match a connecting endpoint, the applications listed in the Quarantine profile are blocked. This is a system profile that contains only a list of applications the user cannot access when the connecting device does not meet any Normal Device Profile; it contains no Host Scan policies.
Important
- A Quarantine profile does not contain a Host Scan policy list, as it is a fallback, no-scan profile.
- If no Quarantine profile exists and the endpoint does not satisfy any other profile, the endpoint is denied login to the HySecure Gateway.
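The evaluation order described in "Flow of evaluating Device Profiles", together with the precedence of a profile's block list over the Access Control allow list and the deny-when-no-Quarantine fallback, can be modelled as follows. This is an added illustration, not HySecure's or Accops' code; the Host Scan policies are simple predicates over a dictionary of endpoint facts, and the fact names, profile names, application names and the `corp.example` domain are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple

Policy = Callable[[dict], bool]  # a Host Scan policy: endpoint facts -> pass/fail


@dataclass
class DeviceProfile:
    name: str
    policies: List[Policy] = field(default_factory=list)
    blocked_apps: Set[str] = field(default_factory=set)
    security_level: Optional[int] = None  # Normal profiles only: 1 (highest trust) .. 10


def evaluate(endpoint: dict, mandatory: DeviceProfile, normals: List[DeviceProfile],
             quarantine: Optional[DeviceProfile], access_group: Set[str]
             ) -> Tuple[Optional[str], Set[str]]:
    """Return (matched profile name, or None if login is denied; apps the user may reach).

    A profile's block list takes precedence over the Access Control group's allow list,
    so the reachable set is access_group minus the matched profile's blocked_apps."""
    # Step 1: every Mandatory policy must pass, otherwise login is denied outright.
    if not all(p(endpoint) for p in mandatory.policies):
        return None, set()
    # Step 2: Normal profiles, one per Security Level, matched from level 1 up to 10.
    levels = [p.security_level for p in normals]
    if len(levels) != len(set(levels)) or not all(
            isinstance(lv, int) and 1 <= lv <= 10 for lv in levels):
        raise ValueError("Normal profiles need distinct Security Levels in 1..10")
    for prof in sorted(normals, key=lambda p: p.security_level):
        if all(p(endpoint) for p in prof.policies):
            return prof.name, access_group - prof.blocked_apps  # first match wins
    # Step 3: no Normal match -> Quarantine (no scan, block list only); none -> deny.
    if quarantine is None:
        return None, set()
    return quarantine.name, access_group - quarantine.blocked_apps


# Constructed sample policies; the endpoint fact names are assumptions, not HySecure's.
av_running = lambda e: e.get("av_running", False)
av_current = lambda e: e.get("av_signature_age_days", 999) <= 1
in_domain = lambda e: e.get("domain") == "corp.example"
no_missing_critical = lambda e: e.get("missing_critical_updates", 1) == 0

MANDATORY = DeviceProfile("Mandatory", [av_running])
NORMALS = [  # deliberately unsorted; evaluate() orders them by Security Level
    DeviceProfile("Level5", [av_current], {"finance-erp"}, 5),
    DeviceProfile("Level1", [av_current, in_domain, no_missing_critical], set(), 1),
]
QUARANTINE = DeviceProfile("Quarantine", [], {"finance-erp", "hr-portal"})
ACCESS_GROUP = {"webmail", "hr-portal", "finance-erp"}  # Access Control allow list
```

With these constructed profiles, an endpoint that fails the Mandatory AV check is denied outright, one with stale AV signatures lands in Quarantine and only reaches `webmail`, and the same stale endpoint is denied if no Quarantine profile is configured.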