# Device Trust

{% hint style="info" %}
This feature is part of the Enterprise plan. If it is not enabled for your organization, please contact StrongDM at the [StrongDM Help Center](https://help.strongdm.com/hc/en-us).
{% endhint %}

### Overview

Device Trust is a security mode that lets your organization configure StrongDM to work with endpoint management software such as Cisco Duo, CrowdStrike, Microsoft Defender, and SentinelOne.

When running in Device Trust mode, the StrongDM client supplies signals about the host machine's Device Trust status whenever a [policy](https://docs.strongdm.com/admin/access/policies) that requires them is evaluated. These signals indicate whether the machine hosting the client has the endpoint agent running and whether that agent has flagged any vulnerabilities. If either condition is violated, the client can be logged out and any active resource connections are severed.

StrongDM admins can enable Device Trust for all users, including service accounts. Moreover, admins can specify users and roles to be excluded from Device Trust enforcement. This page describes how to set up Device Trust in the Admin UI.

### Prerequisites

* Enablement requires that your organization have software from a supported Device Trust provider running on user workstations.
* You must have administrative access to your organization’s Device Trust provider account.
* You must enact [policies](https://docs.strongdm.com/admin/access/policies) that use Device Trust as a condition of access in order to trigger Device Trust checks.

### Admin UI Configuration

1. In the Admin UI, go to **Settings** > **Device Trust**.
2. Click the lock to change the settings.
3. For **Enable Device Trust for Your Organization?**, select **Enabled** to enable it. Then click **Save**.
4. For **Default User Enforcement** you can choose whether you wish for users to have Device Trust enforced on them by default, or to be exempt by default.
5. Decide which users and/or roles, if any, should be excluded from Device Trust enforcement. Before fully activating Device Trust, you can make exceptions for specific users and roles so that Device Trust is enforced for everyone except the ones you exclude. To make an exception for a user, go to the user’s **Settings** tab and select the relevant option under **Device Trust Enforcement**. To make an exception for a role, go to the role’s **Settings** tab.
6. Go back to **Settings** > **Device Trust** to configure the remaining settings.
7. For **Provider**, choose your endpoint management software provider (for example, CrowdStrike or SentinelOne).
8. Complete the remaining [settings](#device-trust-provider-settings-and-requirements) for your selected provider. In these settings, "agent" refers to the endpoint agent that is installed on the user’s workstation. The agent monitors the user workstation’s posture and assesses whether the given workstation is in a positive or negative integrity state.
9. **Allow service accounts to run without the agent** allows you to exempt service account machines that are not enrolled with your Device Trust provider.
10. Save when you’re done.
11. Lastly, ensure that [policies](https://docs.strongdm.com/admin/access/policy-creation#device-trust-context) are configured to forbid or permit resource access based on the Device Trust status of a user’s workstation.

### Device Trust provider settings and requirements

#### **Cisco Duo**

**Settings**

| Setting             | Requirement | Description                                                                                                                           |
| ------------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------- |
| **Integration Key** | Required    | Integration key copied from your Duo application settings in Duo Admin                                                                |
| **Management URL**  | Required    | Duo Admin API hostname/endpoint (for example, `api-a12b3-c45.duosecurity.com`) copied from your Duo application settings in Duo Admin |
| **Secret Key**      | Required    | Secret key copied from your Duo application settings in Duo Admin                                                                     |

**Additional requirements for Duo**

* In order for StrongDM to communicate with Duo, your Duo Admin application must have the “Grant read resource” permission enabled. You can check that your application has the correct permissions in **Duo Admin** > **Dashboard** > **Applications**.
* The StrongDM control plane calls out to Duo [API endpoints](https://duo.com/docs/adminapi#endpoints) to get device trust information. Duo limits usage of those endpoints to [Duo Premier and Duo Advantage](https://duo.com/editions-and-pricing) customers. In addition, some response information is available only with Duo Premier.

#### **CrowdStrike**

**Settings**

| Setting           | Requirement | Description                                                                                                      |
| ----------------- | ----------- | ---------------------------------------------------------------------------------------------------------------- |
| **Base URL**      | Required    | CrowdStrike base address (for example, `https://your-cloud-region.crowdstrike.com`)                              |
| **Client ID**     | Required    | CrowdStrike client ID                                                                                            |
| **Client Secret** | Required    | CrowdStrike client secret                                                                                        |
| **Member CID**    | Optional    | CrowdStrike customer identification (CID), which is found on the sensor download page of the CrowdStrike Console |
| **Provider**      | Required    | Select **CrowdStrike**                                                                                           |
| **Score**         | Required    | Numeric threshold, from 1 to 100, against which the host's CrowdStrike Zero Trust Assessment posture score is compared |

**Additional requirements for CrowdStrike**

The minimum scopes required when creating your CrowdStrike credentials are:

* Hosts (Read)
* Zero Trust Assessment (Read)

#### **Microsoft Defender**

**Settings**

| Setting            | Requirement | Description                                                                                                                                                            |
| ------------------ | ----------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Client ID**      | Required    | Client ID for your Microsoft Defender app, available on the app's Overview page                                                                                        |
| **Client Secret**  | Required    | Client Secret for your Microsoft Defender app, copied after creating it in your app by selecting **Add a certificate or secret** in the **Client credentials** section |
| **Max Risk Score** | Required    | Ceiling for a device's Defender risk score; one of "None", "Informational", "Low", "Medium", or "High"                                                                  |
| **Tenant ID**      | Required    | Tenant ID for your Microsoft Defender app, available on the app's Overview page                                                                                        |

**Additional requirements for Defender**

The application requires the `Machine.Read.All` application permission from the **WindowsDefenderATP** API. Because StrongDM authenticates with a client ID and secret (no signed-in user), this must be an application permission, not a delegated one. To add the permission, follow these steps.

1. Go to **API permissions** > **Add a permission**.
2. In the **APIs my organization uses** table, search for and select **WindowsDefenderATP**.
3. Select **Application permissions**, then search for and select the `Machine.Read.All` permission. Granting this permission requires admin consent, so an administrator may need to approve it before the credentials work.

#### **SentinelOne**

**Settings**

| Setting            | Requirement | Description                                                                                              |
| ------------------ | ----------- | -------------------------------------------------------------------------------------------------------- |
| **API Token**      | Required    | SentinelOne API token, which can be generated in the SentinelOne management console in the user settings |
| **Management URL** | Required    | SentinelOne Management URL (for example, `https://example-management-url.sentinelone.net/`)              |
| **Provider**       | Required    | Select **SentinelOne**                                                                                   |

**Additional requirements for SentinelOne**

SentinelOne API calls require authentication, and SentinelOne's recommended scheme is the API token (sent as `ApiToken`). The SentinelOne user whose token you use needs view permissions for the endpoints you want StrongDM to evaluate. API tokens are generated in the SentinelOne Management Console (under the user's settings) or through the API, and each token is valid for six months. Because of this expiration, if SentinelOne is your Device Trust provider, you must regenerate the token and update the StrongDM setting every six months; otherwise Device Trust checks will start failing once the token expires. You can see a token's expiration date when viewing your user account in the SentinelOne Management Console.

For more information, refer to the SentinelOne API documentation.
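A practical check before turning on enforcement is to confirm that the credentials you entered can actually read the signals StrongDM needs, and to see how the CrowdStrike **Score**, Defender **Max Risk Score**, and SentinelOne agent state translate into a trusted/untrusted answer. The script below is an added example, not StrongDM or provider code. The live fetch functions use the providers' documented API endpoints (CrowdStrike `/oauth2/token` and `/zero-trust-assessment/entities/assessments/v1`, the Entra ID client-credentials token endpoint and Defender `/api/machines`, SentinelOne `/web/api/v2.1/agents` with the `ApiToken` scheme); the evaluator functions take parsed JSON so they can run offline on the constructed samples at the bottom. The sample values and any field not named in the docstrings are assumptions.

```python
"""Preflight for Device Trust provider credentials and posture thresholds.

Added example, not StrongDM code. Live fetches use the providers' documented
API endpoints; evaluators take parsed JSON and run offline on the constructed
samples below. Field names not named in the docstrings are assumptions.
"""
import json
import urllib.parse
import urllib.request

# Ordinal scale Microsoft Defender uses for a machine's riskScore. The
# StrongDM "Max Risk Score" setting is the highest level still allowed.
DEFENDER_RISK_LEVELS = ["None", "Informational", "Low", "Medium", "High"]
FORM = {"Content-Type": "application/x-www-form-urlencoded"}


def get_json(url, headers=None, data=None):
    """Tiny HTTPS helper for the live checks; returns parsed JSON."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def crowdstrike_token(base_url, client_id, client_secret):
    """CrowdStrike OAuth2 client-credentials token (POST /oauth2/token).
    A 403 here or on the ZTA call usually means the API client is missing
    the Hosts (Read) or Zero Trust Assessment (Read) scope."""
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}).encode()
    return get_json(f"{base_url}/oauth2/token", FORM, body)["access_token"]


def crowdstrike_zta(base_url, token, aid):
    """GET /zero-trust-assessment/entities/assessments/v1?ids=<sensor aid>."""
    url = (f"{base_url}/zero-trust-assessment/entities/assessments/v1"
           f"?ids={urllib.parse.quote(aid)}")
    return get_json(url, {"Authorization": f"Bearer {token}"})


def crowdstrike_host_trusted(zta_response, score_threshold):
    """True only if every host in the response meets the configured Score.
    Reads resources[].assessment.overall (the 1-100 posture score); an empty
    resources list means no assessment exists, which counts as untrusted."""
    hosts = zta_response.get("resources") or []
    return bool(hosts) and all(
        h["assessment"]["overall"] >= score_threshold for h in hosts)


def defender_token(tenant_id, client_id, client_secret):
    """Entra ID client-credentials token scoped to the Defender for Endpoint
    API; requires the Machine.Read.All application permission with consent."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://api.securitycenter.microsoft.com/.default"}).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    return get_json(url, FORM, body)["access_token"]


def defender_machine_trusted(machine, max_risk_score):
    """Compare one machine object from GET /api/machines (fields riskScore,
    healthStatus) against Max Risk Score on the ordinal scale. A sensor that
    is not Active or an unrecognised riskScore is untrusted, never "None"."""
    risk = machine.get("riskScore")
    if machine.get("healthStatus") != "Active" or risk not in DEFENDER_RISK_LEVELS:
        return False
    return (DEFENDER_RISK_LEVELS.index(risk)
            <= DEFENDER_RISK_LEVELS.index(max_risk_score))


def sentinelone_agents(mgmt_url, api_token, computer_name):
    """GET /web/api/v2.1/agents using the ApiToken authorization scheme.
    An HTTP 401 here is the usual symptom of a token past its six-month
    expiry, so this call doubles as a rotation check."""
    url = (f"{mgmt_url.rstrip('/')}/web/api/v2.1/agents"
           f"?computerName={urllib.parse.quote(computer_name)}")
    return get_json(url, {"Authorization": f"ApiToken {api_token}"})["data"]


def sentinelone_agent_trusted(agent):
    """Agent record must be active, not flagged infected, and report zero
    active threats (fields isActive, infected, activeThreats)."""
    return (bool(agent.get("isActive")) and not agent.get("infected")
            and int(agent.get("activeThreats") or 0) == 0)


# Constructed sample responses, not captured from any real tenant.
SAMPLE_ZTA = {"resources": [{"aid": "0123abcd", "assessment": {"overall": 72}}]}
SAMPLE_DEFENDER = {"computerDnsName": "lt-42", "healthStatus": "Active",
                   "riskScore": "Medium"}
SAMPLE_S1 = {"computerName": "lt-42", "isActive": True, "infected": False,
             "activeThreats": 0}
```

Run the evaluators against the samples to see the threshold semantics (a Score of 70 admits the sample host, 80 rejects it; Max Risk Score "Medium" admits a "Medium" machine, "Low" rejects it), then swap in the live fetch functions with your own credentials to confirm each provider returns the fields before you rely on them in a policy.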

### User Administration

Particular users can have a Device Trust setting that is explicit and independent of the organization-wide controls. The values available when editing a user's profile are:

* **Default**: Device Trust is enforced for this user if the organization's global settings require Device Trust to be enforced.
* **Exempt**: Device Trust is not enforced for this user, regardless of global settings.
* **Required**: Device Trust is enforced for this user, regardless of global settings.

### User Experience

When Device Trust is enabled, administrators can use [policies](https://docs.strongdm.com/admin/access/policies) to check the device status of any user for whom Device Trust is enforced. The check validates whether the device posture reported by the agent is still acceptable. If it is not, the policy can require further actions, such as MFA re-authentication or a justification from the user for a particular action, or it can forcibly log the user out.

If the user is using the CLI and is forcibly logged out, all active resource connections are severed.

