Duo Trusted Endpoints - Workspace ONE Managed Device Deployment
Last Updated: October 31st, 2024
Certificate-based Trusted Endpoint verification for Workspace ONE/AirWatch reached end-of-life on October 7, 2024. Duo device certificates will no longer renew after October 2024. Migrate existing iOS Certificate Configuration management integrations to iOS with App Config Configuration. Learn more about the end-of-life timeline and migration options in the Duo Trusted Endpoints Certificate Migration Guide.
Overview
Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo protected services. When a user authenticates via the Duo Prompt, we'll check for the access device's management status. You can monitor access to your applications from trusted and untrusted devices, and optionally block access from devices not trusted by your organization.
Trusted Endpoints is part of the Duo Essentials, Duo Advantage, and Duo Premier plans.
Before enabling the Trusted Endpoints policy on your applications, you'll need to allow REST API access for Duo to your managed mobile devices, or deploy Duo Desktop to Windows and macOS managed systems and sync identifiers for those systems from Workspace ONE into Duo.
This guide walks you through Workspace ONE configuration for Windows and macOS endpoint clients and Android and iOS mobile devices.
Mobile Trusted Endpoints and Verified Duo Push: Trusted endpoint verification of iOS and Android devices with Duo Mobile uses the standard Duo Push approval process and will not prompt for a Duo Push verification code, even if the effective authentication methods policy for the user and application has "Verified Duo Push" enabled.
Requirements
- Access to the Duo Admin Panel as an administrator with the Owner, Administrator, or Application Manager administrative roles.
- Access to the Workspace ONE Console as an administrator with the rights to create roles, accounts, and device profiles.
- Directory Services enabled within the Workspace ONE Console with an account in the directory that will be used as an Admin Account within Workspace ONE.
Create a Duo Admin and API Key in Workspace ONE
Create a read-only API user and role and an API key in Workspace ONE for Duo to obtain managed endpoint information. Duo will use this account to synchronize your Windows device identifiers from Workspace ONE. The imported identifiers will be used to determine device trust when Windows devices access your protected applications.
You only need to do this once, and can then use the same Duo admin credentials and API key for each Workspace ONE management integration you configure in Duo, even if they are for different device operating systems.
Create an API Role for Duo
- Log in to the Workspace ONE console as an administrator and go to Accounts → Administrators → Roles.
- Click the Add Role button. Enter Duo API Role as the Name and add a Description for the new role on the "Create Role" page.
- Click on the "API" category on the left and then locate REST in the API category list. Check the box in the "Read" column to grant the new Duo API role read access to devices. Click Save to create the role.
Create a Duo Admin Account
Determine whether you plan to create an admin for Duo using an account synced from an external directory or a "Basic" (local) account before you begin.
We recommend using a directory account over a "Basic" account because Workspace ONE enforces password expiration for "Basic" user types every 30 days. While the password is expired, your Trusted Endpoint Integration with Workspace ONE will not work, and you will need to reset the password to restore functionality.
Use of a directory account is not subject to the 30-day password expiration.
- Navigate to Accounts → Administrators → List View in the Workspace ONE console.
- Click the Add button and choose Add Admin → Directory → Next on the pop-up menu.
- Enter the following information on the "Add Admin" form (for a Directory admin):
    Admin Type: Directory
    Directory Name: Default
    Domain: Select the correct domain from the drop-down, if not already selected.
    Username: Search for an account in your directory to use and click Select User.
- Click Next to go to the "Roles" tab.
- On the "Roles" tab, choose your Organization Group from the list presented. Locate and select the "Duo API Role" read-only role you created earlier in the Role list.
- Click the Next button on the "Details" page. You can optionally fill in the fields on the Details page.
- On the "Settings" tab, leave "Two Factor Authentication" as the default, choose None in the "Notification" section, and leave the "User Credentials" option selected in the "API" section.
- Click Save to create a Directory admin.
- Click the Add button and choose Add Admin on the pop-up menu.
- Enter the following information on the "Add Admin" form (for a Basic admin):
    Admin Type: Basic
    Username: Create a username.
    Password: Create a password.
    Confirm Password: Enter the password again.
    Require password: Toggle the switch to on if you would like to change your password at next login.
    First Name and Last Name: Enter a first and last name for the Duo admin user (e.g. "Duo" "Admin").
    Email Address: Enter an email address for the Duo admin user.
    Time Zone: Select your time zone.
    Locale: Select your language/region.
    Initial Landing Page: Leave as the default option.
- Click the Next button to go to the "Roles" section, then click the Add Role button.
- Choose your Organization Group from the list presented. Locate and select the "Duo API Role" read-only role you created earlier in the Role list.
- Click the Next button on the "Details" page. You can optionally fill in the fields on the Details page.
- Click the Next button to go to the "Settings" section and ensure that you select the "User Credentials" option for the API.
- On the "Settings" tab, leave "Two Factor Authentication" as the default, choose None in the "Notification" section, and leave the "User Credentials" option selected in the "API" section.
- Click Save to create the admin.
Create the Duo REST API Key
- Navigate to Groups & Settings → All Settings → System → Advanced → API → Rest API in the Workspace ONE console.
- Click Add to generate a new REST API key. This appends a new row to the existing API keys table.
- Click into the blank Service field for the newly-generated API key to type in a service name for this API key (like "Duo API"). You can also enter additional identifying information in the Description field.
- Leave the "Account Type" set to Admin and click Save.
Windows Configuration
This integration relies on having Duo Desktop present on your Workspace ONE-managed Windows endpoints. When users authenticate to applications protected with Duo's browser-based prompt, Duo matches the device identifiers reported by Duo Desktop with managed device information obtained from Workspace ONE in a nightly sync via read-only API access (note this sync can't be manually initiated or rescheduled at this time).
Prerequisites
- Deploy Duo Desktop for Windows 10 and later to your Workspace ONE-managed endpoints. Refer to the Duo Desktop documentation to learn about different options for deploying the application.
    Note that you do not need to configure a Duo Desktop policy in order to use Workspace ONE with Duo Desktop.
- Create the Duo API user, role, and API key in Workspace ONE if you did not already do so, and have the admin account credentials and API key information available to enter into the Duo Admin Panel when needed.
Create the Workspace ONE with Duo Desktop Integration
- Log in to the Duo Admin Panel and navigate to Devices → Trusted Endpoints.
- If this is your first management integration, click the Get started button at the bottom of the Trusted Endpoints introduction page. If you're adding another management integration, click the Add Integration button you see at the top of the page instead.
- On the "Add Management Tools Integration" page, locate Workspace ONE in the list of "Device Management Tools" and click the Add this integration selector.
- Choose Windows from the "Recommended" options, and then click the Add button.
The new Workspace ONE with Duo Desktop integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.
Please note that this integration requires Duo Desktop to be installed on the device to be considered trusted.
Keep the Duo Admin Panel open in your browser. You'll need to refer back to the Workspace ONE with Duo Desktop management integration page to complete the configuration steps.
Enter Workspace ONE Info in Duo
- Return to your Workspace ONE Windows management integration page in the Duo Admin Panel if you navigated away.
- Enter the following information into the blank fields under step 4 of the Workspace ONE "Windows Configuration Instructions" section:
    Admin Username: Enter the Duo admin username you created in Workspace ONE.
    Admin Password: Enter the password for the Duo admin user you created in Workspace ONE.
    API Key: Enter the REST API key you created for Duo in Workspace ONE.
    Domain Name: Enter your organization's Workspace ONE domain. Your domain name is the API server URL, which can be found in the Workspace ONE console by navigating to Groups & Settings → All Settings → System → Advanced → Site URLs.
- Click the Test Configuration button to verify Duo's API access to your Workspace ONE instance. You'll receive a "Configuration Successful!" message if everything's correct. If the test fails, verify that you completed the Workspace ONE configuration steps and entered the right information in the Duo Admin Panel.
- After you successfully test your configuration, click the Save & Configure button.
At this point the configured integration is disabled and applies to no users until you finish your deployment.
Verify Windows Device Information with Search
After you configure the connection between Workspace ONE and Duo you can verify that a given device's information is being pulled into Duo by searching for the device identifier from the Duo Admin Panel. See Search for Device Identifiers to learn how.
macOS Configuration
This integration relies on having Duo Desktop present on your Workspace ONE-managed macOS endpoints. When users authenticate to applications protected with Duo's browser-based prompt, Duo matches the device identifiers reported by Duo Desktop with managed device information obtained from Workspace ONE in a nightly sync via read-only API access (note this sync can't be manually initiated or rescheduled at this time).
Prerequisites
- Deploy Duo Desktop for macOS 10.13 and later to your Workspace ONE-managed endpoints. Refer to the Duo Desktop documentation to learn about different options for deploying the application.
    Note that you do not need to configure a Duo Desktop policy in order to use Workspace ONE with Duo Desktop.
- Create the Duo API user, role, and API key in Workspace ONE if you did not already do so, and have the admin account credentials and API key information available to enter into the Duo Admin Panel when needed.
Create the Workspace ONE with Duo Desktop Integration
- Log in to the Duo Admin Panel and navigate to Devices → Trusted Endpoints.
- If this is your first management integration, click the Get started button at the bottom of the Trusted Endpoints introduction page. If you're adding another management integration, click the Add Integration button you see at the top of the page instead.
- On the "Add Management Tools Integration" page, locate Workspace ONE in the list of "Device Management Tools" and click the Add this integration selector.
- Choose macOS from the "Recommended" options, and then click the Add button.
The new Workspace ONE with Duo Desktop integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.
Please note that this integration requires Duo Desktop to be installed on the device to be considered trusted.
Keep the Duo Admin Panel open in your browser. You'll need to refer back to the Workspace ONE with Duo Desktop management integration page to complete the configuration steps.
Enter Workspace ONE Info in Duo
- Return to your Workspace ONE macOS management integration page in the Duo Admin Panel if you navigated away.
- Enter the following information into the blank fields under step 4 of the Workspace ONE "Windows Configuration Instructions" section:
    Admin Username: Enter the Duo admin username you created in Workspace ONE.
    Admin Password: Enter the password for the Duo admin user you created in Workspace ONE.
    API Key: Enter the REST API key you created for Duo in Workspace ONE.
    Domain Name: Enter your organization's Workspace ONE domain. For example, if you access the Workspace ONE console at https://acmecorp.awmdm.com then you'd enter acmecorp.awmdm.com as the domain name.
- Click the Test Configuration button to verify Duo's API access to your Workspace ONE instance. You'll receive a "Configuration Successful!" message if everything's correct. If the test fails, verify that you completed the Workspace ONE configuration steps and entered the right information in the Duo Admin Panel.
- After you successfully test your configuration, click the Save & Configure button.
At this point the configured integration is disabled and applies to no users until you finish your deployment.
Verify macOS Device Information with Search
After you configure the connection between Workspace ONE and Duo you can verify that a given device's information is being pulled into Duo by searching for the device identifier from the Duo Admin Panel. See Search for Device Identifiers to learn how.
Android Configuration
Duo determines trusted device status on Android devices by leveraging the installed and activated Duo Mobile application on a given device to verify device information. To enable this verification you'll need to grant Duo read-only access to those devices via your Workspace ONE MDM's API access.
Prerequisites
- Create the Duo API user, role, and API key in Workspace ONE if you did not already do so, and have the admin account credentials and API key information available to enter into the Duo Admin Panel when needed.
Create the Workspace ONE Integration
- Log in to the Duo Admin Panel and navigate to Devices → Trusted Endpoints.
- If this is your first management integration, click the Get started button at the bottom of the Trusted Endpoints introduction page. If you're adding another management integration, click the Add Integration button you see at the top of the page instead.
- On the "Add Management Tools Integration" page, locate Workspace ONE in the list of "Device Management Tools" and click the Add this integration selector.
- Choose Android from the "Recommended" options, and then click the Add button.
The new Workspace ONE integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.
Please note that this integration takes advantage of managed app configuration and therefore Duo Mobile must be installed by your MDM for the device to be considered trusted.
Keep the Duo Admin Panel open in your browser. You'll need to refer back to the Workspace ONE management integration page to complete the Android configuration steps.
Configure Duo Mobile Distribution
- Log on to the Workspace ONE console as an administrator. Click the Add drop-down at the top of the page, then click Public Application.
- On the "Add Application" page, set the "Platform" to Android.
- Set the "Source" to SEARCH APP STORE.
- Enter Duo Mobile in the "Name" field and click Next to search for it in the Google Play Store.
- Click on Duo Mobile in the Google Play Store search results, and then click Approve for the Duo Mobile app.
- Configure app options like "Categories" on the "Details" tab if desired. Click SAVE & ASSIGN when done.
- Go to the "Assignments" tab for the Duo Mobile app, click Assign, and then click Add Assignment.
- On the "Duo Mobile - Add Assignment" page, select your desired assignment group or groups.
- Go to the "Application Configuration" section. Set it to ENABLED to reveal the Duo Mobile Trusted Endpoints Send Configuration fields.
- Locate the "Trusted Endpoint Identifier" managed configuration field and enter {DeviceUid} as the value.
- Return to your Workspace ONE Android management integration page in the Duo Admin Panel.
- Copy the "Trusted Endpoints Configuration Key" value from the Android Configuration Instructions of your Duo Workspace ONE management integration (it will look similar to DJPO0S0HLJD0ASDHTDD). Paste this into Workspace ONE as the Trusted Endpoints Configuration Key value.
- Click Add and then click Save and Publish in Workspace ONE to complete the app publishing process.
Enter Workspace ONE Info in Duo
- Return to your Workspace ONE Android management integration page in the Duo Admin Panel.
- Enter the following information into the blank fields under step 4 of the Workspace ONE "Android Configuration Instructions" section:
    Admin Username: Enter the Duo admin username you created in Workspace ONE.
    Admin Password: Enter the password for the Duo admin user you created in Workspace ONE.
    API Key: Enter the REST API key you created for Duo in Workspace ONE.
    Domain Name: Enter your organization's Workspace ONE domain. For example, if you access the Workspace ONE console at https://acmecorp.awmdm.com then you'd enter acmecorp.awmdm.com as the domain name.
- Click the Test Configuration button to verify Duo's API access to your Workspace ONE instance. You'll receive a "Configuration Successful!" message if everything's correct. If the test fails, verify that you completed the Workspace ONE configuration steps and entered the right information in the Duo Admin Panel.
- After you successfully test your configuration, click the Save & Configure button.
At this point the configured integration is disabled and applies to no users until you finish your deployment.
Verify Android Device Information with Search
After you configure the connection between Workspace ONE and Duo you can verify that a given device's information is being pulled into Duo by searching for the device identifier from the Duo Admin Panel. See Search for Device Identifiers to learn how.
iOS Configuration
Duo determines trusted device status on iOS devices by leveraging the installed and activated Duo Mobile application on a given device to verify device information. To enable this verification you'll need to grant Duo read-only access to those devices via your Workspace ONE MDM's API access.
Prerequisites
- Create the Duo API user, role, and API key in Workspace ONE if you did not already do so, and have the admin account credentials and API key information available to enter into the Duo Admin Panel when needed.
Create the Workspace ONE with App Config Integration
- Log in to the Duo Admin Panel and navigate to Devices → Trusted Endpoints.
- If this is your first management integration, click the Get started button at the bottom of the Trusted Endpoints introduction page. If you're adding another management integration, click the Add Integration button you see at the top of the page instead.
- On the "Add Management Tools Integration" page, locate Workspace ONE in the list of "Device Management Tools" and click the Add this integration selector.
- Choose iOS from the "Recommended" options, and then click the Add button.
The new Workspace ONE with App Config integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.
Please note that this integration takes advantage of managed app configuration and therefore Duo Mobile must be installed by your MDM for the device to be considered trusted.
Keep the Duo Admin Panel open in your browser. You'll need to refer back to the Workspace ONE with App Config management integration page to complete the configuration steps.
Configure Duo Mobile Distribution
- Log on to the Workspace ONE console as an administrator. Click the Add drop-down at the top of the page, then click Public Application.
- On the "Add Application" page, set the "Platform" to Apple iOS.
- Set the "Source" to SEARCH APP STORE.
- Enter Duo Mobile in the "Name" field and click Next to search for it in the App Store.
- Click Select next to Duo Mobile in the App Store search results.
- Configure app options like "Categories" on the "Details" tab if desired. Click SAVE & ASSIGN when done.
- Go to Resources → Settings → Assignment Groups, click Add Smart Group with fields selected, then click Save.
- Under the "Enrollment Category", check the boxes next to the type of devices you want to use (this example has "Apple" and "Android" selected). Click Save.
- Go to Resources → Native → select the Public list view → Duo Mobile.
- Go to the "Assignment" tab and click on the Assign button, then click on the Add Assignment button. Fill in the following info and proceed to the next section:
    Name: Provide an assignment name.
    Description: Provide a description (optional).
    Assignment Groups: Add an assignment group to which you want to assign this app. Select the previously created smart group.
    Add Delivery Method: Auto or On Demand.
- (Optional) On the "Restrictions" tab, select "Remove On Unenroll", "Prevent Removal", "Prevent Application Backup", or "Make App MDM Managed if User Installed" if needed, and proceed to the next section.
- (Optional) On the "Tunnel & Other Attributes" tab, select options if needed and proceed to the next section.
- On the "Application Configuration" tab, click the Send Configuration toggle button ON and click Add.
- Return to the Duo Admin Panel.
- Copy the Key under the "Trusted Endpoints Configuration Key" section and paste it into the Configuration Key field in Workspace ONE.
- Select String from the "Value Type" drop-down in Workspace ONE.
- Copy the Value under the "Trusted Endpoints Configuration Key" section and paste it into the Configuration Value field in Workspace ONE.
- Click Add again.
- Copy the Key under the "Trusted Endpoints Identifier" section and paste it into the Configuration Key field in Workspace ONE.
- Select String from the "Value Type" drop-down in Workspace ONE.
- Copy the Value under the "Trusted Endpoints Identifier" section and paste it into the Configuration Value field in Workspace ONE.
- Click Save to create the assignment.
Enter Workspace ONE Info in Duo
- Return to your Workspace ONE with App Config management integration page in the Duo Admin Panel.
- Enter the following information into the "Enter API details" blank fields under step 5 of the Workspace ONE iOS configuration section:
    Admin Username: Enter the Duo admin username you created in Workspace ONE.
    Admin Password: Enter the password for the Duo admin user you created in Workspace ONE.
    API Key: Enter the REST API key you created for Duo in Workspace ONE.
    Domain Name: Enter your organization's Workspace ONE domain. For example, if you access the Workspace ONE console at https://acmecorp.awmdm.com then you'd enter acmecorp.awmdm.com as the domain name.
- Click the Test Configuration button to verify Duo's API access to your Workspace ONE instance. You'll receive a "Configuration Successful!" message if everything's correct. If the test fails, verify that you completed the Workspace ONE configuration steps and entered the right information in the Duo Admin Panel.
- After you successfully test your configuration, click the Save & Configure button.
At this point the configured integration is disabled and applies to no users until you finish your deployment.
Verify iOS Device Information with Search
After you configure the connection between Workspace ONE and Duo you can verify that a given device's information is being pulled into Duo by searching for the device identifier from the Duo Admin Panel. See Search for Device Identifiers to learn how.
iOS Certificate Configuration
End of Life Information
New Workspace ONE certificate deployment management integrations may no longer be created as of October 2021, and the integration reached end of life on October 7, 2024. Duo device certificates will no longer renew after October 2024. You must migrate your certificate-based iOS Workspace ONE/AirWatch integration to Workspace ONE with App Config. See the Duo Knowledge Base article Guide to updating Trusted Endpoints iOS integrations from certificates to AppConfig for more information about migrating your iOS certificate-based management integrations to App Config.
Use of the Duo Desktop for trust attestation provides several advantages over the use of device certificates:
- It provides a more accurate assessment of your managed devices, and removes concerns about long-lived certificates present on devices no longer managed by your organization.
- It extends support to Firefox users. Trusted Endpoint certificate detection only works with Chrome, Edge, Safari, and Internet Explorer (depending on the management system).
- It improves trust detection for web browsers and thick client applications.
See the Duo Trusted Endpoints Certificate Migration Guide for more information.
Finish Trusted Endpoints Deployment
Once your Workspace ONE managed devices receive the Duo config you can set the Trusted Endpoints policy to start checking for managed device status as users authenticate to Duo-protected services and applications.
When your trusted endpoints policy is applied to your Duo applications, return to the Workspace ONE trusted endpoint management integration in the Admin Panel. The "Change Integration Status" section of the page shows the current integration status (disabled by default after creation). You can choose to either activate this management integration only for members of a specified test group, or activate for all users. If you created more than one Workspace ONE integration, you must activate each one individually.
Duo Premier and Duo Advantage plans: The Device Insight and Endpoints pages in the Duo Admin Panel show which access devices are trusted/managed.
Verify Your Setup
iOS App Config and Android
Users with Duo Mobile installed and activated for Duo Push on Android and iOS devices see a device trust dialog when authenticating to a protected resource via the Duo Prompt.
Duo uses the API access you granted in Workspace ONE to perform a permissions check to verify device information.
If Duo successfully verifies the device information using the Workspace ONE API access, and the user has Duo Mobile activated for Duo Push, then the user receives a login request on their phone.
On Android devices, approving the request grants access and returns the user to the protected application. On iOS devices, after approving the Duo authentication request users tap the top-left of the Duo Mobile app to return to the application and complete login. The "Second Factor" logged for these approvals is shown as "Duo Mobile Inline Auth" in the Duo authentication log.
If the user does not have Duo Mobile activated for push, or does not approve the Duo request before it times out, the user returns to the Duo Prompt, where they may select from the available factors to complete 2FA.
Windows and macOS with Duo Desktop
When Windows or macOS users access Duo-protected resources, Duo Desktop provides device information to Duo. If the information from the device matches the information in Workspace ONE, Duo grants access to the trusted device.
Search for Device Identifiers
If you configured Duo Desktop for Windows or macOS or Duo Mobile for iOS with App Config or Android to determine device trust, you may want to search for specific device identifiers to verify that the identifier information for a given trusted device exists in Duo. This can be useful to verify a device you expect to be trusted was imported from Workspace ONE into Duo.
To search for a device identifier in Duo:
- Log in to the Duo Admin Panel and navigate to Trusted Endpoints.
- Locate the Workspace ONE, Workspace ONE with Duo Desktop, or Workspace ONE with App Config device management integration you want to search for a device identifier in the list and click on it to view its details.
- In the "Check if devices have synced" section, enter the identifier for the device you want to check and click Search.
- A message appears indicating whether the device identifier was found or not found. If the device identifier is not found, check your Workspace ONE API configuration and wait 24 hours.
Use these instructions to find the device identifier to search in Workspace ONE.
- Log in to the Workspace ONE administration panel, navigate to Devices → List View, and select a device to view.
- Under "List view", locate the "Device Info".
- The "UDID" is the device identifier. Copy this value and use it to perform the search in Duo.
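The two checks this guide relies on, Duo's Test Configuration button (does the read-only Duo admin account plus API key actually authenticate to Workspace ONE?) and the UDID lookup above, can also be exercised from the command line, which helps when the Duo search reports an identifier as not found and you want to confirm what Workspace ONE itself returns. The script below is an added example, not Duo's or VMware's code. It assumes the Workspace ONE UEM REST endpoint GET /API/mdm/devices/search, the aw-tenant-code header for the API key, and the response fields Udid, SerialNumber and DeviceFriendlyName as documented by VMware; the environment variable names and the sample response are constructed for the example.

```python
"""
Added example (not from the Duo documentation): authenticate to the
Workspace ONE UEM REST API with the read-only Duo admin account and map
serial numbers / friendly names to the UDID that Duo's "Check if devices
have synced" search expects.

Assumptions (labelled, not from the page):
  - GET https://<domain>/API/mdm/devices/search with HTTP Basic auth and
    the aw-tenant-code header, returning {"Devices": [{"Udid": ...}]}.
  - Credentials are read from environment variables (WS1_DOMAIN,
    WS1_USER, WS1_PASS, WS1_API_KEY) so nothing secret sits in the file.
"""
import base64
import json
import os
import urllib.request
from typing import Dict, Optional


def build_headers(username: str, password: str, api_key: str) -> Dict[str, str]:
    """Workspace ONE REST auth: HTTP Basic for the admin account plus the
    tenant REST API key in the aw-tenant-code header."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {
        "Authorization": f"Basic {token}",
        "aw-tenant-code": api_key,
        "Accept": "application/json",
    }


def device_index(search_response: dict) -> Dict[str, str]:
    """Map (lower-cased) serial number and friendly name to UDID for every
    device in a devices/search response. Devices with no UDID are skipped:
    Duo has nothing to match them against."""
    index: Dict[str, str] = {}
    for dev in search_response.get("Devices", []):
        udid = dev.get("Udid")
        if not udid:
            continue
        for key in ("SerialNumber", "DeviceFriendlyName"):
            val = dev.get(key)
            if val:
                index[val.lower()] = udid
    return index


def find_udid(search_response: dict, needle: str) -> Optional[str]:
    """Return the UDID for a serial number or friendly name, or None."""
    return device_index(search_response).get(needle.lower())


def fetch_devices(domain: str, headers: Dict[str, str], page_size: int = 500) -> dict:
    """Live call, only made when run as a script. An HTTP 401/403 here means
    the Duo admin account, its role, or the API key is wrong (or the Basic
    admin's password has expired), the same failure Duo's Test Configuration
    button reports. Assumed pagesize query parameter; page through
    Page/PageSize/Total for tenants with more than one page of devices."""
    url = f"https://{domain}/API/mdm/devices/search?pagesize={page_size}"
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample response shaped like a devices/search result.
SAMPLE_RESPONSE = {
    "Devices": [
        {"Udid": "A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4",
         "SerialNumber": "C02XYZ123ABC",
         "DeviceFriendlyName": "jsmith MacBook Pro"},
        {"Udid": "",  # enrolment not finished: no identifier for Duo to sync
         "SerialNumber": "PENDING001",
         "DeviceFriendlyName": "Unenrolled laptop"},
    ],
    "Page": 0, "PageSize": 500, "Total": 2,
}

if __name__ == "__main__":
    domain = os.environ.get("WS1_DOMAIN")
    if domain:
        hdrs = build_headers(os.environ["WS1_USER"], os.environ["WS1_PASS"],
                             os.environ["WS1_API_KEY"])
        data = fetch_devices(domain, hdrs)
    else:
        data = SAMPLE_RESPONSE  # offline run on the constructed sample
    for name, udid in sorted(device_index(data).items()):
        print(f"{name}: {udid}")
```

Run it with WS1_DOMAIN set to the same domain name you entered in the Duo Admin Panel (for example acmecorp.awmdm.com) and the Duo admin credentials and API key in the other variables; a UDID printed here that Duo's search still cannot find after the nightly sync points at the integration configuration rather than at Workspace ONE.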
Removing the Workspace ONE Management Integration
Be sure to unassign your trusted endpoints policy from all applications or remove the "Trusted Endpoints" configuration item from your global policy before deleting an existing Workspace ONE integration from "Trusted Endpoints Configuration". You should also disable your Duo admin user in Workspace ONE.
Leaving the policy settings in place after deleting a management tools integration may inadvertently block user access to applications.
Deleting a trusted endpoints management tool integration from the Duo Admin Panel immediately invalidates issued Duo device authentication certificates.
Troubleshooting
Need some help? Take a look at our Trusted Endpoints Knowledge Base articles or Community discussions. For further assistance, contact Support.