Device Posture
Last modified on August 2, 2023
Overview
Device Posture is a security mode that enables your organization to configure StrongDM to work with endpoint management software, such as CrowdStrike and SentinelOne.
When running in Device Posture mode, the StrongDM client ensures, both upon logging in and on a continuous basis, that the machine hosting the client has an endpoint agent running and that it has not flagged any vulnerabilities. If any of these conditions are violated, the client is logged out and any active resource connections are severed.
StrongDM admins can enable Device Posture for all users, including service accounts. Moreover, admins can specify users and roles to be excluded from device posture enforcement. This page describes how to set up Device Posture in the Admin UI.
Prerequisites
Device posture enablement requires that your organization have active CrowdStrike or SentinelOne software running on user workstations. In addition, you must have administrative access to your organization’s CrowdStrike or SentinelOne accounts.
Admin UI Configuration
In the Admin UI, go to Settings > Security.
Under Device Posture, click the lock to change the settings.
For Enforce Device Posture Authentication?, select Yes to enable it. Then click Save.
Consider which users and/or roles, if any, you want to exclude from Device Posture enforcement. Before fully activating Device Posture, you can make exceptions for specific users and roles so that Device Posture is enforced for all users and roles except the ones you exclude.
To make an exception for a user, go to the user’s Settings tab and check the box for Disable Device Posture Enforcement.
To make an exception for a role, go to the role’s Settings tab and check the box for Disable Device Posture Enforcement.
Go back to Settings > Security > Device Posture to configure the remaining settings.
For Provider, choose your endpoint management software provider (for example, CrowdStrike or SentinelOne).
Complete the remaining settings for your selected provider.
Save when you’re done.
Device Posture settings
Device Posture settings for each provider are described in the following tables.
In these settings, “agent” refers to the endpoint agent (SentinelOne or CrowdStrike) that is installed on the user’s workstation. The agent monitors the user workstation’s posture and assesses whether the given workstation is in a positive or negative integrity state.
CrowdStrike settings

Setting | Requirement | Description |
---|---|---|
Allow service accounts to run without the agent | Optional | Selecting Yes means you may decide not to enforce device posture if the machine is not enrolled with the provider |
Allow users without the agent | Optional | Selecting Yes means you may decide not to enforce device posture if you don’t recognize the user’s computer |
Base URL | Required | CrowdStrike base address (for example, https://your-cloud-region.crowdstrike.com ) |
Client ID | Required | CrowdStrike client ID |
Client Secret | Required | CrowdStrike client secret |
Member CID | Optional | CrowdStrike customer identification (CID), which is found on the sensor download page of the CrowdStrike Console |
Provider | Required | Select CrowdStrike |
Score | Required | Numeric value, from 1 to 100, that indicates the security posture for the host |
SentinelOne settings

Setting | Requirement | Description |
---|---|---|
Allow service accounts to run without the agent | Optional | Selecting Yes means you may decide not to enforce device posture if the machine is not enrolled with the provider |
Allow users without the agent | Optional | Selecting Yes means you may decide not to enforce device posture if you don’t recognize the user’s computer |
API Token | Required | SentinelOne API token, which can be generated in the SentinelOne management console in the user settings |
Management URL | Required | SentinelOne Management URL (for example, https://example-management-url.sentinelone.net/ ) |
Provider | Required | Select SentinelOne |
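The following is an added example, not StrongDM code, that models how the settings in the two tables combine into a single allow/deny decision for one login or periodic check. The field names are constructed here, and the CrowdStrike Score is assumed to act as the minimum acceptable host score.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class PostureSettings:
    """Constructed model of the Admin UI settings; not StrongDM's schema."""
    provider: str                       # "CrowdStrike" or "SentinelOne"
    min_score: int = 1                  # CrowdStrike "Score", 1..100 (assumed to be a minimum)
    allow_users_without_agent: bool = False
    allow_service_accounts_without_agent: bool = False
    excluded_users: Set[str] = field(default_factory=set)
    excluded_roles: Set[str] = field(default_factory=set)

    def __post_init__(self):
        if not 1 <= self.min_score <= 100:
            raise ValueError("Score must be between 1 and 100")


@dataclass
class DeviceReport:
    """What the endpoint agent reports about the workstation (constructed)."""
    agent_present: bool
    flagged_vulnerabilities: int = 0
    score: Optional[int] = None         # CrowdStrike host score, if the agent is present


@dataclass
class Principal:
    name: str
    roles: Set[str]
    is_service_account: bool = False


def evaluate_posture(settings: PostureSettings, who: Principal, report: DeviceReport) -> Tuple[bool, str]:
    """Return (allowed, reason). Excluded users/roles skip enforcement entirely;
    everyone else needs a running agent, zero flagged vulnerabilities and,
    for CrowdStrike, a host score at or above the configured Score."""
    if who.name in settings.excluded_users:
        return True, "user excluded from enforcement"
    if who.roles & settings.excluded_roles:
        return True, "role excluded from enforcement"
    if not report.agent_present:
        if who.is_service_account and settings.allow_service_accounts_without_agent:
            return True, "service account allowed without agent"
        if not who.is_service_account and settings.allow_users_without_agent:
            return True, "user allowed without agent"
        return False, "endpoint agent not running: log out and sever connections"
    if report.flagged_vulnerabilities > 0:
        return False, f"agent flagged {report.flagged_vulnerabilities} vulnerabilities"
    if settings.provider == "CrowdStrike" and (report.score is None or report.score < settings.min_score):
        return False, f"host score {report.score} below required {settings.min_score}"
    return True, "posture OK"
```

A denied result corresponds to the client behaviour described under User Experience below: the user is logged out and active resource connections are severed.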
Additional Information for SentinelOne
SentinelOne API calls require authentication, and SentinelOne’s recommended authentication method is the API token (that is, ApiToken). API tokens are generated in the SentinelOne Management Console or through an API request, and each token is valid for six months. Because of this expiration, you must rotate or regenerate your API token every six months if SentinelOne is your Device Posture provider. You can see your token’s expiration date when viewing your user account in the SentinelOne Management Console.
For more information, refer to the SentinelOne API documentation.
User Experience
When device posture is enabled, users who do something that triggers the agent (SentinelOne or CrowdStrike) to report poor device posture are logged out from the desktop app and/or CLI within five minutes. Any active connections to resources are severed, and the user cannot use StrongDM.
If the user is using the CLI, the user is logged out and all connections are severed. In the logs, the client reports “Logged out–reconnecting error….”
The desktop app shows the login screen and the message “Security issue found.”
