Build Zero Trust rules with managed devices

Starting today, your team can use Cloudflare Access to build rules that only allow users to connect to applications from a device that your enterprise manages. You can combine this requirement with any other rule in Cloudflare’s Zero Trust platform, including identity, multifactor method, and geography.

As more organizations adopt a Zero Trust security model with Cloudflare Access, we hear from customers who want to prevent connections from devices they do not own or manage. For some businesses, a fully remote workforce increases the risk of data loss when any user can log in to sensitive applications from an unmanaged tablet. Other enterprises need to meet new compliance requirements that restrict work to corporate devices.

We’re excited to help teams of any size apply this security model, even if your organization does not have a device management platform or mobile device manager (MDM) today. Keep reading to learn how Cloudflare Access solves this problem and how you can get started.


The challenge of unmanaged devices

An enterprise that owns corporate devices has some level of control over them. Administrators can assign, revoke, inspect and manage devices in their inventory. Whether teams rely on management platforms or a simple spreadsheet, businesses can treat corporate devices as their own.

That visibility and management does not apply to a personal device — and we are all glad that is true. However, that same value causes problems when enterprises need to restrict data or access to applications to only a corporate device. If I’m able to log in to a system and download data on a personal device, I have created a new headache for IT and security.

Single sign-on (SSO) providers and SaaS applications make it easier to make that mistake, intentionally or not. Users can log in to a corporate application by simply reusing their passwords. Even if the organization enforces multifactor methods like hard key authentication, a user can just plug their key into a personal device.

Cloudflare’s Solution

We’re excited to give any team the ability to maintain control over data by ensuring it stays on corporate devices. Cloudflare Access is a comprehensive Zero Trust platform that administrators can use to build rules by identity and other signals. Teams can build rules for self-managed and SaaS applications. Every request and login is captured and all of it is made faster for end users on Cloudflare’s global network.

You can now use Cloudflare’s Zero Trust platform to build a new type of rule: only allow connections or logins from a corporate-owned device. You can use your own inventory system, whether it is a simple spreadsheet or an export from an MDM platform’s API. Our Cloudflare for Teams agent runs on the device and gathers details about the hardware, those details are checked against your inventory, and Cloudflare’s edge makes a decision instantly.

How it works

Enforcing corporate devices in Access takes about 20 minutes to set up and only requires that you have a list of corporate devices’ serial numbers.

The first step is to establish and import your list of managed device serial numbers. Serial number lists can be uploaded in bulk or created manually directly in the Teams Dashboard. Many inventory and asset management tools provide a straightforward way to export device serial numbers.

It is also possible to upload new serial numbers over the API, allowing for automation when new devices are purchased.

The next step is to deploy the WARP client across your corporate machines. Users can download and install the client themselves or it can be installed via an MDM solution.

That’s all that is required to begin enforcing Zero Trust access for only corporate devices! You will now be able to build Access rules that check if a device’s serial number is in the managed devices list.


Now even if a user moved their hard key over and installed WARP on their personal device, they would still be blocked because that device’s serial number is not in the corporate list.
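To make the decision logic concrete, here is an added example (not Cloudflare’s code and not its API) that models an Access rule combining a corporate identity, a hardware-key MFA requirement and membership in a managed-serial list imported from a spreadsheet export. The inventory CSV, users and serials are constructed sample data, and the rule evaluator is a hypothetical stand-in for the check Cloudflare’s edge performs.

```python
import csv
import io
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed sample export from an asset-inventory spreadsheet (hypothetical data).
INVENTORY_CSV = """serial,owner
 C02XK1ABCDEF ,alice@example.com
c02yz9ghijkl,bob@example.com
"""


def load_managed_serials(csv_text: str) -> Set[str]:
    """Normalise serials on import so case and stray whitespace in an
    inventory export do not silently lock out a genuine corporate device."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["serial"].strip().upper() for row in reader if row["serial"].strip()}


@dataclass
class Request:
    email: str
    mfa_method: Optional[str]      # e.g. "hardware_key", "totp", or None
    device_serial: Optional[str]   # None when no WARP client reported a serial


def evaluate(req: Request, managed: Set[str], domain: str = "example.com") -> Tuple[bool, str]:
    """All rules are ANDed: corporate identity, hardware-key MFA, managed device.
    Returns (allowed, reason) so a denial can be logged with its failing rule."""
    if not req.email.lower().endswith("@" + domain):
        return False, "identity: not a corporate account"
    if req.mfa_method != "hardware_key":
        return False, "mfa: hardware key required"
    if req.device_serial is None:
        return False, "device: no serial reported (client not installed)"
    if req.device_serial.strip().upper() not in managed:
        return False, "device: serial not in managed list"
    return True, "allow"


if __name__ == "__main__":
    managed = load_managed_serials(INVENTORY_CSV)
    # Hard key moved to a personal laptop with WARP installed: identity and MFA
    # pass, but the device serial is unknown, so the request is still denied.
    print(evaluate(Request("alice@example.com", "hardware_key", "PERSONAL123"), managed))
```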

Getting Started

If you would like to start locking down applications to only corporate devices, sign up for a free Teams account, which covers up to 50 users. If you are an existing customer, this is available in your Teams Dashboard today and can be set up with the following guide.