Subscribe to receive notifications of new posts:

Build Zero Trust rules with managed devices

2021-03-30

3 min read
This post is also available in Indonesia and ไทย.
Build Zero Trust rules with managed devices

Starting today, your team can use Cloudflare Access to build rules that only allow users to connect to applications from a device that your enterprise manages. You can combine this requirement with any other rule in Cloudflare’s Zero Trust platform, including identity, multifactor method, and geography.

As more organizations adopt a Zero Trust security model with Cloudflare Access, we hear from customers who want to prevent connections from devices they do not own or manage. For some businesses, a fully remote workforce increases the risk of data loss when any user can log in to sensitive applications from an unmanaged tablet. Other enterprises need to meet new compliance requirements that restrict work to corporate devices.

We’re excited to help teams of any size apply this security model, even if your organization does not have a device management platform or mobile device manager (MDM) today. Keep reading to learn how Cloudflare Access solves this problem and how you can get started.

We’re excited to help teams of any size apply this security model, even if your organization does not have a device management platform or mobile device manager (MDM) today.

The challenge of unmanaged devices

An enterprise that owns corporate devices has some level of control over them. Administrators can assign, revoke, inspect and manage devices in their inventory. Whether teams rely on management platforms or a simple spreadsheet, businesses can treat corporate devices as their own.

That visibility and management does not apply to a personal device — and we are all glad that is true. However, that same value causes problems when enterprises need to restrict data or access to applications to only a corporate device. If I’m able to login to a system and download data on a personal device, I have created a new headache for IT and security.

Single sign-on (SSO) providers and SaaS applications make it easier to make that mistake, intentionally or not. Users can login to a corporate application by simply reusing their passwords. Even if the organization enforces multifactor methods like hard key authentication, a user can just plug their key into a personal device.

Cloudflare’s Solution

We’re excited to give any team the ability to maintain control over data by ensuring it stays on corporate devices. Cloudflare Access is a comprehensive Zero Trust platform that administrators can use to build rules by identity and other signals. Teams can build rules for self-managed and SaaS applications. Every request and login is captured and all of it is made faster for end users on Cloudflare’s global network.

You can now use Cloudflare’s Zero Trust platform to build a new type of rule: only allow connections or logins from a corporate-owned device. You can use your own inventory system, whether it is a simple spreadsheet or API from an MDM platform. Our Cloudflare for Teams agent runs on the device and gathers details about the hardware, checks it against your inventory, and Cloudflare’s edge makes a decision instantly.

How it works

Enforcing corporate devices in Access takes about 20 minutes to set up and only requires that you have a list of corporate devices’ serial numbers.

The first step is to establish and import your list of managed device serial numbers. Serial number lists can be uploaded in bulk or created manually directly in the Teams Dashboard. Many inventory and asset management tools provide a straightforward way to export device serial numbers.

It is also possible to to upload new serial numbers over the API allowing for automation when new devices are purchased.

The next step is to deploy the WARP client across your corporate machines. Users can download and install the client themselves or it can be installed via an MDM solution.

That’s all that is required to begin enforcing Zero Trust access for only corporate devices! You will now be able to build Access rules that check if a device’s serial number is in the managed devices list.

You will now be able to build Access rules that check if a device’s serial number is in the managed devices list.

Now even if a user moved their hard-key over and installed WARP on their personal device, they would still be blocked because they’re not in the corporate serial number list.

Getting Started

If you would like to start locking down applications to only corporate devices, sign up for a free Teams account up to 50 users. If you are an existing customer, this is available in your Teams Dashboard today and can be set up with the following guide.

Cloudflare's connectivity cloud protects entire corporate networks, helps customers build Internet-scale applications efficiently, accelerates any website or Internet application, wards off DDoS attacks, keeps hackers at bay, and can help you on your journey to Zero Trust.

Visit 1.1.1.1 from any device to get started with our free app that makes your Internet faster and safer.

To learn more about our mission to help build a better Internet, start here. If you're looking for a new career direction, check out our open positions.
Security WeekCloudflare AccessZero TrustTeams DashboardCloudflare Zero TrustSecurity

Follow on X

Kenny Johnson|@KennyJohnsonATX
Cloudflare|@cloudflare

Related posts

October 23, 2024 1:00 PM

Fearless SSH: short-lived certificates bring Zero Trust to infrastructure

Access for Infrastructure, BastionZero’s integration into Cloudflare One, will enable organizations to apply Zero Trust controls to their servers, databases, Kubernetes clusters, and more. Today we’re announcing short-lived SSH access as the first available feature of this integration. ...

October 15, 2024 1:00 PM

Protect against identity-based attacks by sharing Cloudflare user risk scores with Okta

Uphold Zero Trust principles and protect against identity-based attacks by sharing Cloudflare user risk scores with Okta. Learn how this new integration allows your organization to mitigate risk in real time, make informed access decisions, and free up security resources with automation....

October 08, 2024 1:00 PM

Cloudflare acquires Kivera to add simple, preventive cloud security to Cloudflare One

The acquisition and integration of Kivera broadens the scope of Cloudflare’s SASE platform beyond just apps, incorporating increased cloud security through proactive configuration management of cloud services. ...