Get Started: Mobile Device Trust

Overview

JumpCloud Mobile Device Trust brings JumpCloud Go™ to mobile devices and enables seamless, secure access to JumpCloud-protected resources on the go. Using the JumpCloud Protect® mobile app, users register their device with JumpCloud Go, enabling biometric, passwordless verification when accessing protected resources.

When you create Conditional Access Policies in combination with JumpCloud Go for Mobile, you enforce Device Trust. This protects your company’s resources by ensuring users can access them only on trusted devices. Using a combination of JumpCloud Device Management, JumpCloud Go, JumpCloud Protect, and Conditional Access Policies (CAPs), you can safeguard access to both the JumpCloud User Portal and individual SSO apps.

Mobile devices can be trusted when they are enrolled in JumpCloud Device Management, have the JumpCloud Protect app deployed using Software Management, and are registered with JumpCloud Go. After registration, users verify their identity using JumpCloud Go for Mobile and biometrics on their device.

Note:
  • You can take advantage of JumpCloud Go for Mobile without enforcing device trust. By configuring the necessary prerequisites without creating CAPs, users can register their devices with JumpCloud Protect and use JumpCloud Go for seamless access to the User Portal and SSO apps.
  • When you enforce CAPs, users on devices that don’t meet the minimum criteria will not be able to access the protected resources.

Prerequisites

JumpCloud Go for Mobile

  • JumpCloud Go is enabled for your org. See Get Started: JumpCloud Go to learn more.
  • Device Management is enabled for your org.
  • Mobile devices are enrolled in JumpCloud Device Management:
    • Apple devices are enrolled in Apple MDM with the following supported enrollment types:
      • Automated Device Enrollment (ADE).
      • Profile-driven Device Enrollment.
      • Profile-driven User Enrollment.
    • Android devices are enrolled in Android EMM with the following supported enrollment types:
      • Work Profile (Personal device).
      • Work Profile (Company-owned device).
      • Fully managed device.
      • Dedicated device.
  • Users are bound to their devices in JumpCloud; otherwise the JumpCloud Go for Mobile registration process will fail.
    • Company-owned devices using Android Zero Touch, Apple Automated Device Enrollment (ADE), or Admin Portal enrollments require you to bind the user to the mobile device record in JumpCloud. See Bind Users to Devices to learn more.
    • BYOD devices using User Enrollment for iOS or Work Profile for Android automatically bind the user to the device during enrollment if initiated via the User Portal.
      • BYOD/User Enrolled Apple devices require Managed Apple IDs (MAIDs) to enroll in MDM.
  • Apple VPP and/or Software Management for Android are enabled for your org to deploy the managed JumpCloud Protect app (v2.2.2+) to user devices.

Note:
  • Devices without the JumpCloud Protect app will not be able to use JumpCloud Go for Mobile or access resources protected by Device Trust.

Device Trust

  • Conditional Access Policies (CAPs) are configured for each resource that you want to protect using the Device Management condition.

Note:
  • On mobile devices (iOS/Android), Device Trust is established using JumpCloud Go via the JumpCloud Protect app.
  • On desktop devices (macOS, Windows, Linux), Device Trust can be established using either JumpCloud Go or Device Trust Certificates for Desktop. See Manage Device Trust Certificates for Desktop to learn more.
    • CAPs using the Device Management condition are evaluated based on the platform of the device requesting access.

Android MDT Requirements

Before you enroll in Android Mobile Device Trust (MDT), ensure your device meets the minimum version requirements for both the Android OS and the JumpCloud Protect application to effectively enhance your security posture with MDT.

Important:
  • Android devices enrolled in MDT will have a persistent, system-mandated background notification enabled for JumpCloud Go.

Minimum Version Requirements

  • Android OS: version 12 or higher
  • JumpCloud Protect application: version 2.2.10 or higher

Note:
  • Android MDT enrollment requires Android OS versions 12 or higher to maintain strong security standards.

Considerations

  • Persistent background notifications
    • In the work profile on the managed Android device, there will be a persistent background notification running for JumpCloud Go in the Android notification drawer.
    • These background notifications are required to enable the continuous operation and total transparency of JumpCloud’s background activities on your device.
  • Android MDT vs. Android EMM
    • Android Mobile Device Trust (MDT) focuses on establishing your device's security posture and granting access. To maintain security standards, enrolling in Android MDT requires Android OS versions 12 or higher. 
    • Android Enterprise Mobility Management (EMM) focuses on mobility management, including mobile device management (MDM). Android EMM can be used with Android OS versions 5.1 and higher.

Enforcing Device Trust

When you configure CAPs to enforce Mobile Device Trust, users can’t access protected resources on untrusted devices. When users first access a protected resource on a trusted device, they’re redirected to the JumpCloud Protect app to register their device with JumpCloud Go. After entering their credentials (and completing the MFA challenge, if enabled by the admin), their device is registered with JumpCloud Go, establishing their device as trusted.

When users access protected resources, they verify their identity using JumpCloud Go via the JumpCloud Protect app with device biometrics, granting access. The hardware-backed JumpCloud Go token is valid for 1 year.

For a mobile device to be considered trusted:

  • The device is enrolled in Device Management: Apple MDM and/or Android EMM.
  • JumpCloud Protect is deployed to the device using Apple VPP and/or Software Management.
  • The device passes integrity and jailbreak detection checks.

Accessing the JumpCloud User Portal

If your users access their company resources from the JumpCloud User Portal, you can create a CAP that restricts access on unmanaged devices. Because users require access to the User Portal to register their devices with JumpCloud Go, this CAP does not explicitly block access; instead, the highest level of MFA is used for authentication.

Protecting Individual SSO Apps

You can create CAPs for specific SSO apps available to your users. For example, Slack may contain privileged information that you want users to only access from trusted devices. To do so, create a CAP for the Slack SSO app and restrict access on untrusted devices using the Managed Device condition. 
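To make the decision logic described in the preceding sections concrete, the following added example (not JumpCloud code; the `Device` fields and the four decision outcomes are assumptions modelling the page's description) evaluates a Managed Device CAP against constructed device records: mobile trust only via JumpCloud Go through the Protect app plus integrity checks, desktop trust via Go or a Device Trust Certificate, the 1-year Go token lifetime, step-up MFA instead of a block for the User Portal, and redirect-to-register for a first access on an otherwise trusted mobile device.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Page: the hardware-backed JumpCloud Go token is valid for 1 year.
GO_TOKEN_LIFETIME = timedelta(days=365)
MOBILE = {"ios", "android"}
DESKTOP = {"macos", "windows", "linux"}


@dataclass
class Device:
    """Constructed device record (field names are assumptions, not a vendor schema)."""
    platform: str                   # ios, android, macos, windows, linux
    managed: bool                   # enrolled in Apple MDM / Android EMM
    protect_installed: bool         # managed Protect app deployed (mobile)
    go_registered_on: date | None   # date the device registered with Go, if ever
    integrity_ok: bool              # passes integrity / jailbreak detection
    has_desktop_cert: bool = False  # Device Trust Certificate (desktop only)


def go_token_valid(dev: Device, today: date) -> bool:
    return (dev.go_registered_on is not None
            and today - dev.go_registered_on < GO_TOKEN_LIFETIME)


def is_trusted(dev: Device, today: date) -> bool:
    """Trusted-device criteria as described on this page (model, not vendor code)."""
    if not dev.managed:
        return False
    if dev.platform in MOBILE:
        # Mobile: trust comes only via Go through the Protect app, plus integrity checks.
        return dev.protect_installed and dev.integrity_ok and go_token_valid(dev, today)
    if dev.platform in DESKTOP:
        # Desktop: either Go or a Device Trust Certificate satisfies the condition.
        return go_token_valid(dev, today) or dev.has_desktop_cert
    return False


def evaluate_cap(resource: str, dev: Device, today: date,
                 os_filter: set[str] | None = None) -> str:
    """Decision for a CAP using the Managed Device condition:
    'allow', 'step_up_mfa', 'redirect_register' or 'deny' (hypothetical outcome names)."""
    if os_filter is not None and dev.platform not in os_filter:
        return "allow"  # Operating System condition: policy does not target this platform
    if is_trusted(dev, today):
        return "allow"
    if resource == "user_portal":
        # Users need the portal to register, so the highest MFA level is required instead of a block.
        return "step_up_mfa"
    if dev.platform in MOBILE and dev.managed and dev.protect_installed and dev.integrity_ok:
        return "redirect_register"  # first access (or expired token): register with Go via Protect
    return "deny"
```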

Admin Configuration Workflow

After enabling the prerequisite features, configure your mobile devices to start using JumpCloud Go for Mobile and Device Trust:

Important:

Additional configuration is required to use the JumpCloud Protect Android app. See JumpCloud Protect Android App.

  • Create CAPs in JumpCloud that limit access to the User Portal, SSO apps, or both using the Managed Device condition. Optionally, use the Operating System condition to target specific device types. See Configure a Conditional Access Policy to learn more.

FAQ

General Questions

Can I use JumpCloud Go for Mobile without configuring access policies?

Yes, if you don’t enforce CAPs. You can use JumpCloud Go to enable secure and seamless authentication on mobile devices.

What is the difference between a managed and trusted device?
  • Managed device: A device that is enrolled in Device Management (MDM for Apple devices or Google EMM for Android devices). Device management is only one requirement to establish a device as trusted.
  • Trusted device: A device that meets all of the requirements to be trusted by JumpCloud. This includes enrollment in Device Management as well as JumpCloud Protect and JumpCloud Go registration.