Select Device Trust Settings
Device trust settings enable you to identify devices more precisely as managed or unmanaged, and to restrict access to data on unmanaged devices more effectively through policy settings. When device trust is enabled, you can validate the certificate presented by a device. If no certificate is present, the device is considered unmanaged. You can specify a certificate for a device and validate the device ID using regex patterns. In addition, you can configure these types of device checking:
- Certificate Revocation List (CRL) checking - Enables device certificate validation against a list of revoked certificates. For example, an active certificate might have been revoked because its private key was lost or compromised, or because the previous owner of a domain no longer owns the domain.
- Mobile Device Management (MDM) checking - Provides additional device validity checking using security software. In Secure Cloud Access, you can apply VMware Workspace ONE (AirWatch) Enterprise Mobility Management (EMM) technology to provide greater control over data on employee mobile devices. For information about configuring EMM for use with Secure Cloud Access, see Enterprise Mobility.
To configure device trust settings, click the Device Trust Enabled toggle to enable it. Then, enter or select options as follows.
- Device Trust CA Certificate - Select a certificate from the list.
Notes about key usage
The following key usage values must be present in the trusted CA certificate that is imported and selected as the Device Trust CA certificate, and in the device trust certificate that is deployed on a user's device.
- For the trusted CA certificate imported to the SASE console and selected as the Device Trust CA certificate:
  - Key usage -- Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)
- For the device trust certificate deployed on a user's device:
  - Key usage -- Digital Signature, Key Encipherment (a0)
  - Enhanced Key Usage -- Client Authentication (1.3.6.1.5.5.7.3.2) and Server Authentication (1.3.6.1.5.5.7.3.1)
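The hex values in parentheses (86, a0) are how the Windows certificate viewer displays the first byte of the X.509 Key Usage bit string. The following added example (not part of this documentation or of the product) decodes that byte into the named usages and checks that a CA certificate and a device certificate carry the usages listed above. The `decode_key_usage` and `check_*` function names are the example's own; the bit-to-name mapping follows RFC 5280 (bit 0, Digital Signature, is the most significant bit), and the example assumes the Key Usage bit string fits in one byte.

```python
# Key Usage bits as laid out in RFC 5280 section 4.2.1.3. The certificate
# viewer prints the first byte of the bit string in hex, e.g. "(86)".
KEY_USAGE_BITS = [
    ("Digital Signature", 0x80),   # bit 0
    ("Non Repudiation", 0x40),     # bit 1
    ("Key Encipherment", 0x20),    # bit 2
    ("Data Encipherment", 0x10),   # bit 3
    ("Key Agreement", 0x08),       # bit 4
    ("Certificate Signing", 0x04), # bit 5 (keyCertSign)
    ("CRL Signing", 0x02),         # bit 6 (cRLSign; Windows also lists "Off-line CRL Signing")
    ("Encipher Only", 0x01),       # bit 7
]

OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

# Usages required by the device trust notes above.
REQUIRED_CA_USAGE = {"Digital Signature", "Certificate Signing", "CRL Signing"}
REQUIRED_DEVICE_USAGE = {"Digital Signature", "Key Encipherment"}
REQUIRED_DEVICE_EKU = {OID_CLIENT_AUTH, OID_SERVER_AUTH}


def decode_key_usage(first_byte_hex):
    """Turn the hex byte shown by the certificate viewer (e.g. "a0") into a
    set of usage names."""
    value = int(first_byte_hex, 16)
    if not 0 <= value <= 0xFF:
        raise ValueError("expected a single byte in hex")
    return {name for name, mask in KEY_USAGE_BITS if value & mask}


def check_ca_cert(key_usage_hex):
    """Return the sorted list of usages the Device Trust CA cert is missing
    (empty list means it satisfies the note above)."""
    return sorted(REQUIRED_CA_USAGE - decode_key_usage(key_usage_hex))


def check_device_cert(key_usage_hex, eku_oids):
    """Return a dict of what the device trust cert is missing: key usages
    and Enhanced Key Usage OIDs. Both lists empty means it is acceptable."""
    return {
        "key_usage": sorted(REQUIRED_DEVICE_USAGE - decode_key_usage(key_usage_hex)),
        "eku": sorted(REQUIRED_DEVICE_EKU - set(eku_oids)),
    }


if __name__ == "__main__":
    # Constructed sample values, mirroring the two cases in the notes.
    print("CA cert (86):", decode_key_usage("86"), "missing:", check_ca_cert("86"))
    print("Device cert (a0):", decode_key_usage("a0"),
          "missing:", check_device_cert("a0", [OID_CLIENT_AUTH, OID_SERVER_AUTH]))
    # A device cert that only has Client Authentication would be flagged.
    print("Device cert without Server Auth:",
          check_device_cert("a0", [OID_CLIENT_AUTH]))
```

Running the block shows that 86 decodes to Digital Signature, Certificate Signing and CRL Signing, and a0 to Digital Signature and Key Encipherment, which is exactly what the notes require; a device certificate issued with only the Client Authentication EKU is reported as missing 1.3.6.1.5.5.7.3.1.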
- Device ID Pattern (optional) - Enter any regex patterns that will help to classify the device, for example, iOS, iPad, Windows, or Android.
- Enable CRL Check - Click the toggle to enable certificate revocation checking. When this option is enabled, the device certificate is checked against a list of certificates that were revoked before their expiration date.
- CRL Check URL - If CRL Check is enabled, enter the URL of the Certificate Revocation List source.
- Enable MDM Check for Device Profile Posture - Enabled by default. This option provides additional checking using Mobile Device Management (MDM) to classify a device and apply policies related to device classification.
  - When this option is enabled, the device ID, which is extracted from the device certificate Common Name (CN) using the Device ID Pattern regex, is looked up against the list of known managed devices synced from Workspace ONE. If a match is found, the device status is resolved based on what is reported by Workspace ONE (managed, compromised, or non-compliant). If a match is not found, the device is considered unmanaged.
  - When this option is disabled, the device is considered managed as long as the device's client authentication certificate is validated against the Device Trust CA certificate.
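The decision flow described by the settings above (no certificate, CA validation, CRL check, then the MDM lookup of the device ID extracted from the CN) can be written out as one function. The following is an added example, not code from the product or this documentation: the settings keys, the `evaluate_device` and `extract_device_id` names, the certificate records, the CRL serial list and the Workspace ONE device table are all constructed for illustration. Validation of the certificate chain against the Device Trust CA certificate is assumed to happen elsewhere and is passed in as a boolean.

```python
import re

# Constructed sample data (not from any real deployment).
CRL_SERIALS = {"0x1b3f"}  # serial numbers listed on the constructed CRL
WORKSPACE_ONE_DEVICES = {  # device ID -> posture reported by Workspace ONE
    "IPAD-0042": "managed",
    "WIN-1187": "non-compliant",
    "ANDROID-7731": "compromised",
}

# Constructed settings. The Device ID Pattern uses a capture group so that
# only the identifier after the OS name is used for the MDM lookup.
SAMPLE_SETTINGS = {
    "crl_check": True,
    "mdm_check": True,
    "device_id_pattern": r"(?:iOS|iPad|Windows|Android)\s+(\S+)",
}


def extract_device_id(common_name, pattern):
    """Pull the device ID out of the certificate CN using the configured
    regex. If the pattern has a capture group, the first group is the ID;
    otherwise the whole match is used. Returns None when nothing matches."""
    match = re.search(pattern, common_name)
    if match is None:
        return None
    return match.group(1) if match.groups() else match.group(0)


def evaluate_device(cert, settings, chain_valid,
                    crl_serials=CRL_SERIALS, mdm_devices=WORKSPACE_ONE_DEVICES):
    """Return (status, reason) for a device, following the rules on this page.

    cert        -- dict with 'cn' and 'serial' parsed from the client cert,
                   or None when the device presented no certificate
    chain_valid -- result of validating the cert against the Device Trust CA
                   certificate (assumed to be computed by the caller)
    """
    if cert is None:
        return ("unmanaged", "no client certificate presented")
    if not chain_valid:
        return ("unmanaged", "certificate not validated against the Device Trust CA")
    if settings.get("crl_check") and cert["serial"] in crl_serials:
        return ("unmanaged", "certificate is listed on the CRL (revoked)")
    if not settings.get("mdm_check"):
        # MDM check disabled: a valid client auth certificate is enough.
        return ("managed", "certificate valid; MDM check disabled")
    device_id = extract_device_id(cert["cn"], settings["device_id_pattern"])
    if device_id is None:
        return ("unmanaged", "Device ID Pattern did not match the certificate CN")
    posture = mdm_devices.get(device_id)
    if posture is None:
        return ("unmanaged", "device ID %s not found in Workspace ONE sync" % device_id)
    # Known device: status is whatever Workspace ONE reports.
    return (posture, "posture reported by Workspace ONE for %s" % device_id)


if __name__ == "__main__":
    # Constructed certificate records for each branch of the decision flow.
    samples = [
        ({"cn": "iPad IPAD-0042", "serial": "0x2a01"}, True),
        ({"cn": "Windows WIN-1187", "serial": "0x2a02"}, True),
        ({"cn": "Windows WIN-1187", "serial": "0x1b3f"}, True),   # revoked serial
        ({"cn": "Android ANDROID-9999", "serial": "0x2a03"}, True),  # unknown to MDM
        ({"cn": "Android ANDROID-7731", "serial": "0x2a04"}, False),  # bad chain
        (None, True),
    ]
    for cert, chain_valid in samples:
        print(cert and cert["cn"], "->", evaluate_device(cert, SAMPLE_SETTINGS, chain_valid))
```

The order of the checks matters: a certificate that chains to the Device Trust CA but whose serial appears on the CRL never reaches the MDM lookup, and with the MDM check disabled a device whose CN does not match the pattern at all is still reported as managed, which is the behaviour the last bullet above describes.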