Third-party integration with device posture
In addition to its native scans, the Device Posture service can be integrated with the following third-party solutions on Windows and macOS.
Microsoft Intune integration with Device Posture
Microsoft Intune classifies a user’s device as compliant or registered based on its policy configuration. During user login to Citrix Workspace, device posture can query Microsoft Intune for the device’s status and use that information to classify the device within Citrix Cloud as compliant, non-compliant (partial access), or to deny access to the user login page altogether. Services such as Citrix DaaS and Citrix Secure Private Access in turn use device posture’s classification to provide contextual access (Smart Access) to virtual apps and desktops, and to SaaS and web apps, respectively.
Important:
The Device Posture administrator must use an Intune account with the “Global Administrator” role to configure the Intune integration.
Configure Microsoft Intune integration
Intune integration configuration is a two-step process.
Step 1: Integrate device posture with the Microsoft Intune service. This is a one-time activity that establishes trust between Device Posture and Microsoft Intune.
Step 2: Configure policies to use Microsoft Intune information.
Step 1 - Integrate device posture with Microsoft Intune:
- To access the Integrations tab, use one of the following methods:
  - Open the URL https://device-posture-config.cloud.com in your browser, and then click the Integrations tab.
  - Secure Private Access customers: in the Secure Private Access GUI, in the left navigation pane, click Device Posture, and then click the Integrations tab.
- Click the ellipsis button, and then click Connect. The admin is redirected to Azure AD to authenticate.
The following table lists the Microsoft Intune API permissions for integration with the Device Posture service.
API name | Claim value | Permission name | Type |
---|---|---|---|
Microsoft Graph | DeviceManagementManagedDevices.Read.All | Read Microsoft Intune devices | Application |
Microsoft Graph | DeviceManagementServiceConfig.Read.All | Read Microsoft Intune configuration | Application |
After the integration status changes from Not Configured to Configured, admins can create a device posture policy.
If the integration is not successful, the status appears as Pending. You must click the ellipsis button, and then click Reconnect.
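As an added example (not Citrix or Microsoft code), the following Python checks that the application permissions consented to the Device Posture app registration are exactly the two listed in the table above, reporting anything missing or in excess. It runs over constructed copies of two Microsoft Graph objects: the Microsoft Graph service principal's appRoles (which map a role GUID to a permission value) and the app registration's appRoleAssignments (which record granted application permissions). The GUIDs and the sample grant are placeholders, not real identifiers.

```python
"""Least-privilege audit for the Device Posture app registration.

Added example, not Citrix code. Input shapes mimic two Microsoft Graph
objects: the Microsoft Graph service principal's appRoles (role GUID to
permission value) and the app registration's appRoleAssignments (granted
application permissions). All GUIDs below are constructed placeholders.
"""

EXPECTED_PERMISSIONS = frozenset({
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementServiceConfig.Read.All",
})

# Constructed subset of: GET /servicePrincipals/{graphSpId}?$select=appRoles
GRAPH_APP_ROLES = [
    {"id": "00000000-0000-0000-0000-000000000001",
     "value": "DeviceManagementManagedDevices.Read.All",
     "allowedMemberTypes": ["Application"]},
    {"id": "00000000-0000-0000-0000-000000000002",
     "value": "DeviceManagementServiceConfig.Read.All",
     "allowedMemberTypes": ["Application"]},
    {"id": "00000000-0000-0000-0000-000000000003",
     "value": "DeviceManagementManagedDevices.ReadWrite.All",
     "allowedMemberTypes": ["Application"]},
]

# Constructed subset of: GET /servicePrincipals/{devicePostureSpId}/appRoleAssignments
# In this sample someone granted the ReadWrite role instead of ServiceConfig.Read.All.
GRANTED_ASSIGNMENTS = [
    {"appRoleId": "00000000-0000-0000-0000-000000000001",
     "resourceDisplayName": "Microsoft Graph"},
    {"appRoleId": "00000000-0000-0000-0000-000000000003",
     "resourceDisplayName": "Microsoft Graph"},
]


def granted_permissions(app_roles, assignments):
    """Resolve appRoleId GUIDs in the assignments to permission values.
    Unknown GUIDs are kept so they surface as excess instead of vanishing."""
    value_by_id = {role["id"]: role["value"] for role in app_roles}
    return frozenset(
        value_by_id.get(a["appRoleId"], "unknown:" + a["appRoleId"])
        for a in assignments
    )


def audit_grants(app_roles, assignments, expected=EXPECTED_PERMISSIONS):
    """Report what is missing versus the documented set and what exceeds it.
    'ok' is true only when the grant is exactly the documented set."""
    granted = granted_permissions(app_roles, assignments)
    return {
        "missing": sorted(expected - granted),
        "excess": sorted(granted - expected),
        "ok": granted == expected,
    }


if __name__ == "__main__":
    report = audit_grants(GRAPH_APP_ROLES, GRANTED_ASSIGNMENTS)
    for key in ("missing", "excess", "ok"):
        print(f"{key}: {report[key]}")
```

In a live audit the two objects come from Microsoft Graph (`/servicePrincipals`), and you would also confirm that each granted role's `allowedMemberTypes` contains `Application`, since the table lists both permissions as application permissions rather than delegated ones.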
Step 2 - Configure device posture policies:
- Click the Device Scans tab, and then click Create device policy.
- Enter the name for the policy and set the priority.
- Select the platform for which this policy is created.
- In Select Rule, select Microsoft Endpoint Manager.
- Select a condition, and then select the MEM tags to be matched.
- For Matches any of, an OR condition is applied.
- For Matches all of, an AND condition is applied.
Note:
You can use this rule with other rules that you configure for device posture.
- In Then the device is, select one of the following, based on the conditions that you have configured:
- Compliant (full access is granted)
- Non-compliant (Restricted access is granted)
- Denied login
For more details about creating a policy, see Configure device posture policy.
CrowdStrike integration with Device Posture
CrowdStrike Zero Trust Assessment (ZTA) delivers security posture assessments by calculating a ZTA security score from 1 to 100 for each end device. A higher ZTA score means that the posture of the end device is better.
Citrix Device Posture Service can enable contextual access (Smart Access) to Citrix Desktop as a Service (DaaS) and Citrix Secure Private Access (SPA) resources by using the ZTA score of an end device.
Device Posture administrators can use ZTA score as part of policies and classify the end devices as compliant, non-compliant (partial access), or even deny access. This classification can in turn be used by organizations to provide contextual access (Smart Access) to virtual apps and desktops, and SaaS and Web Apps. ZTA score policies are supported for Windows and macOS platforms.
Configure CrowdStrike integration
CrowdStrike integration configuration is a two-step process.
Step 1: Establish trust between the Citrix Device Posture service and the CrowdStrike ZTA service. This is a one-time activity.
Step 2: Configure policies to use the CrowdStrike ZTA score as a rule to provide smart access to Citrix DaaS and Citrix Secure Private Access resources.
Step 1 - Establish trust between Citrix Device Posture service and CrowdStrike ZTA service:
Perform the following to establish trust between Citrix Device Posture service and CrowdStrike ZTA service.
- Sign into Citrix Cloud, and then select Identity and Access Management from the hamburger menu.
- Click the Device Posture tab, and then click Manage.
- Click the Integrations tab.
Note:
Alternatively, customers can navigate to the Device Posture option on the left navigation pane of the Secure Private Access service GUI, and then click the Integrations tab.
- Click the ellipsis button in the CrowdStrike box, and then click Connect. The CrowdStrike Falcon Insight XDR integration pane appears.
- Enter the client ID and client secret, and then click Save.
Note:
- You can obtain the ZTA API client ID and client secret from the CrowdStrike portal (Support and resources > API clients and keys).
- Ensure that you select the Zero Trust Assessment and Host scopes with read permissions for establishing the trust.
The integration is considered successful after the status changes from Not Configured to Configured.
If the integration is not successful, the status appears as Pending. You must click the ellipsis button, and then click Reconnect.
Step 2 - Configure device posture policies:
Perform the following to configure policies to use the CrowdStrike ZTA score as a rule to provide smart access to Citrix DaaS and Citrix Secure Private Access resources.
- Click the Device Scans tab, and then click Create device policy.
- Select the platform for which this policy is created.
- In Policy Rule, select CrowdStrike.
- For the Risk Score qualifier, select the condition, and then enter the risk score.
- Click + to add a qualifier that checks whether the CrowdStrike Falcon sensor is running.
Note:
You can use this rule with other rules that you configure for device posture.
- In Policy result, select one of the following, based on the conditions that you have configured:
- Compliant
- Non-compliant
- Denied login
- Enter the name for the policy and set the priority.
- Click Create.
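As an added example that is not Citrix code, the following Python models the rule semantics this page describes for both integrations: Intune tags combined with Matches any of (OR) or Matches all of (AND), a CrowdStrike ZTA score compared against a threshold, the Falcon-sensor-running qualifier, and first-match selection among policies ordered by priority. All input records are constructed. The Intune field names follow the Microsoft Graph managedDevice object; the ZTA payload shape, the sensor_running flag, the "lower priority number is evaluated first" ordering and the fail-closed default for unmatched devices are assumptions of the example, not documented Citrix behaviour.

```python
"""Model of Device Posture policy evaluation for the Intune and CrowdStrike
rules described on this page. Added example, not Citrix code. Record shapes,
the sensor_running flag, the priority ordering and the no-match default are
assumptions made for the example."""
from dataclasses import dataclass
from typing import Optional
import operator

COMPARE = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
           ">=": operator.ge, "==": operator.eq}


@dataclass(frozen=True)
class Device:
    platform: str
    intune_tags: frozenset        # subset of {"compliant", "registered"}
    zta_score: Optional[int]      # None when CrowdStrike has no record
    sensor_running: bool


@dataclass(frozen=True)
class Policy:
    name: str
    priority: int                         # lower number is evaluated first (assumption)
    platform: str
    result: str                           # "Compliant" | "Non-compliant" | "Denied login"
    intune_match: Optional[tuple] = None  # ("any" | "all", frozenset of tags)
    zta: Optional[tuple] = None           # (comparison, threshold), e.g. (">=", 70)
    require_sensor: bool = False


def device_from_sources(platform, graph_device, zta_record):
    """Derive the page's compliant/registered tags from a Graph managedDevice
    record and the ZTA score from a (constructed) CrowdStrike assessment record."""
    tags = set()
    if graph_device.get("complianceState") == "compliant":
        tags.add("compliant")
    if graph_device.get("deviceRegistrationState") == "registered":
        tags.add("registered")
    score = running = None
    if zta_record:
        score = zta_record["assessment"]["overall"]
        running = zta_record.get("sensor_running", False)
    return Device(platform, frozenset(tags), score, bool(running))


def policy_matches(policy, device):
    if policy.platform != device.platform:
        return False
    if policy.intune_match is not None:
        mode, wanted = policy.intune_match
        combine = any if mode == "any" else all   # Matches any of = OR, Matches all of = AND
        if not combine(tag in device.intune_tags for tag in wanted):
            return False
    if policy.zta is not None:
        comparison, threshold = policy.zta
        if device.zta_score is None or not COMPARE[comparison](device.zta_score, threshold):
            return False
    if policy.require_sensor and not device.sensor_running:
        return False
    return True


def classify(policies, device, no_match=(None, "Denied login")):
    """First matching policy in priority order decides. Failing closed when
    nothing matches is this example's choice, not documented Citrix behaviour."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy_matches(policy, device):
            return policy.name, policy.result
    return no_match


# Constructed inputs.
GRAPH_HEALTHY = {"deviceName": "LT-0427", "complianceState": "compliant",
                 "deviceRegistrationState": "registered"}
GRAPH_DRIFTED = {"deviceName": "LT-0912", "complianceState": "noncompliant",
                 "deviceRegistrationState": "registered"}
ZTA_STRONG = {"assessment": {"overall": 82}, "sensor_running": True}
ZTA_WEAK = {"assessment": {"overall": 35}, "sensor_running": True}

POLICIES = [
    # The deny rule gets the highest priority so a permissive rule cannot shadow it.
    Policy("win-low-zta-deny", 5, "Windows", "Denied login", zta=("<", 40)),
    Policy("win-trusted", 10, "Windows", "Compliant",
           intune_match=("all", frozenset({"compliant", "registered"})),
           zta=(">=", 70), require_sensor=True),
    Policy("win-limited", 20, "Windows", "Non-compliant",
           intune_match=("any", frozenset({"compliant", "registered"}))),
]

if __name__ == "__main__":
    cases = {
        "healthy": device_from_sources("Windows", GRAPH_HEALTHY, ZTA_STRONG),
        "drifted": device_from_sources("Windows", GRAPH_DRIFTED, ZTA_STRONG),
        "weak-zta": device_from_sources("Windows", GRAPH_HEALTHY, ZTA_WEAK),
        "mac-unknown": device_from_sources("macOS", GRAPH_HEALTHY, None),
    }
    for label, device in cases.items():
        print(label, "->", classify(POLICIES, device))
```

The ordering in POLICIES is the point to take away: because the first matching policy decides, a Denied login rule placed at a lower priority than a broad Non-compliant rule would never fire for the devices it was written for, so put restrictive rules ahead of permissive ones when you set the priority in Step 2.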