Configure Device Profiles

Cloud Firewall continuously assess the security posture of the connecting device, when device profile is configured as a criteria in the Cloud Firewall Policy. The connecting device can be an enterprise-owned device, a personal computer, a mobile device, or a BYOD device. You can specify the device's attributes such as operating system, operating system version, firewall policy, antivirus software status, file path, and registry information (Windows devices). The device must meet the specified criteria to consider it to be compliant in order to establish trust and gain access to the requested application.

Install the Client Proxy for Windows systems. For information, see Install Skyhigh Client Proxy

1. Go to Settings > Infrastructure > Web Gateway Setup.
2. In the Configure Device Profile section, click New Device Profile.
3. In the Name box, enter the name of the device profile.
4. Complete the following fields:
5. OS name — Select the operating system of the device. Cloud Firewall supports Windows only.
6. OS version — Select an operator and specify the operating system version. The possible operators are == (equals), >= (greater than or equal to), > (greater than), <= (less than or equal to), < (less than), and Range. In the Value field, specify the OS version number.
   For example, if you set the operator to ==, the devices with operating system version matching the specified version succeeds the posture check. If you set the operator to >=, then the devices with versions equal to or higher than the specified version succeed the posture check.  If you set the operator to Range, specify the OS version 7.0.1 - 7.1.0 range. All devices with versions from 7.0.1 to 7.1.0 succeed the posture check.
7. Antivirus — Specify whether the antivirus software is enabled or disabled on the device. It will not check for the status of the antivirus software when you select Ignore.
8. Firewall — Specify whether the firewall is enabled or disabled on the device. It will not check for the firewall status when you select Ignore.
   
9. Encrypted Fixed Disk — Specify if there is any encrypted fixed disk on the device. It will not check for encryption status of the fixed disk when you select Ignore.
10. File Path — Specify the file path found on the users' device. Checks for the presence of a specific file in the specified path. The device must have this file in the specified path to pass the validation.
    For example, you can specify C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
11. Active Directory domain name —  Specify the Active Directory (AD) domain associated with the device. The device must be part of the matching AD domain to pass the validation.
    For example, you can specify corp.dept.com.
12. Process Validation  
    • Application Path —  Specify the process that runs on the device. You can enter the process name and absolute path of the process.
      For example, C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  or enter msedge.exe
    • Additional checks — You can provide additional information such as certificate Distinguished name (DN) or signer Thumbprint, or SHA256 checksum values. Will not check for additional information when you select None.
13. Presence of Registry Key — Applies only to Windows devices. You can specify the presence of the registry key, registry value name, and registry value data.
    For example, you can specify Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender 

14. Registry Value Name — Specify the registry key value. Valid values include positive integers representing Windows Registry keys.
    For example, RemediationExe 
15. Registry Value Data — Specify the registry data. This field supports data types like REZ_SZ (ASCII characters), REG_DWORD, REG_QWORD. 
    For REG_DWORD type, enter the value that is displayed within the brackets and not the entire hexadecimal value. Example, cFormatTags is 2
    
     
16. Enable Company CA certificate present in the Trust Store section to add the company CA certificate information.
    • Certificate Location — Enter the location (path) of the company CA certificate stored in the Trust store. For example, the certificate can be under the \LocalMachine\<Path of the certificate> or \CurrentUser\<Path of the certificate> folder for Windows devices.
    • Certificate Thumbprint — Enter the thumbprint of the CA certificate. The thumbprint of a certificate is not case sensitive, and you can enter without separators. For example, you can enter 26 10 22 C2 97 D4 BD AD 02 E6 26 1E 2A 85 48 0B F0 44 95 82.
    • Certificate — Select Valid if the device has a valid certificate, select Invalid if the device has an invalid or expired certificate, and select Ignore to ignore the validation of the device certificate. When you select Valid, the McAfee Client Proxy software checks if the CA certificate is available in the specified location, certificate thumbprint, valid signature, expiration date, and status. When you select Invalid, the device posture validation passes for the invalid inputs.
17. Click to enable Client certificate signed by company's CA section to add the client certificate information.
    • Certificate Location — Enter the location (path) of the client certificate signed by a Certificate Authority. For example, the certificate can be under the \LocalMachine\<Path of the certificate> or \CurrentUser\<Path of the certificate> folder for Windows devices.
    • Certificate Thumbprint — Enter the thumbprint of the CA certificate used to sign the client certificate. The thumbprint of a certificate is not case sensitive, and you can enter without separators. For example, 29 10 22 C2 97 D4 BD AD 02 E6 26 1E 2A 85 48 0B F0 44 95 82.
    • Certificate — Select Valid if the device has a valid certificate, select Invalid if the device has an invalid or expired certificate, and select Ignore to ignore the validation of the device certificate.
18. Click Save.