Configure access based on a third-party UEM trust
This topic describes how to create multi-factor authentication (MFA) rules to apply to a third-party Unified Endpoint Management (UEM) trust.
You can configure authentication rules for application access based on device enrollment or compliance with UEM policy.
Before you begin
Before you can configure MFA rules around trusting managed devices, make sure the devices in your organization meet the following requirements.
You can configure CyberArk Identity for single sign-on when you do not need device management when using Mac Cloud Agent (MCA). For information on SSO-only mode, see Use CyberArk Identity for single sign-on only.
Enroll in MCA. See Enroll devices for more information.
Enroll with the Jamf Pro UEM:
For more information on Identity Administration portal setup, see Configure Jamf to deploy Mac Device Trust
Enroll in Windows Cloud Agent (WCA). For more information on WCA, see Enroll Windows machines with the Windows Cloud Agent
Enroll with one of the following UEMs:

VMware Workspace ONE
- Create a new Admin user with minimal rights:
  - To create an Admin user, see Admin Accounts for more information.
  - To create a role with minimum rights, see Role-based Access for more information. You will need to enable read-only rights for API devices for role-based access in VMware Workspace ONE. See Using UEM Functionality with a REST API for more information.
- To enroll with VMware Workspace ONE, see Device Enrollment for more information.

Microsoft Intune
- To enroll in Microsoft Intune, see Set up enrollment for Windows devices for more information.
- To configure a new app, see Configure an application to expose a web API for more information. You will need to enable DeviceManagementManagedDevices.Read.All for the API in Microsoft Intune. See Get managedDevice for more information.
Configure the device trust integration with supported UEMs
This section describes how to integrate your CyberArk Identity tenant with your Jamf Pro tenant so that Jamf Pro deploys Mac Device Trust on managed Mac devices. See Configure Jamf to deploy Mac Device Trust for more information.
This section describes how to integrate your CyberArk Identity tenant with your VMware Workspace ONE tenant so that VMware Workspace ONE deploys Windows Device Trust on managed Windows devices.
- Create a tenant code (API key). See Rest API for Workspace ONE UEM for more information.
- Go to Settings > Endpoints > Device Trust > VMware Workspace ONE, then click Enable Device Trust with VMware Workspace ONE.
- Complete the following fields:

  Selections for VMware Workspace ONE
  Integration User Name: The user name you use to sign in to your VMware Workspace ONE tenant
  Integration Password: The password you use to sign in to your VMware Workspace ONE tenant
  Tenant Code: The code for your VMware Workspace ONE tenant

- Click Test connection and click Save after a successful test.
This section describes how to integrate your CyberArk Identity tenant with your Windows Intune tenant so that Windows Intune deploys Windows Device Trust on managed Windows devices.
- Go to Settings > Endpoints > Device Trust > Microsoft Intune, then click Enable Device Trust with Microsoft Intune.
- Complete the following fields:

  Selections for Microsoft Intune
  Client ID: The identifier of the client application
  Client Secret: The random code for the client application
  Tenant ID: The ID for your Windows Intune tenant

- Click Test connection and click Save after a successful test.
Create authentication rules based on managed device UEMs
Once you have established the device trust, you will need to configure the policy for the web app.
- Go to Apps & Widgets, select the web app, and click Policy.
- Click Add Rule > Add Filter and select Managed Device from the drop-down menu.
- Select the Condition and Value and click Add. You can choose from the following:

  Selections for UEM conditions and values
  compliant with
    Available values: Workspace ONE, Intune
    Description: Compliance means that the device is enrolled in the UEM and conforms to the compliance rules defined by that third-party UEM
  not compliant with
    Available values: Workspace ONE, Intune
    Description: Not compliant means that the device does not conform to the rules defined by the third-party UEM
  enrolled to
    Available values: CyberArk Identity, Workspace ONE, Intune, Jamf
    Description: Enrolled means the device is enrolled in a supported platform
  not enrolled to
    Available values: CyberArk Identity, Workspace ONE, Intune, Jamf
    Description: Not enrolled means the device is not enrolled in a supported platform

- Select the profile that you want applied if all filters/conditions are met in the Authentication Profile drop-down menu, click OK, and click Save.
The authentication profile is where you define the authentication mechanisms. If you have not created the necessary authentication profile, select the Add New Profile option. See Create authentication profiles.
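The following is an added worked model of how the Managed Device filter above selects an authentication profile; it is example code written for this page, not CyberArk Identity's own policy engine. The condition names and platform values are the ones from the table; the device records, the first-matching-rule ordering, and the treatment of an unenrolled device as "not compliant" are constructed assumptions for illustration.

```python
"""Model of the Managed Device policy filter described in this topic.

Constructed example (not CyberArk's code). Each device record carries the
platforms it is enrolled to and, for the UEMs that report compliance,
whether it currently passes that UEM's rules.
"""
from dataclasses import dataclass

# Platforms the "enrolled to" / "not enrolled to" conditions accept (from the table).
PLATFORMS = {"CyberArk Identity", "Workspace ONE", "Intune", "Jamf"}
# Only the UEMs with a compliance engine offer "compliant with" / "not compliant with".
COMPLIANCE_PLATFORMS = {"Workspace ONE", "Intune"}
CONDITIONS = {"compliant with", "not compliant with", "enrolled to", "not enrolled to"}


@dataclass
class DeviceState:
    """What the UEM integrations report about one device (constructed)."""
    device_id: str
    enrolled: frozenset = frozenset()    # platforms the device is enrolled to
    compliant: frozenset = frozenset()   # platforms whose compliance rules it passes


@dataclass
class Rule:
    """One Managed Device filter and the authentication profile it selects."""
    condition: str
    value: str
    profile: str

    def __post_init__(self):
        if self.condition not in CONDITIONS:
            raise ValueError(f"unknown condition {self.condition!r}")
        if self.value not in PLATFORMS:
            raise ValueError(f"unknown platform {self.value!r}")
        if "compliant" in self.condition and self.value not in COMPLIANCE_PLATFORMS:
            raise ValueError(f"{self.value} reports enrollment only, not compliance")


def rule_matches(rule: Rule, device: DeviceState) -> bool:
    """Evaluate one filter against one device."""
    enrolled = rule.value in device.enrolled
    # Compliance presupposes enrollment: a stale 'compliant' flag for a UEM the
    # device is no longer enrolled in never counts as compliant.
    compliant = enrolled and rule.value in device.compliant
    if rule.condition == "enrolled to":
        return enrolled
    if rule.condition == "not enrolled to":
        return not enrolled
    if rule.condition == "compliant with":
        return compliant
    # "not compliant with" (assumption): the complement of compliant, so an
    # unenrolled or unknown device also lands on the stricter profile.
    return not compliant


def select_profile(rules, device, default_profile):
    """Return the profile of the first matching rule (assumed ordering), else the default."""
    for rule in rules:
        if rule_matches(rule, device):
            return rule.profile
    return default_profile


# Constructed policy: devices in good standing with a UEM get the lighter profile,
# everything else falls through to MFA.
POLICY = [
    Rule("compliant with", "Intune", "password-only"),
    Rule("compliant with", "Workspace ONE", "password-only"),
    Rule("enrolled to", "Jamf", "password-only"),
]
DEFAULT_PROFILE = "password-plus-otp"

# Constructed device reports.
SAMPLE_DEVICES = {
    "laptop-1": DeviceState("laptop-1", frozenset({"Intune"}), frozenset({"Intune"})),
    "laptop-2": DeviceState("laptop-2", frozenset({"Intune"}), frozenset()),   # enrolled, failing rules
    "laptop-3": DeviceState("laptop-3", frozenset(), frozenset({"Intune"})),   # stale flag, unenrolled
    "mac-1": DeviceState("mac-1", frozenset({"Jamf", "CyberArk Identity"}), frozenset()),
}


def evaluate_all(devices=SAMPLE_DEVICES, rules=POLICY, default=DEFAULT_PROFILE):
    """Map every sample device to the profile the policy would apply."""
    return {name: select_profile(rules, dev, default) for name, dev in devices.items()}


if __name__ == "__main__":
    for name, profile in evaluate_all().items():
        print(f"{name}: {profile}")
```

The point worth checking in your own rules is the ordering: because each rule selects a profile on its own, a "compliant with" rule placed after a broad "enrolled to" rule for the same UEM would never be reached, and an unenrolled device with a stale compliance record should still fall through to the stricter profile.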