CyberArk Identity Windows Device Trust

This topic describes the use case and enrollment procedure for CyberArk Identity Windows Device Trust, which is a lightweight version of the Windows Cloud Agent.

Windows Device Trust prevents untrusted Windows computers from accessing CyberArk Identity or launching sensitive web apps by enabling conditional access based on the presence of an authentication certificate, which is installed during enrollment. This improves security and decreases friction for users by allowing passwordless authentication.

The primary difference between Windows Device Trust and the Windows Cloud Agent is that the Windows Cloud Agent also supports endpoint (Windows logon) authentication, while Windows Device Trust covers only sign-in to CyberArk Identity and application launches.

Use Windows Device Trust if your users are domain-joined and your primary concern is securing the CyberArk Identity User Portal and sensitive applications, but you don't want to enforce adaptive MFA for users authenticating to their endpoints.

The following table provides an overview of the feature differences.

Feature                                                      Windows Device Trust          Windows Cloud Agent
Certificate-based authentication (CBA)                       Yes                           Yes
Passwordless authentication                                  Yes, for CyberArk Identity    Yes, for CyberArk Identity and the Windows endpoint
Endpoint authentication                                      No                            Yes
Support for AD users on domain-joined devices                Yes                           Yes
Support for AD users on devices that are not domain-joined   No                            Yes
Support for CyberArk Cloud Directory users                   No                            Yes

The following workflow diagram illustrates an overview of the deployment and management of Windows Device Trust.

Requirements

Windows Device Trust requires the following:

  • Windows 10

    On Windows servers, Desktop Experience is required.

  • A CyberArk Identity tenant with IWA configured

    Refer to Configure Integrated Windows Authentication (IWA) for more information.

  • A domain-joined Windows computer

  • A connection to the domain controller (for example, inside the corporate network or over a VPN)
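An added pre-flight check, written for this page rather than taken from CyberArk's tooling, that tests the requirements above on a candidate endpoint before you push the installer. The tenant host name is a placeholder, and the Desktop Experience test reads the ServerLevels registry key that Windows Server maintains; neither detail comes from this page.

```powershell
# Pre-flight check for the Windows Device Trust requirements listed above.
# Added example, not CyberArk code. Run in an elevated PowerShell session on the endpoint.
function Test-DeviceTrustPrereqs {
    param(
        # Assumption: replace with the host part of your tenant URL (Settings > Customization > Tenant URLs).
        [string]$TenantHost = 'tenant.example.com'
    )
    $os = Get-CimInstance Win32_OperatingSystem
    $cs = Get-CimInstance Win32_ComputerSystem
    $isServer = $os.ProductType -ne 1          # 1 = workstation, 2 = domain controller, 3 = member server

    # Windows 10 or later (Windows 11 and Server 2016+ also report a 10.x version string)
    $osVersionOk = ([version]$os.Version).Major -ge 10

    # On servers Desktop Experience is required; Server Core does not carry the Server-Gui-Shell level.
    $desktopExperienceOk = $true
    if ($isServer) {
        $levels = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Server\ServerLevels' -ErrorAction SilentlyContinue
        $desktopExperienceOk = ($levels.'Server-Gui-Shell' -eq 1)
    }

    # Domain-joined, with a working secure channel to a domain controller
    $domainJoined = [bool]$cs.PartOfDomain
    $dcReachable = $false
    if ($domainJoined) {
        $dcReachable = (Test-ComputerSecureChannel -ErrorAction SilentlyContinue) -eq $true
    }

    # The enrollment task needs HTTPS to the tenant to fetch the certificate
    $tenantReachable = (Test-NetConnection -ComputerName $TenantHost -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded

    $checks = [pscustomobject]@{
        OperatingSystem     = $os.Caption
        OsVersionOk         = $osVersionOk
        DesktopExperienceOk = $desktopExperienceOk
        DomainJoined        = $domainJoined
        Domain              = $cs.Domain
        DcReachable         = $dcReachable
        TenantReachable     = $tenantReachable
    }
    $checks | Add-Member -NotePropertyName AllPassed -NotePropertyValue (
        $osVersionOk -and $desktopExperienceOk -and $domainJoined -and $dcReachable -and $tenantReachable
    ) -PassThru
}

Test-DeviceTrustPrereqs | Format-List
```

Run it on a representative workstation and a server before a bulk rollout; a failed DcReachable on an otherwise healthy machine usually means the VPN or network path to the domain controller is the problem, which also blocks the IWA-based enrollment.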

Enroll Windows machines with Windows Device Trust

You can either enroll a machine individually, or for AD-joined machines you can enroll in bulk.

Step 1: Generate an enrollment code

You need a randomly generated enrollment code to enroll a machine. You must be a member of the System Administrator role to generate enrollment codes.

  1. Log in to the Admin Portal.

  2. Click Settings > Endpoints > Enrollment Codes.

  3. Click the Add button.

    The Generate Bulk Enrollment Codes window appears.

  4. (Optional) Select the details to be used to generate the enrollment code.

    • Set an expiration date if the code should expire.

    • Specify the maximum number of devices that can be enrolled or leave Unlimited selected.

    • Enter a description.

  5. Click Save to generate the enrollment code.

  6. Click Copy to copy it to the clipboard.

Step 2: Download and install Windows Device Trust on Windows machines in your organization

The procedure for installing on an individual machine is appropriate if you are enrolling a server. Use the bulk install procedure to deploy Windows Device Trust to workstations throughout your organization.

To install on an individual machine

  1. Log in to the Admin Portal.

  2. Click Downloads and select Agents from the software list.

    All the agents available for download are displayed.

  3. Click download for the Windows Device Trust installer.

  4. When the download completes, run the installer (an MSI package, installed by Windows Installer).

  5. Enter values for the following parameters:

    • Tenant URL - Your tenant URL. You can find it in the Admin Portal, Settings > Customization > Tenant URLs.
    • Enrollment Code - Paste the enrollment code generated in Step 1 (Admin Portal, Settings > Endpoints > Enrollment Codes).

  6. Click Finish to enroll the machine.

To install in bulk with a Group Policy Object

  1. Generate the MST file.

    1. Log in the Admin Portal.

    2. Click Downloads and select Agents from the software list.

      All the agents available for download are displayed.

    3. Click download for the Windows Device Trust.

    4. Create a backup copy of the installer file.

    5. Right-click the installer file and select Edit with Orca.

    6. Select Transform > New Transform.

    7. Select the Property table in the left hand pane.

    8. Right-click in the main pane and select Add Row to specify the relevant properties and values.

    9. Specify the following properties and corresponding values one at a time in the pop-up window:

      Property     Value               Notes
      TENANTURL    <tenant url>        Your tenant URL. You can find it in the Admin Portal, Settings > Customization > Tenant URLs. See Configure UI fields for more information on tenant URLs.
      ENROLLCODE   <enrollment code>   The enrollment code you generated in Step 1 (Admin Portal, Settings > Endpoints > Enrollment Codes).

    10. Repeat the previous steps to create the required properties.

      The following image shows a created tenant URL property/value and the window available for the next property.

    11. Select Transform > Generate Transform to save your modifications to the MST file.

    12. Select Transform > Close Transform.

      Be sure to save the MST file in the same folder as the MSI file. If the MST and MSI files are in different folders, the MST file will not execute when you execute the MSI file.
  2. Deploy the MSI file to your organization.

    Deployment methods include:

    The rest of the steps are an example of how to deploy the MSI file with a Group Policy Object from the domain controller.

  3. Create a Software Installation package from the MSI file and attach the MST file to it.

    1. In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Software Settings.

    2. Right-click Software installation.

    3. Click New > Package.

    4. Select the MSI file.

      Select it by its UNC path on a share that the computer accounts (for example, Domain Computers) can read: the package is installed by the computer, not the user, so a local or user-only path fails. Because Windows Installer runs the package as SYSTEM on every targeted machine, restrict write access to that share to administrators.

    5. Click Open.

    6. Select Advanced and click OK.

    7. Select the Modifications tab.

    8. Click Add, then select the MST file and click OK.

      The software is installed at the next group policy update. A package assigned under Computer Configuration is applied at startup, before any user logs on, so each computer installs it at its next restart.

    For more complete information about creating and using group policies and Group Policy Objects, see your Windows or Active Directory documentation.
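For deployment tools that take a command line rather than a GPO package (SCCM, Intune, a startup script), the following added example shows a silent install that passes the same two public MSI properties the Orca transform sets, or applies the transform itself. It is written for this page and is not CyberArk's own tooling; the MSI file name, tenant URL and enrollment code are placeholders, and the only product-specific facts it relies on are the TENANTURL and ENROLLCODE property names from the procedure above.

```powershell
# Silent install of Windows Device Trust for command-line deployment tools.
# Added example, not CyberArk code. Placeholders: MSI path, tenant URL, enrollment code.
function Install-DeviceTrust {
    param(
        [Parameter(Mandatory)] [string]$MsiPath,
        [Parameter(Mandatory)] [string]$TenantUrl,
        [Parameter(Mandatory)] [string]$EnrollCode,
        [string]$MstPath,                                           # optional: the Orca-generated transform
        [string]$LogPath = "$env:ProgramData\DeviceTrust-install.log"
    )
    if (-not (Test-Path -LiteralPath $MsiPath)) { throw "MSI not found: $MsiPath" }

    # Check the Authenticode signature before handing the package to Windows Installer, which
    # runs it as SYSTEM; a tampered MSI on a deployment share would otherwise run unchecked.
    $sig = Get-AuthenticodeSignature -FilePath $MsiPath
    if ($sig.Status -ne 'Valid') { throw "Installer signature status is '$($sig.Status)'; refusing to install" }

    $msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/norestart', '/l*v', "`"$LogPath`"")
    if ($MstPath) {
        # Same effect as the GPO Modifications tab: the transform supplies TENANTURL and ENROLLCODE.
        $msiArgs += "TRANSFORMS=`"$MstPath`""
    } else {
        # Public (upper-case) MSI properties can be given on the command line instead of in an MST.
        $msiArgs += "TENANTURL=$TenantUrl"
        $msiArgs += "ENROLLCODE=$EnrollCode"
    }

    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru -NoNewWindow
    switch ($proc.ExitCode) {
        0       { 'Installed' }
        3010    { 'Installed; reboot required' }
        default { throw "msiexec exited with $($proc.ExitCode); see $LogPath" }
    }
}

# Placeholder values. The enrollment code lets any machine that presents it enroll, so treat
# it as a credential: set an expiry and device limit in Step 1 and keep it out of shared scripts.
Install-DeviceTrust -MsiPath 'C:\Deploy\WindowsDeviceTrust.msi' `
                    -TenantUrl 'https://tenant.example.com' `
                    -EnrollCode 'paste-enrollment-code-here'
```

Note that a verbose Windows Installer log (/l*v) records property values, so the enrollment code ends up in $LogPath; either drop the log switch or restrict and delete the log after a successful rollout.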

Windows Device Trust enrollment changes

Enrolling an endpoint for a user issues an authentication certificate to that user. In addition, the installer adds a lightweight task to Task Scheduler (IdentityCertificateAgentUserTask). This task fetches the authentication certificate whenever any of the following triggers fires:

  • The task is created or modified (for example, Windows Device Trust installation or update)

  • The user logs on to the endpoint

  • There is a network change

  • 12:00 local time each day

You can find the certificate in the current user's personal certificate store.

In addition, a trusted root certificate is installed in the trusted root CA store. It expires 10 years after its issue date.
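The following added example verifies those enrollment changes on an endpoint: the scheduled task, the trusted root, and the user's certificate with its private key, plus whether that certificate is inside the renewal window set under Settings > Endpoints > Device Trust > Certificate Authentication. It was written for this page and is not CyberArk code. Run it as the enrolled user, since the certificate lives in that user's personal store. This page does not name the subject of the installed root, so $RootSubjectPattern is a placeholder to set from the root you see after the first enrollment, and $RenewalWindowDays is an assumed value to replace with your tenant's setting.

```powershell
# Verify what Windows Device Trust enrollment changed on this endpoint.
# Added example, not CyberArk code. Run as the enrolled user.
function Get-ChainRoot {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'    # we only want the trust anchor, not a revocation verdict
    [void]$chain.Build($Cert)
    $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
}

function Test-DeviceTrustEnrollment {
    param(
        [string]$TaskName = 'IdentityCertificateAgentUserTask',
        [string]$RootSubjectPattern = 'CyberArk',   # assumption: match the installed root's Subject
        [int]$RenewalWindowDays = 30                # assumption: copy the tenant's renewal window
    )
    $now = Get-Date

    # 1. The scheduled task that fetches the certificate on logon, network change and at 12:00
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    $info = if ($task) { $task | Get-ScheduledTaskInfo } else { $null }

    # 2. The trusted root the installer added (10-year lifetime per the page)
    $roots = @(Get-ChildItem Cert:\CurrentUser\Root, Cert:\LocalMachine\Root |
               Where-Object { $_.Subject -match $RootSubjectPattern })

    # 3. The user's authentication certificate: personal store, private key present, chains to that root
    $userCerts = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and ((Get-ChainRoot $_).Subject -match $RootSubjectPattern)
    })
    $certReport = foreach ($c in $userCerts) {
        $daysLeft = [int]($c.NotAfter - $now).TotalDays
        # Expired here means renewal never landed (offline too long, revoked in the portal, or task
        # disabled); RenewalDue means the task should pick up a new certificate on its next trigger.
        $status = 'Active'
        if ($c.NotAfter -lt $now) { $status = 'Expired' } elseif ($daysLeft -le $RenewalWindowDays) { $status = 'RenewalDue' }
        [pscustomobject]@{ Subject = $c.Subject; Thumbprint = $c.Thumbprint; NotAfter = $c.NotAfter; DaysLeft = $daysLeft; Status = $status }
    }

    [pscustomobject]@{
        TaskPresent    = [bool]$task
        TaskState      = if ($task) { $task.State } else { $null }
        TaskLastRun    = if ($info) { $info.LastRunTime } else { $null }
        TaskLastResult = if ($info) { $info.LastTaskResult } else { $null }   # 0 = last run succeeded
        RootPresent    = $roots.Count -gt 0
        RootNotAfter   = if ($roots) { $roots[0].NotAfter } else { $null }
        UserCertCount  = $userCerts.Count
        UserCerts      = $certReport
    }
}

Test-DeviceTrustEnrollment | Format-List
```

A TaskPresent of True with UserCertCount of 0 after a fresh logon points at the fetch itself (no route to the domain controller or tenant, or the endpoint not yet enrolled); a non-zero TaskLastResult is the place to start.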

Configure Certificate-Based Authentication (CBA)

You can create authentication rules that allow access to CyberArk Identity or sensitive applications, conditional on the presence of an authentication certificate. The authentication certificate is distributed to Windows and Mac machines by a Cloud Agent or Device Trust installer, and to mobile devices through enrollment (mobile devices must be enrolled in the CyberArk Identity MDM solution for CBA). You can also use third-party certificates, such as certificates deployed by MDMs like AirWatch or Intune, for CBA on Windows, Mac, and mobile devices.

CBA does not work with native apps, on any platform or with any type of certificate.

  1. Go to Core Services > Policies and select the policy you want to edit or click Add Policy Set to create a new one.

  2. Click Authentication Policies > CyberArk Identity.

  3. Select Yes in the Enable authentication policy controls drop-down.

  4. Click Add Rule.

    The Authentication Rule window appears.

  5. Click Add Filter on the Authentication Rule window.

  6. Select Certificate Authentication from the Filter drop-down menu and set the Condition to Is Used, then click Add.

  7. Select the authentication profile that you want applied if Certificate Authentication is true.

    In this example, certificate authentication will bypass other authentication rules and the default profile, so the selected profile is not important.

  8. In the Default Profile (used if no conditions matched) drop-down, select a default profile to apply if certificate authentication is not available.

    The authentication profile is where you define the authentication methods. If you don't have an appropriate authentication profile yet, select Add New Profile to create one. See Create authentication profiles for more information.

  9. Under Other Settings, select Use certificates for authentication and Certificate authentication bypasses authentication rules and default profile.

  10. Click Save.

Users can now access CyberArk Identity using the authentication certificate instead of entering a password.

To also require the certificate for launching a specific application, add the same rule to that application's policy:

  1. In the Admin Portal, open the application's settings and click Policy.

  2. (Optional) Click Add Rule to specify conditional access.

    The Authentication Rule window appears.

  3. Click Add Filter on the Authentication Rule window.

  4. Select Certificate Authentication from the Filter drop-down menu and set the Condition to Is Used, then click Add.

  5. Select the authentication profile that you want applied if Certificate Authentication is true.

  6. In the Default Profile (used if no conditions matched) drop-down, select a default profile to apply if certificate authentication is not available.

    The authentication profile is where you define the authentication methods. If you don't have an appropriate authentication profile yet, select Add New Profile to create one. See Create authentication profiles for more information.

  7. Click Save.

Manage authentication certificates deployed by Windows Device Trust

Enrolled endpoints appear in the Admin Portal Endpoints tab. Click a device for the following information:

Tab Description
Details Shows the device ID, the agent or app version, and enrollment method.
Activity Shows the previous 30 days of certificate-related activity.
Certificates Shows details of the certificate distributed to the device user. You can manage certificates from this tab.

To manage authentication certificates issued through enrollment

  1. Go to Endpoints, then click an enrolled endpoint.

  2. Go to the Certificates tab, then select a certificate.

  3. Click Actions to see available actions, then take an action.

    Available actions depend on the current status of the certificate, as described in the following table.

    For each status: what it means, the action available, and what that action does.

    Active
      The certificate is active and can be used for certificate-based authentication.
      Action: Revoke. Deletes the certificate from CyberArk Identity, so CBA no longer works for that user. The certificate on the client is not removed; delete it manually. A new certificate can then be issued.

    Revoked
      The certificate has been revoked (deleted from the cloud). It needs to be issued and then installed again.
      Action: Issue. Issues the certificate, changing the status to Issued. The certificate exists in the cloud but is not yet installed on the workstation; the user must sign in again for it to be installed.

    Expired
      The certificate has expired. It needs to be issued and then installed again.
      Action: Revoke. Deletes the certificate from CyberArk Identity. The certificate on the client must be deleted manually. Once the certificate is revoked, auto-renewal no longer applies.

    Issued
      The certificate is issued but not yet installed by the agent. The user must sign in again for it to be installed.
      Action: Revoke. Deletes the certificate from the cloud. The certificate on the client must be deleted manually.

Set the lifetime and renewal window for CyberArk Identity authentication certificates deployed by Windows Device Trust

You can set the lifetime and renewal window of certificates issued through device enrollment or installation of Device Trust.

To set the lifetime and renewal window of CyberArk Identity issued authentication certificates

  1. Go to Settings > Endpoints > Device Trust > Certificate Authentication.

  2. Set the certificate lifetime and renewal window for authentication certificates issued by CyberArk Identity.

    The renewal window must be shorter than the certificate lifetime.

    If the endpoint is offline when renewal is due, CyberArk Identity renews the certificate when the endpoint is back online. If you don't want the certificate renewed, revoke the expired certificate by selecting the endpoint on the Endpoints page and sending the Revoke action.

Update Windows Device Trust

Download the new Windows Device Trust from the Admin Portal and re-deploy the agent as described in Enroll Windows machines with Windows Device Trust.

Users do not need to re-enroll.

Remove Windows Device Trust

You can remove Windows Device Trust from the Control Panel (Programs and Features) or by running the Windows Device Trust installer again. Bulk removal is available through tools such as Intune, SCCM, or a Group Policy Object from the domain controller. You can also delete the endpoint from the Endpoints page to unenroll it and remove CBA functionality.

After removing Windows Device Trust, the certificate is removed for the user from the personal store. The trusted root certificate is also removed. CBA will no longer work.
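For the bulk removal tools named above, the following added example scripts the uninstall and then checks the certificate stores rather than assuming they were cleaned. It is written for this page and is not CyberArk tooling. It assumes the product's DisplayName in Programs and Features contains "Device Trust" (confirm that on one machine first) and reuses the same placeholder issuer pattern as the enrollment check. The uninstall needs an elevated session; the store check must run as the enrolled user, whose personal store held the certificate.

```powershell
# Scripted removal of Windows Device Trust with a post-check on the certificate stores.
# Added example, not CyberArk code. Placeholders: product DisplayName pattern, root subject pattern.
function Uninstall-DeviceTrust {
    param(
        [string]$DisplayNamePattern = 'Device Trust',   # assumption: confirm in Programs and Features
        [string]$LogPath = "$env:ProgramData\DeviceTrust-uninstall.log"
    )
    # Find the MSI product code in the Uninstall keys. Avoid Win32_Product: enumerating it makes
    # Windows Installer consistency-check (and possibly repair) every product on the machine.
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $product = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $DisplayNamePattern -and $_.PSChildName -match '^\{[0-9A-F-]{36}\}$' } |
        Select-Object -First 1
    if (-not $product) { throw "No installed MSI product matches '$DisplayNamePattern'" }

    $proc = Start-Process -FilePath msiexec.exe -Wait -PassThru -NoNewWindow `
        -ArgumentList @('/x', $product.PSChildName, '/qn', '/norestart', '/l*v', "`"$LogPath`"")
    if ($proc.ExitCode -notin @(0, 3010)) { throw "msiexec /x exited with $($proc.ExitCode); see $LogPath" }

    [pscustomobject]@{
        Product     = $product.DisplayName
        ProductCode = $product.PSChildName
        ExitCode    = $proc.ExitCode
    }
}

function Test-DeviceTrustRemoved {
    param([string]$RootSubjectPattern = 'CyberArk')   # assumption: same pattern as the enrollment check
    # The page says the user certificate and the trusted root are removed; confirm it, because a
    # certificate left behind keeps working for CBA until it expires or you revoke it in the Admin Portal.
    [pscustomobject]@{
        UserCertsLeft = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Issuer -match $RootSubjectPattern }).Count
        RootsLeft     = @(Get-ChildItem Cert:\CurrentUser\Root, Cert:\LocalMachine\Root | Where-Object { $_.Subject -match $RootSubjectPattern }).Count
    }
}

Uninstall-DeviceTrust
Test-DeviceTrustRemoved
```

If UserCertsLeft is non-zero after removal (for example, when the uninstall ran as SYSTEM and a different user's store still holds a certificate), revoke that certificate from the endpoint's Certificates tab or delete the endpoint from the Endpoints page so it can no longer satisfy the Certificate Authentication rule.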