Manage DPC
  • 29 Apr 2024
  • 4 Minutes to read
  • Contributors

    Manage DPC


      Article summary

      Understanding DPC

      Device Posture Checks help you ensure that only devices meeting specific security conditions can access your network.

      This adds an additional layer of security by verifying the "posture" or security status of a device before it can access applications or data.

      For example, administrators can allow access to Networks only from devices that are complying with one or more of the following policies:

      • The presence of specific antivirus software on the device
      • Whether a specific (authorization) file can be found on the device.
      • Whether the device’s storage is encrypted.
      • Whether a device holds the appropriate certificate (as defined by the administrator).

      How to Set Up DPC


      You can set device profiles per operating system. Each profile can apply to a specific Group, operating system, or both.


      The Device Posture Check profiles will be applied to all Networks in your Harmony SASE tenant.

      In order to add a Device Posture Check profile:

      1. Navigate to Devices -> Posture Check.
      2. Click on (+) Add Profile.
      3. Enter a Posture Check Profile Name.
      4. Select the Group(s) that should comply with the profile.

      Check the All Users Group to apply the profile to all your Harmony SASE users.

      1. Select the suitable Runtime Schedule

      The Device Posture Check can be verified periodically while a Member is connected to a Network or with every connection to a Network.

      Screen Shot 2021-03-08 at 18.27.21.png

      Define Posture Check per OS

      Administrators can define different profiles or requirements for different operating systems within the same profile, or create separate profiles for each operating system.

      Each OS Profile can have one or more rules which must be met in order to gain access to Networks.

      Windows:

      1. Click Add OS to Profile
      2. Select and Define Rules

      You can pick one of the following options:
      Antivirus - the Harmony SASE agent will verify the presence of the selected Antivirus application.
      File-Exists - the Harmony SASE agent will verify the presence of a specific file in a specific path.
      Disk Encryption - the Harmony SASE agent will verify that the OS hard drive is encrypted.
      Certificate - the Harmony SASE agent will verify that a specific certificate's subject is installed on the device (in the local Windows CA store or macOS Keychain)
      Process Running - the Harmony SASE agent will verify that a specified process is running in the background. This can also be used to check Antiviruses that are not pre-defined under the Antivirus category.
      Registry - the Harmony SASE agent will verify a specific registry key.
      (Example: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\New Key)
      Windows Security Center - the Harmony SASE agent will verify the status of the selected Firewall, Antivirus, or Windows Security Center is showing as "Good".
      Active Directory Association - the Harmony SASE agent will verify the user's "logon_domain" matches what is specified in the rule (case-insensitive). Two domains are supported with an "OR" statement.
      Operating System version - the Harmony SASE agent will verify that the device is using an accepted version (equal to and/or higher than).

      1. Click on Add Rule to OS (if needed)
        Screen Shot 2021-03-09 at 9.05.36.png

      MacOS:

      1. Click Add OS to Profile
      2. Select and Define Rules

      You can pick one of the following options:
      Antivirus - the Harmony SASE agent will verify the presence of the selected Antivirus application.
      File-Exists - the Harmony SASE agent will verify the presence of a specific file in a specific path.
      Disk Encryption - the Harmony SASE agent will verify that the OS hard-drive is encrypted.
      Process Running - the Harmony SASE agent will verify that a specified process is running in the background. This can also be used to check Antiviruses which are not pre-defined under the Antivirus category.
      Certificate - the Harmony SASE agent will verify that a specific certificate is installed on the device (Mac Keychain).
      Operating System version - the Harmony SASE agent will verify that the device is using an accepted version (equal to and/or higher than).

      1. Click on Add Rule to OS (if needed)

      Screen Shot 2021-03-08 at 18.42.45.png

      Linux:

      1. Click Add OS to Profile
      2. Select and Define Rules

      You can pick one of the following options:
      Antivirus - the Harmony SASE agent will verify the presence of the selected Antivirus application.
      File-Exists - the Harmony SASE agent will verify the presence of a specific file in a specific path.
      Process Running - the Harmony SASE agent will verify that a specified process is running in the background. This can also be used to check Antiviruses which are not pre-defined under the Antivirus category.

      1. Click on Add Rule to OS (if needed)

      iOS:

      1. Click Add OS to Profile
      2. Select and Define Rules

      You can pick one of the following options:
      Allow - Mobile devices using the Harmony SASE application will be allowed into Networks.
      Deny - Mobile devices using the Harmony SASE application will be denied access into Networks.

      1. Click on Add Rule to OS (if needed)
        Screen Shot 2021-03-09 at 9.06.25.png

      Android / Chromebook:

      1. Click Add OS to Profile
      2. Select and Define Rules

      You can pick one of the following options:
      Allow - Mobile devices using the Harmony SASE application will be allowed into Networks.
      Allow Chromebook Only -Chromebooks using the Harmony SASE application will be allowed into Networks, while devices running Android will be denied.
      Deny - Mobile devices using the Harmony SASE application will be denied access into Networks.

      1. Click on Add Rule to OS (if needed)

      Recommendations

      1. Conduct a risk assessment to determine which posture checks are most critical for your organization.
      2. Regularly update your posture check settings to align with evolving security policies.

      Troubleshooting

      If you encounter issues during or after the setup, try reviewing your settings to ensure everything matches the instructions. In particular, check the IP addresses and other details you entered during setup. If issues persist, please consult our dedicated support.

      Support Contacts

      If you have any difficulties or questions, don't hesitate to contact Harmony SASE's support team. We offer 24/7 chat support on our website at Perimeter81.com, or you can email us at sase-support@checkpoint.com. We're here to assist you and ensure your VPN tunnel setup is a success


      Was this article helpful?