Restrict web application access only to managed devices

By Centrify Advisor II ‎02-08-2017 12:02 PM

This article will show you how to only allow access to a web application from a device that has been enrolled into Centrify's MDM. Please note these instructions may change in the future.


Enroll your device into Centrify MDM


Configure your web application

1. Log into the Centrify Admin Portal.

2. Edit your web application and select Policy from the left column.




3. In the right pane, select the checkbox "Use script to specify login authentication rules (configured rules are ignored)", then click the Load Sample button. A new window will appear.




4. Select the option "require strong auth for unmanaged devices.js", then click the Load button.




5. In the policy script, change the value for policy.RequiredLevel to 0. This will deny access from devices that are not managed by Centrify.




6. Set the Default Profile to Always Allow, or to a predefined authentication profile to require multi-factor authentication for access to the web application. This determines if the user is logging in from a managed device. Press Save when your configuration is complete.




To restrict web application access based on time, location, or other device conditions:

See instructions.

By wlgdevos
on ‎02-22-2017 01:36 PM

How can you make an exception for domain joined Windows 10 laptops granting those "unmanaged" devices access and denying all other unmanaged devices?

By Centrify Advisor II
on ‎02-22-2017 01:58 PM

We are working on adding the ability to "enroll" Windows 10 devices. Just no promises on when.


In the meantime, maybe you can select: browser equals to MicrosoftEdge. But this doesn't detect if the OS is domain joined or not, or what if they want to use a different browser. Unless someone in the community has some JavaScript skills that can edit the script to detect if the machine is domain joined.
