Restrict web application access only to managed devices or trusted endpoints


By Centrify Advisor IV ‎02-08-2017 12:02 PM


This article shows how to secure access to a web application by allowing access only from devices enrolled in Centrify MDM, or by prompting for multi-factor authentication when the user connects from a non-managed device.


Enroll your device into Centrify MDM


Configure policies

1. Log into the Centrify Admin Portal.


2. On the left, navigate to Core Services > Policies, then edit an existing policy by clicking on the name of the policy or create a new one by clicking Add Policy Set.


[Screenshot: Select policy set]


3. In the policy, go to Login Policies > Centrify Portal. Scroll down to the section called Other Settings.


[Screenshot: ZSO settings]

   a) Uncheck "Allow IWA connections (bypasses authentication rules and default profile)".

   b) Check the following two boxes:

      - Use certificates for authentication (bypasses authentication and default profile).

      - Connections using certificate authentication satisfy all MFA mechanisms.

   c) Press Save.


4. Edit your web application and select Policy from the left column, then click Add Rule.


[Screenshot: Add policy]


5. When a new window appears, click Add Filter.


[Screenshot: Add filter]



6. Select Managed Device and desired condition, then click Add.


[Screenshot: Filter condition policy]



7. Select an Authentication Profile for devices that match the filter: either - Not Allowed - or a predefined authentication profile that performs multi-factor authentication before granting access to the web application.


[Screenshot: Filter authentication profile]


8. Set the Default Profile to - Always Allow - or to a predefined authentication profile that performs multi-factor authentication for users on managed devices.

9. Press Save when your configuration is complete.
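The way the rule and default profile from steps 6 to 8 combine can be modelled in a few lines. The following is an added example written for this article, not Centrify code: it evaluates rules in order, falls back to the Default Profile when no filter matches, and treats certificate-authenticated (enrolled) connections as satisfying MFA, as the setting in step 3b specifies. The `Rule`, `Request` and `decide` names and the sample rule set are constructed for illustration.

```python
"""Model of the app-policy decision configured above (added example, not Centrify code).
Rules are evaluated in order; the first rule whose filters all match selects the
authentication profile.  If no rule matches, the application's Default Profile applies.
"- Not Allowed -" denies outright, "- Always Allow -" grants without a challenge, and any
other profile name stands for a multi-factor challenge.  A device that authenticated with
its enrolled certificate satisfies every MFA mechanism (step 3b)."""
from dataclasses import dataclass

NOT_ALLOWED = "- Not Allowed -"
ALWAYS_ALLOW = "- Always Allow -"


@dataclass
class Rule:
    filters: dict        # e.g. {"managed_device": False}; every entry must match
    auth_profile: str    # profile assigned when the filters match


@dataclass
class Request:
    managed_device: bool       # device is enrolled in Centrify MDM
    cert_auth: bool = False    # authenticated with the device certificate (ZSO)


def select_profile(req: Request, rules: list, default_profile: str) -> str:
    """Return the authentication profile the policy assigns to this request."""
    for rule in rules:
        if all(getattr(req, key) == value for key, value in rule.filters.items()):
            return rule.auth_profile
    return default_profile


def decide(req: Request, rules: list, default_profile: str) -> str:
    """Reduce a request to 'deny', 'allow' or 'mfa' under the configured policy."""
    profile = select_profile(req, rules, default_profile)
    if profile == NOT_ALLOWED:
        return "deny"                  # an explicit block is never bypassed
    if profile == ALWAYS_ALLOW or req.cert_auth:
        return "allow"                 # certificate auth satisfies all MFA mechanisms
    return "mfa"                       # a named profile means a step-up challenge


# Constructed sample policy from steps 6 to 8: unmanaged devices are blocked,
# managed devices fall through to the Default Profile.
RULES = [Rule({"managed_device": False}, NOT_ALLOWED)]
```

Swapping the rule's profile for a named MFA profile gives the other variant from step 7, where unmanaged devices are challenged rather than blocked.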


Other settings to consider:

By wlgdevos
on ‎02-22-2017 01:36 PM

How can you make an exception for domain joined Windows 10 laptops granting those "unmanaged" devices access and denying all other unmanaged devices?

By Centrify Advisor IV
on ‎02-22-2017 01:58 PM

We are in the works for adding the ability to "enroll" Windows 10 devices. Just no promises on when. 


In the meantime, maybe you can select: browser equals Microsoft Edge. But this doesn't detect if the OS is domain joined or not, or what if they want to use a different browser. Unless someone in the community has some JavaScript skills that can edit the script to detect if the machine is domain joined.

By Centrify Advisor IV
on ‎07-07-2017 12:43 PM

The article has now been updated with the link to instructions for enrolling Windows 10 devices. 
