Manage Device TrustScoring

How to configure for your organization and enable Policies that use Device TrustScores

This article describes features that are only available in the Banyan Business edition and Banyan Enterprise edition.

With the release of Banyan v2.51 (Nov-4-2020), we updated Trust Level logic so that the range for High Trust Level changed from 81-99 to 81-100 and AlwaysAllow changed from 100 to 101.

Overview

This topic outlines the different ways you can leverage Banyan’s Device TrustScore factors and external factors (such as third-party alerts or other mechanisms) to grant or block access to Banyan-secured resources.

Supported TrustScore Factors by Operating System

The table below lists all TrustScore Factors supported by specific operating systems.

TrustScore Factor macOS Windows Linux (Ubuntu) iOS Android
Auto Updates Enabled
Disk Encryption Enabled
Firewall Enabled *    
Not Jailbroken      
Preferred Applications    
Screen Lock Enabled  
Recent OS is Running
Threshold for Stale TrustScore

NOTE: On Linux, the Desktop App's firewall detection checks two things: that the ufw service is enabled (systemctl status ufw) and that ufw is active (sudo ufw status). A device gets credit for the Firewall TrustFactor only when both conditions are true. Because checking ufw status requires sudo, the user needs a sudoers entry that lets them run it without a password; otherwise the Banyan Desktop App cannot collect the firewall data. The simplest entry, <user_name> ALL=(ALL) NOPASSWD:ALL, works but grants that user passwordless root for every command. If the Desktop App issues exactly sudo ufw status, a rule scoped to that one command (for example <user_name> ALL=(root) NOPASSWD: /usr/sbin/ufw status, installed under /etc/sudoers.d with visudo) is sufficient and far safer; verify it on one device before rolling it out. If the Desktop App cannot collect the firewall data (for example, because passwordless sudo is not configured), it does not report this factor at all, and the factor is left out of the device's TrustScore calculation, so the device is not penalized.
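The two-condition check from the NOTE, reproduced as an added example that is not the Banyan Desktop App's own code. It assumes systemctl is-enabled ufw as the scriptable form of the "service enabled" check, and uses sudo -n so that a missing NOPASSWD rule fails immediately instead of hanging on a password prompt. Evaluation is separated from collection so the logic can be exercised with canned inputs on any machine.

```shell
#!/bin/sh
# Linux Firewall TrustFactor check (added example, not Banyan's code).
# Credit requires BOTH: ufw service enabled AND `ufw status` reporting active.
# If the status could not be collected, the factor is "not reported"
# (return 2) rather than failed (return 1), mirroring the NOTE above.

# Pure evaluation so it can be tested offline.
#   $1: output of `systemctl is-enabled ufw` (enabled / disabled / ...)
#   $2: output of `sudo ufw status` (first line "Status: active|inactive"),
#       or empty when sudo could not run it
# Returns 0 = credit, 1 = no credit, 2 = could not collect.
firewall_factor() {
    enabled="$1"
    status="$2"
    [ -n "$status" ] || return 2
    [ "$enabled" = "enabled" ] || return 1
    printf '%s\n' "$status" | grep -q '^Status: active' || return 1
    return 0
}

# Live collection. `sudo -n` never prompts: without a matching NOPASSWD
# sudoers rule it exits non-zero and we pass an empty status through
# (assumption: the Desktop App likewise omits the factor in that case).
collect_firewall_factor() {
    enabled=$(systemctl is-enabled ufw 2>/dev/null)
    status=$(sudo -n ufw status 2>/dev/null) || status=""
    firewall_factor "$enabled" "$status"
}

# Human-readable wrapper for ad-hoc use on a device.
report_firewall_factor() {
    collect_firewall_factor
    case $? in
        0) echo "firewall factor: credit" ;;
        1) echo "firewall factor: no credit (service disabled or ufw inactive)" ;;
        *) echo "firewall factor: not collected (passwordless sudo for ufw status missing?)" ;;
    esac
}
```

Run report_firewall_factor on a test device once with and once without the sudoers rule: the "not collected" branch is exactly the case in which the factor silently drops out of the TrustScore, which is easy to mistake for a passing check.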

Steps

1. Configure TrustScore Factors

TrustScore Factors serve as a required checklist for devices in your organization, effectively setting the bar for access to Banyan-secured services.

When configured alongside policies, TrustScore Factors allow granular access to individual services that require heightened security.

To configure the Device TrustScoring for your organization, navigate to Settings > TrustScore Settings > Device Scoring.

This page lists the available TrustScore Factors, including:

  • Auto Updates Enabled - The device automatically installs new versions of its Operating System. The device only gets credit if updates are automatically installed, but does not get credit simply for auto-checking for updates.
  • Disk Encryption Enabled - The device’s disk encryption is enabled.
  • Firewall Enabled (Desktop-only) - The device’s firewall is enabled.

Enabling firewall detection for the Linux versions of the Banyan Desktop App requires a few additional configurations. Please see the above NOTE for more information.

  • Not Jailbroken (Mobile-only) - The device is not rooted or jailbroken.
  • Screen Lock Enabled - Screen lock is enabled on the device (a Passcode, TouchID, FaceID or BiometricLock counts).

This page also lets you set a Threshold for Stale TrustScores. If a device has not submitted its TrustScore Factors for the specified number of hours, Banyan cannot compute an up-to-date TrustScore and automatically sets the device’s TrustScore to 0.

Preferred Applications Running (desktop-only) establishes a list of apps that must be running on devices in your organization. A device receives credit only when every preferred app is running; there is no partial credit for running a subset of them.

For more information, please see Add a Preferred App.

Recent Operating System is running sets the oldest allowed version of an OS.

2. Configure External Factors

The external factor acts as a ceiling: Banyan always enforces the stricter of the external Max Trust Level and the device’s own computed Trust Level. For example, if the external factor is AlwaysDeny but the Banyan Trust Level is Low, AlwaysDeny is enforced.

Using the Set Max Trust Level endpoint, you can incorporate external factors (such as a third-party SIEM or other security monitoring tool) to influence a device’s Trust Level in real time.

Configure your third-party tool to POST /set_max_trust_level with a query parameter identifying the device to update (Email or SerialNumber). Send the request headers Authorization: Bearer $AUTHTOKEN and Content-Type: application/json. The JSON payload contains Level (one of AlwaysDeny, Low, Medium, High, AlwaysAllow), Reason (an explanation displayed to the admin in the Command Center and to the end user in the Banyan App), and ExtSource (the name of the external source, such as CarbonBlack or CrowdStrike).

The example json below shows a payload sent from CarbonBlack to Banyan after discovering malware associated with a user and/or device.

{
    "Level": "AlwaysDeny",
    "Reason": "Known malware MWS-2019-9842 detected on device - quarantine action taken.",
    "ExtSource": "CarbonBlack"
}

In this example, the Banyan TrustScore automatically drops to 0 and the device cannot access Banyan-protected resources.

3. Apply Trust Level Settings to Policies

When configuring a policy, set it to only allow devices that meet the minimum required Trust Level:

  • No Trust Level - ignore TrustScore - Allows devices having any TrustScore.
  • High Trust Levels only - Allows devices having a TrustScore of 81 or greater (High, and AlwaysAllow at 101).
  • Medium or High Trust Levels Only - Allows devices having a TrustScore of 61 or greater.
  • Any Trust Level except “Always Deny” - Allows devices having a TrustScore of 1 or greater; only devices at AlwaysDeny (TrustScore 0) are blocked.
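Steps 2 and 3 together, as an added example rather than Banyan's own client code: it builds the Set Max Trust Level request exactly as described above, applies the "strictest level wins" rule, and evaluates a device's TrustScore against each policy setting. BASE_URL, the function names, the token and the e-mail address are assumptions for illustration; the Low = 1-60 range is inferred from the Medium and "except Always Deny" thresholds on this page.

```python
"""Set an external Max Trust Level and reason about the resulting access.
Added example, not Banyan's code: BASE_URL, helper names and sample values
are assumptions for illustration."""
import json
import urllib.request
from urllib.parse import urlencode

# Trust Levels from most to least restrictive. AlwaysDeny corresponds to
# TrustScore 0 and AlwaysAllow to 101 (the v2.51 ranges noted above).
LEVELS = ("AlwaysDeny", "Low", "Medium", "High", "AlwaysAllow")

# Assumed Command Center API base URL; replace with your organization's.
BASE_URL = "https://net.banyanops.com/api/v1"

# Minimum TrustScore each policy Trust Level setting admits (Step 3).
POLICY_MIN_SCORE = {
    "no_trust_level": 0,            # ignore TrustScore
    "high_only": 81,
    "medium_or_high": 61,
    "any_except_always_deny": 1,
}


def build_request(token, level, reason, ext_source, email=None, serial_number=None):
    """Build (but do not send) POST /set_max_trust_level for one device."""
    if level not in LEVELS:
        raise ValueError(f"unknown Trust Level {level!r}, expected one of {LEVELS}")
    if (email is None) == (serial_number is None):
        raise ValueError("identify the device by exactly one of Email or SerialNumber")
    query = urlencode({"Email": email} if email is not None
                      else {"SerialNumber": serial_number})
    body = json.dumps({"Level": level, "Reason": reason,
                       "ExtSource": ext_source}).encode("utf-8")
    return urllib.request.Request(
        f"{BASE_URL}/set_max_trust_level?{query}",
        data=body,
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
    )


def send(req, timeout=10):
    """Send a built request; returns (HTTP status, decoded body). Network call."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


def effective_level(external_level, banyan_level):
    """The external value is a ceiling: the stricter of the two levels wins."""
    return min(external_level, banyan_level, key=LEVELS.index)


def score_to_level(score):
    """Map a TrustScore to its Trust Level using the ranges on this page."""
    if score <= 0:
        return "AlwaysDeny"
    if score <= 60:
        return "Low"        # inferred: below the Medium threshold of 61
    if score <= 80:
        return "Medium"
    if score <= 100:
        return "High"
    return "AlwaysAllow"    # 101 after v2.51


def policy_allows(policy, score):
    """Does a policy with the given Trust Level setting admit this TrustScore?"""
    return score >= POLICY_MIN_SCORE[policy]


if __name__ == "__main__":
    # The CarbonBlack scenario from the page, with a constructed token/e-mail.
    req = build_request(
        "EXAMPLE_TOKEN", "AlwaysDeny",
        "Known malware MWS-2019-9842 detected on device - quarantine action taken.",
        "CarbonBlack", email="alice@example.com")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    # Device was High (score 90) before the alert; AlwaysDeny now wins.
    print(effective_level("AlwaysDeny", score_to_level(90)))
    print(policy_allows("any_except_always_deny", 0))
```

Only send() touches the network; build_request is deliberately separate so the URL, headers and payload your SIEM will emit can be inspected (or unit-tested) before an integration is allowed to push AlwaysDeny to real devices.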


Last modified: May 11, 2021