Device Trust Verification for Sandboxed Apps

Leverage the Banyan App to establish Device Trust to access apps whose authentication WebViews are unable to use the Banyan Device Certificate

This article describes features that are only available in the Banyan Enterprise edition.
This article describes features - Device Trust verification - that are currently in early preview. Contact your account team to enable these features for your organization and for further assistance.
This article describes features that require Banyan Desktop App v1.8+ and Banyan Mobile App v1.8+.

Overview

Banyan’s Zero Trust security policies rely on a Device Certificate stored securely on the device (in the Device Keychain on MacOS/iOS/Android and in the Certificate Store on Windows/Linux) to authenticate the device from which an end user is accessing a Service. Banyan’s TrustProvider component performs the Mutual Auth TLS handshake to receive the Device Cert from the device, extracts the device Serial Number from the Device Cert, uses the Serial Number to associate the request with Roles and a TrustScore, and then enforces Policy.

What are Sandboxed Apps?

Banyan’s policies work seamlessly for browser-based access because web browsers can consistently use the Device Certificate stored in the Device Keychain. However, many native applications on iOS/Android, and even on MacOS/Windows, use embedded web browsers called WebViews for authentication. These WebViews often do not have access to the Device Certificate on the device and so cannot perform the Mutual Auth TLS handshake with Banyan’s TrustProvider component. We refer to these types of apps as native “Sandboxed Apps” because the OS does not permit their authentication WebView to leave its “sandbox” to use the Device Certificate from the keychain.

Since Banyan does not receive a Device Cert from Sandboxed Apps, it is unable to associate the request with a specific device, even if the Banyan App (desktop or mobile) is installed on that device and a Device Cert is present in the Keychain. Therefore, Banyan typically cannot enforce Device Roles and TrustScoring based policies for such apps.

How It Works

When Device Trust Verification is enabled at the Org-level and at the Service-level, Banyan’s TrustProvider uses a modified (asynchronous) authentication flow.

In this modified authentication flow, the end user is presented with a challenge code when attempting to access a Banyan-protected service from a Sandboxed App.

The end user must copy the challenge code, and submit it via the Device Trust Verification tab in their Banyan App (desktop or mobile) to verify the device.

After submitting the challenge code and verifying their device, the end user returns to the Sandboxed App to authenticate with the IDP and access the Banyan-protected service. Banyan’s Device Trust Verification capability allows Device Roles and TrustScoring based policies for Sandboxed Apps.

Device Trust Verification and Unregistered Devices

As depicted in the diagram below, Device Trust Verification for Sandboxed Apps is closely related to Banyan’s handling of Unregistered Devices.

You can enable Device Trust Verification for your org in the Banyan Command Center. You can also adjust Device Trust Verification settings at the service level. The Service-level setting is useful for scenarios where you need to grant access from Unregistered Devices (say, from third-party contractors who cannot register their machines) to specific services.

Once you enable Device Trust Verification for Sandboxed Apps, the settings entered under Allow Unregistered Devices to Receive an HTTP Response (which let you provide a customized error message to Unregistered Devices) will no longer take effect. Instead, all requests from Unregistered Devices will receive the Device Trust Verification challenge.

Sharing the Challenge Code Across Devices

There is a known limitation in our current implementation of Device Trust Verification - users can take a challenge code provided to one device and enter it into another device they have registered with Banyan.

Currently, when an application presents you with the challenge code, it can be submitted into the Banyan App on any device that is registered to the user and authorized to access the application. This is because Banyan is unable to get the device certificate from Sandboxed Apps, so it can only ensure that the user has a registered device and should be able to access the application; it cannot ensure that the registered device is the one running the Sandboxed App.

However, Banyan still requires end users to authenticate with the configured IdP in order to access a protected service. Therefore, entering the challenge code on a separate device is not a security concern.


Setup at Organization-level

During the early preview phase, the Device Trust Verification feature needs to be explicitly enabled for your organization. Please contact us for assistance.


Setup at Service-level

This step will be updated soon; we will provide a checkbox in the UI to disable Device Trust Verification during service definition.

By default, if the Device Trust Verification is enabled for an organization, then it is also enabled on all services in the organization.

However, some organizations may disable Device Trust Verification to grant access for Unregistered Devices to specific services. This is especially useful for scenarios where you need to grant access from third-party contractors who cannot register their machines to specific services.

Service-level setup depends on the service type, either Hosted or SaaS.

Disable Device Trust Verification for Hosted Services

To disable Device Trust Verification for Hosted Services, you will modify the service JSON of an existing hosted service and create a custom service definition.

Review our article on how to modify the service JSON by converting to a Custom Service.

Set the suppress_device_trust_verification flag to true in the Service Spec under http_settings.oidc_settings. For example:

"oidc_settings": {
    "enabled": true,
    "service_domain_name": "https://hosted-service.example.com",
    "post_auth_redirect_path": "",
    "api_path": "",
    "suppress_device_trust_verification": true
}
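As an added example (not Banyan’s own tooling or API), the Python helper below applies the change above to a hosted service spec and, conversely, audits a set of specs for services where the flag is set, since each such service admits requests from Unregistered Devices without the challenge. It assumes the oidc_settings block sits at spec.http_settings.oidc_settings and that each spec carries a metadata.name; the sample specs are constructed for this example.

```python
import copy
import json

FLAG = "suppress_device_trust_verification"

# Constructed sample specs. Only the path spec.http_settings.oidc_settings
# comes from the article; metadata.name and the surrounding keys are assumed.
SAMPLE_SERVICES = [
    {"metadata": {"name": "hosted-service"},
     "spec": {"http_settings": {"oidc_settings": {
         "enabled": True,
         "service_domain_name": "https://hosted-service.example.com",
         "post_auth_redirect_path": "",
         "api_path": ""}}}},
    {"metadata": {"name": "contractor-portal"},
     "spec": {"http_settings": {"oidc_settings": {
         "enabled": True,
         "service_domain_name": "https://contractor-portal.example.com",
         "suppress_device_trust_verification": True}}}},
]


def suppress_device_trust_verification(service: dict) -> dict:
    """Copy of the spec with the flag set to true under
    spec.http_settings.oidc_settings; every other key is left untouched."""
    updated = copy.deepcopy(service)
    oidc = (updated.setdefault("spec", {})
                   .setdefault("http_settings", {})
                   .setdefault("oidc_settings", {}))
    oidc[FLAG] = True
    return updated


def is_verification_suppressed(service: dict) -> bool:
    """True only when the flag is boolean true at the documented path
    (a string "true" or a flag at the wrong nesting level does not count)."""
    oidc = service.get("spec", {}).get("http_settings", {}).get("oidc_settings", {})
    return oidc.get(FLAG) is True


def audit(services) -> list:
    """Names of services that skip the challenge and so admit Unregistered
    Devices; compare against the list you deliberately opened to contractors."""
    return sorted(s["metadata"]["name"] for s in services
                  if is_verification_suppressed(s))


if __name__ == "__main__":
    updated = suppress_device_trust_verification(SAMPLE_SERVICES[0])
    print(json.dumps(updated["spec"]["http_settings"]["oidc_settings"], indent=4))
    print("Device Trust Verification suppressed on:", audit(SAMPLE_SERVICES + [updated]))
```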

Disable Device Trust Verification for SaaS Apps

To disable Device Trust Verification for SaaS Apps, you will need to modify the attributes to set the suppress_device_trust_verification flag to true, and then push the updated spec.

Review our article on how to modify the service JSON for a SaaS App.

Last modified: Jun 17, 2021