Managed, Registered, and Unregistered Devices

Configure access for Managed, Registered, and Unregistered Devices within the Banyan Command Center

Motivation

Google’s BeyondCorp security model promotes the concept of a “Managed Device,” which is a device that is procured and actively managed by the enterprise. In Google’s BeyondCorp, only managed devices can access corporate applications. A device tracking and procurement process revolving around a device inventory database is one cornerstone of this model.

Similarly, Banyan espouses a security model where corporate applications should only be accessed by Registered Devices.

Registered and Unregistered Devices

Registered Devices are desktops (macOS, Windows, Linux) and mobile devices (iOS, Android) that have a Trusted Device Certificate in their keychain.

Unregistered Devices are desktops and mobile devices that do not have a Trusted Device certificate in their keychain.

A device can obtain a Trusted Device Certificate by:

  • Installing the Banyan App to register the device
  • Installing a Trusted Device Certificate via a Device Manager

Manage Registered and Unregistered Devices

By default, Banyan’s TrustProvider component only responds to Registered devices. If a device is unregistered and attempts to make a TLS connection, Banyan drops the connection and the device cannot access Banyan-secured applications and services.

However, in some scenarios (such as incremental rollout of the Banyan App or exposing certain services to Unregistered devices), you need to relax the Device Certificate requirement to allow access to Unregistered devices.

Registered and Unregistered device access is managed in the Banyan Command Center, both at the organization level and at the service level.

Additionally, the Banyan Command Center lists your organization’s unregistered devices on the Directory & Infrastructure page and displays a count of them on the Banyan Reporting page.

Organization-level settings

At the most general level, you can create a policy for your entire organization.

An organization-level policy is applied to all apps and services configured for your organization, and may be superseded by policies set at the service level.

To configure organization-level settings:

  1. Log in to your instance of the Banyan Command Center.

  2. Navigate to Settings > TrustProvider Settings > Unregistered Devices.

The Allow Unregistered Devices to Access Services section lets an Unregistered Device access Banyan-secured services as long as it has an IP address in the CIDR ranges you enter. Connections from these CIDR ranges are accepted and forwarded to the Identity Provider for user authentication. The generated Trust Token will not have any device claims, meaning it cannot be associated with a specific device.

The Allow Unregistered Devices to Receive an HTTP Response section allows you to customize either a:

  • 401 Unauthorized error message.
  • 302 Redirect URL to a custom URL.

As long as the Unregistered device has an IP address in the CIDR range you enter, it will receive the configured HTTP status code: either a custom message presented to the device user (such as “Please install the Banyan App and register your device”) or a redirect to the configured redirect URL.

Service-level settings

If you have configured Allow Unregistered Devices to Access Services for your organization, you can configure service-level settings to grant only Registered devices access to individual apps and services. You simply create a role that only applies to Registered devices. Then, you apply that role to specific apps and services so that only Registered devices are granted access.

Create role

To create a role that only applies to Registered devices:

  1. Log in to your instance of the Banyan Command Center.

  2. Navigate to Secure Access > Roles and then click + Add Role.

  3. Select User Role.

  4. Enter a Role Name and Description.

  5. Click + Add Role Attribute and then select By Device Registration.

  6. Click Add Role.

Create policy

To create a policy that allows access only to Registered devices:

  1. Navigate to Secure Access > Policies and then click + Create Policy.

  2. Select the Basic Authorization Policy for Users template.

  3. Configure the applicable fields and then select the Registered Devices role created in step 6 above.

If a Policy is configured with a Trust Level (e.g., High, Medium, AlwaysDeny), it will automatically block all Unregistered Devices (because Banyan cannot compute a TrustScore for those devices) regardless of the Org-level or Service-level Settings.

  4. Click Create Policy.

That’s it! Now, only devices having a Trusted Device Certificate will be able to access the service.
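The following is an added model of how the organization-level CIDR settings, the Registered Devices role and a Trust Level policy combine for one connection attempt, as described above. It is illustrative code written for this page, not Banyan's implementation; the class and function names are assumptions, and the precedence between the two CIDR lists is an assumption stated in the comments.

```python
# Added model of this page's access rules for unregistered devices. It is not
# Banyan's code; class and function names are assumptions for illustration.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class OrgSettings:
    """Org-level TrustProvider Settings > Unregistered Devices (modelled)."""
    allow_cidrs: list = field(default_factory=list)     # Allow ... to Access Services
    response_cidrs: list = field(default_factory=list)  # Allow ... to Receive an HTTP Response
    response_mode: str = "401"                          # "401" or "302"
    redirect_url: Optional[str] = None                  # used when response_mode == "302"


@dataclass
class ServiceSettings:
    """Service-level role and policy that apply to one app or service (modelled)."""
    require_registered_role: bool = False      # role attribute "By Device Registration"
    policy_trust_level: Optional[str] = None   # e.g. "High", "Medium", "AlwaysDeny"


def _in_any(src_ip: str, cidrs: list) -> bool:
    addr = ip_address(src_ip)
    return any(addr in ip_network(c, strict=False) for c in cidrs)


def decide_access(has_device_cert: bool, src_ip: str, org: OrgSettings, svc: ServiceSettings) -> str:
    """Return the outcome for one connection attempt as a short string."""
    if has_device_cert:
        return "allow"  # Registered device: normal policy and TrustScore evaluation
    # Unregistered device: which org-level CIDR list (if any) matches decides the path.
    # Assumption: an address present in both lists is treated as allowed to access.
    if _in_any(src_ip, org.allow_cidrs):
        # Connection accepted and forwarded to the IdP; the Trust Token has no device claims.
        if svc.policy_trust_level is not None:
            return "deny"  # no TrustScore can be computed for an unregistered device
        if svc.require_registered_role:
            return "deny"  # the service policy only grants the Registered Devices role
        return "allow-no-device-claims"
    if _in_any(src_ip, org.response_cidrs):
        if org.response_mode == "302" and org.redirect_url:
            return "302 " + org.redirect_url
        return "401"
    return "drop"  # default: the TLS connection is dropped
```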

View Total Unregistered Devices

The Banyan Reporting page shows a high-level breakdown of unregistered devices. Under the Devices tile, click Unregistered to dig deeper into unregistered devices in your directory.

This appears only if Unregistered Devices are allowed at the Organization level.

Registered and Unregistered Device Directory

View a complete list of unregistered devices and their associated users in the Banyan Command Center by navigating to Directory & Infrastructure > Devices > Unregistered Devices.

Last modified: Mar 25, 2021