Support for automatic device quarantine with manual administrator approval (Completed)

Darren White

We would like Timus to support a new device quarantine. The exact mechanism could be changed, but one method could be an automatically applied device tag when a new device is connected.

The elements we are looking for:

  • A (valid) user can login from a new device.
  • While the device is not approved, the device should not be allowed to pass traffic. (Optionally, allow the device to connect but tag it so that a firewall rule can be added blocking some or all traffic to/from devices with the quarantine tag)
  • The device (if not already known/approved) would be visible for administrators to mark as approved.
  • Once a device is marked approved, it should be recognized without needing re-approval, even if the user logs out of Timus and another user logs in from the same device. (The device would be known by some unique fingerprint that does not change when different users connect, or possibly even when the OS is reinstalled)
  • Devices should be able to be removed or re-quarantined, such that a new connection from the device will again require administrator approval.

This is different from the Timus Agent Telemetry Checks or other endpoint health checks. A device could meet endpoint checks and manual approval would still be desirable, or there may not be an endpoint check that can determine exactly what we consider to be an approved device so we need to resort to a manual approval method.

Ideally, once a device is approved there would not need to be another login attempt, or only minimal action would be required from the end user. (Just click connect, or the agent is already connected but it is just bypassing all traffic, and the routing changed automatically to allow traffic to pass through the tunnel.)
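The workflow the post asks for, modelled as a small registry, is sketched below as an added example; it is not Timus code and every name in it (the registry class, the hardware attribute names fed into the fingerprint, the "quarantine" tag) is a hypothetical illustration. It shows the security-relevant properties: identity is derived from user-independent attributes, unknown devices default to deny, approval survives a change of user, and re-quarantine or removal forces a fresh approval.

```python
import hashlib
import json
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional

class DeviceState(Enum):
    PENDING = "pending"    # quarantined: may connect, but no traffic passes
    APPROVED = "approved"  # administrator approved: traffic allowed

@dataclass
class DeviceRecord:
    fingerprint: str
    state: DeviceState
    last_user: Optional[str] = None  # informational only; never part of the identity

def device_fingerprint(attrs: Dict[str, str]) -> str:
    """Stable identity from user-independent hardware attributes (hypothetical names)."""
    return hashlib.sha256(json.dumps(attrs, sort_keys=True).encode()).hexdigest()

class QuarantineRegistry:
    """Devices keyed by fingerprint; an unknown fingerprint starts in quarantine."""
    def __init__(self) -> None:
        self._devices: Dict[str, DeviceRecord] = {}
    def connect(self, fingerprint: str, user: str) -> DeviceRecord:
        """Run on every login: a new device is quarantined, a known device keeps its
        state no matter which user is logging in."""
        rec = self._devices.setdefault(fingerprint, DeviceRecord(fingerprint, DeviceState.PENDING))
        rec.last_user = user
        return rec
    def approve(self, fingerprint: str) -> None:
        self._devices[fingerprint].state = DeviceState.APPROVED
    def requarantine(self, fingerprint: str) -> None:
        """Back to quarantine: the next connection needs administrator approval again."""
        self._devices[fingerprint].state = DeviceState.PENDING
    def remove(self, fingerprint: str) -> None:
        """Forget the device; the next connection is treated as brand new."""
        self._devices.pop(fingerprint, None)
    def may_pass_traffic(self, fingerprint: str) -> bool:
        """Default deny: only an APPROVED device gets traffic through the tunnel."""
        rec = self._devices.get(fingerprint)
        return rec is not None and rec.state is DeviceState.APPROVED
    def firewall_tag(self, fingerprint: str) -> str:
        """Tag a firewall rule can match on (the post's optional tag-based variant)."""
        return "approved" if self.may_pass_traffic(fingerprint) else "quarantine"
    def pending(self) -> List[str]:
        """Fingerprints waiting for administrator review."""
        return [fp for fp, r in self._devices.items() if r.state is DeviceState.PENDING]
```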

Comments

4 comments

  • Eda Ercan (Official comment)

    Thanks for the suggestion, we now support this workflow through Device Approval Requests.

    When enabled from Devices → Approval Requests → Settings, any new device that hasn’t been registered to your organization is held for administrator review before it can join. The device appears in Approval Requests with Pending status and remains there until you approve or reject it.

    For step-by-step setup and the full workflow, visit Device Approval Requests (Beta).

  • Kevin Fagan

    Thank you for bringing this up.

    With the infrastructure that will be implemented with further ZTNA features, it is indeed feasible to support automatic device quarantine with manual administrator approval. However, we are currently in the evaluation phase and need to assess the technical requirements and potential challenges. Our goal is to complete these changes by the end of Q2, but this timeline may be subject to change as we progress through the evaluation and development stages.

  • Dru DuBay

    This is something I would like to see as well. The core of my need is manual device approval, however that is done.

  • Kevin Fagan

    This is coming with Adaptive ZTNA. Start of Q4.

