Is EMS still the only way to go for ensuring an SSL VPN authorized user doesn’t download and install the VPN client on a non-approved computer? We have other tools for EDR and RMM that I’d rather not swap out, so EMS’s pricing is a bit heavy just to ensure Bobby Tables doesn’t go install the FortiClient on his PornMachine2000 and tunnel into the corporate network.
I know this is something of an oldie, but all my google-fu results are a bit aged, so I just wanted to confirm this is still the case.
Issue a certificate so only those machines with a valid certificate can connect.
You could tie the VPN to EntraID using an external browser for SAML auth in the client.
Then, you could build your conditional access policies in Entra ID to only allow authentication from approved devices.
It also covers your MFA requirements because Entra ID can do that as well.
It’s been said already but a very easy way is to use SAML to Azure and then Conditional Access to corporate owned devices. As long as you have the correct license for Azure.
Certificate is one way, the other is a host check. It doesn’t exactly verify a machine, more the state it’s in, and there’s no EMS needed.
Awesome. Thanks! I think custom host check might do exactly what I want. Super appreciative, thanks!!
And what if I don’t want to allow ONLY cellphones (iOS and Android)?
It’s not foolproof, but I’ve used registry checks to confirm a computer is domain joined. I also like to have a file that is dropped on computers, somewhere in \windows, \programdata, \program files, with an obtuse name, and also check for that file. The filename is the same on all computers.
I like to add the file check because there’s enough info on the internet that a random user can probably string together enough info on creating the registry keys that you can check to see if a computer is domain joined, but they won’t really have a way to figure out the random file you are also checking to see if it exists.
Again, not foolproof by any means; certificate auth or something tied back to conditional access/managed devices is the best option, but this easily stops practically all of your users (except IT, who may know all the checks to reproduce) from connecting random machines over VPN.
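The registry-plus-marker-file host check described in the comment above, written out as a FortiGate CLI fragment (an added example, not from the thread or from Fortinet). The policy and portal names, the domain suffix and the marker file name are placeholders, and the exact "target" syntax for matching a registry value should be confirmed against your FortiOS version's CLI reference before use.

```fortios
# Added example, not from the thread: a FortiOS custom host check that
# requires BOTH a domain-join registry value AND a site-specific marker
# file, then attaches that check to an SSL VPN portal.
# The "key:value==data" form of the registry target is an assumption;
# confirm it against the CLI reference for your FortiOS version.
config vpn ssl web host-check-software
    edit "corp-device-check"
        set type fw
        config check-item-list
            edit 1
                # Require the TCP/IP domain suffix that domain join writes
                set action require
                set type registry
                set target "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters:Domain==corp.example.com"
            next
            edit 2
                # Require the marker file dropped by your own management
                # tooling; the file name here is a placeholder
                set action require
                set type file
                set target "C:\ProgramData\<placeholder-marker-name>.dat"
            next
        end
    next
end

# Bind the custom check to the tunnel portal; a client that fails either
# item is refused before the tunnel is established
config vpn ssl web portal
    edit "corp-tunnel"
        set host-check custom
        set host-check-policy "corp-device-check"
    next
end
```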
You can do this with a host check for OS, just load all the versions to allow, so a reverse of
As was said, this is not foolproof, it just fingerprints the device. But it’s the best you can do without EMS and agents.
Thanks. I will test it. We also have EMS clients and server. I have tried EMS tags, but users with smartphones can connect anyway (and then traffic is disabled).