Corporate Laptop on Home Network

wnofi
Level 1

I’m trying to configure my policies to make it as easy as possible for my users. I know, security shouldn’t be easy and may defeat the purpose of MFA.
My setup: Cisco Duo, Directory Sync to AD, protecting Google Workspace. We’re a school district.

A user has a district issued laptop. Uses it primarily on the district network, which I have marked as “Trusted Network” in my policy. When they bring the laptop home, I do not want them to have to get the Duo authentication prompt.

Basically I want to be able to “trust” these laptops. Is there a way to do that? Would the Duo Device Health app allow that to happen?

I do not want to enable “remember device”, because I don’t want them to trust their home machines, should they log in to Google on that and get prompted for Duo authentication.


raphka
Cisco Employee

Hi William_Nofi,
Welcome to the Duo community.

Trusted Networks would only work if you were to add the user's external home IP to Authorised Networks and ensure it remains static.

Trusted Endpoints with the Device Health App can be used to add an additional layer of security for authentication, but it cannot be used to bypass 2FA based on a Trusted Device. If a malicious actor were to gain access to or control of a Trusted Device, you would not want them to be able to authenticate without 2FA.

Unfortunately, with the current implementation of Duo policies it is not possible to create policy dependencies such as enabling Remembered Devices only for an Authorised Network or a Trusted Endpoint. However, this is a great idea and I have created a feature request for this functionality to be explored by our teams in the future.

Thanks for helping make Duo better!

In your instance, you can use Remembered Devices and lower the duration to an hour, for example, to minimise the risk if users were to use this to bypass sequential authentications from a home computer. Alternatively, go with the most secure route of forcing the user to authenticate with 2FA repeatedly from both their work and home machines.
