We have a tight global policy where we block browsers that are more than two weeks out of date. We also use OneLogin as our SAML provider and have it configured to use Duo for 2FA.
The Slack application for both Mac and Windows uses an embedded version of Chrome. When our users open Slack, they log in using their OneLogin account. They are then taken to the Duo approval part and are blocked because the version of Chrome used in Slack is more than four months out of date.
Contacting the Slack support team, they responded with:
Unfortunately, while Slack does its best to keep up with Chrome, we're usually a release or two behind. You'll need to either whitelist Duo or disable / warn-only browser checks. We consider this an acceptable trade-off because Slack is not a general purpose browser (i.e. it's not navigating to my-cool-news.ru, only Slack.com). We can mitigate security issues with our app on the server side by detecting and censoring malicious content (i.e. content attempting to exploit the desktop app) far faster than we can by shipping new releases of the Desktop app, unlike the General Purpose Web.
Slack is guaranteed to have the User Agent string "Slack/", if you want to set up Duo's whitelist to ignore this entirely. The right-hand side is also guaranteed to be a semver-compatible string if you want to require people to run the latest version of the Slack Desktop app in order to connect.
So what are my options here?