Device Posture

Device Posture allows you to specify the posture and authentication requirements for a device. If the requirements are not met, the Harmony Connect Agent on the device is disconnected and access to the internet and your corporate network is blocked.

Desktop Device Posture

Desktop Device Posture allows you to specify a set of posture policies for the device (Windows and macOS). If any one of the policy requirements fails, the Harmony Connect Agent on the device is disconnected with the security state Your Device Has Compliance Issues and access to the internet and your corporate network is blocked.

The system validates the specified posture policy requirements each time a user logs in to the Harmony Connect Agent, and then at one-hour intervals. To view the compliance status of devices, see Compliance Logs.

Notes:

  • The Desktop Device Posture settings apply only to Harmony Connect Agent v1.4.0 and higher. For older versions, the system applies the last configured setting of the previously available Access Conditions (Antivirus is active and up-to-date and Domain List).

  • All requirements are enforced immediately, except the Internet Access requirement, which is enforced within four hours or the next time the user logs in to the Harmony Connect Agent.

Supported Posture Policy Checks

Posture Requirement                                                                     Windows   macOS
Specific or any Anti-Virus software is active and up to date on the device.*            Yes       Yes
Minimum OS version is running on the device.                                            Yes       Yes
The device is compliant according to the Check Point Harmony Endpoint Security client.  Yes       Yes
Specific or any firewall is active and up to date on the device.*                       Yes       No
The device has the specified Windows OS patches installed.                              Yes       N/A
Check for required or banned files on the device.                                       Yes       Yes
Check for required or banned registry keys and values on the device.                    Yes       Yes
Check for required or banned processes on the device.                                   Yes       Yes
The hard drive on the device is encrypted.                                              Yes       Yes
A valid device certificate, trusted by an uploaded CA, is installed.                    Yes       Yes

* The supported third-party Firewall and Anti-Virus software are:

Windows                        macOS
Avast                          Avast
Bitdefender                    AVG
Broadcom (Symantec)            Avira
Check Point Harmony Endpoint   Bitdefender
Cisco                          Symantec Endpoint Protection
CrowdStrike                    CrowdStrike
Cybereason                     Dr.Web
Kaspersky                      Check Point Harmony Endpoint
McAfee                         Kaspersky
Microsoft                      McAfee
Norton 360                     ESET
SentinelOne                    Norton 360
Sophos                         PcProtect
Trellix                        ScanGuard
TrendMicro
Vmware Carbon Black

Simulation Mode

Simulation mode allows you to simulate (test) your posture policy configuration before you enforce it. The simulation result shows the compliance status of the connected devices, so you can decide whether to enforce the posture policy as-is or modify it first.

To simulate the device posture policy requirements:

  1. Click Policy > Access Control > Device Posture > Desktop Device Posture.

  2. Turn on the Simulation mode toggle button.

    Notes

    • In simulation mode, the system switches to the default simulation settings.

    • Internet Access and Device Authentication are disabled for the simulation.

  3. Specify the posture requirements. Refer to Specifying the Posture Policy.

  4. Click Save & Simulate.

    The system takes a few minutes to complete the simulation. When the simulation is complete, it sends an email with the compliance status and attaches the report in .csv format.

  5. Turn off the Simulation mode toggle button.

    The system reverts to the pre-simulation-mode posture settings.

Specifying the Posture Policy

Note - The characters / \ : ; & % * ? < > { } [ ] are not supported in any field except Domain List > Domain Name and Required keys > Value.

  1. Click Policy > Access Control > Device Posture > Desktop Device Posture.

  2. Toggle Enforce desktop device posture for users with Harmony Connect Agent to On.

  3. Specify whether a non-compliant device keeps or loses internet access:

    • Allow secured internet access if the device is not compliant

    • Block internet access if the device is not compliant

  4. To specify the domain requirements, under Domain List:

    1. Select The device belongs to the following domain(s).

    2. In the Domain List table, enter the domain address and click +. To add multiple domains, repeat the step.

      Notes:

      • ! @ # $ % ^ & * ( ) + = [space] characters are not supported.

      • Maximum character limit is 64.

      • Must be separated by '.'.

    3. Click Apply Changes.

  5. To specify the posture requirements for Windows-based endpoints, expand Windows Posture Policy:

    Note - The characters / \ : ; & % * ? < > { } [ ] are not supported in any field except Required keys > Value.

    1. Toggle Enforce device posture for Windows OS to On.

    2. To verify that the specified Anti-Virus software is installed, up-to-date and running on the endpoint, select the Antivirus is active and up-to-date checkbox and, from the list below, select the Anti-Virus software products.

      Note - If you select Any, then the system verifies that any Anti-Virus software, regardless of the ones specified in the list, is installed, up-to-date and running on the endpoint.

    3. To verify that the specified Windows OS version or higher is running on the endpoint, select the Windows OS minimum version checkbox and, from the list, select the OS version.

    4. To verify that the endpoint is compliant according to the Harmony Endpoint Security Client, select the Device is compliant according to Check Point Harmony Endpoint checkbox.

      Note - This applies only to endpoints with the Harmony Endpoint Security Client installed.

    5. To verify that at least one of the specified firewalls is installed and active on the endpoint, select the Firewall is active checkbox and, from the list below, select the firewall software products.

    6. To verify that the endpoint has the specified Windows patches installed, select the Installed Windows patches checkbox, and in the Windows patches list table, enter the Windows patch name and click +. To add multiple Windows patches, repeat the step.

    7. To verify that hard drives in the endpoint are encrypted, select the Check disk encryption checkbox, and select All disks should be encrypted or At least one disk should be encrypted.

    8. To verify that certain files exist or do not exist (banned) in the specified path on the endpoint, select the Check files checkbox and click Required files or Banned files:

      1. Click +.

      2. In the Name field, enter the file name.

      3. In the Path field, enter the path with forward slash. For example, C:/user/test.

      4. Click Add.

      5. Click OK to close the window.

    9. To verify that certain registry keys exist or do not exist (banned) on the endpoint, select the Check registry keys checkbox and click Required keys or Banned keys:

      1. Click +.

      2. In the Name field, enter the full registry key path. It must start with HKEY and must not end with \. For example, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\Endpoint Security\Antex\InstallDir.

      3. (Optional) In the Value field, enter the value of the registry key.

      4. Click Add.

      5. Click OK to close the window.

    10. To verify that certain processes are running or not running (banned) on the endpoint, select the Check running processes checkbox and click Required processes or Banned processes:

      1. Click +.

      2. In the Name field, enter the process name with the extension .exe. For example, notepad.exe.

        Note - To get the process name and path:

        1. Open Task Manager.

        2. Right-click the process.

        3. Click Properties.

      3. (Optional) In the Path field, enter the path with forward slash. For example, C:/Windows/System32.

      4. Click Add.

      5. Click OK to close the window.

    11. Click Apply Changes.

  6. To specify the posture requirements for macOS-based endpoints, expand Mac Posture Policy:

    Note - The characters / \ : ; & % * ? < > { } [ ] are not supported in any field except Required keys > Value.

    1. Toggle Enforce device posture for Mac OS to On.

    2. To verify that the specified Anti-Virus software is installed and running on the endpoint, select the Any of the following endpoint's antivirus products is active checkbox and, from the list below, select the Anti-Virus software products.

      Notes:

      • This is supported only with the Harmony Connect Agent version 1.5.0 or later.

      • If you select Any, then the system verifies that at least one of the Anti-Virus software products in the list is installed and running on the endpoint.

    3. To verify that the specified macOS version or higher is running on the endpoint, select the Mac OS minimum version checkbox and, from the list, select the OS version.

    4. To verify that the endpoint is compliant according to the Harmony Endpoint Security Client, select the Device is compliant according to Check Point Harmony Endpoint checkbox.

      Note - This applies only to endpoints with the Harmony Endpoint Security Client installed.

    5. To verify that hard drives in the endpoint are encrypted, select the Check disk encryption checkbox, and select All disks should be encrypted or At least one disk should be encrypted.

    6. To verify that certain files exist or do not exist (banned) in the specified path on the endpoint, select the Check files checkbox and click Required files or Banned files:

      1. Click +.

      2. In the Name field, enter the file name.

      3. In the Path field, enter the path with forward slashes. For example, /Users/test.

      4. Click Add.

      5. Click OK to close the window.

    7. To verify that certain processes are running or not running on the endpoint, select the Check running processes checkbox and click Required processes or Banned processes:

      1. Click +.

      2. In the Name field, enter the process name.

      3. (Optional) In the Path field, enter the path with forward slashes. For example, /usr/bin.

      4. Click Add.

      5. Click OK to close the window.

    8. Click Apply Changes.

  7. To view a log of changes made to the Desktop Device Posture settings, go to Global Settings > Audit Logs.

  8. To view the compliance status of all devices in the organization, go to Assets > Users > View > Trusted Devices and view the Device Posture column:

    • Compliant

    • Not Compliant – Click to view the reasons and fix them.

    • Not Required - If the Desktop Device Posture feature is disabled.
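The Windows posture checks above are evaluated by the agent and reported in the portal, but before enforcing a policy it helps to run the equivalent checks locally on a candidate device and see which ones would fail. The following PowerShell script is an added example, not Check Point code, and does not use the agent; it mirrors the Windows requirements (Anti-Virus, minimum OS version, patches, disk encryption, files, registry keys, processes) with standard Windows cmdlets. The policy values at the top (OS build, KB numbers, paths, key, process names) are assumptions for illustration; replace them with what you configure in the portal.

```powershell
# Added example (not Check Point's own code): local pre-check of the Windows
# posture requirements described above. All values in $Policy are assumed.
$Policy = @{
    MinOsVersion      = [version]'10.0.19044'
    RequiredPatches   = @('KB5034122')                     # assumed KB identifiers
    DiskEncryption    = 'All'                              # 'All' or 'AtLeastOne'
    RequiredFiles     = @('C:/Windows/System32/drivers/etc/hosts')
    BannedFiles       = @('C:/Users/Public/mimikatz.exe')
    RequiredKeys      = @(@{ Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentMajorVersionNumber'; Value = 10 })
    RequiredProcesses = @(@{ Name = 'explorer.exe'; Path = 'C:/Windows' })
    BannedProcesses   = @(@{ Name = 'mimikatz.exe'; Path = $null })
}

function Test-AntiVirusActive {
    # Security Center lists registered AV products with a productState bitmask.
    # Assumption (widely used, not formally documented by Microsoft):
    # bit 0x1000 = real-time protection on, bit 0x10 = signatures out of date.
    # Server SKUs have no root/SecurityCenter2 namespace, so the query may return nothing.
    $products = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    foreach ($p in $products) {
        $enabled = ($p.productState -band 0x1000) -ne 0
        $current = ($p.productState -band 0x10) -eq 0
        if ($enabled -and $current) { return $true }
    }
    return $false
}

function Test-MinimumOsVersion([version]$Minimum) {
    # Win32_OperatingSystem.Version reports the real build (e.g. 10.0.19045).
    return ([version](Get-CimInstance Win32_OperatingSystem).Version -ge $Minimum)
}

function Test-PatchesInstalled([string[]]$KBs) {
    # Get-HotFix only sees updates registered with Windows Update; a KB that was
    # superseded by a later cumulative update will not match, so require carefully.
    foreach ($kb in $KBs) {
        if (-not (Get-HotFix -Id $kb -ErrorAction SilentlyContinue)) { return $false }
    }
    return $true
}

function Test-DiskEncryption([string]$Mode) {
    # Needs an elevated session and the BitLocker module (Pro/Enterprise SKUs).
    $volumes = @(Get-BitLockerVolume -ErrorAction SilentlyContinue)
    if ($volumes.Count -eq 0) { return $false }
    $on = @($volumes | Where-Object { $_.ProtectionStatus -eq 'On' })
    if ($Mode -eq 'All') { return ($on.Count -eq $volumes.Count) }
    return ($on.Count -ge 1)
}

function Test-Files([string[]]$Required, [string[]]$Banned) {
    # Forward slashes, as the portal expects, are accepted by Test-Path on Windows.
    foreach ($f in $Required) { if (-not (Test-Path -LiteralPath $f -PathType Leaf)) { return $false } }
    foreach ($f in $Banned)   { if (Test-Path -LiteralPath $f -PathType Leaf) { return $false } }
    return $true
}

function Test-RegistryKeys($Required) {
    # The portal takes a full HKEY_... path whose last segment may be a value
    # name (as in the InstallDir example above). Translate to drive syntax and
    # accept either a key or a value with that name; compare data if given.
    foreach ($r in $Required) {
        $path   = $r.Key -replace '^HKEY_LOCAL_MACHINE\\', 'HKLM:\' -replace '^HKEY_CURRENT_USER\\', 'HKCU:\'
        $parent = Split-Path -Path $path -Parent
        $leaf   = Split-Path -Path $path -Leaf
        $prop   = Get-ItemProperty -LiteralPath $parent -Name $leaf -ErrorAction SilentlyContinue
        if ($null -eq $r.Value) {
            $ok = (Test-Path -LiteralPath $path) -or ($null -ne $prop)
        } else {
            $ok = ($null -ne $prop) -and ("$($prop.$leaf)" -eq "$($r.Value)")
        }
        if (-not $ok) { return $false }
    }
    return $true
}

function Test-Processes($Required, $Banned) {
    # Get-Process takes the image name without ".exe"; the optional Path is the
    # directory of the image, compared after normalising the portal's forward slashes.
    function Find-Proc($spec) {
        $name  = [IO.Path]::GetFileNameWithoutExtension($spec.Name)
        $procs = @(Get-Process -Name $name -ErrorAction SilentlyContinue)
        if ($spec.Path) {
            $dir   = ($spec.Path -replace '/', '\').TrimEnd('\')
            $procs = @($procs | Where-Object { $_.Path -and ((Split-Path -Path $_.Path -Parent) -ieq $dir) })
        }
        return ($procs.Count -gt 0)
    }
    foreach ($p in $Required) { if (-not (Find-Proc $p)) { return $false } }
    foreach ($p in $Banned)   { if (Find-Proc $p) { return $false } }
    return $true
}

function Get-PostureReport($Policy) {
    $r = [ordered]@{
        AntiVirusActiveAndUpToDate = Test-AntiVirusActive
        MinimumOsVersion           = Test-MinimumOsVersion $Policy.MinOsVersion
        WindowsPatches             = Test-PatchesInstalled $Policy.RequiredPatches
        DiskEncryption             = Test-DiskEncryption $Policy.DiskEncryption
        Files                      = Test-Files $Policy.RequiredFiles $Policy.BannedFiles
        RegistryKeys               = Test-RegistryKeys $Policy.RequiredKeys
        Processes                  = Test-Processes $Policy.RequiredProcesses $Policy.BannedProcesses
    }
    $r.Compliant = -not (@($r.Values) -contains $false)   # any single failure = Not Compliant
    return [pscustomobject]$r
}

Get-PostureReport $Policy | Format-List
```

Run it in an elevated Windows PowerShell session on the device you plan to test; every row reported as False corresponds to a posture requirement that the portal would list under Not Compliant. The report treats a single failing check as non-compliant, which is the same all-or-nothing rule the agent applies.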

Device Authentication

Device Authentication authenticates a device by verifying that a valid certificate, issued by a trusted Certificate Authority (CA) that you uploaded, is installed on it. The verification happens each time the Harmony Connect Agent connects to the Harmony Connect cloud (an administrator-approved Harmony Connect cloud location that processes the internet and corporate traffic), and whenever you upload or modify CA certificates. If the verification fails, the agent disconnects and the security state warning Your Device Has Compliance Issues appears.

Notes:

  • This feature is available only to customers in the Early Availability (EA) program.

  • This feature is supported on Windows and macOS devices.

Uploading the CA Certificate

  1. Go to Policy > Access Control > Access Conditions.

  2. Under Device Authentication:

    1. Select the A valid device certificate is installed on the device which is trusted by the following CA checkbox.

    2. Click the upload button to browse to and upload the CA certificate.

      The system adds the certificate to the table. The table shows the issuer and the validity period of the certificate.

    3. To download a certificate, select it in the table and click the download button.

    4. To delete a certificate, select it in the table and click the delete button.

Installing a Valid Certificate on the Device

On the device, install a certificate, together with its private key, that was issued by (chains to) one of the CA certificates you uploaded.

Note - The device certificate must be of the type Base-64 encoded X.509.

For Windows, open Manage user certificates (certmgr.msc) and install the certificate with its private key under Certificates - Current User > Personal > Certificates.

For macOS, open the Keychain Access app and install the certificate with its private key under System Keychains > System > Certificates.
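To try Device Authentication end to end on a Windows test device before rolling out an enterprise CA, the following PowerShell script is an added example (not Check Point code): it creates a lab CA, issues a device certificate from it straight into the user's Personal store with a non-exportable private key, exports the CA as a Base-64 encoded X.509 file suitable for the Uploading the CA Certificate step, and then checks the same condition the agent checks, namely that a certificate with a private key in the Personal store chains to that CA. The subject names, key sizes, validity periods and the export path are assumptions for illustration.

```powershell
# Added example (not Check Point's own code). Names, key parameters and the
# export path are assumptions; use your real CA for production devices.
$CaSubject     = 'CN=Lab Device CA'
$DeviceSubject = "CN=$env:COMPUTERNAME"
$CaExportPath  = "$env:TEMP\lab-device-ca.cer"

function New-LabCa {
    # Self-signed CA: basic constraints CA=true and certificate-signing key usage.
    New-SelfSignedCertificate -Type Custom -Subject $CaSubject `
        -KeyUsage CertSign, CRLSign, DigitalSignature -KeyExportPolicy Exportable `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -NotAfter (Get-Date).AddYears(5) `
        -TextExtension @('2.5.29.19={critical}{text}ca=1') `
        -CertStoreLocation Cert:\CurrentUser\My
}

function New-LabDeviceCert($Ca) {
    # Device certificate signed by the lab CA, Client Authentication EKU,
    # private key kept non-exportable so it cannot be copied to another device.
    New-SelfSignedCertificate -Type Custom -Subject $DeviceSubject -Signer $Ca `
        -KeyExportPolicy NonExportable -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -NotAfter (Get-Date).AddYears(1) `
        -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2') `
        -CertStoreLocation Cert:\CurrentUser\My
}

function Export-CaAsBase64([System.Security.Cryptography.X509Certificates.X509Certificate2]$Ca, [string]$Path) {
    # "Base-64 encoded X.509" is the public certificate only (no private key)
    # between PEM markers; this is the file to upload in the portal.
    $b64 = [Convert]::ToBase64String($Ca.RawData, 'InsertLineBreaks')
    Set-Content -Path $Path -Encoding ascii -Value @('-----BEGIN CERTIFICATE-----', $b64, '-----END CERTIFICATE-----')
    return $Path
}

function Test-DeviceCertTrustedBy([System.Security.Cryptography.X509Certificates.X509Certificate2]$Ca) {
    # Mirrors the stated requirement: a non-expired certificate with a private key
    # in Cert:\CurrentUser\My whose chain ends at the uploaded CA. The CA need not
    # be in the local Root store, so allow an unknown root and then insist that
    # the root actually reached is our CA (thumbprint match), not just any root.
    $candidates = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) }
    foreach ($cert in $candidates) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.ExtraStore.Add($Ca) | Out-Null
        $chain.ChainPolicy.RevocationMode    = 'NoCheck'
        $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
        if ($chain.Build($cert)) {
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
            if ($root.Thumbprint -eq $Ca.Thumbprint) { return $cert }
        }
    }
    return $null
}

$ca     = New-LabCa
$device = New-LabDeviceCert $ca
$file   = Export-CaAsBase64 $ca $CaExportPath
$match  = Test-DeviceCertTrustedBy $ca

"CA file to upload     : $file"
"Device certificate    : $($device.Subject) ($($device.Thumbprint))"
"Chains to lab CA      : $([bool]$match)"
```

The chain check deliberately does not rely on the Windows trust store: the portal condition is "trusted by the following CA", so the test pins the chain's root to the uploaded CA's thumbprint rather than accepting any root the machine happens to trust. If you also want Windows itself to trust the lab CA, import the exported file into Cert:\CurrentUser\Root. Remove the lab CA and device certificate from Cert:\CurrentUser\My when the test is finished.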