Configure tiers and tags

With tiers and tags, you can group together enterprise devices that have the same values for a certain type of signal. For example, you could assign devices that comply with the corporate security policy, such as anti-malware and firewall status, to the low-risk tier. See Configure device risk assessments.

You can then use your tiers and tags in the application access control (ACL) rules that allow you to control the application traffic and protect your data. See Control access to applications.

Anti-malware Profiles

Windows or macOS

With anti-malware profiles, you can collect anti-malware signals that help you to monitor the security posture of enterprise devices. There are two types of anti-malware entries that you may select as values for the Anti-malware Status criterion:
  • Any Vendor. Reports if any anti-malware is installed and considered active on the end user’s device.
    • On macOS this corresponds to a preset list of anti-malware software that is detected by the EAA Client, and contains the following anti-malware programs: Avast, AVG, Avira, Bitdefender, Carbon Black, CrowdStrike, ESET, Intego, Kaspersky, Malwarebytes, McAfee, Norton, SentinelOne, Sophos, Symantec, Tanium, Trend Micro, Webroot.
    • On Windows this indicates any anti-malware software registered with Windows Security Center.
  • Custom. Checks for the existence of a specific vendor's anti-malware. Once a custom profile is configured and selected in a tier or tag rule, this signal allows you to confirm if a particular vendor’s anti-malware is installed and considered active on the device. For example, you can configure a CrowdStrike or Carbon Black anti-malware profile, and select it as a tier or tag criterion value to check if this software is present on the device.

Biometrics

Android or iOS

Biometrics are features such as fingerprint readers or facial recognition systems.

By selecting Biometrics > Enabled, you can check if the biometric authentication is enabled on the mobile device.

Carbon Black Policy

Windows or macOS

Determines if the selected Carbon Black policy is protecting the device.

You can specify the policy name only if you previously selected the Enabled checkbox in the Integrations tab. See Integrate with VMware Carbon Black to learn more.

Carbon Black Status

Windows or macOS

By selecting Carbon Black Status > Healthy, you can check if the Carbon Black agent is running on the device.

You can set this condition only if you previously selected the Enabled checkbox in the Integrations tab. See Integrate with VMware Carbon Black.

Certificate profile

Windows or macOS

Configure a tier or tag with this criterion to verify device certificates and identify devices that do not comply with parameters defined in the certificate profile. You may select up to three certificate profiles if they are configured.

See Configure a certificate profile to learn more.

Compromised Device - ETP

Windows or macOS

By configuring Compromised Device - ETP > Not Detected as a criterion, you can check if ETP has determined the device to be compromised or not.

You can set this condition only if ETP and EAA are both on the same contract.

Note: Device Posture only collects this information from devices running ETP Client.
See Enterprise Threat Protector Product guide to learn more about ETP.

See Integration with ETP to learn more about the ETP integration.

CrowdStrike Status

Windows or macOS

By configuring CrowdStrike Status > Healthy as a criterion, you can check if a device’s Falcon sensor is regularly communicating with the CrowdStrike cloud.

You can set this condition only if you previously selected the Enabled checkbox in the Integrations tab. See Integrate with CrowdStrike.

Disk Encryption

Windows or macOS

By configuring Disk Encryption > Enabled as a criterion, you can check the disk encryption status on the device.

EAA Client Status

Determines the status of the EAA Client Connector running on devices. If it is running, the status is either Healthy or Unhealthy.

This health check is an indicator of possibly risky devices in the enterprise network.

If the status is Healthy, it means that the EAA Client is communicating with the Akamai cloud as expected, and providing device posture updates.

If the status is Unhealthy, it means that the EAA Client may have an issue communicating with the Akamai cloud, and the device posture signals may not be accurate.

EAA Client Version

Windows or macOS

Displays the EAA Client version running on devices. Latest is the default value.

Latest
Represents the most recent fully patched release of the newest major version of the EAA Client. This category is automatically updated.
Latest+
Represents releases later than the newest known release. This includes later version or build numbers that could be classified as beta or developer releases.
Up-to-date
Represents the most recent fully patched releases of all supported major versions (except the latest) of the EAA Client. This category is automatically updated.
Up-to-date+
Includes patch releases to the up-to-date version that have not been released to general availability.
Custom
Lets you manually configure versions not represented in latest or up-to-date. Here you can specify beta and experimental versions. Adding a specific build/version includes only that build/version. This category is optional and is not automatically updated.
Note: If you have selected Custom, make sure that the EAA Client tab specifies EAA Client custom values for desktop devices. If no custom values are specified, the device does not match the tier/tag.

When multiple values are selected, a device satisfies the tier/tag if it is running any of the selected values.

ETP Client Status

Windows or macOS

By configuring ETP Client Status > Installed as a criterion, you can check if the ETP Client is installed on the device.

Firewall Status

Windows or macOS

By configuring Firewall Status > Good as a criterion, you can check the firewall status on the device.

Note:
  • On Windows this represents any firewalls integrated with the Windows Security Center, including the OS built-in firewall.
  • On macOS this is the OS built-in firewall.

Installed Browser Version

Windows or macOS

You can configure a tag or tier indicating a required installed browser version based on the values specified on the System > Device Posture > Versions > Installed Browsers tab.
Note: This feature does not verify the browser used for application access.
Latest
Represents the most recent fully patched release of the newest major browser version. This category is automatically updated.
Latest+
Represents releases later than the newest known release. This includes later version or build numbers that could be classified as beta or developer releases.
Custom
Lets you manually configure versions not represented in the latest version. Here you can specify beta and experimental versions. Adding a specific build/version includes only that build/version. This category is optional and is not automatically updated.
Note: If you have selected Custom, make sure that the Installed Browsers tab specifies custom values for applicable browsers. If no custom values are specified, the device does not match the tier/tag.

When multiple values are selected, a device satisfies the tier/tag if it is running any of the selected values.

Jailbroken

Android or iOS

By adding Jailbroken > Not Detected to your tier or tag rule, you can check whether a given device is jailbroken or rooted.

Mobile EAA Client Version

Android or iOS

Displays the EAA Client version running on mobile devices. Latest is the default value.

Latest
Represents the most recent fully patched release of the newest major version of the EAA Client. This category is automatically updated.
Latest+
Represents releases later than the newest known release. This includes later version or build numbers that could be classified as beta or developer releases.
Custom
Lets you manually configure versions not represented in latest or up-to-date. Here you can specify beta and experimental versions. Adding a specific build/version includes only that build/version. This category is optional and is not automatically updated.
Note: If you have selected Custom, make sure that the EAA Client tab specifies EAA Client custom values for mobile devices. If no custom values are specified, the device does not match the tier/tag.

When multiple values are selected, a device satisfies the tier/tag if it is running any of the selected values.

OS Version

Use this condition to detect the OS version running on devices.

Select one or more values:

Latest
Represents the most recent fully patched release of the newest major version of an operating system. This category is automatically updated.
Latest+
Represents releases later than the newest known release. This includes later version or build numbers that could be classified as beta or developer releases.
Up-to-date
Represents the most recent fully patched releases of all supported major versions (except the latest) of the operating system. This category is automatically updated.
Up-to-date+
Any OS version that's between up-to-date and latest. For example, if macOS Catalina gets a beta build, it will be covered in up-to-date+, as Big Sur is latest and Catalina is up-to-date.

Select this option if you want to allow your users to use developer/beta versions of the OS.

Custom
Lets you manually configure versions not represented in latest or up-to-date. Here you can specify beta and experimental versions. Adding a specific build/version includes only that build/version. This category is optional and is not automatically updated.
Note: If you have selected Custom, make sure the OS Versions tab specifies custom OS values. If no custom values are specified, the device does not match the tier/tag.

When multiple values are selected, a device satisfies the tier/tag if it is running any of the selected values.
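
The category matching described above can be modelled locally to reason about which devices a given selection admits. The following is an added example, not Akamai code: the `PATCHED` table, the function names and all version numbers are constructed, and Up-to-date+ is assumed to mean a build of an older supported major version that is newer than its patched release, following the Catalina example.

```python
# Added illustration only: a local model of the OS Version categories,
# not Akamai code. All version numbers are constructed sample data.

def parse(version):
    """'12.3.1' -> (12, 3, 1); trailing zeros dropped so 12.3.0 == 12.3."""
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

# Hypothetical feed: newest fully patched release per supported major version.
PATCHED = {12: parse("12.3.1"), 11: parse("11.7.2")}

def categories(version, custom=()):
    """Return the set of categories the reported OS version falls into."""
    v = parse(version)
    newest_major = max(PATCHED)
    latest = PATCHED[newest_major]
    cats = set()
    if v == latest:
        cats.add("Latest")
    elif v > latest:
        cats.add("Latest+")            # newer than the newest known release
    elif v[0] in PATCHED and v[0] != newest_major:
        if v == PATCHED[v[0]]:
            cats.add("Up-to-date")     # patched release of an older major
        elif v > PATCHED[v[0]]:
            cats.add("Up-to-date+")    # e.g. beta build of an older major
    # Custom matches exact builds only; an empty list never matches.
    if v in {parse(c) for c in custom}:
        cats.add("Custom")
    return cats

def satisfies(selected, version, custom=()):
    """OR semantics: any one selected value is enough."""
    return bool(set(selected) & categories(version, custom))

if __name__ == "__main__":
    for ver in ("12.3.1", "11.7.2", "11.7.1", "11.7.3", "13.0"):
        print(ver, sorted(categories(ver)),
              satisfies({"Latest", "Up-to-date"}, ver))
```

In this model, a device one patch behind on an older major version (11.7.1) matches none of the automatic categories, and selecting Latest+ or Up-to-date+ is what admits beta and developer builds.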

Screen Lock

Android or iOS

By selecting Screen Lock > Enabled as a criterion, you can check the status of the device's screen lock.