How to restrict access only to certified devices for users in an AD user group but not a different group

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

How to restrict access only to certified devices for users in an AD user group but not a different group

L1 Bithead

LDAP authentication is required for all the users. On top of that, we also want to restrict access to only certified devices for employees (must use company machines) but not contractors (can use private machines). Device certifications are pushed out through GPO to company devices. Employees and contractors belong to different AD user groups. How can it be done?



L4 Transporter

HIP checks is what you need

L1 Bithead

If I understand correctly, to use HIP we would have to plant a registry entry to identify those interested machines and then use security policy to control what they are allowed or not allowed to access. GP only collects HIP data but not doing any access controls which is not an ideal solution I am looking for. 


Portal allows multiple Client Authentication and multiple Agent. Somewhere in there I believe can do what I am looking for somehow. 

Following on from @Sec101 it is true that GP only collects the HIP data, but that data can then be used in a security policy to allow or deny the traffic based on the information contained within, so for instance in this case I would check for the certificate and put a security policy that allows the traffic for that group including the HIP check in the policy, if the device fails the HIP check the firewall will fall through to a rule underneath that could pick up the remaining users and provide that connectivity.


L4 Transporter



HIPS have predefined- and some custom checks you can look for on an endpoint.   The firewall will enforce on those HIP checks if you have them in security policy

Isn't that what I said ?

  • 5 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!