Introducing mobile checks for device trust

by Jason Meller

I am excited to announce the immediate availability of Mobile Checks and mobile end-user self-remediation for 1Password® Extended Access Management Device Trust customers.

Here’s a quick demo.


The Checks

As part of this release, we are proud to launch the initial set of Checks:

These Checks leverage the same core set of data that is collected from mobile devices each time a user opens the app to authenticate.

A screenshot of the checks catalog.

The new Checks are not enabled by default for existing customers, but you can enable them right in our Check Catalog.

This initial set provides great functionality to get you started, and more Checks are on the way!

Self-Remediation

In addition to shipping new Checks, we’ve updated our Kolide Mobile App to version 8. This version allows end-users to self-remediate any issues directly from the mobile application.

When users attempt to authenticate with a device that’s not in a good state, they will be asked to launch the mobile app to fix issues. After fixing the issues, they can try to authenticate again or simply swipe back to their web browser to complete the authentication process.

A screenshot showing how users will open fix instructions.

Just like on their desktop, users can now fix issues during authentication.

In addition to fixing issues during authentication, end-users can also launch the Kolide Mobile App directly from their phone to review their devices, including any failing Checks. Just like before, the fix instructions are available right there inside the app.

A screenshot of how it looks to launch the Kolide mobile app.

Users can launch the Kolide Mobile App (which can be associated with more than one organization) and review and fix issues.

Like Checks that run on desktop devices, users will only be asked to fix issues that are set to “notify only,” “warn then block,” or “block immediately.” Admins can also configure checks to “report only,” which will not notify users of the issue.

Also, just like with our other Checks, you can customize the remediation and fix instructions for any Mobile Check.

A screenshot of fix instructions within XAM.

Customize the fix instructions for any Mobile Check with full markdown support. You can even add links to preference panes to make it easier for your users to complete the steps.

MDM Enrollment Verification

One critical Check is the ability to verify that a mobile device is enrolled in a Mobile Device Management (MDM) provider. To enable this, we’ve added a new feature called Device Management Providers.

This feature allows you to specify one or more MDM providers associated with your organization. For each MDM provider you add, we will generate a secret key. Once you have the key, simply use your MDM to distribute the Kolide app to your managed mobile devices, with the key as part of the configuration.

When the Kolide app starts up on a user’s phone, it will look for this key. If it matches the MDM in your account, we know that phone must be enrolled in the MDM!

A screenshot of how an enrolled mobile device looks in an MDM.

If your mobile device is enrolled in an MDM, Kolide will report the name right on the device’s summary page.

More importantly, you can use this ability to ensure only mobile devices that are enrolled in your MDM are allowed to register and authenticate to Kolide. Just like with desktop devices, you can set the corresponding Check right in the Device Registration configuration page.

A screenshot from our docs that shows how to add MDM as a registration requirement.

Of course, as with any Check, you can ensure not only that the device is enrolled in an MDM at registration time, but also that it stays that way, by blocking the device from future authentications if it ever un-enrolls. To get that capability, you just need to set the Check’s device trust settings to block immediately. For more information on this feature, check out our documentation.
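The key matching and the registration/block decision described in this section, modeled as an added example; this is not Kolide's or 1Password's code. It assumes the app reports the key it found in its MDM-delivered configuration to the server, that the server stores only a SHA-256 digest per provider, and that the MDM registration requirement is turned on; `ProviderRegistry`, `auth_decision` and "Example MDM" are hypothetical names.

```python
import hashlib
import hmac
import secrets


class ProviderRegistry:
    """Hypothetical server-side model of Device Management Providers."""
    def __init__(self):
        self._digests = {}  # provider name -> SHA-256 digest of its secret key

    def add_provider(self, name):
        """Generate a secret key for one MDM provider; only its digest is kept."""
        key = secrets.token_urlsafe(32)
        self._digests[name] = hashlib.sha256(key.encode()).digest()
        return key  # shown once, then placed in the MDM's app configuration

    def match(self, reported_key):
        """Return the provider whose key the app reported, or None."""
        if not reported_key:
            return None  # app not installed through an MDM: no key present
        digest = hashlib.sha256(reported_key.encode()).digest()
        found = None
        for name, stored in self._digests.items():
            # Constant-time compare, and no early exit, so timing is uniform.
            if hmac.compare_digest(digest, stored):
                found = name
        return found


def auth_decision(registry, reported_key, registering, strategy="block immediately"):
    """Decide registration or authentication from the MDM enrollment Check."""
    provider = registry.match(reported_key)
    if provider is not None:
        return ("allow", provider)
    if registering or strategy == "block immediately":
        return ("block", None)  # registration requirement, or un-enrolled device
    return ("allow", None)  # e.g. "report only": recorded, not blocked now


def demo():
    """Run four constructed cases: enrolled, unmanaged, wrong key, report only."""
    registry = ProviderRegistry()
    key = registry.add_provider("Example MDM")  # constructed provider name
    return [
        auth_decision(registry, key, registering=True),
        auth_decision(registry, None, registering=True),
        auth_decision(registry, "wrong-key", registering=False),
        auth_decision(registry, None, registering=False, strategy="report only"),
    ]
```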

With the launch of Mobile Checks and self-remediation, we’re excited to bring even more flexibility and control to 1Password Extended Access Management customers. These new features help ensure that only secure, managed devices are able to authenticate, while empowering end-users to fix any issues directly from their mobile devices.

We can’t wait for you to start using these new tools to strengthen your device security posture.

Jason Meller - VP, Product Management