duo.com
13.225.63.49  Public Scan

Submitted URL: https://duo.com/docs/device-health?elqTrackId=9e9ea46baab541d5bdb2f585b5d1b491&elq=1beb2f24f4b74d5182c21408511e8...
Effective URL: https://duo.com/docs/device-health?elqTrackId=9e9ea46baab541d5bdb2f585b5d1b491&elq=1beb2f24f4b74d5182c21408511e8...
Submission: On October 31 via api from CA — Scanned from CA

DUO DEVICE HEALTH APPLICATION

Last Updated: September 27th, 2022

CONTENTS

 * Overview

 * Video Overview

 * Requirements

 * Understanding the Device Health Application Policy Options
    * Agent Verification

 * Enabling the Device Health Application Policy

 * Policy Interactions

 * Operating System Granular Policy
    * macOS 11 and Later
    * Windows 10 and Later

 * Help Desk Text

 * Device Health Reporting
    * Application Log
    * Endpoints List and Details

 * Device Health Client Application
    * Supported Operating Systems
    * Standalone Health Check
    * Duo Prompt Authentication

 * Device Remediation

 * Installing the Device Health Application
    * User Self-install During Enrollment
    * User Self-install During Authentication
    * Send Download Links to Users
    * Scripted or Managed Deployment
    * Installation Stalled on macOS
    * Start the Device Health Application
    * Suppress Automatic Launch of the Device Health Application
    * Update the Device Health Application
    * Device Health App Silent Updates
    * Uninstall the Device Health Application

 * Troubleshooting

Duo helps you control access to your applications through the policy system by
restricting access when devices do not meet particular security requirements.




OVERVIEW

The Duo Device Health application gives Duo Beyond and Duo Access customers more
control over which laptop and desktop devices can access corporate applications
based on the security posture of the device.

There are three key components:

 1. New Duo access policies that enforce application access based on device
    health.

 2. A native client application for supported Windows and macOS clients that
    checks the security posture of the device when a user authenticates to an
    application protected by Duo's browser-based prompt with an applied device
    health access policy.

 3. Additional endpoint information provided in the Duo Admin Panel.

The first time users log in to an application protected by the web-based Duo
Prompt with the Device Health Application policy set to require the app, Duo
prompts them to download and install the Duo Device Health application. After
installing the Device Health application, Duo blocks access to applications
through the Duo browser-based authentication prompt (when displayed in a browser
or in a supported thick client's embedded browser) if the device is unhealthy
based on the Duo policy definition and informs the user of the reason for
denying the authentication.

When a user's device doesn't meet the security requirements of the device health
policy, the Duo Device Health application provides the user with steps they can
take to remediate their security posture to align with the device health policy
on the application.

Note: While the Duo Device Health application transmits collected information
securely, this information is not uniquely identified. This means that a bad
actor could intercept the Duo prompt and create their own response to the Duo
prompt’s request for device health information and send that response up to Duo
servers. Every authentication is uniquely identified, so a user cannot
reasonably impersonate another user’s device information.




VIDEO OVERVIEW

Video chapters (10:51):

 * Video Overview
 * Enabling the Device Health Application Policy
 * Agent Verification (Duo Beyond)
 * The End-user Experience
 * Device Health Reporting











REQUIREMENTS

Ensure you have the following:

 * A Duo Access or Duo Beyond plan in order to set Device Health policy options.
 * Access to the Duo Admin Panel as an administrator with the Owner,
   Administrator, or Application Manager administrative roles.
 * Windows 10 and later or macOS 10.13 and later endpoints with direct access or
   HTTP relay proxy connection to Duo Security's service on port 443. Proxy
   connections that perform HTTPS inspection or filtering from endpoints are not
   supported.
   * The Duo Device Health application does not support Windows Server (e.g.
     Windows Server 2022, Windows Server 2019, etc.) or earlier versions of
     Windows (like Windows 7 or Windows 8.1). Additionally, Duo Device Health
     does not support macOS beta versions or Windows or macOS virtual machines.




UNDERSTANDING THE DEVICE HEALTH APPLICATION POLICY OPTIONS

The Device Health Application policy can apply to either macOS endpoints,
Windows endpoints, or both, and has three operating modes:

 * Don’t require users to have the app: With this option selected, the policy is
   not in effect and has no impact on end user access. End users are not
   prompted to install the Duo Device Health application when accessing a
   Duo-protected application. Data will be collected from the Duo Device Health
   application if present and running on the machine.
   
   The Allow users to install the app during enrollment setting, enabled by
   default in a new policy, prompts your users to install Duo Device Health
   during their first-time Duo enrollment. If you don't want users seeing the
   option to install Duo Device Health during enrollment you can uncheck this
   option.

 * Require users to have the app: With this option selected, but none of the
   "Block access" options below it, having the Device Health application
   installed and reporting information to Duo is required for access.
   
   End users running devices that can install the app (Windows 10+ and macOS
   10.13+) see a link to download the app from the Duo prompt when attempting to
   access a Duo-protected application associated with the policy if they do not
   already have the application installed. Devices that are capable of running
   the app but do not have it installed and running will be blocked.
   
   The app will collect health information from the device, but Duo will not
   block the user from getting access if it does not pass the specific firewall,
   encryption, and password health checks. This means that the device will be
   able to access the application even if the device would not pass each health
   check.
   
   Devices that cannot run the app, including older versions of Windows and
   macOS, Linux, etc., will not be prompted to install the app and are
   effectively allowed to bypass the Device Health Application policy.

 * Require users to have the app, plus any of the "Block access" options: With
   this option selected with one or more of the "Block access" options, the
   Device Health application must be installed, running, and reporting
   information to Duo, and the device must satisfy the specified health
   requirements for access.
   
   End users running devices that can install the app (Windows 10+ and macOS
   10.13+) see a link to download the app from the Duo prompt when attempting to
   access a Duo-protected application associated with the policy if they do not
   already have the application installed. Devices that are capable of running
   the app but do not have it installed and running will be blocked.
   
   The app collects health information from the device, and Duo will allow or
   block access to the protected application based on the device health options
   selected.
   
   Devices that cannot run the app, including older versions of Windows and
   macOS, Linux, etc., will not be prompted to install the app and are
   effectively allowed to bypass the Device Health Application policy.

When you configure any of the policy settings for an operating system, the
collapsed policy view reflects the effective configuration:

 * Reporting when you don't require users to have the Device Health app, or when
   you require users to have the Device Health app installed, but don't block
   access based on health check status.
 * Enforcing when you require users to have the Device Health app installed and
   block access when devices don't comply with your selected options.

Note that the default “fail-open” Device Health Application policy allows you to
enforce health checks for supported macOS and Windows devices, while not
blocking users who need to access an application using a non-supported device.
You can optionally use Duo's Operating Systems policy to restrict other device
types from accessing the application.




AGENT VERIFICATION

Duo Beyond plan customers can use the Device Health application's
antivirus/anti-malware agent check and policy options to verify that endpoints
have one of the supported security solutions listed below in place before
accessing an application:

 * BitDefender Endpoint Security
 * Cisco Secure Endpoint (previously known as Cisco AMP for Endpoints)
 * CrowdStrike Falcon Sensor
 * CylancePROTECT
 * McAfee Endpoint Security
 * SentinelOne
 * Sophos AV
 * Symantec Endpoint Protection
 * Trend Micro Apex One
 * VMware Carbon Black Cloud
 * Windows Defender (only shown in the list for Windows)




ENABLING THE DEVICE HEALTH APPLICATION POLICY

Duo automatically collects information from devices when the Device Health
application is installed and running with no need for you to configure a policy
to do so. Start your rollout by deploying the Device Health app to managed
devices, or inviting your end users to install the app by emailing them
installation links and instructions. Once the application is installed and
running, Duo collects Device Health information every time a user encounters the
Duo prompt. You can monitor your authentication logs in Duo to see how enforcing
Device Health policy settings would affect your organization.

When you're ready to begin requiring the presence of the Device Health app
during authentication, create a new policy targeting a test group of users and a
pilot application to start, with the Duo Device Health policy configured to
require installation of the Device Health application but not to block access
based on security posture. This continues collecting information about access
devices to see how deployment of both the application and policy affects a
sample population of your overall user base, while requiring that the targeted
users accessing Duo-protected applications install Device Health if they have
not already done so.

After deployment, you can review the states of devices accessing Duo-protected
applications in the Admin Panel and then make assessments to identify the policy
that will protect all your users.

 1. Log on to the Duo Admin Panel as an administrator with the Owner or
    Administrator admin role.

 2. Navigate to the details page of the application you'll use to pilot the
    Device Health Application policy. This must be an application that features
    the inline Duo Prompt.

 3. Click the Apply a policy to groups of users link to assign the new Device
    Health Application policy to just the pilot group.

 4. Click the Or, create a new Policy link instead of selecting a policy to
    apply from the drop-down list.

 5. The policy editor launches with an empty policy.

 6. Enter a descriptive Policy Name at the top of the left column, and then
    click the Device Health Application policy item on the left. Change the
    selected option for either macOS or Windows (or both) to Require users to
    have the app to require that the app is installed and running before
    permitting authentication for those configured operating systems.
    
    To prevent authentication based on an endpoint's security posture, select
    any or all of the "Block access" options for an operating system in the
    policy editor.
    
    Duo Beyond customers see additional options in the policy editor. To prevent
    authentication using the agent verification check, select the Block access
    if an endpoint security agent is not running option and select the required
    agent(s) from the list. If you select multiple agents, a device will pass
    the policy if it has any one of the required selected agents installed.
    
    After you select which security agents to allow, you can enter the
    remediation instructions that end users will see in the Device Health
    application client if they attempt to authenticate without the required
    security agent.

 7. Click the Create Policy button to save the settings and return to the "Apply
    a Policy" prompt, with the new Device Health Application policy selected.
    Start typing in the pilot group's name in the Groups field and select it
    from the suggested names.

 8. Click the Apply Policy button. The application page shows the new group
    policy assignment.

For more information about creating and applying group policies, see the Policy
documentation.




POLICY INTERACTIONS

You can use a Device Health Application policy in combination with most
other existing Duo policies, including the Browsers, Plugins, and Operating
Systems policies.

For example, you can create a custom policy that only allows access if the
device:

 * Has an encrypted drive (using FileVault for macOS or BitLocker for Windows
   10+)
 * Has the host firewall enabled (using Application Firewall for macOS or
   Windows Defender Firewall for Windows 10+)
 * Is protected by a password
 * Is accessing the application using a Chrome browser

In that case, enforce the first three conditions with the Device Health
Application policy's "Block access if system password is not set.", "Block
access if disk encryption is off.", and "Block access if firewall is off."
options. Enforce the fourth condition in the same custom policy by checking all
browsers except Chrome in the Browser policy's "Always block" option.

Note: Duo does not use information gathered by the Device Health App to enforce
browser policy.




OPERATING SYSTEM GRANULAR POLICY

In order to enforce access based on operating system (OS) version, you can use
the existing OS policy in combination with the Device Health application policy.
The Duo Device Health application will be the preferred source of information
about an endpoint when evaluating OS policy. This means that we will trust
information provided by the installed Duo Device Health application more than
the browser user agent provided by the web requests to Duo.




MACOS 11 AND LATER



The Operating Systems policy settings for macOS remain the same as when the Duo
Device Health Application policy is not enabled, and continue to look for a
macOS version similar to “10.14.6”. The Duo Device Health application provides
information that is more trustworthy than the user agent reported by a browser
or embedded web view.

As of macOS 11, up-to-date versions of major browsers (Safari, Chrome, Firefox,
and Edge) have frozen the OS version reported via the browser user agent string
as 10.15.6, 10.15.7, or 10.16, impacting the ability to detect whether macOS is
truly up to date when relying only on information reported to Duo by the
browser.

The Duo Device Health app detects and reports the actual macOS version, enabling
reliable OS version verification during Duo authentication. Duo recommends using
the Device Health app on macOS 11 or newer clients to enable accurate checking
and reporting, especially if you choose to apply a Duo operating systems policy
with the "If less than the latest" option selected, or pick a static version of
11.0 or greater.




WINDOWS 10 AND LATER

Windows OS has some additional changes in the Operating Systems policy when the
Duo Device Health application is present. A browser user agent provides a
limited amount of information about the Windows version. The Duo Device Health
application is able to retrieve the Windows build version and the security patch
version for a device. This allows you to make policy decisions on specific
Windows versions to keep users up to date.

You’ll notice these changes under the Operating Systems policy section under the
“Allow Windows devices” header. Open the dropdown under the “Encourage users to
update” or “Block versions” label and you’ll see new Windows version options.

When you select these options, additional information appears on the right side
of the policy screen containing the details of activating an Operating Systems
policy with this setting.

If the Duo Device Health application is not enabled, then the policy engine will
fall back to simply “Windows 10” when assessing the Windows version of the device
accessing a Duo-protected application.

Major browsers will not accurately report the OS version in the browser user
agent string on Windows 11, so the detection of and policy enforcement against
Windows 11 will require the Duo Device Health app.




HELP DESK TEXT

The Duo Device Health application displays the same help message text configured
in the first listed Help Desk custom message in global Settings.

The application shows this information in the "Need Help?" area whenever the
Action Required dialog is displayed to help the user remediate authentication
issues.




DEVICE HEALTH REPORTING

Information reported from the Duo Device Health application is shown in the
Admin Panel along with existing Endpoint information. The Authentication Log
report, Endpoints page list and endpoint details, and endpoint information shown
for Users will be augmented with details from the Duo Device Health application.




APPLICATION LOG

With the Device Health application installed, authentication log events show
checks related to the Duo Device Health application in the "Access Device"
information. Operating system version information includes the build version for
macOS and the build and revision versions for Windows.




ENDPOINTS LIST AND DETAILS

The Endpoints list receives additional filters that allow you to search for
devices that have Duo Device Health installed, or a particular state or OS
version and build as reported by the Device Health application. The device
warning information for a given device now includes Device Health reasons, if
present.

An endpoint's details page shows information about and from the Duo Device
Health application.




DEVICE HEALTH CLIENT APPLICATION

The Duo Device Health application analyzes a device to assess the status of its
security posture and reports the results of this scan to Duo. During
authentication, Duo applies and enforces access policies using the device
security posture information. When Duo denies access due to the state of
security posture on the device, the Duo Device Health application receives the
results of the policy check and presents guidance for the user to remediate the
issue and log in successfully the next time.




SUPPORTED OPERATING SYSTEMS

Duo Device Health supports the following:

 * Windows 10 and 11 Enterprise, Pro, and Home client editions (and the
   "Education" variants of these editions)
 * macOS 10.13 and later, including macOS 12

The Duo Device Health application relies on the Windows Security Center present
in client versions of the OS, so it does not support Windows Server (e.g.
Windows Server 2022, Windows Server 2019, etc.) or earlier versions of Windows
(like Windows 7 or Windows 8.1) as they lack this feature. Additionally, Duo
Device Health does not support macOS beta versions.




STANDALONE HEALTH CHECK

The home screen of the Duo Device Health application performs a health check on
the system and reports information to the user about the state of the device.
This information represents Duo’s baseline for a secure device and does not apply directly
to the evaluation of policy or authentication to an application protected by
Duo. While the status of a local security agent (collected if you've configured
agent verification) isn't shown on the Duo Device Health app home screen, the
app will raise an "Action Required" screen with the agent status if access gets
blocked for that reason.

The health check will be performed anytime the application is opened from the
menu bar (macOS) or the system tray (Windows).

macOS Example App Icon and Health Check

Windows Example App Icon in System Tray

Windows Example Health Check

This health check provides your preferred Duo device security posture. By
keeping all of these health checks green, Duo helps users keep a secure system
and alleviates issues that may arise before an authentication is required. If
this check reports an issue, such as the firewall turned off or OS out of date,
users have the opportunity to perform remediation before attempting to
authenticate.

macOS Example Health Check Alert with Remediation Guidance




DUO PROMPT AUTHENTICATION

When a user first lands at a Duo Prompt with Device Health enabled, a loading
spinner appears while Duo performs the health check. If the Device Health
application is already installed and running, this spinner should only appear for
a few seconds and the user will continue with authentication. In the event of a
failed authentication, the user will be directed to remediate these issues.

When the Device Health application is not already installed and running, users
see a notice indicating that the Duo Prompt is attempting to launch the Device
Health application.

[Screenshots: Traditional Duo Prompt and Duo Universal Prompt]

If the application was already installed and the browser has been told to
remember it, the application launches and the health check will be performed
without any need for interaction.

Otherwise, the user will be asked to download and install the application if it
isn't currently installed.

[Screenshots: Traditional Duo Prompt and Duo Universal Prompt]

DUO PROMPT, DEVICE HEALTH, AND THICK CLIENTS

When accessing Duo-protected applications with rich client applications that
display the Duo prompt in an embedded browser (i.e. thick clients such as Cisco
AnyConnect, Outlook, and others), the endpoint health checks function only when
the Device Health Application is already running during a Duo authentication.
Thick client embedded browsers cannot launch Duo Device Health from the Duo
prompt, unlike standalone browsers, which can launch the Duo Device Health app in
the background during authentication.

If Duo Device Health isn't running it can be started manually; see Starting the
Device Health Application.

INSTALLING THE DEVICE HEALTH APPLICATION FROM THE DUO PROMPT



To install the Device Health application:

 1. Click the Download Now button to download the installer.
    
    Note that if your users find that the download button isn't functional, they
    may be authenticating from a non-browser client application (like Outlook),
    or the page displaying the Duo prompt prevents the download. If this is the
    case, suggest the users try a different Duo-protected application without
    those limitations, or distribute the app directly to your users via emailed
    download links or managed deployment.

 2. Windows users: Double-click the MSI file and follow the installer prompts.
    
    macOS users: Double-click the DMG or PKG file to extract the installer. Then
    double-click the extracted installer and follow the installer prompts.

Note that installation requires administrator privileges on both Windows and
macOS. During installation, if the user doesn't have admin rights, they'll be
prompted to provide credentials of an account that is able to install software
on the client.

The user may be prompted to launch the application if it is already installed
and just not running. For some browsers, this prompt may include a “Remember my
choice” option (actual dialog format varies by browser and operating system).
Having the application already running or checking the “Remember my
choice”/“Always open these types of links” checkbox skips this prompt for future
health checks.

If the Device Health application was uninstalled after selecting the “Remember
my choice” checkbox, the operating system may still try to handle the request.
On macOS this results in a “Search the App Store” dialog and on Windows this
results in a “Look for an app in the Store” dialog.

On macOS click Cancel to close the dialog, and on Windows click OK to close it.
After a short timeout the Duo Prompt in the browser loads the download prompt
for the Device Health application.

When the Device Health application is running, it analyzes the user’s system and
reports the state of the device to Duo. Policy is then applied to the
information received from the device, and if there is a problem with the health
posture it is reported back to the user. If the health posture is acceptable
under the policy, no further interaction is required between the user and the
Duo Device Health application.




DEVICE REMEDIATION

When an issue is reported by the Duo Device Health application, a red
exclamation point will be shown next to the item that has an issue. This can
happen as part of the standalone health check or as a report from an
authentication failure due to device health.

If a user is attempting to access an application with a Device Health blocking
policy, and their endpoint's security posture does not comply with the policy
requirements, then the Duo Prompt notifies the user that they must take action
before they can access the application, and the Duo Device Health application
automatically opens with information about why the authentication was denied.


Each non-compliant setting shown is a clickable item that directs the user to
instructions on how to fix the problem. Additionally, there is a link at the
bottom that takes the user to a page in the application that briefly explains
why keeping the device healthy is important.




INSTALLING THE DEVICE HEALTH APPLICATION

The easiest way to distribute the Device Health application is to apply a Device
Health policy to a web-based application that features Duo's inline
authentication prompt, and then let users self-install the client when prompted
during Duo authentication or enrollment.

Note that installation requires administrator privileges on both Windows and
macOS.




USER SELF-INSTALL DURING ENROLLMENT



When the effective Device Health application policy has "Allow users to install
the app during enrollment" enabled, then new Duo users have the chance to
download and install Duo Device Health as the first step of Duo self-enrollment.
Users can choose to download and install Duo Device Health before enrolling
their first second-factor authentication device. A user who wants to complete
2FA enrollment without installing Duo Device Health can skip the step to
proceed.


If the application accessed by the new Duo user has an effective Device Health
application policy of "Require users to have the app", then the option to skip
Duo Device Health installation during enrollment does not appear, and users must
install the Device Health app to continue with 2FA device enrollment.




USER SELF-INSTALL DURING AUTHENTICATION



When the effective Device Health application policy is set to "Require users to
have the app", then new Duo users must download and install Duo Device Health to
continue to Duo two-factor authentication and access the destination
application.





SEND DOWNLOAD LINKS TO USERS

If you'd like to notify your users of the new Device Health application
requirement and give them the chance to install the application ahead of time,
you can send these client download links to your users:

macOS: https://dl.duosecurity.com/DuoDeviceHealth-latest.pkg

Note: The Duo Device Health app for macOS is released in PKG format as of
version 3.0.0.0.

Windows: https://dl.duosecurity.com/DuoDeviceHealth-latest.msi

View checksums for Duo downloads here.

Note that installation requires administrator privileges on both Windows and
macOS. During installation, if the user doesn't have admin rights, they'll be
prompted to provide credentials of an account that is able to install software
on the client.




SCRIPTED OR MANAGED DEPLOYMENT

If you'd like to deploy the Device Health application via a scripted install or
an endpoint management tool, download the installers using the links above, and
use the following information to automate installation:

macOS 11 and Later

MDM silent deployments on macOS as of version 11 require installation of a
trusted certificate in the user's keychain, with full access to the private key,
before installing the application. The steps to a managed deployment of Duo
Device Health to macOS 11+ clients are:

 1. Download the Duo_Device_Health_App_Identity_Generation_Script.sh script.

 2. Run the script, choosing to create a .mobileconfig profile or a PFX
    certificate.
    
    Choose to create a PFX certificate if you want more control over the
    deployment process and your MDM has an option to set the private key access
    level. Run the script without any options to create a .PFX file. Note the
    PFX password output by the script, as you'll need it when configuring your
    MDM to distribute the PFX certificate.
    
    sh Duo_Device_Health_App_Identity_Generation_Script.sh
    
    Otherwise, choose to create a .mobileconfig profile with the -m option.
    
    sh Duo_Device_Health_App_Identity_Generation_Script.sh -m
    
    This creates both a .mobileconfig and a .PFX file, but you can delete the
    .PFX as it's not needed for your .mobileconfig deployment.

 3. Distribute an empty file named DisableMacOS11CertManagement in the directory
    /Library/Application Support/Duo/Duo Device Health/ to your managed
    endpoints via MDM (so the full path to the file is /Library/Application
    Support/Duo/Duo Device Health/DisableMacOS11CertManagement).

 4. Distribute the certificate to your managed endpoints via MDM. If you opted
    to use a .PFX, ensure that the private key is set to allow access from all
    applications. The Device Health application will not function properly if
    the private key is not set to allow access from all applications. If
    distributing via a .mobileconfig profile, the private key access
    configuration will be set for you automatically.

 5. Distribute the Device Health application to your managed endpoints via MDM.

Refer to the Guide to Duo Device Health App certificate deployment for macOS 11+
users for more details about deploying the device health certificate.

To install the application (after adding the required certificate to your users'
keychains):

 1. If you did not download a .pkg installer from Duo, extract the .pkg
    installer file from the downloaded .dmg file first. Ensure that you have
    downloaded version 2.17.0.0 or later when deploying to macOS 11 or 12.

 2. Use this syntax to install the app if you downloaded a .pkg installer from
    Duo:
    
    sudo installer -pkg /path/to/installer/DuoDeviceHealth-3.0.0.0.pkg -target /
    
    Use this syntax if you extracted the .pkg from a downloaded .dmg file:
    
    sudo installer -pkg /Volumes/DuoDeviceHealth/Install-DuoDeviceHealth.pkg -target /

macOS 10 releases:

 1. If you did not download a .pkg installer from Duo, extract the .pkg
    installer file from the downloaded .dmg file first.

 2. Use this syntax to install the app if you downloaded a .pkg installer from
    Duo:
    
    sudo installer -pkg /path/to/installer/DuoDeviceHealth-3.0.0.0.pkg -target /
    
    Use this syntax if you extracted the .pkg from a downloaded .dmg file:
    
    sudo installer -pkg /Volumes/DuoDeviceHealth/Install-DuoDeviceHealth.pkg -target /

Windows: Replace the example path and MSI file name with your actual installer
location and MSI filename.

msiexec /i "C:\path\to\installer\DuoDeviceHealth-2.18.0.msi"

After the initial installation, the Duo Device Health application will check
your device health at the time of authentication. You can verify installation by
looking for the Duo Device Health application icon in the menu bar. When you
click on the app icon, you will be able to view device health status.




INSTALLATION STALLED ON MACOS

The Duo Device Health Application installer should complete quickly, with the
progress bar step taking a matter of seconds for most users. However, it's
possible the installation process could stall for several minutes due to macOS
prioritizing another process on the system. In that case, our installation will
pause until the other process completes. Large, slow-installing applications,
such as Xcode, are most likely to trigger this behavior.

If the installation or upgrade process appears to have hung and is not
completing, we recommend canceling it and resuming later when other processes
have completed.




START THE DEVICE HEALTH APPLICATION

The Duo Device Health application starts automatically after an interactive
installation to enable users to pass the health check as quickly and easily as
possible. If it is not running when a user lands on the Duo Prompt in a browser,
the prompt attempts to launch the application.

The Device Health application may also be started manually. This could be
necessary when you've installed Device Health silently via endpoint management
tools or scripted install, or when authenticating with a thick client
application and Device Health app is not already running.

macOS Users:

 1. Open Spotlight with Command key ⌘ + Space bar.

 2. Type Duo Device Health and click the application search result.

Windows Users:

 1. Open the Start Menu with the Windows key ⊞, click the Windows logo on the
    far left of the taskbar, or click the search icon in the taskbar.

 2. Type DuoDeviceHealth and click the application search result.




SUPPRESS AUTOMATIC LAUNCH OF THE DEVICE HEALTH APPLICATION

In some circumstances you may wish to perform an installation (e.g. mass
rollouts to managed devices) without automatically launching the application
immediately after installation completes. You can prevent automatic launch of
the Device Health application until you're ready to use it across your
organization.

Windows:

When installing the Windows application from the command line, include the
LAUNCH parameter set to False:

msiexec /i "C:\path\to\installer\DuoDeviceHealth-2.17.0.msi" LAUNCH=False

macOS:

The macOS installer is unable to utilize custom arguments or environment
variables, so indicating you wish to suppress the autolaunch must be done via
the filesystem.

Create the folder /Library/Application Support/Duo/Duo Device Health and then
create a file in that folder called NoAutoLaunchAfterInstall before installing
Duo Device Health. The existence of this file prevents automatic launch of the
application by the installer. Then run the installer, and remove the
NoAutoLaunchAfterInstall file when done.

If you do not remove the NoAutoLaunchAfterInstall file after installation,
future installs and upgrades will skip auto-launching the application as well.
This may be the desired behavior if you will always roll out upgrades to your
users in a managed environment. However, if your users may upgrade the
application themselves, we recommend removing the file to preserve the default
behavior.

The following set of example commands creates the /Library/Application
Support/Duo/Duo Device Health folder and the NoAutoLaunchAfterInstall file, runs
the Device Health app .pkg installer that you downloaded from Duo, and removes
the NoAutoLaunchAfterInstall file when done:

sudo mkdir -p "/Library/Application Support/Duo/Duo Device Health"
sudo touch "/Library/Application Support/Duo/Duo Device Health/NoAutoLaunchAfterInstall"
sudo /usr/sbin/installer -pkg /path/to/installer/DuoDeviceHealth-3.0.0.0.pkg -target /
sudo rm "/Library/Application Support/Duo/Duo Device Health/NoAutoLaunchAfterInstall"

Here are the same commands, but in a single line:

sudo mkdir -p "/Library/Application Support/Duo/Duo Device Health" && sudo touch "/Library/Application Support/Duo/Duo Device Health/NoAutoLaunchAfterInstall" && sudo /usr/sbin/installer -pkg /path/to/installer/DuoDeviceHealth-3.0.0.0.pkg -target / && sudo rm "/Library/Application Support/Duo/Duo Device Health/NoAutoLaunchAfterInstall"




UPDATE THE DEVICE HEALTH APPLICATION

Duo Device Health app automatically checks for updates at app launch, during
each Duo authentication, and at the interval specified in the Device Health app
preferences. To manually check for updates, open the Device Health app's
preferences and click the Check Now button.

If a newer version of the Device Health app was detected during app launch or
Duo authentication, the Device Health app icon in the menubar or systray changes
to notify you of the available update. If the scheduled or manual check finds a
newer version available, it displays a prompt to install the update.

Update at any time by downloading a newer version of the app and manually
installing it on a workstation. Managed devices can have the new installer
pushed to them via your endpoint management system.






DEVICE HEALTH APP SILENT UPDATES

Duo Device Health now offers the option of silent app updates as of version
3.0.0. This means that after the initial installation of Duo Device Health with
administrator privileges, the app will silently self-update to future releases
without user action or requiring the end-user to have elevated rights on their
workstation.

An updater service runs in the background, checking for new versions of Duo
Device Health every four hours. If a new version of Duo Device Health is
available, the updater service downloads and installs it without interrupting
the user to request approval.

If the new release contains significant changes, a pop-up notification appears
after installation inviting the user to learn more by reading the release notes.
The release notes are also linked from the Duo Device Health app's "Preferences"
menu item.

If you manage your Device Health app client installations and do not want silent
updates enabled when your user endpoints update from Duo Device Health v2.x to
v3.0.0, then we recommend performing the steps to disable automatic updates in
the next section before installing v3.0.0.



DISABLE AUTOMATIC UPDATES

Users with administrator privileges on their system can disable silent automatic
updates by opening the Device Health app's preferences and toggling the
Automatically download and install updates option. Disabling this option from
the app stops the updater service from running. This setting may not be changed
by users without administrator rights.

Administrators can also disable automatic updates across multiple systems by
pushing a configuration option to workstations before installing Duo Device
Health. Choosing to disable automatic updates means that you will need to
manually push updates to your users' endpoints in the future.

In rare situations running an out-of-date version of Duo Device Health could
cause users to get blocked if a new blocking policy is added that is not
supported on a user's machine. We recommend that you push Device Health app
updates frequently if you will not permit automatic silent updates.

macOS

Disable automatic updates on macOS systems by creating a plist entry with the
following command prior to Duo Device Health app installation:

sudo /usr/libexec/PlistBuddy -c "add :DisabledByAdministrator bool true" /Library/Application\ Support/Duo/Duo\ Device\ Health/Config.plist

To enable automatic updates after using this method, follow this process:

 1. Use this command to delete the previously created "DisabledByAdministrator"
    plist entry:
    
    sudo /usr/libexec/PlistBuddy -c "delete :DisabledByAdministrator" /Library/Application\ Support/Duo/Duo\ Device\ Health/Config.plist

 2. Reinstall Duo Device Health over the existing installation, which defaults
    to enabling automatic updates.

Windows

Disable automatic updates on Windows systems by creating the string registry
value HKLM\Software\Duo\Duo Device Health\AutoUpdater\DisabledByAdministrator
set to 1 prior to Duo Device Health app installation. Example reg command to
create this value:

reg add "HKEY_LOCAL_MACHINE\Software\Duo\Duo Device Health\AutoUpdater" /v DisabledByAdministrator /d 1 /f

To enable automatic updates after using this method, follow this process:

 1. Uninstall Duo Device Health from the Windows systems.

 2. Delete the previously created DisabledByAdministrator registry value.
    Example reg command to delete this value:
    
    reg delete "HKEY_LOCAL_MACHINE\Software\Duo\Duo Device Health\AutoUpdater" /v DisabledByAdministrator /f

 3. Reinstall Duo Device Health, which defaults to enabling automatic updates.






UNINSTALL THE DEVICE HEALTH APPLICATION

macOS Users (10.14.4 or later):

 1. Click on the Duo Device Health menu bar icon to open the Duo Device Health
    application.

 2. Click the menu icon (three stacked horizontal lines) in the upper right.

 3. Click Preferences.

 4. Click the Uninstall button under "Uninstall Duo Device Health Application".

macOS Users (10.14.3 or earlier):

 1. Press Command + space bar and type in Terminal to open a command line shell
    session.

 2. Enter the following command in the Terminal window:
    
    sudo /Applications/Duo\ Device\ Health.app/Contents/Library/LaunchServices/com.duosecurity.UninstallDuoDeviceHealth

 3. Enter your macOS password when prompted to allow the uninstaller to run with
    elevated privileges.

Windows users:

 1. Go to Start → Settings.

 2. Click Apps & Features.

 3. From the list, select the "Duo Device Health" application and click
    Uninstall.






TROUBLESHOOTING

Need some help? Take a look at the Device Health Frequently Asked Questions
(FAQ) page or try searching our Device Health Knowledge Base articles or
Community discussions. For further assistance, contact Support.



All Duo customers have access to Level Up, our online learning platform offering
courses on a variety of Duo administration topics. To access Level Up content,
sign in with the same email address you use to sign in to the Duo Admin Panel.

Level Up course: Improving End-User Security with Duo Device Health Application
