Hi, when logging on to the Devolutions Server with RDMAN from a local client, it would have been a nice feature to have a security posture check before the users get logged on.
I am not sure if that is possible, but it would have been a nice security feature.
Hello,
Thank you for your request. Currently, it is possible to add some conditional access policies to allow or deny a login. You can read more about that here: https://docs.devolutions.net/server/web-interface/administration/configuration/server-settings/security/conditional-access-policies/ Are those the kind of rules that you have in mind? Could you elaborate more on what should be included in a security posture check?
Best regards,
François Dubois
Hi,
While not something we currently offer directly in the product, if you already use one of Microsoft Entra ID, Okta or PingOne as your identity provider for Devolutions Server, you could enforce those kinds of checks at logon directly from the identity provider, using a concept usually referred to as conditional access. Through it, in addition to requiring correct credentials, you can enforce additional requirements such as a compliant security posture for client devices accessing the application.
Adding security posture evaluation through our own client applications is not a feature that is completely foreign to us, but it does require significant development to ensure it would be done right. Being honest, the chance of seeing such a feature delivered in the short term is low.
Simon Chalifoux
Hi,
The conditional access policies do not give us what we want, since we want to enforce a compliant security posture for client devices.
We will look into Microsoft Entra ID, but then we have to link accounts. Then my next question would be: is it possible to just get one user vault for linked accounts?
In order to enforce requirements such as security posture using Microsoft Entra ID, you would need to set up Single Sign-On between Microsoft Entra ID and Devolutions Server. Your users would then need to log in to Devolutions Server using their Microsoft account. At login time, Entra ID would enforce the requirements you have defined in their platform and allow or deny access to Devolutions Server.
You can find the landing page describing SSO here: Single sign-on (SSO) - Devolutions
This would also mean that you have deployed the components that are responsible for evaluating security posture on your client workstations. If it is not a piece of infrastructure that you already have in place or that you plan to use at large in the near future, it might not be practical to go that route for a single application.
I am not entirely sure I understand the question related to associating a vault with linked accounts. When we discuss SSO, we are referring to the user account used to access the application, not the accounts that are stored inside vaults.
Simon Chalifoux
Thanks for the response!
Well, the reason for the one vault for each user, even if it's linked, is that we have another PA to log on to Devolutions.
So if we switch logon, then we need to link the account we have in Entra ID with the PA we use to log on to Devolutions, and then we can use the same personal vault, right?
Hello,
If your users have two accounts in Devolutions Server (one for high privilege access and one for low privilege access), they will not share the personal vault. Both accounts will have their own user vault. We have already received a similar request to have only one user vault for linked accounts, and it is what you would like if I understand correctly. We haven't planned that feature and we don't have an ETA for it, but we will post back here once we have an update.
Best regards,
François Dubois
Hi, yes, one account for linked accounts, or at least the option to select whether we want the "merged" accounts to be one account, with a shared user vault :)
And thanks!