Protecting the new perimeter: From Geoblocking to OS checks, the latest in device security from Twingate
Anna Liu • Mar 10, 2025

For decades, private access tools neglected the question of device security.
Back in the days when a single office housed the protected network, this wasn’t a controversial decision. You could build a virtual wall around your corporate resources and be relatively confident in the security of that wall. If you wanted to add device security controls, that was a separate tool and a separate internal project.
Today, things are different.
The perimeter that needs protection has fundamentally changed. An estimated 98% of businesses globally use cloud in some capacity. Add to that multi- and hybrid-cloud environments, SaaS applications, and the growing distribution of workforces, and the perimeter that needs protection gets a lot more complicated.
Rather than a static perimeter, we think about the new perimeter as a single question, asked over and over again: Should this user, on this device, in this context, access this resource?
It’s not that this question introduces totally new datapoints to consider when making access decisions. Rather, organizations historically thought about things like the network, the user, and the device as distinct components that a security program would handle separately (and that wouldn’t necessarily play nicely with each other).
Because of the dynamic nature of modern infrastructure and modern teams, thinking about these aspects as fundamentally distinct makes it much harder to meet modern security standards.
Let’s take a look at a specific example: A user you know is based in Austin attempts to access a sensitive database via an unmanaged device in London. In this case, access should be blocked.
It may seem like an obvious scenario to protect against, but the reality is that in order to make that access decision you need a lot of different datapoints working together, continuously.
Twingate brings these pieces together, bridging a user’s identity, the device, the resource they’re attempting to access, and the relevant security policy into a single platform, informed in part by the other security investments you’ve made. This needs to happen dynamically, with policies updating as your organization, infrastructure, and risk tolerance change.
Twingate continues to invest in both native device security functionality and new out-of-the-box integrations to give teams more granular control to protect the new perimeter.
Why both native functionality and integrations? Flexibility. Some teams are just beginning to apply enforceable device security policies, and they’ll want to start with the basics: checks for hard drive encryption, screen lock, etc. Other teams will be ready to start layering tools to further increase security, which Twingate allows you to do by bridging data from MDM and EDR tools to access requests.
Lastly, we want to give teams the power to tailor their device security policies to both the audience and the sensitivity of the resource being accessed. Contractors may need just a few basic posture checks, but your finance team accessing customer payment data should only be able to access that database via a managed, CrowdStrike-verified device.
In this blog we’ll take a closer look at just a few of our recent device security releases. Let’s dive in.
Expanding native device posture checks
Twingate already supports a host of different device posture checks across OSs (including Linux!), and over the past few weeks we’ve released even more.
Geoblocking
You can now restrict access to Twingate Resources based on a device’s location. This allows admins to implement country-based blocking on their Resources based on a device’s geolocated IP address.
This makes it extremely easy to meet compliance requirements with enforceable location-specific deny lists for high-risk countries.
On the flip side, allow lists give admins the ability to create location-based policies for groups whose location they know. If you only have offices in specific countries, or if you want to limit contractor access to a set country or countries, you can set up unique policies in minutes.
Minimum OS version
Our latest native device posture check allows you to set a minimum version for various operating systems of devices accessing Twingate.
Twingate supports a host of different device posture checks natively, which can be configured into minimum OS requirements and Trusted Profiles. These allow you to identify the minimum device requirements to access Twingate, and to configure policies with more granular controls for added security.
You may want to set minimum OS requirements for the Twingate Resources that contractors access, but require Trusted Profiles for the more sensitive resources that full-time employees access.
In addition to minimum OS version, you can also configure checks for hard drive encryption, firewall, antivirus, screen lock, and more.
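The geoblocking, minimum OS version, and posture checks described above, combined into a single access decision, as an added sketch that is not Twingate's code or API. `Device`, `Policy`, `evaluate`, and the sample policies are hypothetical names, and the country codes and version numbers are constructed.

```python
from dataclasses import dataclass
from typing import Optional


def parse_version(text, width=3):
    """'14.6' -> (14, 6, 0). Numeric tuples avoid the string-compare trap
    where '10.15.7' sorts below '10.9'."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append(int(piece))
    parts += [0] * (width - len(parts))   # pad so '14' equals '14.0.0'
    return tuple(parts)


@dataclass
class Device:                      # hypothetical posture snapshot
    os_name: str
    os_version: str
    country: Optional[str]         # ISO 3166-1 alpha-2 from IP geolocation; None if lookup failed
    disk_encrypted: bool = False
    screen_lock: bool = False
    edr_verified: bool = False     # e.g. attested by an EDR or MDM integration


@dataclass
class Policy:                      # hypothetical per-resource policy
    min_os: dict                   # os_name -> minimum version string
    denied_countries: frozenset = frozenset()
    allowed_countries: frozenset = frozenset()   # empty means "no allow list"
    require_edr: bool = False


def evaluate(device, policy):
    """Return (allowed, reasons). Every failed check is reported, and anything
    that cannot be verified counts as a failure (fail closed)."""
    reasons = []

    # Location: the deny list wins over the allow list; unknown location is not trusted.
    geo_in_use = policy.denied_countries or policy.allowed_countries
    if device.country is None:
        if geo_in_use:
            reasons.append("location could not be determined")
    elif device.country in policy.denied_countries:
        reasons.append(f"country {device.country} is on the deny list")
    elif policy.allowed_countries and device.country not in policy.allowed_countries:
        reasons.append(f"country {device.country} is not on the allow list")

    # Minimum OS version: an OS with no configured minimum is rejected, not waved through.
    minimum = policy.min_os.get(device.os_name)
    if minimum is None:
        reasons.append(f"no minimum version configured for {device.os_name}")
    else:
        try:
            if parse_version(device.os_version) < parse_version(minimum):
                reasons.append(f"{device.os_name} {device.os_version} is below minimum {minimum}")
        except ValueError:
            reasons.append(f"OS version {device.os_version!r} could not be parsed")

    # Basic posture checks, then the stricter integration-backed check.
    if not device.disk_encrypted:
        reasons.append("disk encryption is off")
    if not device.screen_lock:
        reasons.append("screen lock is off")
    if policy.require_edr and not device.edr_verified:
        reasons.append("device is not EDR-verified")

    return (not reasons, reasons)


# Constructed policies: light checks for contractors, strict checks for a finance database.
CONTRACTOR = Policy(min_os={"macOS": "13.0", "Windows": "10.0.19045"},
                    denied_countries=frozenset({"XX"}))   # "XX" is a placeholder code
FINANCE = Policy(min_os={"macOS": "14.4"},
                 allowed_countries=frozenset({"US"}), require_edr=True)

# The scenario from earlier in the post: Austin-based user, unmanaged device in London.
london_unmanaged = Device("macOS", "14.6.1", "GB", disk_encrypted=True, screen_lock=True)
austin_managed = Device("macOS", "14.6.1", "US", True, True, edr_verified=True)

if __name__ == "__main__":
    for name, dev in [("london_unmanaged", london_unmanaged),
                      ("austin_managed", austin_managed)]:
        print(name, evaluate(dev, FINANCE))
```

The same unmanaged device passes the contractor policy and fails the finance policy, which is the audience-and-sensitivity tailoring the post describes.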
Doubling down on integrations
Twingate can’t do everything for everyone - no security tool can. That’s why we continue to invest heavily in easy-to-implement integrations so that you can extend the impact of both security and development tooling investments.
As a central access control layer, Twingate makes it easy to bridge together the various component solutions that form your unique security stack, including major IdPs, MDMs, EDRs, SIEMs, and more to implement an access control framework based on Zero Trust.
Saying that Twingate “invests in integrations” also includes our existing ones. As our partners release new functionality, we want to make sure you see those new benefits in Twingate, as well.
Let’s take a look at a few of the new and expanded device security integrations we support.
1Password Device Trust
Back in October we announced our newest device security integration with 1Password.
1Password, a leader in identity security, has expanded its offerings via their new Extended Access Management solution to fill critical gaps in access management and identity by enabling businesses to secure every sign-in to every application from every device.
Within 1Password, you have the ability to granularly select requirements from an extensive library of device checks. Especially important is the ability to extend these checks to every device – even for bring-your-own devices and contractors, in addition to corporate devices managed via MDM.
You can now use 1Password as a verification method when creating Trusted Profiles in Twingate. This means that only trusted devices are accessing protected Twingate Resources, so you get stronger device security, even in BYOD environments.
The integration automatically syncs device verification status every five minutes for Windows, macOS, and Linux devices, and you can monitor device compliance status directly in the Twingate Admin Console.
Kandji Auto-App
Kandji helps you keep Apple devices and users secure by incorporating device security and device management into one platform. We’ve partnered with Kandji for years, and we’ve now expanded that partnership: Twingate’s standalone macOS client is now available in the Kandji Auto App catalog!
Kandji Auto Apps are pre-packaged applications that are ready for instant deployment through the Kandji Web App. When you use the Twingate Auto App, Kandji automatically handles several critical tasks for you:
Automated Updates: Kandji manages and enforces updates for Twingate.
Background Items for macOS Ventura and Later: Twingate is seamlessly integrated into the background processes of macOS.
Privacy Preferences Policy Control (PPPC): Kandji ensures that Twingate complies with your pre-existing privacy settings.
Customizable Notifications: Administrators can tailor Twingate notifications to manage the end user experience effectively.
This is in addition to our existing integration with Kandji, which allows you to configure Twingate Security policies that require Kandji on a device attempting to access private resources protected by Twingate. We do this via the Kandji API, and you can find more information on that process and our Kandji-verification requirements in our documentation.
Expanding CrowdStrike for Linux
Windows may be the most commonly used operating system for developers worldwide, but tons of developers call Linux their preferred OS.
That’s part of why you often see special security policy exceptions carved out for engineering teams: lots of security tools only offer limited support for machines running on Linux, and some don’t support Linux at all.
At Twingate we’re focused on helping teams work securely from anywhere, and that includes teams running on Linux.
That’s why we’re excited to share that we’ve extended our CrowdStrike integration to support Linux devices.
CrowdStrike is one of the most widely used endpoint security providers, counting over half of Fortune 500 companies as customers.
CrowdStrike customers can extend the impact of their implementation by leveraging Twingate’s native integration. This allows you to layer on the best of CrowdStrike’s device controls (now for Linux devices, too!) and management with Twingate’s granular access policies.
Operationalizing Zero Trust
These investments in device security are a critical part of helping teams take the concept of Zero Trust and implement it into enforceable security programs. Twingate makes it easy to bridge identity, devices, and access all within the same policy engine.
For more information about these new device security releases, or for a refresh on all of Twingate’s device security capabilities, the best place to get started is on our documentation page.
Not a Twingate customer yet? If you’re interested in taking Twingate for a spin, you can request a personalized demo from our team or try it out yourself for free.