Device-only Resource Policies

Applicability

This policy setting can only be applied to Resource Policies.

Functionality

By default, all Resource Policies include both user authentication requirements and device requirements. Setting a Resource Policy to device-only results in a policy that only checks device requirement rules. Even if a Resource Policy has been set to device-only, the Minimum Authentication Requirements validity is always checked before Resource access is authorized.

As an example, a device-only policy can be created to allow devices marked as trusted to access a Resource without any additional user authentication requirements as long as the user is signed in to the Twingate client and the session is still valid.

To disable user authentication requirements, select the Disable option next to “Authentication Requirements”. The screenshot below shows the resulting state. Authentication requirements may be re-enabled in the same configuration screen.

Minimum Authentication Requirements evaluation

As shown in the screenshot above, even when user authentication requirements are disabled for a Resource Policy, the Minimum Authentication Requirements are always enforced. The following rules apply when evaluating a device-only policy:

  • The Minimum Authentication Requirements must be valid and active. In the example above, the requirements are set to a session length of 30 days. This means that the user must have authenticated successfully within the last 30 days and the Device Security requirements must be met for the policy above to authorize user access to a Resource protected by this policy.
  • The authentication session is maintained between restarts unless the user explicitly logs out in the Twingate Client. This means that Resources behind device-only policies are immediately accessible after either machine restart or after re-launching the Twingate Client as long as the user last authenticated within the Minimum Authentication Requirements session length. This allows both frictionless access to low-risk Resources for users and access to system Resources before an interactive user session is available (see: Windows Start Before Logon).

Note: Resource Policy sessions are never maintained between restarts or Client re-launches, and users must always re-authenticate to access Resources behind standard Resource Policies.

Last updated 2 months ago