We're ecstatic to announce the integration of Pomerium with FleetDM, bringing FleetDM's open-source device management platform into Pomerium's security policies. This integration lets teams enforce fine-grained authorization based on device state.
For those who want to watch a recorded webinar, here it is!
It is no longer enough to grant access because a user can present the correct credentials for an account that holds the correct authorizations. Organizations solving this problem have turned to verifying additional factors, including device identity and device state, before granting access.
Device identity refers to a unique identifier assigned to each device within an organization's network. This identifier serves as a digital fingerprint, allowing systems to recognize and authenticate individual devices.
Mobile device management solutions (MDMs) are responsible for registering and enrolling devices into the organization's ecosystem. Once devices are enrolled, MDMs like FleetDM can seamlessly communicate with Pomerium, providing real-time information about whether the device a user is connecting from has been properly registered and is known to the system.
Given how often compromised credentials lead to breaches, an organization's security posture should restrict, or outright block, access attempts from accounts connecting from an unregistered or unknown device.
Device state refers to the current condition or status of a device in terms of security and compliance. This encompasses various aspects such as:
the device's operating system version
installed security patches
antivirus software status
and overall configuration settings
By monitoring device state, organizations can ensure that all devices accessing their network meet the required security standards.
In certain cases, a device may not have been recently updated or properly configured, potentially creating security vulnerabilities. For instance, outdated software or misconfigured security settings can leave devices susceptible to malware infections or unauthorized access. To address these concerns, MDMs like FleetDM continuously monitor and report on the current device state to Pomerium.
This real-time information about the device allows Pomerium to make informed decisions about access control. When FleetDM detects that a device's state does not meet the organization's security requirements, it communicates this information to Pomerium. Based on predefined policies, Pomerium can then take appropriate action such as limiting access to certain resources, enforcing additional authentication measures, or in cases of severe non-compliance, completely rejecting access attempts from the vulnerable device. This proactive approach helps maintain a robust security posture and minimizes the risk of potential breaches originating from compromised or non-compliant devices.
Pomerium's clientless access and continuous verification stand out as the best option for adding zero trust architecture and improving security while accelerating productivity.
While many solutions will also do device identity and state checks when starting a user session, they do not verify if these factors are still true throughout the user’s session. It’s entirely possible for a user’s session token to be hijacked onto another device or for even the device itself to become compromised during a user session.
Pomerium addresses this security gap by continuously verifying if the factors which granted access are still true for each and every action. Our FleetDM integration is no different: FleetDM constantly reports on the device state and posture for the user to have continued access. In our recorded webinar, you can see how updating the access policy to require a registered device immediately severs an existing user session by cutting off their access.
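The per-request decision loop described above (device identity and device state feeding an access decision, re-checked on every action rather than only at login) as an added example in Go. This is not Pomerium's or FleetDM's code and not Pomerium's policy language or FleetDM's API schema: the posture record fields, the policy fields, the in-memory stand-in for an external data source and the sample device data are all this example's own assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// DevicePosture is the device report this example assumes an MDM such as FleetDM
// would publish into an external data source. Field names are this example's own
// assumption, not FleetDM's or Pomerium's schema.
type DevicePosture struct {
	DeviceID        string
	Registered      bool
	OSVersion       string
	PatchesCurrent  bool
	AntivirusActive bool
	ReportedAt      time.Time
}

// DevicePolicy is the requirement set attached to a protected route (assumed shape).
type DevicePolicy struct {
	MinOSVersion     string
	RequirePatches   bool
	RequireAntivirus bool
	MaxReportAge     time.Duration // how stale a posture report may be before it is distrusted
}

// Decision is the per-request outcome, with a reason suitable for the audit log.
type Decision struct {
	Allow  bool
	Reason string
}

// PostureSource is the lookup the access proxy performs against the external data source.
type PostureSource interface {
	Lookup(deviceID string) (DevicePosture, bool)
}

// MemorySource stands in for the data source the MDM keeps refreshed.
type MemorySource map[string]DevicePosture

func (m MemorySource) Lookup(id string) (DevicePosture, bool) {
	p, ok := m[id]
	return p, ok
}

// versionAtLeast compares dotted numeric versions component by component,
// so "14.10" >= "14.9" and "14.0.9" < "14.1".
func versionAtLeast(have, want string) bool {
	h, w := strings.Split(have, "."), strings.Split(want, ".")
	for i := 0; i < len(h) || i < len(w); i++ {
		hv, wv := 0, 0
		if i < len(h) {
			hv, _ = strconv.Atoi(h[i])
		}
		if i < len(w) {
			wv, _ = strconv.Atoi(w[i])
		}
		if hv != wv {
			return hv > wv
		}
	}
	return true
}

// Evaluate runs on every request, not only at session start, so a device that drifts
// out of compliance mid-session, or a session token presented from a device the MDM
// has never seen, is denied on its next request. Checks are ordered from identity
// (is the device known and enrolled?) to state (is it currently compliant?).
func Evaluate(pol DevicePolicy, src PostureSource, deviceID string, now time.Time) Decision {
	p, ok := src.Lookup(deviceID)
	if !ok || !p.Registered {
		return Decision{false, "device is not registered with the MDM"}
	}
	if now.Sub(p.ReportedAt) > pol.MaxReportAge {
		return Decision{false, "device posture report is stale"}
	}
	if !versionAtLeast(p.OSVersion, pol.MinOSVersion) {
		return Decision{false, "operating system below required version"}
	}
	if pol.RequirePatches && !p.PatchesCurrent {
		return Decision{false, "security patches not current"}
	}
	if pol.RequireAntivirus && !p.AntivirusActive {
		return Decision{false, "antivirus not active"}
	}
	return Decision{true, "device compliant"}
}

func main() {
	now := time.Date(2024, 9, 1, 12, 0, 0, 0, time.UTC)
	policy := DevicePolicy{MinOSVersion: "14.1", RequirePatches: true, RequireAntivirus: true, MaxReportAge: 15 * time.Minute}
	// Constructed sample data: one enrolled laptop whose report arrived a minute ago.
	src := MemorySource{
		"laptop-42": {DeviceID: "laptop-42", Registered: true, OSVersion: "14.2", PatchesCurrent: true, AntivirusActive: true, ReportedAt: now.Add(-time.Minute)},
	}
	fmt.Println("request 1:", Evaluate(policy, src, "laptop-42", now))
	// The MDM's next report shows antivirus disabled; the very next request is cut off.
	p := src["laptop-42"]
	p.AntivirusActive = false
	p.ReportedAt = now.Add(5 * time.Minute)
	src["laptop-42"] = p
	fmt.Println("request 2:", Evaluate(policy, src, "laptop-42", now.Add(6*time.Minute)))
	// A session token replayed from a device the MDM has never seen is refused outright.
	fmt.Println("request 3:", Evaluate(policy, src, "unknown-device", now))
}
```

The staleness check is the part worth noting: a posture source that stops reporting should fail closed, otherwise a device that goes dark (or has its agent killed) keeps the last good state forever. How the real integration polls or receives FleetDM data is described in the integration guide, not here.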
We're fans of minimizing bloatware to accelerate productivity and workflow, so Pomerium's clientless access feature provides access control without installing a client!
MDMs and access control solutions are often separate, which results in having two third-party clients installed on your end user’s device. This poses two problems:
Maintenance and upkeep burden: Organizations with larger fleets of devices need to dedicate resources to managing these client installations, upgrading them, and troubleshooting problems.
Exposure to third-party breaches: As CrowdStrike showed, a third-party client on every device can have disastrous consequences.
Moreover, clientless access is a key component of usable security to minimize cybersecurity erosion. To understand more about why usability matters and cybersecurity erosion, read our blog post on it here.
Here’s our FleetDM integration guide, but there will be more! We’re always building new integrations with our nifty external data sources feature allowing us to integrate any source of context into access control decisions. If you have an integration you’d like to request, reach out to us on our Discuss!