cyber-101

What system attributes does Zscaler consider for Device Posture checks?

A quick recap of what things the client connector can look for to assess local security state of an endpoint.

Mike Berggren

Mike Berggren

2 min read
What system attributes does Zscaler consider for Device Posture checks?
Photo by FlyD / Unsplash
💡
This is part of an on-going series in cybersecurity foundations. Check the cyber 101 article tag index from time to time for more content.

When it comes to accessing privileged resources, the security of the client system is critical. For that reason, the concept of Device Posture is very important and relevant. Zscaler's Client Connector application can gather a variety of system attributes which ultimately can be conditions for access policies.

Here's the full list:

  • Certificate Trust (available on all platforms) - Confirms if the local system trusts a certificate. This essentially validates a root CA pre-installed on a user system.
  • File Path (available on Windows and MAC only) - Checks to see if a specific file/directory exists on client system.
  • Registry Key (available on Windows only) - Checks to see if a specific registry key path/value is present on system.
  • Client Certificate (available on all platforms) - This is a variation of the prior certificate check to see if a specific certificate is present in the local trustStore.
  • Firewall (available on Windows and Mac only) - This checks to see if the local firewall on the operating system is present/enabled.
  • Full Disk Encryption (available on Windows, Mac, Linux, and android) - This checks to see if disk encryption is enabled on the endpoint.
  • Unauthorized Modification (available on iOS and Android only) - This checks to see if the system has had unauthorized modifications (e.g. jailbreaking or rooting).
  • Active Directory domain joined status (available on Windows or Mac only) - This checks to see if the endpoint is actively joined to an Active Directory Domain.
  • Azure Active Directory domain joined status (available on Windows or Mac only) - This checks to see if the endpoint is actively joined to an Azure Active Directory Domain.
  • Ownership Variable (available on iOS and Android only) - Checks to see if the alphanumeric ownership value (typically pushed down from UEM tooling) is present on device.
  • Process check (available on Windows, Mac, and Linux) - This checks to see if a specific process (signed by a specific certificate) is present on the user system.
  • Detect Carbon Black - This checks to see if Carbon Black is present and running on the user system.
  • Detect Crowdstrike - This checks to see if Crowdstrike is present and running on the user system.
  • Detect Defender (available on Windows, Mac, and Linux) - This checks to see if Microsoft Defender for Endpoint is present and running on the user system.
  • Detect SentinelOne (available on Windows or Mac only) - This checks to see if SentinelOne is present and running on the user system.
  • Detect Antivirus (available on Windows or Mac only) - This is more of a generic test to look for other AV providers.
  • JAMF Detection (available on Mac only) - Checks to see if JAMF is running on device. This can also review JAMF-defined risk levels (e.g. Secure, Low, Medium, or High).
  • CrowdStrike ZTA Device OS Score (available on Windows or Mac only) - This checks to see if ZTA device score (as determined by Crowdstrike) is at or above a specific threshold.
  • CrowdStrike ZTA Sensor Setting Score (available on Windows or Mac only) - This checks to see if ZTA sensor score (as determined by Crowdstrike) is at or above a specific threshold.

For more information on this, check out the following resource:

https://help.zscaler.com/zscaler-client-connector/configuring-device-posture-profiles

Read more