Here is the final word from support. In short, you can only do machine cert checking if you have the client log in as a service, which I don't want to do. You cannot do machine cert checking on demand. You can do user cert checking.
I would like to inform you we have only two possibilities via PCS device.
- Enabling host checker based certificate restriction.
- To enable you to configure host checker policy on the PCS device.
- Pulse Secure client machine certificate authentication.
- User will be getting connected automatically once the machine boots up.
- However, you cannot connect via browser when certificate authentication is enabled at realm level. It works only through Pulse Secure client.
Possibility 3: (Your actual requirement)
- Certificate restriction should be configured on the PCS device at realm or role level and the configuration should check the machine certificate store and connect the user.
- We can configure only user certificate authentication/restriction at realm or role level.
I would like to inform you that the third possibility is not achievable through PCS device. It is a new feature that needs to be implemented at the code level, so you need to go via the sales channel to add the feature support.
Also, I will involve the sales engineer Robin to create a feature enhancement request.