I'm about to turn on enforcement for Host Checker. We currently have it alerting, but we all know people ignore the alerts, and when we do turn on enforcement there will be a few people that NEED to sign into VPN. Is there a way to make an AD group an exception to Host Checker? If not, can I have two mirrored realms (with the exact same mappings) for those that need to sign in and are non-compliant?
- AD group exception: short answer, no (see long answer below)
- Two mirrored realms: short answer, no (see long answer below)
Long answer: There are a few options available for achieving the end goal of having a subset of users _always_ able to log in, regardless of their security posture. Some of the off-the-cuff options are:

- custom expressions that map based on the Host Checker result
- dual realms: one that has Host Checker required and enforced, and one that either has no requirements _or_ is set to evaluate only (making sure that the more restrictive one is at the top of the list on the URL)
- dual roles: one that has Host Checker enforced and one that does not
If you have further questions, please let us know. Alternatively, you can always open a case with support in the event it is not working the way you want.