cancel
Showing results for 
Search instead for 
Did you mean: 

NC or Pulse - only allow if corporate device (eg not home pc)

SOLVED
Highlighted
Occasional Contributor

NC or Pulse - only allow if corporate device (eg not home pc)

Hi,

Is it possible (I'm sure it is) / what is the best way to:

Only allow users to use NC or Pulse connections (basically a full VPN connection) if they are using a corporate device?

I don't want to allow this on their home PC etc.

(I have a SA 2500)

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Contributor

Re: NC or Pulse - only allow if corporate device (eg not home pc)

What we've done is create a Host Checker policy that checks for the registry key associated with being joined to a domain, and then we look for the value to equal our domains. We also check for our corporate antivirus.

Registry Root Key: HKEY_LOCAL_MACHINE

Registry Subkey: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\

Name: Domain

Type: String

Value: example.com

As for the policy discussion, we bind Host Checker to our Network Connect role. This way, personal PC's can be used to access the web links we provide, like OWA, Intranet, etc, but to actually connect to the network, it must be joined to our domain.

View solution in original post

7 REPLIES 7
Highlighted
Regular Contributor

Re: NC or Pulse - only allow if corporate device (eg not home pc)

you can do this with host checker, probably looking for the machine name to end in the domain is one way, and you will probably find that disallowing home pc's will not fly with people that are already using them and need to connect to perform a simple task.
Highlighted
Occasional Contributor

Re: NC or Pulse - only allow if corporate device (eg not home pc)

Hi,

Never fear, I'm not trying to take away what has already been given, but there is not use case for our users to connect a personal device to the corporate network.

From a security perspective, I'm trying to do the right thing.

I give the host checker a shot but I didn't think I saw what I needed there.

So I'll need to write a custom rule to check the netbios name?

Highlighted
Regular Contributor

Re: NC or Pulse - only allow if corporate device (eg not home pc)

oh trust me i would love to limit devices to corp only but i myself use my personal devices from PC to to droid phone to Xoom tablet, and yes you will have to make a custom rule.
Highlighted
Contributor

Re: NC or Pulse - only allow if corporate device (eg not home pc)

What we've done is create a Host Checker policy that checks for the registry key associated with being joined to a domain, and then we look for the value to equal our domains. We also check for our corporate antivirus.

Registry Root Key: HKEY_LOCAL_MACHINE

Registry Subkey: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\

Name: Domain

Type: String

Value: example.com

As for the policy discussion, we bind Host Checker to our Network Connect role. This way, personal PC's can be used to access the web links we provide, like OWA, Intranet, etc, but to actually connect to the network, it must be joined to our domain.

View solution in original post

Highlighted
Occasional Contributor

Re: NC or Pulse - only allow if corporate device (eg not home pc)

Fantastic!

So you have to create a seperate role which is just NC? (different login url or how do you do it?)

I'd idealy like the user to go to the same login page, but if the host checker fails this check, the user can't access NC, but can access the web stuff.

Highlighted
Super Contributor

Re: NC or Pulse - only allow if corporate device (eg not home pc)

What you want to do is to set your realm up to evaluate (not enforce) your Host Checker check. Then, use the results of the Host Checker check in the role-mapping rules for the realm. So, if your role for your company PCs is "Company" and the role for personal PCs is "Personal", the role-mapping rules might look like.

If (Expression Company-check passes), assign to "Company"

If (User="*"), assign to "Personal"

The first rule would have the "stop Flag" set. The expression "Company-check" would be something like -

HostChecker = "DomainCheck"

where DomainCheck is the name of the Host Checker policy which checks the PC against the company's domain.

Ken

Highlighted
Occasional Contributor

Re: NC or Pulse - only allow if corporate device (eg not home pc)

Thanks kenlars.

I can't mark two posts as answers but you both provided the necessary solution.

Greatly appreciated.

Smiley Happy