Because we meet more and more end users with Linux or Mac clients, we want to check that the operating system used by the client is NOT a Microsoft operating system. After some investigation, I didn't find any proper solution to configure that.
The possibility already exists to check that the operating system really is a Microsoft OS (and we can specify which OS version).
A good idea for these Windows OS checks could be the same possibility that we have with a "Process" check: we can trigger on a specific running process, but we can choose to "Require" this process or to "Deny" the connection if this process is running. In this way, we would have a simple solution to check and validate that the client's running OS is NOT a Windows OS (present in the list that we checked).
Or is there something else planned in this way?
Thanks for your feedback.
Hey Fabien - I am not sure if you have had a chance to search the SSL Forum in regard to this issue. There have been several threads that talk about nice, clean ways to deal with this. Some very creative ideas on how to validate that only Windows or only Macs connect, or don't, as the case may be.
How about taking the opposite approach and looking for something you know doesn't exist on a Windows workstation?
For example, check the registry for HKLM|Software\this\key\does\not\exist
Since no Windows machine is going to have this key, the check will always fail and go to remediation. This isn't the same thing as being able to deny a single process, but it may get you to the end result you're looking for.
There was a writeup on doing this same thing for other operating systems somewhere out on the Juniper site, but I don't recall what it was for. The example checked for a bogus file path which also wouldn't exist, but it accomplished the same thing and could be used to deny if it would never evaluate to true.
Another way you can do this is to create a Host Checker policy that checks for all Windows operating systems. From there....
Role Mapping with Custom Expressions:
Create a role mapping rule based on Custom Expressions:
Users-->Users Realm--><realm>-->Role Mapping-->New Rule
Change "Rule based on" to Custom Expression-->Updated-->Expressions
Create two Host Check Policy custom expressions as follows:
hostCheckerPolicy = ("Windows OS Checks")
hostCheckerPolicy != ("Windows OS Checks")
This will allow you to create role mapping rules based on the expressions. This way you can force users into different roles depending on whether or not they have passed the host check. Alternatively, you can deny them access to a role if that's your desire.