You can also use the result of Host Checker policy evaluation in role-mapping rules in the realm. So, if the user passes a specific Host Checker policy (or some combination of policies), you could assign them to a more "open" role. Don't pass the policy, and yet get assigned to a role with only (say) Outlook Web Access.
What option are you looking for? Are you refering to Ken's comment on using host check to assign roles? If that is what you are asking about it is not an option.
If you want to do that you go must enforce host check at the realm level. Then under realms / role mapping - you would create a role mapping rule based on a "custom expression" - You would create an expression of your own that would assign the role based on that value.
nope am still looking for way to configure it in the way that first user will need to provide username and pwd and then host checker will check pc
My configuration works the way you want yours to. Here is how it is set up -
For example, if you defined a policy called "Antivirus" which passed if your antivirus was working correctly, you would check "Evaluate Policies" to the left of "Antivirus" on the Authentication Policies - Host Checker page for the realm, and then could define an expression like
hostCheckerPolicy = "Antivirus"
This expression will be true if the Antivirus policy passed when Host Checker ran. I actually define mine as
hostCheckerPolicy != "Antivirus"
and then use that policy to assign the user to a role which tells them (via the welcome message) that their antivirus does not meet standards, and which displays a bookmark which the user can click on for remediation help.
You could also use the Host Checker restrictions on the role. I have never done that, so I don't know what type of experience that affords the end user.
Hope this is helpful.