A quick look at deviceTRUST, a simple conditional access tool for virtual desktop environments

deviceTRUST components

First, there’s deviceTRUST Client. This is an agent app that runs on endpoints that are accessing your virtual desktop environment, and its job is to actually collect all the context that’s used for conditional access decisions.

The context can be all sorts of things: The identity of the device; the OS; is it patched; are the firewall and Windows Defender turned on; is it a corporate or BYO device; what certificates does it have; is it domain joined; what network is it on; device location; and so on.

The deviceTRUST client is delivered as an MSI and runs as a service, and it supports Windows 7, 8, and 10; Windows Server 2008 R2 through 2019; eLux RP 6.5 and higher; IGEL OS 10.03.500 and higher; plus they’re working on a macOS agent.

Next, the agent on the client relays all of the context information to another agent running on the host. This happens in real time via a virtual channel in the remoting protocol.

The deviceTRUST Host agent is responsible for enforcing actions, which typically means blocking access to an app or desktop because conditional access policies are not met. This blocking can happen via integrations with AppLocker, FSLogix; or via APIs provided by Citrix, VMware, or Microsoft. When this happens, the user is presented with a customizable message that provides them with an explanation or remediation instructions. 

The deviceTRUST Host agent supports Windows 7, 8, and 10; Windows Server 2008 R2 through 2019; Amazon WorkSpaces; Citrix; pure RDS; VMware; Parallels; and Systancia AppliDis Fusion. 

All of the policies are configured in the deviceTRUST Host via Group Policy (and you don’t really have to configure the client agent). The deviceTRUST management console is just a plug-in for your Active Directory Group Policy management console. (Some customers use other client management platforms to configure the host agent, too.)

When you step back and look at this, you realize how simple it is: There’s no new infrastructure to add, since it’s just riding on everything you already have. 

You can build all sorts of policies, like blocking app access if the client firewall is turned off or if the OS isn’t patched; geolocation policies; printer management policies; blocking non-corporate devices; using it to attest BYOD devices; and so on. (deviceTRUST has templates for common policies.) And again, all these policies happen in real time.

deviceTRUST also has an iOS agent, which is a little different, as it communicates with the host via an external gateway hosted in Azure, not by virtual channels.

More notes

As you can see, this is quite different from other conditional access solutions, as it’s designed around desktop virtualization, not around your identity and access management stack.  This does mean that deviceTRUST is focused only on this segment for now, but so far, they seem to be off to a good start.

deviceTRUST has received an investment from the High-Tech Gründerfonds, a public-private seed investor in Germany. They have about 10 employees, and their go-to-market is entirely via the channel. They’re focused in the DACH region, but do have some U.S. customers as well. 

As I’ve written before, there are many different ways to build and integrate conditional access policies, so I’m curious to see what product moves they’ll make to get closer to the rest of the space. Either way, deviceTRUST is addressing a market that they’re close to, and their approach is rather clever.