Device compliance policy
Device compliance policies are used to limit access to authentik and applications based on Device Compliance information.
Device compliance policies are currently in development and inaccessible.
However, similar functionality can be achieved with existing stages and policies.
Prerequisites
You must have configured compliance in authentik and on the endpoint device.
Accessing device facts within a flow
To access device facts within a flow, the flow must include an Endpoint stage. The Endpoint stage fetches device facts via a configured Connector and adds them to the Flow context.
The following example shows how to use these facts within an expression policy.
flow_plan = request.context.get("flow_plan") # set a flow_plan object
device = flow_plan.context.get("device") # set a device object
name = device.name # the name of the device
facts = device.cached_facts.data
ak_logger.debug("device facts", facts=facts)
Examples
The following are examples of how device compliance can currently be implemented:
Only allow authentication via endpoint devices
If your goal is to only allow authentication via endpoint devices, this is achievable by adding an Endpoint stage to your authentication flow.
Create an Endpoint stage
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Flows and Stages > Flows.
- Select the authentication flow that you want to modify.
- Open the Stage Bindings tab and click Create and bind stage.
- Select Endpoint stage as the stage type, click Next, and configure the following settings:
- Name: provide a name for the stage
- Connector: select a connector for the stage to fetch device facts from (e.g.
authentik agent) - Mode: set to
Device required
- Click Next.
- Select the order for the stage. Ensure that this places the Endpoint stage in the flow wherever you want device access to be checked.
- Click Finish.
Only allow authentication via a specific type of endpoint device
If your goal is to only allow authentication via a specific type of endpoint device, this is achievable by adding an Endpoint stage and a Deny stage to your authentication flow.
The following example will only allow authentication via Apple devices.
Create an Endpoint stage
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Flows and Stages > Flows.
- Select the authentication flow that you want to modify.
- Open the Stage Bindings tab and click Create and bind stage.
- Select Endpoint stage as the stage type, click Next, and configure the following settings:
- Name: provide a name for the stage
- Connector: select a connector for the stage to fetch device facts from (e.g.
authentik agent) - Mode: set to
Device required
- Click Next.
- Select the Order for the stage. Ensure that this places the Endpoint stage in the flow wherever you want device access to be checked.
- Click Finish.
Create a Deny stage
-
On the Stage Bindings tab, click Create and bind stage.
-
Select Deny Stage as the stage type and configure the following settings:
- Name: provide a name for the stage
- Deny message: provide a message explaining why access was denied
-
Click Next.
-
Select the Order for the stage. Ensure that this number is higher than the Endpoint stage created in the previous section.
-
Click Finish.
-
Expand the Deny stage that you just created and click Create and bind Policy.
-
Select Expression policy as the policy type, click Next, and configure the following settings:
- Name: provide a descriptive name for the policy
- Expression:
flow_plan = request.context.get("flow_plan")
device = flow_plan.context.get("device")
if device.manufacturer.lower() != "apple":
return True
return FalseDeny stageBecause this is a deny stage, the policy must evaluate true when a requirement is not met.
-
Click Next and then click Finish.