Skip navigation
Documentation

Duo Trusted Endpoints - Duo Certifier

Last Updated: May 11th, 2023

Certificate-based Trusted Endpoint verification will reach end-of-life in a future release. Migrate existing management integrations to solutions that verify endpoint status with Duo Mobile or Duo Desktop. Learn more about migration options in the Duo Trusted Endpoints Certificate Migration Guide.

Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo protected services. When a user authenticates via the Duo Prompt, we'll check for the access device's management status. You can monitor access to your applications from trusted and untrusted devices, and optionally block access from devices not trusted by your organization.

Trusted Endpoints is part of the Duo Essentials, Duo Advantage, and Duo Premier plans.

The Duo Certifier is an optional software component you can install on your macOS managed systems to assist with identification and reporting of Duo trusted endpoints using certificate verification. We recommend use of the Duo Certifier if your macOS systems have issues reporting trusted status to Duo, whether via web browsers or third-party client applications which feature Duo authentication. You can install the Duo Certifier manually on individual systems, or deploy it using your regular software management system.

The Duo Certifier doesn't require any additional action from your users and runs silently in the background, becoming active only when a user logs into an application that displays the interactive Duo Prompt.

If the endpoint needs to be checked for Duo trusted status then the Duo authentication prompt shown in the browser or client application connects to the Duo Certifier running locally on the device via HTTPS. The Duo Certifier then accesses the Duo trust certificate in the user's macOS Keychain and sends the certificate information to Duo's service for verification.

Duo then performs the trusted endpoints check as specified in your configured "Trusted Devices" policy, along with verification that both the device and user comply with your other Duo policy settings, and then proceeds to Duo two-factor authentication.

If for some reason the Duo Certifier certificate request fails then Duo falls back on the regular method of obtaining the Duo certificate from the macOS Keychain via the browser itself.

If you choose to distribute the Duo Certifier to your users be aware that some mobile device management (MDM) systems might not properly install the certificate into the target user's keychain. The workaround for this is to have users install the Duo Certifier manually.

System Requirements

  • The Duo Certifier supports macOS 10.11 (El Capitan) or later systems.
  • The Duo Certifier listens for HTTPS connections on port 15310, so ensure this port is available.
  • The Duo certificate enrollment script must be version 3.5 or later. Visit the details page for your trusted endpoints management integration in the Duo Admin Panel to download the most recent certificate enrollment script, and update your deployment configuration accordingly (this may entail replacing your current script with the new version in Jamf or another endpoint management system, or manually running the updated script on your macOS endpoints).

Duo Certifier Install

  1. Download the Duo Certifier .pkg installer. You can also download the Duo Certifier installer from your macOS management integration's page in the Duo Admin Panel. The downloaded file name is similar to macos_certifier-1.0.4.pkg. View checksums for Duo downloads here.

  2. Run the Duo Certifier .pkg installer on a macOS endpoint, or deploy it to client systems using your device management application.

Verify Your Setup

Complete the Trusted Endpoints client certificate deployment and configure a policy to start checking for the certificate as users authenticate to Duo-protected services and applications. You must have access to the Duo Admin Panel as an administrator with the Owner, Administrator, or Application Manager administrative roles to configure a trusted endpoints management integration.

Removing the Duo Certifier

  1. Download the Duo Certifier .pkg uninstaller. You can also download the Duo Certifier uninstaller from your macOS management integration's page in the Duo Admin Panel. The downloaded file name is similar to macos_certifier_uninstaller-1.0.4.pkg. View checksums for Duo downloads here.

  2. Run the Duo Certifier .pkg uninstaller on a macOS endpoint to remove the software, or deploy the uninstaller to client systems using your device management application.

Allowing the Certifier Application

If you use application or binary block lists on your endpoints, you'll need to permit the Duo Certifier. We recommending using the SHA-256 signature for Duo's software signing certificate, to avoid having to update your application allow list settings for each release of the Duo Certifier.

The Duo signing certificate information is:

SHA-256             : 089c9b2b28b738354c43a11486651ca33266e2b7454477d6b351df09c2e97fae
       SHA-1               : 018da99c0e7062af5cc14dbc0d628c3c9bf25ce5
       Common Name         : Developer ID Application: Duo Security LLC (FNN8Z5JMFP)
       Organization        : Duo Security LLC
       Organizational Unit : FNN8Z5JMFP
       Valid From          : 2017/04/12 11:20:08 -0400
       Valid Until         : 2022/04/13 11:20:08 -0400

Troubleshooting

Need some help? Take a look at our Trusted Endpoints Knowledge Base articles or Community discussions. For further assistance, contact Support.