
User Guide - Device Identity Verification & Enforcement (DIVE)

Overview

Abstract

CloudConnexa Device Identity Verification & Enforcement (DIVE) allows only trusted Devices to connect to your WPC.

CloudConnexa's Device Identity Verification & Enforcement (DIVE) is a Wide-area Private Cloud (WPC) security policy that reduces your attack surface by locking the .ovpn profile to specific devices – allowing only authorized devices to connect to your WPC.

DIVE gives Owners and Administrators the power to leverage one of the key principles of ZTNA – Least Privilege – granting access to only the resources a user should have from only the devices they are authorized to use.

[Screenshot: Device settings in the CloudConnexa administration portal]

Note

DIVE is Off by default and has two active modes: Learn and Enforce, and Enforce.

The device's identity is important to consider while providing access to applications. DIVE allows you to build a security policy around device identity.

If device identity is not part of your security policy, an authorized user can copy the connection profile from a company-owned laptop to a personal smartphone and continue to access applications. Worse, a bad actor who obtains the connection profile from a compromised device can attempt to access the applications from their own device, because the profile alone is the credential.

When enabled, the Device Identity Verification and Enforcement (DIVE) feature creates a mapping between a connection profile and the device that stores it. It checks the device identity (the device's UUID) on connection requests and on profile-import operations, so that only authorized devices can connect and obtain configuration profiles.

With DIVE, you can ensure that your users use only trusted devices to connect to your WPC. These devices could be company-owned devices or other devices that are approved by your company policy.

The functionality that is needed for DIVE to work is supported by the OpenVPN client with the following minimum versions:

Learn and Enforce

In this mode a Device can be created with or without its Device ID (UUID). If a Device is created without the ID, the Device ID is populated in the administration portal on the next successful connection, and from then on the User can connect only from that Device (i.e., the profile from that device cannot be used to connect from any other device).

DIVE learns the identity (UUID) of an unknown device on that device's first successful connection and locks the connection profile (digital certificate) used to authenticate that connection to that device. On future connections using that connection profile, DIVE enforces that the connection is made by the same device.

Enforce

When the Enforce mode is enabled, you must configure the UUID of the Device when it is created. Only users with trusted Devices (i.e., configured devices with their UUID) can connect successfully.

Once enabled, a user can import a Profile in the Connect App only if the Device is trusted. Owners and Administrators must therefore associate a UUID with the configured Device before the user imports the profile. The UUID can be read from the OpenVPN Connect client settings once the client has been installed on the device (as pictured below); the Administrator then enters it on an existing Device, or when creating a new Device, in the Users > Devices menu.
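The two modes above describe a per-profile binding rule. The following Python model is an added illustration, not CloudConnexa's own code: it makes the decisions explicit so the edge cases (a Device created without an ID, first versus later connection, a mismatched UUID at import) can be read side by side. The mode constants, the `Device` class, case-insensitive UUID comparison, and the assumption that a profile import on a not-yet-learned Device is permitted in Learn and Enforce mode are the example's own.

```python
"""Model of the DIVE device-identity decision described in this guide.

Added illustration, not CloudConnexa's implementation. Per-profile state is
reduced to (mode, bound UUID); a successful 'connect' is what triggers
learning in Learn and Enforce mode, as the guide states.
"""
from dataclasses import dataclass
from typing import Optional
import uuid

# Mode names are the example's own labels for the three settings in the guide.
OFF = "off"
LEARN_AND_ENFORCE = "learn_and_enforce"
ENFORCE = "enforce"


def normalize_uuid(value: str) -> str:
    """Canonical upper-case 8-4-4-4-12 form; raises ValueError if malformed."""
    return str(uuid.UUID(value.strip())).upper()


@dataclass
class Device:
    name: str
    uuid: Optional[str] = None  # None = Device created without a Device ID

    def __post_init__(self) -> None:
        if self.uuid is not None:
            self.uuid = normalize_uuid(self.uuid)


def dive_check(mode: str, device: Device, presented_uuid: str, operation: str) -> bool:
    """Return True if 'import' or 'connect' is allowed for this Device.

    Side effect: in Learn and Enforce mode, a successful 'connect' from a
    Device that has no Device ID binds the presented UUID to that Device.
    """
    if operation not in ("import", "connect"):
        raise ValueError(f"unknown operation: {operation}")
    if mode == OFF:
        return True  # no device identity check at all
    try:
        presented = normalize_uuid(presented_uuid)
    except ValueError:
        return False  # client presented no usable device identity
    if device.uuid is None:
        if mode == ENFORCE:
            return False  # Enforce requires the UUID to be configured up front
        # Learn and Enforce: the first successful connection locks the profile.
        # Assumption: importing the profile before learning is permitted.
        if operation == "connect":
            device.uuid = presented
        return True
    # Bound Device: the presented identity must match exactly.
    return presented == device.uuid


def learn_then_enforce_demo() -> list:
    """Walk a profile through Learn and Enforce: learn on laptop, deny phone."""
    laptop = "4C4C4544-0032-3010-8058-B4C04F473032"  # constructed sample UUID
    phone = "9E9A1A2B-7C3D-4E5F-8A9B-0C1D2E3F4A5B"   # constructed sample UUID
    dev = Device("alice-laptop")
    return [
        dive_check(LEARN_AND_ENFORCE, dev, laptop, "import"),   # True (not yet learned)
        dive_check(LEARN_AND_ENFORCE, dev, laptop, "connect"),  # True, binds laptop
        dive_check(LEARN_AND_ENFORCE, dev, phone, "connect"),   # False, copied profile
        dive_check(LEARN_AND_ENFORCE, dev, laptop, "connect"),  # True, same device
        dev.uuid == laptop,                                     # True
    ]


if __name__ == "__main__":
    print(learn_then_enforce_demo())
```

Running the module prints the decision sequence for a profile that is imported and first used on a laptop and then copied to a phone; the phone's connection is denied once the laptop has been learned.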

Note

To discover the UUID: on Linux, run openvpn3-admin variables --machine-id in a terminal; on Windows, run wmic path win32_computersystemproduct get UUID (on current Windows builds where wmic is deprecated, Get-CimInstance Win32_ComputerSystemProduct | Select-Object UUID in PowerShell returns the same value); on macOS, open the Apple menu > About This Mac > System Report and read the Hardware UUID.

[Screenshot: UUID shown in the OpenVPN Connect client settings]
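An Administrator entering Device IDs in bulk wants the value copied out of the command output above and checked for shape before it goes into the portal. The helper below is an added example, not part of the OpenVPN Connect client or CloudConnexa; it runs the Linux and Windows commands the note lists and, for macOS, substitutes `ioreg -rd1 -c IOPlatformExpertDevice` (whose IOPlatformUUID field is the Hardware UUID shown in System Report) for the GUI path. It assumes each command's output contains a UUID in standard 8-4-4-4-12 form; the sample outputs embedded for offline use are constructed.

```python
"""Collect and sanity-check the Device ID (UUID) that DIVE compares.

Added helper, not part of the OpenVPN Connect client or CloudConnexa. Uses
the Linux and Windows commands from this guide; for macOS it reads
IOPlatformUUID from ioreg instead of the About This Mac dialog.
"""
import platform
import re
import subprocess
import uuid

# Standard 8-4-4-4-12 hex UUID; case is normalized afterwards.
UUID_RE = re.compile(r"[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}")

# Commands per platform.system() value. Assumption: each prints a UUID-shaped
# string somewhere in its output.
COMMANDS = {
    "Linux": ["openvpn3-admin", "variables", "--machine-id"],
    "Windows": ["wmic", "path", "win32_computersystemproduct", "get", "UUID"],
    "Darwin": ["ioreg", "-rd1", "-c", "IOPlatformExpertDevice"],
}

# Constructed sample outputs (not captured from real machines) so the
# extractor can be exercised offline.
SAMPLE_OUTPUTS = {
    "Windows": "UUID\r\n4C4C4544-0032-3010-8058-B4C04F473032\r\n\r\n",
    "Darwin": (
        '+-o MacBookPro  <class IOPlatformExpertDevice, id 0x100000110>\n'
        '    {\n'
        '      "IOPlatformUUID" = "9E9A1A2B-7C3D-4E5F-8A9B-0C1D2E3F4A5B"\n'
        '      "IOPlatformSerialNumber" = "C02XXXXXXXXX"\n'
        '    }\n'
    ),
    "Linux": "0f8b3c2a-1d4e-4f60-9a7b-2c3d4e5f6a7b\n",
}


def extract_uuid(text: str) -> str:
    """Return the first UUID found in command output, canonical upper case.

    Raises ValueError if no UUID-shaped token is present, so a failed or
    unexpected command is not silently entered into the portal.
    """
    match = UUID_RE.search(text)
    if match is None:
        raise ValueError("no UUID found in command output")
    return str(uuid.UUID(match.group(0))).upper()


def device_uuid(system: str = None) -> str:
    """Run this platform's command and return the Device ID to configure."""
    system = system or platform.system()
    cmd = COMMANDS.get(system)
    if cmd is None:
        raise RuntimeError(f"no DIVE UUID command known for {system}")
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return extract_uuid(out)


if __name__ == "__main__":
    print(device_uuid())
```

Paste the printed value into the Device's UUID field under Users > Devices; if the script raises instead, the command did not return a UUID and the Device should not be marked trusted until that is resolved.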

Warning

If the configured UUID for the Device does not match during the profile import, the profile cannot be imported. For Devices that already have a .ovpn profile, if the Device ID (UUID) provided during connection does not match the configured device, the connection will be denied.

The Device ID can be added in the Users > Devices menu by clicking the edit icon (pencil), of the Device.

Note

For devices running at least the minimum required client version, the UUID is shown in the portal regardless of the DIVE mode setting.


Enable Device Identity Verification & Enforcement

To enable, follow the procedure below:

  1. Navigate to Settings > Users and click Edit.

  2. Select Learn and Enforce or Enforce.

  3. Click Update.

  4. Click Confirm.