Skip to main content

User Guide - Device Identity Verification & Enforcement (DIVE)



CloudConnexa Device Identity Verification & Enforcement (DIVE). Only allow trusted Devices to connect to your WPC.

CloudConnexa's Device Identity Verification & Enforcement (DIVE) is a Wide-area Private Cloud (WPC) security policy that reduces your attack surface by locking the .ovpn profile to specific devices – allowing only authorized devices to connect to your WPC.

DIVE gives Owners and Administrators the power to leverage one of the key principles of ZTNA – Least Privilege – granting access to only the resources a user should have from only the devices they are authorized to use.



DIVE is Off by default and has 2 active modes: Learn and Enforce and Enforce.

The device's identity is important to consider while providing access to applications. DIVE allows you to build a security policy around device identity.

If device identity is not part of your security policy, it is possible for an authorized user to transfer the connection profile from a company-owned laptop to a personal smartphone and continue to access applications. Worse yet, a bad actor can obtain the connection profile from a compromised device and try and access the applications with their device.

The Device Identity Verification and Enforcement (DIVE) feature, when enabled, creates a mapping of the connection profile and the device that stores it. It checks device identity (UUID of the device) during requests to connect and import profile operations, ensuring that only authorized devices can connect and obtain configuration profiles.

With DIVE, you can ensure that your users use only trusted devices to connect to your WPC. These devices could be company-owned devices or other devices that are approved by your company policy.

The functionality that is needed for DIVE to work is supported by the OpenVPN client with the following minimum versions:

Learn and Enforce

This mode allows you the option to create a Device with or without its Device ID (UUID). If a Device is created without the ID, the Device ID will propagate in the administration portal on the next successful connection, and the User will only be able to connect from that Device on future connections (i.e., the profile from that device cannot be used to connect with any other device).

DIVE learns the identity ( UUID) of an unknown device on that device's first successful connection and locks the connection profile (digital certificate) used to authenticate that connection with that device. On future connections using that connection profile, DIVE enforces that those connections were made by the same device.


When the Enforce mode is enabled, you must configure the UUID of the Device when it is created. Only users with trusted Devices (i.e., configured devices with their UUID) can connect successfully.

Once enabled, the user can import a Profile in the Connect App, only if the Device is trusted. Owners / Administrators must associate a UUID with the configured Device (this can be done once the client has been installed on the device and UUID is obtained from the OpenVPN Client settings as pictured below). The Administrator has to enter the UUID in existing Devices or when creating new Devices using the Users > Devices menu.


To discover the UUID for Linux clients, run the following command in the terminal: openvpn3-admin variables --machine-id. For Windows OS the command is wmic path win32_computersystemproduct get UUID. For macOS you can find the UUID from the About this Mac (Apple icon) > System Report.



If the configured UUID for the Device does not match during the profile import, the profile cannot be imported. For Devices that already have a .ovpn profile, if the Device ID (UUID) provided during connection does not match the configured device, the connection will be denied.

The Device ID can be added in the Users > Devices menu by clicking the edit icon (pencil), of the Device.


UUID visibility for devices that use the min required client version, the UUID will be shown, irrespective of device enforcement settings.


Enable Device Identity Verification & Enforcement

To enable, follow the procedure below:

  1. Navigate to Settings > Users and click Edit.

  2. Select Learn and Enforce or Enforce.

  3. Click Update.

  4. Click Confirm.