About Device Posture
The OpenVPN Connect app shares device attributes with CloudConnexa during the tunnel connection and periodically after that. You can configure a device posture policy that uses this data to evaluate the device's security and compliance and decide if it is safe to connect and stay connected to CloudConnexa.
The OpenVPN Connect app shares device attributes with CloudConnexa during the tunnel connection and periodically after that. You can configure a device posture policy that uses this data to evaluate the device's security and compliance and decide if it is safe to connect and stay connected to CloudConnexa.
Note
Device Posture is a Beta feature.
Minimum client versions for device posture
For device posture policies to work, the OpenVPN Connect App installed on the device must have a version number equal to or higher than the ones listed below.
Windows: OpenVPN Connect 3.5
macOS: OpenVPN Connect 3.5
Linux: OpenVPN3 Client v_23 (with additional dependencies:
openvpn3-addon-devposture
andopenvpn3-dpc-openvpninc
). Refer to Tutorial: Enable device posture check for Linux OpenVPN client.Note
The Linux client needs both
openvpn3-addon-devposture
andopenvpn3-dpc-openvpninc
packages to be installed for Device Posture functionality to work.iOS: OpenVPN Connect 3.5
Android: OpenVPN Connect 3.5
Device attributes for posture checks
The attributes in this section can determine the device's security posture. Policies to allow or maintain the connection can be configured based on the attributes listed below:
Operating System: The device's operating system (Windows, macOS) can determine whether a connection is allowed.
Operating System Version: A connection can be allowed if the version of the operating system on the device is equal, greater or equal, less or equal than a specified version string (major.minor.patch). For example, 3.5.124
Note
To find your OS version, use the command
sw_vers
in the terminal for macOS andsysteminfo
for Windows.Antivirus: At least one antivirus running on the device can determine whether a connection is allowed. Supported antivirus software are Norton, Bitdefender, McAfee, Avast, ESET, AVG, Avira, SentinelOne, Malwarebytes, and Microsoft Defender (for Windows OS only).
Client Certificate: To allow the connection, the device must have a certificate matching the one uploaded as a .pem file in the configured device posture policy. If the certificate uploaded in the policy is a Root or Intermediate certificate, then the certificate present in the device can be directly signed by the certificate in the policy (i.e., only chaining of 1-level is allowed). The encryption used for the signing can be either RSA (min key size - 2048) or ECDSA (min key size - 256).
Note
The certificate needs to be in needs to be in .p12 format and located in the
Current User/Personal folder
for Windows orkeychain/login
for macOS.Disk Encryption: To allow the connection, the disk must be encrypted using FileVault on macOS devices. For Windows devices, the full disk or a specific volume must be encrypted using BitLocker.