Skip to main content

About Device Posture

Abstract

The OpenVPN Connect app shares device attributes with CloudConnexa during the tunnel connection and periodically after that. You can configure a device posture policy that uses this data to evaluate the device's security and compliance and decide if it is safe to connect and stay connected to CloudConnexa.

The OpenVPN Connect app shares device attributes with CloudConnexa during the tunnel connection and periodically after that. You can configure a device posture policy that uses this data to evaluate the device's security and compliance and decide if it is safe to connect and stay connected to CloudConnexa.

Note

Device Posture is a Beta feature.

Minimum client versions for device posture

For device posture policies to work, the OpenVPN Connect App installed on the device must have a version number equal to or higher than the ones listed below.

  • Windows: OpenVPN Connect 3.5

  • macOS: OpenVPN Connect 3.5

  • Linux: OpenVPN3 Client v_23 (with additional dependencies: openvpn3-addon-devposture and openvpn3-dpc-openvpninc). Refer to Tutorial: Enable device posture check for Linux OpenVPN client.

    Note

    The Linux client needs both openvpn3-addon-devposture and openvpn3-dpc-openvpninc packages to be installed for Device Posture functionality to work.

  • iOS: OpenVPN Connect 3.5

  • Android: OpenVPN Connect 3.5

Device attributes for posture checks

The attributes in this section can determine the device's security posture. Policies to allow or maintain the connection can be configured based on the attributes listed below:

  • Operating System: The device's operating system (Windows, macOS) can determine whether a connection is allowed.

  • Operating System Version: A connection can be allowed if the version of the operating system on the device is equal, greater or equal, less or equal than a specified version string (major.minor.patch). For example, 3.5.124

    Note

    To find your OS version, use the command sw_vers in the terminal for macOS and systeminfo for Windows.

  • Antivirus: At least one antivirus running on the device can determine whether a connection is allowed. Supported antivirus software are Norton, Bitdefender, McAfee, Avast, ESET, AVG, Avira, SentinelOne, Malwarebytes, and Microsoft Defender (for Windows OS only).

  • Client Certificate: To allow the connection, the device must have a certificate matching the one uploaded as a .pem file in the configured device posture policy. If the certificate uploaded in the policy is a Root or Intermediate certificate, then the certificate present in the device can be directly signed by the certificate in the policy (i.e., only chaining of 1-level is allowed). The encryption used for the signing can be either RSA (min key size - 2048) or ECDSA (min key size - 256).

    Note

    The certificate needs to be located in the Current User/Personal folder for Windows and keychain/login for macOS.

  • Disk Encryption: To allow the connection, the disk must be encrypted using FileVault on macOS devices. For Windows devices, the full disk or a specific volume must be encrypted using BitLocker.

In this section: