Implementing device posture assessment as a zero trust access control by integrating endpoint health signals from CrowdStrike ZTA, Microsoft Intune, and Jamf into conditional access policies that enforce compliance before granting resource access.
# Implementing Device Posture Assessment in Zero Trust
## When to Use
- When enforcing device health as a prerequisite for accessing corporate applications
- When integrating CrowdStrike ZTA scores, Intune compliance, or Jamf device status into access decisions
- When implementing CISA Zero Trust Maturity Model device pillar requirements
- When building conditional access policies that adapt based on real-time endpoint security posture
- When detecting and blocking access from compromised, unmanaged, or non-compliant devices
**Do not use** for IoT or headless devices that cannot run posture agents, as a standalone security control without identity verification, or when real-time posture data is unavailable and stale compliance data would create false trust.
## Prerequisites
- Endpoint Detection and Response (EDR): CrowdStrike Falcon with ZTA module, or Microsoft Defender for Endpoint
- Mobile Device Management (MDM): Microsoft Intune, Jamf Pro, or VMware Workspace ONE
- Identity Provider: Microsoft Entra ID, Okta, or Ping Identity with conditional access capability
- ZTNA Platform: Zscaler ZPA, Cloudflare Access, Palo Alto Prisma Access, or cloud-native IAP
- API access to EDR/MDM platforms for posture signal ingestion
## Workflow
### Step 1: Define Device Compliance Baselines
Establish minimum security requirements for each device category.
```powershell
# Microsoft Intune: create a Windows device compliance policy via the Graph API
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

# Windows 10/11 compliance policy
$compliancePolicy = @{
    "@odata.type"            = "#microsoft.graph.windows10CompliancePolicy"
    displayName              = "Zero Trust - Windows Compliance"
    description              = "Minimum device requirements for zero trust access"
    osMinimumVersion         = "10.0.19045"
    bitLockerEnabled         = $true
    secureBootEnabled        = $true
    codeIntegrityEnabled     = $true
    tpmRequired              = $true
    antivirusRequired        = $true
    antiSpywareRequired      = $true
    defenderEnabled          = $true
    activeFirewallRequired   = $true   # Graph property for the firewall check (there is no "firewallEnabled")
    passwordRequired         = $true
    passwordMinimumLength    = 12
    passwordRequiredType     = "alphanumeric"
    storageRequireEncryption = $true
    # Intune requires at least one non-compliance action on every compliance policy
    scheduledActionsForRule  = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{
                    actionType                = "block"
                    gracePeriodHours          = 24
                    notificationTemplateId    = ""
                    notificationMessageCCList = @()
                }
            )
        }
    )
}
New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $compliancePolicy
```
```bash
# macOS compliance policy via the Jamf Pro API (run from a POSIX shell, not PowerShell)
curl -X POST "https://jamf.company.com/api/v1/compliance-policies" \
  -H "Authorization: Bearer ${JAMF_TOKEN}" \
  -H "Content-Type: application/json" \
  --data '{
    "name": "Zero Trust - macOS Compliance",
    "rules": [
      {"type": "os_version", "operator": ">=", "value": "14.0"},
      {"type": "filevault_enabled", "value": true},
      {"type": "firewall_enabled", "value": true},
      {"type": "gatekeeper_enabled", "value": true},
      {"type": "sip_enabled", "value": true},
      {"type": "auto_update_enabled", "value": true},
      {"type": "screen_lock_timeout", "operator": "<=", "value": 300},
      {"type": "falcon_sensor_running", "value": true}
    ]
  }'
```
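Evaluating a device inventory record against the rule list above, as an added example that is not part of this page or of Jamf's tooling: the rule evaluator, the device record and the attribute names (mirroring the rule types above) are constructed here. It compares OS versions numerically and treats a missing signal as a failure rather than as compliance.

```python
import operator

# Rule list in the same shape as the Jamf rules above (copied here as constructed input)
MACOS_RULES = [
    {"type": "os_version", "operator": ">=", "value": "14.0"},
    {"type": "filevault_enabled", "value": True},
    {"type": "firewall_enabled", "value": True},
    {"type": "gatekeeper_enabled", "value": True},
    {"type": "sip_enabled", "value": True},
    {"type": "auto_update_enabled", "value": True},
    {"type": "screen_lock_timeout", "operator": "<=", "value": 300},
    {"type": "falcon_sensor_running", "value": True},
]
OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt,
       "<": operator.lt, "==": operator.eq}

def version_tuple(v: str) -> tuple:
    """'14.10' -> (14, 10): compare numerically; as strings '14.10' < '14.9'."""
    return tuple(int(part) for part in v.split("."))

def rule_passes(rule: dict, device: dict) -> bool:
    attr = rule["type"]
    if attr not in device:
        return False  # a missing signal is non-compliance, never assumed healthy
    observed, expected = device[attr], rule["value"]
    if attr == "os_version":
        observed, expected = version_tuple(observed), version_tuple(expected)
    return OPS[rule.get("operator", "==")](observed, expected)

def evaluate(device: dict, rules=MACOS_RULES) -> dict:
    """Return the compliance verdict plus every rule the device fails, in rule order."""
    failed = [r["type"] for r in rules if not rule_passes(r, device)]
    return {"compliant": not failed, "failed_rules": failed}

# Constructed inventory record for a hypothetical Mac (falcon_sensor_running is absent)
SAMPLE_DEVICE = {
    "os_version": "14.10",
    "filevault_enabled": True,
    "firewall_enabled": False,
    "gatekeeper_enabled": True,
    "sip_enabled": True,
    "auto_update_enabled": True,
    "screen_lock_timeout": 600,
}
```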
### Step 2: Configure CrowdStrike Zero Trust Assessment
Enable ZTA scoring and configure score thresholds for access tiers.
```bash
# CrowdStrike Falcon API: query ZTA scores for one or more endpoints
curl -X GET "https://api.crowdstrike.com/zero-trust-assessment/entities/assessments/v1?ids=${DEVICE_AID}" \
  -H "Authorization: Bearer ${CS_TOKEN}" \
  -H "Content-Type: application/json"

# Response includes:
# {
#   "aid": "device-agent-id",
#   "assessment": {
#     "overall": 82,
#     "os": 90,
#     "sensor_config": 85,
#     "version": "7.14.16703"
#   },
#   "assessment_items": {
#     "os_signals": [
#       {"signal_id": "firmware_protection", "meets_criteria": "yes"},
#       {"signal_id": "disk_encryption", "meets_criteria": "yes"},
#       {"signal_id": "kernel_protection", "meets_criteria": "yes"}
#     ],
#     "sensor_signals": [
#       {"signal_id": "sensor_version", "meets_criteria": "yes"},
#       {"signal_id": "prevention_policies", "meets_criteria": "yes"}
#     ]
#   }
# }

# Define ZTA score thresholds for access tiers
# Tier 1 (Basic Access):     ZTA >= 50
# Tier 2 (Standard Access):  ZTA >= 65
# Tier 3 (Sensitive Access): ZTA >= 80
# Tier 4 (Critical Access):  ZTA >= 90

# Query devices below the minimum threshold
curl -X GET "https://api.crowdstrike.com/zero-trust-assessment/queries/assessments/v1?filter=assessment.overall:<50" \
  -H "Authorization: Bearer ${CS_TOKEN}"

# CrowdStrike ZTA signals evaluated:
# - OS patch level and version
# - Disk encryption (BitLocker/FileVault)
# - Sensor version and configuration
# - Prevention policy enforcement
# - Firmware protection (Secure Boot)
# - Kernel protection (SIP, Code Integrity)
# - Firewall status
```
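Mapping a ZTA assessment to one of the access tiers above, as an added example that is not CrowdStrike's code or part of this page: the sample response is constructed in the shape shown above, `modified_time` is an assumed field carried with the score so the staleness rule from "When to Use" can be applied, and the 24-hour age limit and the disk-encryption hard fail (mirroring the Step 1 baseline) are assumptions. Stale, missing or hard-failing data yields no tier, so the decision fails closed.

```python
from datetime import datetime, timedelta, timezone

# Access tiers and minimum overall ZTA score, as defined in Step 2 above
TIERS = [("critical", 90), ("sensitive", 80), ("standard", 65), ("basic", 50)]
MAX_AGE = timedelta(hours=24)               # assumption: older scores count as stale
HARD_FAIL = frozenset({"disk_encryption"})  # assumption: mirrors the Step 1 encryption baseline

# Constructed sample in the response shape above; "modified_time" is an assumed field
SAMPLE = {
    "aid": "device-agent-id",
    "modified_time": "2024-01-01T08:00:00Z",
    "assessment": {"overall": 72, "os": 60, "sensor_config": 85, "version": "7.14.16703"},
    "assessment_items": {
        "os_signals": [
            {"signal_id": "firmware_protection", "meets_criteria": "yes"},
            {"signal_id": "disk_encryption", "meets_criteria": "yes"},
            {"signal_id": "kernel_protection", "meets_criteria": "yes"},
        ],
        "sensor_signals": [
            {"signal_id": "sensor_version", "meets_criteria": "yes"},
            {"signal_id": "prevention_policies", "meets_criteria": "no"},
        ],
    },
}

def failing_signals(assessment: dict) -> list:
    """Every signal_id whose meets_criteria is not 'yes', os signals first."""
    groups = assessment.get("assessment_items", {}).values()
    return [s["signal_id"] for g in groups for s in g if s.get("meets_criteria") != "yes"]

def access_tier(assessment: dict, now: datetime) -> dict:
    """Highest tier the device qualifies for, or tier None with the reason for denial."""
    seen = datetime.fromisoformat(assessment["modified_time"].replace("Z", "+00:00"))
    if now - seen > MAX_AGE:
        return {"tier": None, "reason": "stale_assessment"}
    score = assessment.get("assessment", {}).get("overall")
    if score is None:
        return {"tier": None, "reason": "no_score"}
    failed = failing_signals(assessment)
    if HARD_FAIL & set(failed):
        return {"tier": None, "reason": "hard_fail", "failed": failed}
    tier = next((name for name, floor in TIERS if score >= floor), None)
    return {"tier": tier, "reason": "ok" if tier else "below_minimum", "failed": failed}

NOW = datetime(2024, 1, 1, 12, tzinfo=timezone.utc)  # constructed "current time"
```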
### Step 3: Integrate Device Posture with Entra ID Conditional Access
Create conditional access policies that require compliant devices.
```powershell
# Create a Conditional Access policy requiring MFA plus a compliant device
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$caPolicy = @{
    displayName = "Zero Trust - Require Compliant Device"
    state       = "enabled"
    conditions  = @{
        applications = @{
            includeApplications = @("All")
        }
        users = @{
            includeUsers  = @("All")
            excludeGroups = @("BreakGlass-Admins-Group-ID")
        }
        platforms = @{
            includePlatforms = @("all")
        }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
    sessionControls = @{
        signInFrequency = @{
            value              = 4
            type               = "hours"
            isEnabled          = $true
            authenticationType = "primaryAndSecondaryAuthentication"
            frequencyInterval  = "timeBased"
        }
        persistentBrowser = @{
            mode      = "never"
            isEnabled = $true
        }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy

# Create a risk-based policy combining device compliance with sign-in risk
$riskPolicy = @{
    displayName = "Zero Trust - Block High Risk Sign-Ins on Non-Compliant Devices"
    state       = "enabled"
    conditions  = @{
        applications     = @{ includeApplications = @("All") }
        users            = @{ includeUsers = @("All") }
        signInRiskLevels = @("high", "medium")
        devices = @{
            deviceFilter = @{
                mode = "include"
                rule = "device.isCompliant -ne True"
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $riskPolicy
```
### Step 4: Configure Okta Device Trust with CrowdStrike Integration
Set up Okta device trust policies using CrowdStrike posture signals.
```bash
# Okta: configure the CrowdStrike device trust integration
# Admin Console > Security > Device Integrations > Add Integration

# Okta API: create a device assurance policy
curl -X POST "https://company.okta.com/api/v1/device-assurances" \
  -H "Authorization: SSWS ${OKTA_API_TOKEN}" \
  -H "Content-Type: application/json" \
  --data '{
    "name": "Corporate Device Assurance",
    "platform": "WINDOWS",
    "osVersion": {
      "minimum": "10.0.19045"
    },
    "diskEncryptionType": {
      "include": ["ALL_INTERNAL_VOLUMES"]
    },
    "screenLockType": {
      "include": ["BIOMETRIC", "PASSCODE"]
    },
    "secureHardwarePresent": true,
    "thirdPartySignalProviders": {
      "dtc": {
        "browserVersion": {
          "minimum": "120.0"
        },
        "builtInDnsClientEnabled": true
      }
    }
  }'
```