Manage Device Trust Scoring

How to configure Trust Factors and enable Trust Level-based policies in your org

  • Updated on Oct 14, 2022

This article describes features that are only available in the Banyan Business edition and Banyan Enterprise edition.

Overview

This document outlines different ways to leverage Banyan’s device Trust Factors and external factors (e.g., third-party alerts or other mechanisms) to grant or block access to Banyan-secured resources. It also outlines all possible Trust Level statuses for devices.

Supported Trust Factors by Operating System

The table below lists all Trust Factors supported by specific operating systems.

TrustScore Factor macOS Windows Linux iOS Android
Auto Updates    
Disk Encryption    
Firewall    
Not Jailbroken      
Application Check    
Screen Lock      
OS Version

Steps

1. Configure Trust Factors

Trust Factors serve as a required checklist for devices in your organization, determining access to Banyan-secured services.

When configured alongside Policies, Trust Factors allow granular access to individual services that require heightened security.

To configure device Trust Scoring for your organization, navigate from Settings > TrustProvider Settings > Trust Factors in Banyan’s Command Center.

This page lists the available Trust Factors, including:

  • Auto Update - The device automatically installs new versions of its operating system. The device gets credit only if updates are installed automatically; auto-checking for updates alone does not earn credit.
  • Disk Encryption - The device’s disk encryption is enabled.
  • Firewall - The device’s firewall is enabled.
  • Not Jailbroken - The device is not rooted or jailbroken.
  • Screen Lock - The device’s ability to screen lock is enabled.
  • Application Check (desktop-only) - Establishes a list of apps required on devices in your organization. A device must have all of the listed apps running; it does not receive partial credit for running only a subset of them.
  • Operating System Version - Sets the oldest allowed version of an OS.

2. Set the Threshold for Stale Trust Levels

Set a Threshold for Stale Trust Levels. If a device does not submit its Trust Factors for the specified number of hours, Banyan cannot compute an up-to-date Trust Level and so automatically sets the device’s Trust Level to Always Deny.

In the Command Center, navigate from Settings > Trust Score Settings > Trust Score Expiry, and set the number of hours before devices’ Trust Levels expire.

3. Configure External Factors

Banyan always enforces the strictest allowed Trust Level. For example, if the external factor is AlwaysDeny but the Banyan Trust Level is Low, the AlwaysDeny will be enforced.

Using the Set Max Trust Level endpoint, you can incorporate external factors (such as a third-party SIEM or other security monitoring tools) to influence a device’s Trust Level in real time.

Configure your third-party tool to POST /set_max_trust_level, including the query parameter (Email or SerialNumber) identifying what needs to be updated. In the request headers, include Authorization: Bearer $AUTHTOKEN and Content-Type: application/json. The JSON payload includes the Level (AlwaysDeny, Low, Medium, High, AlwaysAllow), Reason (explanation displayed to the admin in the Command Center and to the end user in the Banyan App), and ExtSource (name of the external source, such as CarbonBlack, CrowdStrike, etc.).

The example JSON below shows a payload sent from CarbonBlack to Banyan after discovering malware associated with a user and/or device.

{
    "Level": "AlwaysDeny",
    "Reason": "Known malware MWS-2019-9842 detected on device - quarantine action taken.",
    "ExtSource": "CarbonBlack"
}

In this example, the Banyan TrustScore automatically drops to Always Deny and the device cannot access Banyan-protected resources.
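The request described in this step can be assembled and validated before it is sent. The following is an added example, not Banyan's own code: the base URL, token and serial number are placeholders, and the function names are hypothetical.

```python
import json
import urllib.parse
import urllib.request

# Levels accepted in the payload, as listed on this page.
LEVELS = ("AlwaysDeny", "Low", "Medium", "High", "AlwaysAllow")

# Placeholder: substitute your org's Banyan API base URL.
BASE_URL = "https://banyan-api.example.invalid"


def build_set_max_trust_level(token, level, reason, ext_source,
                              email=None, serial_number=None):
    """Build (but do not send) the POST /set_max_trust_level request."""
    if level not in LEVELS:
        raise ValueError(f"Level must be one of {LEVELS}, got {level!r}")
    if not reason or not ext_source:
        raise ValueError("Reason and ExtSource must be non-empty")
    # The target is selected by query parameter: Email or SerialNumber.
    query = {k: v for k, v in (("Email", email),
                               ("SerialNumber", serial_number)) if v}
    if not query:
        raise ValueError("Provide Email or SerialNumber")
    url = f"{BASE_URL}/set_max_trust_level?{urllib.parse.urlencode(query)}"
    body = json.dumps({"Level": level, "Reason": reason,
                       "ExtSource": ext_source}).encode("utf-8")
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})


def example_request():
    # Constructed sample values; a real token belongs in a secret store.
    return build_set_max_trust_level(
        token="EXAMPLE-TOKEN", level="AlwaysDeny",
        reason="Known malware MWS-2019-9842 detected on device - quarantine action taken.",
        ext_source="CarbonBlack", serial_number="C02EXAMPLE123")


if __name__ == "__main__":
    req = example_request()
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    # To send: urllib.request.urlopen(req, timeout=10)
```

Rejecting an unknown Level locally keeps a typo in the monitoring tool's configuration from silently failing to quarantine a device.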

4. Apply Trust Level Settings to Policies

When configuring a policy, set it to only allow devices that meet the minimum required Trust Level:

  • No Trust Level - Allows devices with any Trust Level.
  • High Trust Levels only - Allows only devices with a High Trust Level.
  • Medium or High Trust Levels Only - Allows only devices with a Medium or High Trust Level.
  • Any Trust Level except “Always Deny” - Allows devices with a Trust Level of Low, Medium, or High.
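Steps 2 through 4 combine into a single access decision. The model below is an added illustration of the behaviour this page documents, not Banyan's implementation; the function names, the ranking of AlwaysAllow above High, and the treatment of the expiry boundary are assumptions.

```python
# Strictest to most permissive. Ranking AlwaysAllow above High is an
# assumption of this sketch.
RANK = {"AlwaysDeny": 0, "Low": 1, "Medium": 2, "High": 3, "AlwaysAllow": 4}

# Policy settings from step 4, mapped to the lowest level each admits.
# "No Trust Level" is read literally as admitting any level.
POLICY_MIN = {
    "No Trust Level": "AlwaysDeny",
    "Any Trust Level except Always Deny": "Low",
    "Medium or High Trust Levels Only": "Medium",
    "High Trust Levels only": "High",
}


def effective_level(banyan_level, hours_since_report, expiry_hours,
                    external_max=None):
    """Combine staleness (step 2) and the external cap (step 3)."""
    # A device that has not reported within the threshold is Always Deny.
    if hours_since_report >= expiry_hours:
        return "AlwaysDeny"
    if external_max is None:
        return banyan_level
    # The strictest of the two levels is enforced.
    return min(banyan_level, external_max, key=RANK.__getitem__)


def is_allowed(policy_setting, level):
    """Step 4: does the policy admit a device at this effective level?"""
    return RANK[level] >= RANK[POLICY_MIN[policy_setting]]


def decide(policy_setting, banyan_level, hours_since_report,
           expiry_hours=24, external_max=None):
    level = effective_level(banyan_level, hours_since_report,
                            expiry_hours, external_max)
    return level, is_allowed(policy_setting, level)


if __name__ == "__main__":
    # Constructed devices: (policy, Banyan level, hours since report, cap)
    cases = [
        ("High Trust Levels only", "High", 2, None),
        ("Medium or High Trust Levels Only", "High", 2, "Low"),
        ("Any Trust Level except Always Deny", "Low", 2, "AlwaysDeny"),
        ("Medium or High Trust Levels Only", "High", 30, None),
    ]
    for policy, lvl, hours, cap in cases:
        print(policy, "->", decide(policy, lvl, hours, external_max=cap))
```

The second and fourth cases show a device with a High Banyan Trust Level being denied, once by an external cap and once by a stale report.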

Trust Level Status

Trust Level statuses can be viewed in Banyan’s Command Center: navigate from Directory & Infrastructure > Devices to see a list of devices’ Trust Level statuses. For a more detailed view of the Trust Level status, select the status of a particular device. These statuses indicate the security posture or state of devices in your org, and they are as follows:

  • Reporting: This status indicates that the Banyan app is running and reporting a Trust Level on the device.

  • Expired: This status indicates that the device has not reported a Trust Level within the configured period of time. A “Threshold for Stale Trust Levels” can be set to enforce a Trust Level expiry timeframe (e.g., 24 hours).

  • Pending: This status indicates that a device has been registered recently and not yet reported a Trust Level. It can also indicate that the device at hand has been banned.

  • Overridden: This status indicates that the Trust Level for the device has been overridden via API.
