Admin-defined assignment of Trust Factors to subsets of devices in an org
Trust Profile Overview
A Trust Profile applies admin-defined Trust Factors to a specific subset of devices within an org. Trust Profiles allow admins to assign a set of Trust Factors (with designated Trust Effects) to user groups, device serial numbers, operating systems, and device ownership types.
Historically, all Trust Factors were enabled at the organizational level and globally applied to all devices; with the introduction of Trust Profiles, specific Trust Factors can be applied to subsets of devices, offering admins granular control over devices’ security posture.
Trust Profile Assignment
Each device must be associated with a Trust Profile. If a device is not associated with a custom Trust Profile, it is associated with the Default Trust Profile, which exists in every org.
When the background job runs (roughly every 10 minutes) and devices are synced, a just-registered device moves to its new Trust Profile based on the assignment criteria.
The Default Trust Profile’s assignment criteria cannot be changed. This profile serves as the “catch all” and is automatically assigned to devices without an assigned profile. It is always the lowest priority Trust Profile.
Trust Profile assignment criteria include User Groups, Device Serial Numbers, Operating Systems, and Device Ownership types. Admins can configure assignment criteria, and then apply Trust Factors to these users’ devices.
In order to create a Trust Profile, admins must have at least one assignment criterion to apply to devices.
Trust Profile assignment is conjunctive. A profile assigned to two separate assignment criteria (e.g., a user group as well as an OS) will only apply if both criteria are met (e.g., the user is a contractor and working on a macOS device; not a user who is a contractor or working on a macOS device).
If an assignment criterion is not selected during Trust Profile creation (e.g., no operating systems are selected), the associated Trust Profile will apply to any of the criterion’s available options (e.g., the profile will apply to macOS, Windows, Linux, iOS, and Android if no operating systems are selected).
If an admin selects Yes to Include only MDM-managed devices, then this Trust Profile will only apply to MDM-managed devices (determined via the zero-touch installation process). If, alternatively, an admin selects No, then this Trust Profile will not evaluate for MDM-management.
Each Trust Profile can contain only one trust integration per vendor (e.g., only one CrowdStrike integration). If two or more trust integrations from the same vendor exist, only one can be applied to a given Trust Profile. Once one is applied, others from that same vendor will disappear as Trust Factor selection options for your profile.
Trust Profile Prioritization
Since devices can only be assigned to one Trust Profile, Trust Profile prioritization is required. A device will be assigned the Trust Profile that (i) matches selected criteria and (ii) has the highest priority level. The Default Trust Profile will always be the lowest priority on the list.
To prioritize Trust Profiles, select the top right triangle button, and complete the following:
- Drag and drop the profiles in the preferred order;
Trust Profile Example: Applying the CrowdStrike Integration factor to Contractors
An admin wants to create a Trust Profile for contractors in their org. The admin defines the profile by adding the user group Contractors.
The admin then selects the CrowdStrike Trust Integration factor to apply to Contractors’ devices.
Trust Profile Example: Prioritizing Trust Profiles
An admin creates two Trust Profiles: one profile applies a set of Trust Factors to the Developers user group; the other profile applies a separate set of Trust Factors to the Contractors user group. A device in the org is part of both user groups, Developers and Contractors. Therefore, both Trust Profiles apply to this device.
In Banyan, a device can only be assigned to one Trust Profile. Since the device matches the assignment criteria of both Trust Profiles, the profiles must be prioritized. To resolve this, the admin can navigate to the Trust Profile Prioritization page in the Command Center, and drag the Trust Profiles in order of priority, where 1 is the highest priority.
The admin decides that the Contractors Trust Profile is higher priority than the Developers Trust Profile, and drags the profiles to reflect this. Now, the device will be assigned to the Contractors profile.
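The assignment and prioritization rules described on this page, modeled as an added Python example (not Banyan's code or API). The class names, field names and sample values are assumptions, as is the rule that any one selected value within a criterion is enough to satisfy that criterion.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:                      # hypothetical device record
    serial: str
    os: str
    ownership: str
    user_groups: frozenset
    mdm_managed: bool = False

@dataclass(frozen=True)
class TrustProfile:                # hypothetical model of a custom Trust Profile
    name: str
    priority: int                  # 1 is the highest priority
    user_groups: frozenset = frozenset()        # empty = criterion not selected
    serials: frozenset = frozenset()
    operating_systems: frozenset = frozenset()
    ownership_types: frozenset = frozenset()
    mdm_only: bool = False         # "Include only MDM-managed devices" = Yes

    def matches(self, d: Device) -> bool:
        # An unselected criterion matches every device; selected criteria
        # are ANDed. Assumption: any one selected value within a criterion suffices.
        return all((
            not self.user_groups or bool(self.user_groups & d.user_groups),
            not self.serials or d.serial in self.serials,
            not self.operating_systems or d.os in self.operating_systems,
            not self.ownership_types or d.ownership in self.ownership_types,
            not self.mdm_only or d.mdm_managed,
        ))

def resolve_profile(device, profiles):
    """Return the name of the single profile the device is assigned to."""
    matching = [p for p in profiles if p.matches(device)]
    if not matching:
        return "Default"           # catch-all, always lowest priority
    return min(matching, key=lambda p: p.priority).name

# Constructed sample data mirroring the prioritization example above.
PROFILES = [
    TrustProfile("Contractors", 1, user_groups=frozenset({"Contractors"})),
    TrustProfile("Developers", 2, user_groups=frozenset({"Developers"})),
]
BOTH = Device("SN-0001", "macOS", "corporate", frozenset({"Developers", "Contractors"}))

if __name__ == "__main__":
    print(resolve_profile(BOTH, PROFILES))   # Contractors
```

Running a device inventory through a model like this before reordering profiles shows which devices would fall through to the Default Trust Profile or change profile.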