WebAuthn on mobile
We've extended our two-factor authentication (2FA) capabilities so that you can now register and sign in via biometrics on mobile devices. This makes it easier and more secure for your team members to meet 2FA requirements configured across Twingate. Team members need to be using the latest version of a mobile Client to register and use biometrics.
For more information, see our documentation.
Favorite Resources
Clients now allow Resources to be favorited. Favorited Resources are placed in their own easy-to-access section of the Client, giving users an easier way to find their most frequently used Resources.
WebAuthn support on the Admin Console
We've extended our two-factor authentication capabilities so that you can now authenticate into the Admin Console via biometrics or a security key. By bringing our WebAuthn offerings to the Admin Console, admins can now use more secure and easier methods to log in to and manage Twingate.
For more information, see our documentation.
Resource Aliases
We've added the ability to add aliases to Resources. Aliases let your users access Resources using an alternate address. For example, a server with the IP address 10.0.0.10 could be aliased to myserver.internal with zero configuration outside of Twingate.
For more information, including required Connector and Client versions, see our documentation.
Add Identity Provider and Social Login Users
Twingate now allows users to be automatically added or synced from a linked identity provider’s user directory, while also allowing users who use social logins (e.g. Google or LinkedIn) to be manually added by an admin. This can be useful if you need to provide access to external parties like contractors who don’t have accounts that are managed through your identity provider. Previously, admins were limited to adding users from either an identity provider or a social login provider, but not both at the same time.
To enable this functionality for your Twingate account, please contact Twingate support.
For more information on our supported identity providers, see our documentation.
Kandji Integration
Our Device Security integrations now include Kandji!
You can now configure Twingate Security Policies so that only Kandji-verified devices can sign into Twingate or access protected Resources.
This means organizations using Kandji can opt not to use manual device verification and choose to identify company-managed devices through Kandji instead.
For more information, see our documentation.
WebAuthn support for Two-Factor Authentication
Twingate has expanded its native two-factor authentication capabilities. Twingate now supports authentication with WebAuthn using biometrics and security keys, in addition to our existing time-based one-time password authentication option. Authenticating via methods such as Touch ID or YubiKeys are more secure as they provide device-based two-factor authentication while also offering more ease of use. Users will now be given the option to configure biometrics or security keys for authentication, allowing these methods to be used to meet Twingate’s native two-factor authentication requirements.
For more information, see our documentation.
SentinelOne Integration
We’ve expanded our Device Security integrations to now include SentinelOne.
Twingate Security Policies can now be configured so that only SentinelOne-compliant devices can sign into Twingate or access protected Resources.
This means SentinelOne users can bypass manual device verification and opt to identify company-managed devices through SentinelOne instead.
For more information, see our documentation.
Archiving and Blocking Devices
Twingate admins can now archive and block devices.
Old or decommissioned devices can be archived and hidden from the Admin Console.
Lost devices can be blocked so that they can no longer authenticate with or access Twingate.
For more information, see our documentation.
Client Resource Visibility
Twingate admins are now able to hide specific Resources from the main list of Resources displayed in end user Clients. Marking a Resource as hidden will move it into a “Background Resources” sub-menu in the Client. Additionally, admins can now disable the “Open in Browser” shortcut for Resources that aren’t intended to be opened directly from the Client or that don’t open in a web browser.
For more information, see our documentation
Client requirements
macOS
1.0.25
or newerWindows
1.0.23
or neweriOS
1.0.25
or newerAndroid
1.0.23
or newerLinux
1.0.74
or newer
Display Protocol Restrictions
Protocol restrictions that apply to Resources are now displayed wherever Resources appear in the Admin Console. This allows you to quickly see if a Resource is allowed, restricted, or blocked from using TCP, UDP, or ICMP.
Team Page Refresh
We’ve revamped the Team page in the Admin Console. With this update, you can now search, sort, and filter users, groups, and service accounts. This lets you easily find users and identify their access rights at a glance, or search for a group to quickly determine its resource policy. Scrolling endlessly to find a user is now a thing of the past!
Intune Integration
We’re excited to announce that we’ve expanded our Device Security capabilities with a new integration with Microsoft Intune. You can now configure Twingate Security Policies so that only Intune-compliant devices can be used to sign into Twingate or access protected Resources. This removes the burden of manual device verification by automatically identifying company-managed endpoints.
For more information, see our documentation.
Manage Billing Plans
We’ve updated our self-serve billing functionality to allow you to manage your plan within the Admin Console. Admins will now be able to modify billing plan and frequency from the Billing page.
For more information, see our documentation.
NextDNS integration
Twingate now integrates with NextDNS, a leading DNS filtering service that protects users from a wide range of internet security threats. NextDNS can be enabled directly from the Twingate Admin Console, allowing admins to extend DNS security protections to all Twingate users on desktop platforms. No additional app installation or network configuration is required beyond enabling NextDNS in Twingate. Profiles that are configured in NextDNS, which allow sets of different DNS security settings to be defined, can be selected directly within the Twingate Admin Console.
For more information, see our documentation.
Jamf Integration
We’re happy to share that our Device Security capabilities now support an integration with Jamf. Admins can configure Twingate Security Policies so that only devices managed in your Jamf tenant can be used to sign in to Twingate or access protected resources. This allows you to define what it means to be a Trusted Device using your existing Jamf deployment, bridging your device source of truth and network access management policies.
For more information see our documentation.
Connected state for devices
We’ve updated our Admin Console so you can see which devices across your team are currently connected to Twingate. Device connectivity can now be seen across Device and User pages and the total count of currently connected devices is visible on the Devices page. Now, you can more easily monitor active devices, troubleshoot issues, and identify realtime Twingate usage throughout your company.
Resource authentication states in clients
We’ve added new functionality to the Twingate Client to display a Resource’s authentication state. This change gives your users insight into what they can access at any given time. For each Resource, users can now see whether they are currently authenticated and how much time is left before they need to authenticate again. Users can also manually authenticate before accessing a Resource, giving them more control over how authentication fits into their workflow.
Client requirements
macOS
1.0.23
or newerWindows
1.0.21
or neweriOS
1.0.23
or newerAndroid
1.0.21
or newerLinux support will be available in a future release
Linux ARM
Our latest Linux Client (1.0.68
) now supports ARM64 architecture, which means that the Client can now run on endpoints such as newer Raspberry Pi and other IoT devices. Virtualized Linux environments running on ARM-based Apple Silicon devices are also now supported. Combined with running the Linux Client in headless mode using our Service functionality, this enables Twingate to be used across a broader range of use cases and devices within your network.
For more information, see our documentation.
Network Events in Admin Console
We’ve enabled network events in the admin console, bringing details about network traffic to the individual user and resource pages. You can now navigate within the admin console to see details about recent network traffic associated with a team member or protected resource. This enables you to easily understand who’s accessing what across Twingate and investigate or troubleshoot issues directly from the admin console.
For more information see our documentation.
User Activity Report
We’ve added new reporting functionality to the admin console: now you can export a list of active users on Twingate and their last access time. This allows you to easily see who’s recently been using Twingate, which can help with auditing, tracking, and monitoring.
For more information, see our documentation.
DNS Security & DoH
We’re pleased to announce Twingate’s first capability to protect user privacy and improve security posture on any network by automatically encrypting DNS traffic. Despite advancements to protect DNS such as DNSSEC, the vast majority of DNS requests are still both unencrypted and unvalidated, and hence vulnerable to a range of exploits from data collection to DNS poisoning and phishing.
A solution to the problem of unencrypted DNS traffic already exists in the form of DNS-over-HTTPS (DoH), which simply encapsulates standard DNS requests into HTTPS requests, hiding the contents of the requests from third parties. The Twingate Client’s transparent DNS proxy not only enables configurationless private DNS resolution, but it also allows us to offer automatic DoH protection for the entire operating system. Any DNS request on a user’s device, both foreground and background, will be encrypted, regardless of the application, and automatically forwarded to a trusted DoH resolver.
Enabling DoH for your users in Twingate is very simple. Simply turn on DoH in the “DNS Security” section in your Admin Console Settings page, and any macOS, Windows, or Linux users will automatically have DoH protection enabled. Select from a number of trusted DoH resolvers, or use the custom resolver option to use your existing DoH provider, which can also be used to enable DNS filtering for all Twingate users automatically.
CrowdStrike Integration
We’re excited to announce that we’ve extended our Device Security capabilities to integrate with CrowdStrike. You can now configure your Twingate Security Policies so that only devices managed in your CrowdStrike Falcon platform can be used to sign in to Twingate or access protected resources. This enables you to layer on the best of CrowdStrike’s device controls and management with Twingate’s granular access policies.
For more information see our documentation.
Admin Roles
We’ve added new admin roles to our Twingate Admin Console, enabling restricted access for DevOps and Support team members. With the new admin roles, DevOps team members can set up and modify Resources, Remote Networks, and Connectors while only having read access to groups, policies, etc. Support team members will only have read-only access to the entire admin console. This new feature allows admins to delegate admin management and support responsibilities to the right people without granting overprivileged access.
For more information see our documentation.
Terraform Provider Updates
A new version of our Terraform Provider, v0.1.7
, is now available from Terraform’s Provider Registry.
In addition to a number of bug fixes, we have made the following enhancements:
Added support for a new
twingate_group
resource that allows you to both import existing and create Twingate Groups in your Terraform configuration.Added a new
DENY_ALL
shorthand port restriction when configuring atwingate_resource
resource.Added a new GKE + Helm deployment guide to our documentation.
We’re continuing to work on a number of highly-requested enhancements to our Terraform Provider, and so expect to see another update here in the near future. The full changelog for v1.0.7
is available on Github.
Device Security
We’re excited to launch Device Security, a new controls framework that allows fine-grained definition over which devices are authorized to access specific Resources. Device Security includes native device posture checks across all platforms and is integrated into Twingate’s existing Security Policies.
For more information see our blog post and documentation.
Service Account API
We’ve updated our public GraphQL Admin API to include all create, update, and management actions for our Service Accounts functionality. This allows Service Accounts to be created and managed programmatically as part of our commitment to automation on our platform.
Resources Page Refresh
We’ve updated our Resources page within the Admin Console so that admins can more easily see and manage Resources. With this overhaul, admins can now sort, search, and view more details about the Resources configured within Twingate. This makes it easy to audit and make changes, including enabling and disabling the Resource as well as adding and removing access.
JumpCloud integration
JumpCloud integration
Today we’re excited to share that we now integrate with JumpCloud. Adding to our existing identity provider integrations with Azure AD, Google Workspace, Okta, and OneLogin, you can now connect Twingate to your JumpCloud account for authentication and user & group sync. This makes it easier than ever to get your team set up and deployed with Twingate.
For more information, see our documentation.
Peer-to-peer Transport via NAT Traversal
We’re excited to introduce a significant upgrade to our network infrastructure that reduces round trip latency and incorporates the latest networking standards. Clients and Connectors will now prioritize negotiating a direct peer-to-peer connection whenever possible; our Relay infrastructure remains available as a secondary data path.
This upgrade also introduces the use of QUIC at the network transport level. QUIC was designed to address the challenges of real-world internet usage by:
Maximizing throughput for concurrent data streams
Reducing connection startup time
Improving resilience to network changes
We are in the process of rolling out this functionality to all of our customers. If you’d like to opt in for early access, please contact your account manager. For more on how we think about Twingate’s underlying network architecture, including these most recent upgrades, see our blog post.
Client and Connector requirements
Connector
1.31.0
or newerWindows
1.0.13
or newermacOS
1.0.16
or newerLinux
1.0.32
or neweriOS
1.0.16
or newerAndroid support will be available in the next release
Admin Actions Report
Admin Actions Report
Today we’ve expanded our reporting capabilities. Adding to our previous analytics on network traffic, we now offer Business and Enterprise admins the option to export reports on admin actions. This gives insight into what’s being created, deleted or edited across Remote Networks, Connectors, Users and Groups, Service Accounts, and more. It’s now easier than ever to keep track of what changes and updates are being made across your Twingate network.
For more information, see our documentation.
Connector Downtime Notifications
We’ve added email notifications for Connector availability status changes, making it easier for admins to be aware of and troubleshoot access issues. With this feature, admins will receive emails if Connectors go offline and also when they come back online. Admins have the option to mute status emails if these availability status changes are expected behavior.
For more information, see our documentation.
Devices Page Refresh
We’ve revamped and optimized our Devices page within the Admin Console. With this overhaul, we’ve improved the performance of the Devices page so admins can quickly see their organization’s details. This makes it easy to view which devices have been used to access Twingate, ensure they’re up to date, and manage Trusted Devices.
For more detailed information, see our documentation.
Device Requirements in Resource Policies
Platform Requirements and Trusted Devices in Resource Policies
We’ve extended Resource Policies so that they now support Device Requirements. In addition to the previous options on Sign-In Policy and Authentication Requirements, Resource Policies now support setting requirements on the operating system and Trusted Device state. With this update, Resources can be configured so that they can only be accessed via devices marked as Trusted Devices or running specific platforms.
For more information, see our documentation.
Google Workspace Updates
Today we’re excited to share three updates to our Google Workspace integration. These changes make our integration more fully featured and performant so that you can get your team organized and configured within Twingate. The three major updates are support for Organizational Units, use of webhooks to sync changes, and support for multiple Google Workspace domains. For more detailed information, see our documentation.
Google Organizational Unit sync
Twingate’s Google Workspace integration now supports syncing Organizational Units (OUs) and Google Groups. Customers using Google Workspace as their identity provider will have the option to sync either or both OUs and Groups as Twingate groups, which can then be granted access to specific resources. This makes it easier than ever to seamlessly integrate existing user management architecture into Twingate.
Google Workspace webhooks
We also updated how we sync users via our Google Workspace integration. By using webhook-based triggers to identify changes, Twingate is now able to reflect updates even faster, significantly reducing sync times. With this, you’ll be able to easily get your team set up and stay up to date within Twingate.
Multiple Google Workspace domains
Customers using Google Workspace as an identity provider will now also be able to sync multiple domains from a single Google Workspace account (secondary domains within Google Workspace). This ensures that users from these different domains will be able to authenticate, sync changes, and be given access to resources as needed.
MacOS pre-configuration updates
Now updated: MacOS pre-configuration updates
We’ve expanded support for pre-configuration of the MacOS Twingate client via Apple property list files (.plist). The first change is that the client can be pre-configured to start at login via a setting in the .plist. The second update is that the client can now read .plist files from /Library/Managed Preferences/
in addition to the previously supported /Library/Preferences/
. This makes it easier to deploy and manage Twingate across your organization’s devices. These two updates are now live in our latest version of the MacOS client (1.0.16
), available in the Mac App Store.
For more information, see our documentation.
Service Accounts & Headless Clients
Now available: Service accounts
We’ve expanded support for CI/CD pipeline integration and automated processes by adding service accounts to Twingate. Services can be created in the Admin console and access can be provided to any existing resources. Service keys assigned to a service are used to authorize access using the new headless mode available in our Windows and Linux clients. Upgrading connectors to 1.0.30
or later is required to enable service access to resources.
For more information, see our product announcement and documentation.
Minor Fixes and Improvements
Clients
Linux
1.0.21
and Windows1.0.11
Clients now support service accounts with headless modes.
Admin Console
The Google Workspace integration now supports webhook-based triggers for user changes.
Connectors are now given random names, and connector names can be edited after creation.
The admin user who created a given Admin API key is now visible in the admin console.
Resources can now be edited directly from the resource list view in the Network page.
Admin API
Added support for devices into the Admin API, including updating device trusted status.
Connector Real-time Logs & Metadata
Connector Real-time Connection Logs
We’ve added real-time network logging to the Connector to enable feeding this information directly into a SIEM system. Logs are output in JSON format and are identity-indexed, allowing you to link user identity directly to the resource that was accessed, the rule that allowed access, which device was used, and how much data was transferred. For more detailed information, please see our documentation.
Connector Metadata
We’ve augmented the Connector detail page in the Admin console to display additional information about each Connector. We now:
Report the Connector’s current version
Indicate if an update is available for the Connector
Display any custom metadata
See our documentation for information on setting custom metadata. We will be continuing to enhance the Connector information we provide over the coming weeks.
Minor Fixes and Improvements
Clients
Added NixOS distribution support in Linux
1.0.12
.macOS and iOS Clients are now available in the corresponding French Apple App Stores.
General
Improved the Twingate Universal 2FA experience by introducing a sliding window for code entry. This prevents user codes from being rejected just after the 2FA code transitions.
Device Trust & Visibility
Device Details
Twingate now displays information about all of your users’ devices across all platforms. This information is exposed in both the user detail page for an individual user and in the new Devices tab in the Admin console. At a glance, you are now also able to see what devices are connected to Twingate, detailed information about devices, and whether the device is trusted. This information can also be sorted, exported, and summarized in the Devices tab.
Over time we will be expanding the range of device information that we collect, both via the Twingate client application and from 3rd party integrations with MDM and EDR products our customers already have deployed. We will also be enriching our existing identity-based network analytics information with collected device information to continue to provide our customers with the most complete picture of network activity.
Devices running Twingate Clients of the following versions or later support sending device details to Twingate:
Windows
1.0.8
macOS
1.0.9
iOS
1.0.8
Android
1.0.11
Clients running prior versions of Twingate will be shown as a generic Device without additional details or metadata. We recommend that your users update to the latest version of the Twingate Client to take advantage of this and future functionality.
Trusted Devices
The Trusted Device functionality that we’re launching today is a very first step towards building a dynamic trust status. Admins are now able to mark devices as trusted, which allows defining Security Policies that take this status into account. This policy requirement can be enforced for any device, on any platform, and in any location with nothing but the Twingate client app required.
While this trusted/untrusted status is suitable for many scenarios where access must be restricted to known devices, we see this functionality as a fundamental building block for more nuanced policies in the future. We will soon be extending this concept to make device trusted status be conditional on a number of factors, including the destination resource that is being accessed, 3rd party reporting from MDM and EDR systems, and additional context collected from the Twingate client application itself.
Minor Fixes and Improvements
Clients
Modified the Client authentication flow so that users no longer need to click a deeplink notification to open Twingate and complete the authentication flow.
Improved the Admin console sign-in experience by allowing login directly from twingate.com.
Twingate Terraform Provider
Today we’re proud to release Twingate Terraform Provider 0.1.0
, which is available now in Terraform’s Provider Registry. Many of our customers have fully standardized on Infrastructure-as-Code processes, and we’re pleased that they can now integrate secure zero trust access into these processes automatically using our Terraform Provider.
One of the major benefits of Twingate is that it allows you to decouple planning decisions around network infrastructure from user access. By deploying Connectors in any network segment where access is needed, it’s no longer necessary to route traffic between networks to accommodate the need for access. You can focus on managing and securing your network to best practices, knowing that access can be provided anywhere it’s needed.
We’ve gotten valuable early feedback on our Provider as we were developing it, and if you have any feedback once you’ve given it a try, we’d love to hear from you, too.
Security Policies
We’re excited to announce Twingate Security Policies, which is a new framework to help you manage access to Resources. This will enable you to apply more granular security rules to sensitive assets. For example, you may want to require 2FA, but only for users accessing billing systems with customer financial data.
Twingate has three types of Security Policies, each of which come together to protect access to your Twingate network. Different Policy types may have different rules available to them, based on what is appropriate for the use case.
Resource Policies: These policies are applied to Resources at the time they are accessed by a user. Use these policies to apply extra security to more sensitive Resources on your Network. There is always one Default Policy which is applied to all new Groups by default. You can create additional Resource Policies in the Admin Console.
Network Sign In: This policy is applied to all users of Twingate when they attempt to log into the network. Users must fulfill the criteria in this Policy before attempting to access any Resources, even if those Resources have more permissive Security Policies than the Network Sign In policy.
Admin Console Sign In: This policy is only applied to Twingate administrators when they sign into the Admin Console. Admins do not need to sign into Twingate to access the Admin Console, so the Network Sign In policy is not applied here.
General Product Updates
Twingate now has a SOC 2 Type 2 report available on request from our team.
Minor Fixes and Improvements
Clients
Added Windows “Start on Login” support in
1.0.4
.Added support for unqualified DNS names on macOS
1.0.7
and Windows1.0.5
.Fixes Sophos incompatibility issues on macOS
1.0.7
.Added support for Arch Linux in Linux
1.0.6
.
Connectors
Improved the speed and resiliency of Connectors when switching between different Relay cluster regions.
Admin console
Added wanrning for admins when attempting to create multiple Resources with the same address.
Added ability to disable group sync for Google Workspace.
Added Universal 2FA support for non-IdP configurations.
Universal 2FA & Identity-indexed network flow logs
Universal 2FA
Today we’re launching native two-factor authentication to our Business and Enterprise customers, which will allow more fine-grained controls independent of your chosen identity provider and independent of the destination resource. We call this experience Universal 2FA because it can be applied to any type of resource with zero application changes.
One of the “wow” moments for our customers is using Twingate’s Universal 2FA to apply discretionary security levels to resources according to their sensitivity. For example, admins can ensure that users with production network SSH access are subject to an additional 2FA challenge. The lack of application changes, and flexibility to work with any protocol or resource, means that security changes can be made immediately. The user experience is also seamless, operating in-line with the user’s workflow thanks to Twingate’s transport-level network routing.
Identity-indexed network flow logs
Every network connection in your Twingate network is authenticated against a central IdP and authorized by security policies defined in Twingate. This means that for the first ever, our customers now have an identity-first view of their private network flow. All private traffic is always directly associated with user identity, including the authorization rule that allowed the connection, network path information, data volume transferred, and port details.
Identity-indexed network analytics make it straightforward to not only determine who accessed internal resources, but to quickly identify usage patterns, trends, and spot anomalous behavior. For forensic investigations, gone are the days of piecing together time-stamped network logs and IP addresses from disparate systems to try to understand a sequence of events. Identity ties all access information together, regardless of location, device, operating system, or network.
General Product Updates
You can now specify ports and ranges that are allowed as part of resource definitions. Any port restrictions are checked and applied before any traffic leaves the user’s device, meaning that traffic for disallowed ports will never enter your private network.
We now support group sync updates for Okta, OneLogin, Google Workspace, and Azure AD. SCIM is used for updates where supported by the identity provider.
We’ve updated our macOS and Windows clients to make them compatible with DNSFilter. You can read more about our partnership announcement on our blog.
The Connector provisioning workflow has been completely overhauled, and we now have pre-configured deployment scripts for Docker, Linux (via systemd), AWS EC2, AWS AMI, K8s (via Helm Chart), and Azure (via ContainerInstance).
ChromeOS is now an officially supported platform for Twingate clients, starting with Android/ChromeOS
1.0.5
.
Minor Fixes and Improvements
Clients
Added correct handling of CNAME chains on bypass (non-protected) traffic.
Added “Start on Login” support in macOS
1.0.5
.Added native Apple M1 support in macOS
1.0.5
.Addresses performance improvements for any traffic that tends to send small packets (eg. SSH).
Added ability for the macOS client to have its Twingate network name pre-configured via plist, which is useful for MDM/EMM deployments.
Added ICMP proxy support so that
ping
requests are correctly handled via both bypass and protected routes.
Connectors
Reduced overall Connector memory usage.