Device-only Policies
Resource Policies that enforce device requirements without re-authentication, useful for system services or always-on access scenarios.
A device-only Resource Policy enforces device requirements without requiring the user to re-authenticate. This is useful for Resources that should remain accessible as long as the user’s device meets the security requirements and their Sign In Policy session is valid. Examples include system services, monitoring endpoints, or Resources that need to be reachable before an interactive user session is available.
How It Works
By default, all Resource Policies include both authentication requirements and device requirements. Setting a Resource Policy to device-only disables the authentication requirement, leaving only the device security check.
To create a device-only policy, open a Resource Policy in the Admin Console and select Disable next to Authentication Requirements.
Even with authentication disabled on the Resource Policy, the Sign In Policy is always enforced. The user must have a valid sign-in session (meaning they authenticated within the Sign In Policy’s configured timeframe) before they can access any Resource, including those behind device-only policies.
Session Behavior
Device-only policies interact with session timers differently than standard Resource Policies:
- The Sign In Policy timer is not extended. Because device-only policies do not require authentication, accessing Resources behind them does not satisfy the Sign In Policy’s authentication requirements, so the timer keeps counting down from its last reset rather than being refreshed by device-only Resource access.
- Sessions persist across restarts. The sign-in session is maintained when the Client restarts or the device reboots. Resources behind device-only policies are immediately accessible after a restart, as long as the Sign In Policy session has not expired and the device still meets the required profile. Standard Resource Policy sessions, by contrast, are not maintained across restarts.
- Device posture is checked periodically. Twingate re-evaluates device posture approximately every 5 minutes. If the device falls out of compliance with the required profile, access is revoked at the next check.
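As an added illustration (not Twingate's own code), the following Python model encodes the session rules described above: the always-enforced Sign In Policy gate, the sign-in timer that device-only access does not extend, persistence of the sign-in session across a restart, and the roughly 5-minute posture check that revokes access only when it next runs. Posture attribute names such as disk_encrypted, the per-policy authentication record, and the assumption that authenticating for a standard Resource Policy resets the Sign In timer are constructed for the model.

```python
from dataclasses import dataclass, field

POSTURE_CHECK_INTERVAL = 5 * 60  # seconds; posture is re-evaluated about every 5 minutes

@dataclass
class ResourcePolicy:
    name: str
    device_only: bool             # True when Authentication Requirements are disabled
    required_posture: frozenset   # posture attributes the device profile demands (constructed)

@dataclass
class ClientState:
    sign_in_at: float             # last authentication that satisfied the Sign In Policy
    sign_in_lifetime: float       # Sign In Policy timeframe, in seconds
    actual_posture: set           # what the device looks like right now
    checked_posture: set = field(default_factory=set)  # snapshot from the last posture check
    last_check: float = float("-inf")
    resource_auth: dict = field(default_factory=dict)  # standard-policy authentications by name

    def sign_in_valid(self, now):
        return now - self.sign_in_at < self.sign_in_lifetime

def run_posture_check(client, now):
    """Refresh the posture snapshot once the check interval has elapsed."""
    if now - client.last_check >= POSTURE_CHECK_INTERVAL:
        client.checked_posture = set(client.actual_posture)
        client.last_check = now

def request_access(policy, client, now, authenticate=False):
    """Return True if the Resource behind `policy` is reachable at time `now`."""
    run_posture_check(client, now)
    if not client.sign_in_valid(now):
        return False                      # Sign In Policy is always enforced
    if not policy.required_posture <= client.checked_posture:
        return False                      # non-compliance takes effect at the next check
    if policy.device_only:
        return True                       # no auth step, so the Sign In timer is untouched
    if authenticate:
        client.resource_auth[policy.name] = now
        client.sign_in_at = now           # assumption: this authentication resets the Sign In timer
    return policy.name in client.resource_auth

def restart(client):
    """Client restart or device reboot: the sign-in session survives, standard Resource sessions do not."""
    client.resource_auth.clear()
```

Walking a client through access at t=10s, t=3500s and t=3700s with a 3600s Sign In Policy shows the device-only Resource dropping out at expiry even though it was used throughout; calling `restart()` between two requests shows the standard Resource requiring re-authentication while the device-only one stays reachable.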
Start Before Logon
On Windows, device-only policies can be combined with Start Before Logon to provide network access to system-level services before a user signs in interactively.
For a detailed walkthrough of how device-only policies interact with the Sign In Policy and IdP sessions, see the sessions guide.