Device Profiles
Define device trust criteria and operating system requirements for your Twingate network.
Device Profiles define what qualifies a device to access your Twingate network. Configuration is split into two sections on the Device Profiles tab of the Policies page: Trusted Profiles and Approved Operating Systems.
Think of these as wristbands: a device can earn multiple wristbands depending on which profiles it satisfies. When a user signs in to Twingate, any device with at least one wristband is allowed. When a user accesses a Resource, only devices with the specific wristbands required by that Resource’s policy are granted access.
Trusted Device Profiles
Trusted Device Profiles identify devices that have been verified through a specific method, either manual verification by an admin or an automated check via an MDM/EDR integration. Each Trusted Device Profile targets a single platform and can optionally include device posture checks in addition to the verification method.
Trusted Device Profile Requirements are Additive
All requirements enabled in a Trusted Device Profile are evaluated together. A device must satisfy every verification method and posture check in the profile to be considered trusted.
To create a Trusted Device Profile, click Create on the Device Profiles tab, select a platform, choose a verification method, and configure any additional posture requirements.
Verification Methods
Each Trusted Device Profile requires at least one verification method:
- Manual verification: Admins verify devices by serial number or by individual device instance. Serial numbers can be bulk-uploaded before or after devices sign in to Twingate. Devices can also be trusted programmatically via the Twingate API. → Manually Verified Devices
- CrowdStrike: Verifies devices via the CrowdStrike Falcon API and ZTA score. → CrowdStrike Configuration
- Intune: Verifies device compliance status via the Microsoft Intune API. → Intune Configuration
- Jamf: Verifies macOS devices via the Jamf API. → Jamf Configuration
- Iru (previously Kandji): Verifies macOS devices via the Iru API. → Iru Configuration
- SentinelOne: Verifies devices via the SentinelOne API. → SentinelOne Configuration
- 1Password: Verifies devices via 1Password Extended Access Management. → 1Password Configuration
Using Trusted Device Profiles in Policies
Once created, Trusted Device Profiles are automatically available in both the Sign In Policy and Resource Policies:
- Sign In Policy: Any device that meets any Trusted Device Profile (or Approved Operating System requirement) can sign in to Twingate.
- Resource Policies: You can require specific Trusted Device Profiles for individual Resources. Set the Device Security requirement to Only Trusted Devices to restrict access to verified devices, or use Custom to select specific profiles.
Approved Operating Systems
Approved Operating Systems set the baseline device requirements for each platform. You can enable or disable platforms individually. Disabling a platform blocks all devices on that platform from signing in to Twingate, unless they meet a Trusted Device Profile.
For each enabled platform, you can configure native device posture checks. These checks are performed by the Twingate Client and vary by platform:
| Platform | Available posture checks |
|---|---|
| Windows | HD encryption, screen lock, firewall, antivirus, minimum OS version |
| macOS | Screen lock, biometric configuration, firewall, HD encryption, minimum OS version |
| Linux | HD encryption, firewall |
| iOS | Screen lock, biometric configuration, minimum OS version |
| Android | HD encryption, screen lock, biometric configuration |
macOS firewall and HD encryption
Firewall and HD encryption posture checks on macOS are only available with the macOS standalone Client.
For detailed information about how each posture check is evaluated on each platform, see the Device Posture Checks reference.
Blocking a Platform
When a platform is disabled in Approved Operating Systems, devices on that platform cannot sign in to Twingate unless they satisfy a Trusted Device Profile for that platform. This is useful for organizations that want to block unmanaged devices on a platform while still allowing managed, verified devices through.
Common Configurations
The following examples illustrate how to combine Trusted Device Profiles, Approved Operating Systems, and Resource Policies for common scenarios.
| Scenario | Device Profiles configuration | Resource Policies configuration |
|---|---|---|
| Only allow macOS and iOS with basic posture checks | Disable Windows, Linux, and Android in Approved Operating Systems. Configure posture checks for macOS and iOS. | Set Device Security to Any Device or use Custom to select only the macOS and iOS profiles. |
| Employees on trusted devices, contractors on baseline | Configure Approved Operating Systems with the posture checks needed for contractor devices. Create Trusted Profiles for employee platforms using manual verification. | Assign Trusted Profiles to Resources that employees access. |
| Block all Android except verified test devices | Disable Android in Approved Operating Systems. Create a Trusted Device Profile for Android using manual verification and mark test devices as trusted. | Add the Android Trusted Device Profile as an allowed device on the relevant Resource Policies. |
| Require MDM/EDR verification for macOS | Disable macOS in Approved Operating Systems. Set up the applicable MDM/EDR integration. Create a Trusted Device Profile for macOS with the MDM/EDR integration as the verification method. | Add the macOS Trusted Device Profile to Resource Policies for Resources that macOS devices should access. |
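The two rules that drive every row in this table are the ones stated earlier: a Trusted Device Profile is additive (platform, every verification method and every posture check must all hold), while the Sign In Policy is permissive (any one wristband of either kind is enough), and a Resource Policy then filters on specific wristbands. The following Python model is an added example written for this page, not Twingate's own code, and it encodes those rules so a configuration can be dry-run before it is applied. The profile names (`android-test-devices`, `os:macOS`), the verification-method label `manual`, the posture-check labels and the `device_security` values `any`, `trusted_only` and `custom` are constructed stand-ins for the Admin Console settings, not API identifiers. The scenario it walks through is the "Block all Android except verified test devices" row above, with macOS still admitted on baseline posture checks.

```python
from dataclasses import dataclass

# Constructed model of the evaluation rules described on this page; it is not
# Twingate code. Profile names, method names and posture labels are assumptions.


@dataclass(frozen=True)
class Device:
    platform: str                          # "macOS", "Android", ...
    posture: frozenset = frozenset()       # posture checks the Client reports as passing
    verified_by: frozenset = frozenset()   # verification methods that vouch for the device


@dataclass(frozen=True)
class TrustedProfile:
    name: str
    platform: str
    verification: frozenset                # required verification methods
    posture: frozenset = frozenset()       # optional extra posture checks

    def matches(self, device: Device) -> bool:
        # Requirements are additive: the platform must match and every
        # verification method and posture check in the profile must hold.
        return (device.platform == self.platform
                and self.verification <= device.verified_by
                and self.posture <= device.posture)


@dataclass(frozen=True)
class ApprovedOS:
    platform: str
    enabled: bool
    posture: frozenset = frozenset()       # native posture checks for the platform

    @property
    def name(self) -> str:
        return f"os:{self.platform}"

    def matches(self, device: Device) -> bool:
        # A disabled platform hands out no wristband at all.
        return (self.enabled and device.platform == self.platform
                and self.posture <= device.posture)


@dataclass(frozen=True)
class ResourcePolicy:
    device_security: str                   # "any", "trusted_only" or "custom"
    allowed: frozenset = frozenset()       # profile names used when "custom"


def wristbands(device, trusted_profiles, approved_os) -> set:
    """Every profile the device satisfies, as a set of profile names."""
    bands = {p.name for p in trusted_profiles if p.matches(device)}
    bands |= {o.name for o in approved_os if o.matches(device)}
    return bands


def can_sign_in(device, trusted_profiles, approved_os) -> bool:
    # Sign In Policy: at least one wristband of either kind is enough.
    return bool(wristbands(device, trusted_profiles, approved_os))


def can_access(device, policy, trusted_profiles, approved_os) -> bool:
    # A device that cannot sign in never reaches a Resource.
    bands = wristbands(device, trusted_profiles, approved_os)
    if not bands:
        return False
    if policy.device_security == "any":
        return True
    if policy.device_security == "trusted_only":
        trusted_names = {p.name for p in trusted_profiles}
        return bool(bands & trusted_names)
    if policy.device_security == "custom":
        return bool(bands & policy.allowed)
    raise ValueError(f"unknown device_security: {policy.device_security}")


# Scenario: Android disabled in Approved Operating Systems, a manually
# verified Android profile for test devices, macOS allowed with baseline checks.
TRUSTED = [TrustedProfile("android-test-devices", "Android", frozenset({"manual"}))]
APPROVED = [
    ApprovedOS("macOS", enabled=True, posture=frozenset({"screen_lock", "hd_encryption"})),
    ApprovedOS("Android", enabled=False),
]
# Resource Policy using Custom: the Android test profile plus the macOS baseline.
TEST_LAB = ResourcePolicy("custom", frozenset({"android-test-devices", "os:macOS"}))

# Constructed sample devices.
UNMANAGED_ANDROID = Device("Android", posture=frozenset({"screen_lock"}))
TEST_ANDROID = Device("Android", posture=frozenset({"screen_lock"}),
                      verified_by=frozenset({"manual"}))
LAPTOP = Device("macOS", posture=frozenset({"screen_lock", "hd_encryption", "firewall"}))
UNENCRYPTED_LAPTOP = Device("macOS", posture=frozenset({"screen_lock"}))

if __name__ == "__main__":
    for label, dev in [("unmanaged Android", UNMANAGED_ANDROID), ("test Android", TEST_ANDROID),
                       ("laptop", LAPTOP), ("unencrypted laptop", UNENCRYPTED_LAPTOP)]:
        print(f"{label:18} sign-in={can_sign_in(dev, TRUSTED, APPROVED)!s:5} "
              f"test-lab={can_access(dev, TEST_LAB, TRUSTED, APPROVED)!s:5} "
              f"wristbands={sorted(wristbands(dev, TRUSTED, APPROVED))}")
```

Running the script shows the two ends of the scenario side by side: the unmanaged Android device has no wristband and is stopped at sign-in, the manually verified one carries only `android-test-devices` and reaches the test-lab Resource, and the macOS laptop is admitted on its `os:macOS` wristband but would be refused by any Resource set to Only Trusted Devices, because an Approved Operating System match is not a Trusted Device Profile match. Dropping HD encryption from the laptop's posture removes its only wristband, which is the effect of a posture check failure on a platform with no trusted profile to fall back on.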
Blocked Devices
If a device does not meet the Device Profile requirements (either for sign-in or for a specific Resource), the user sees a block message in the Twingate Client explaining that the device does not meet the security requirements.
Last updated 25 days ago