Vice Admiral

How to restrict access by Device ID (Fingerprint?)

Hi,

We want to limit access to previously registered devices. It seems that the solution would be to use the risk policies with Fingerprint, but all the information that it seems that we can capture from the device is descriptive (version, language, operating system, CPU, etc.) but not identifying (serial number, Device ID, etc.).

Do you know if it is possible to make a policy of this type? Is it possible to know the DeviceID or serial number in the authentication process?

What we are really looking for is to achieve something similar to Conditional Access in Azure AD, for example, not allowing access if the device is not managed by Intune.
Thanks for your ideas.

Regards

0 Likes
6 Replies
Vice Admiral

The issue you're running into is caused by browser security and the fact that browsers are sandboxed to explicitly block access to such information. From the browser, you can only get allowed data unless you add some executable/extension that bypasses browser security. Without this, your best option is fingerprinting or persistent cookies.

0 Likes
Vice Admiral

Thanks for your answer.
With fingerprint can we unequivocally identify a device? Surely it is that I do not know enough about how fingerprint works, but I cannot see how we can identify it other than by its characteristics.

Micro Focus Expert

You can use only user browser properties to create the device fingerprint.

You can create a Risk DFP rule to explore the various options:

[Image: Device FingerPrint Settings]

Vice Admiral

Would there be a way to leave a fingerprint or token on the device that allows us to identify it? For example, through Intune we distribute a permanent cookie. If the device has this cookie, I recognize it as a trusted device.

0 Likes
Vice Admiral

Yes, a cookie with the IDP domain can be used in this way. The issue is getting it installed in the browser. The persistent authN class can do this but it requires you authenticate some other way before you lay the cookie down.

The issue is that this will need to be done separately for each browser they might use and I'm not even sure it's possible on mobile devices.

0 Likes
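
The persistent-cookie idea from the reply above, as an added example that is not part of the original thread and not Access Manager's own persistent authN class: the identity provider signs a device identifier into the cookie after the user has authenticated some other way, then checks the signature, expiry and a registered-device list on later logins. The cookie name, lifetime, key and claim names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumptions for this example: key, cookie name and lifetime are constructed values.
SECRET = b"constructed-demo-key-keep-on-the-idp-only"
COOKIE_NAME = "trusted_device"
MAX_AGE = 90 * 24 * 3600


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign(payload: str) -> str:
    return _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())


def issue_device_cookie(device_id, user, now=None):
    """Mint the cookie value; call only after the user authenticated another way."""
    now = int(time.time() if now is None else now)
    claims = {"dev": device_id, "sub": user, "exp": now + MAX_AGE}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{payload}.{_sign(payload)}"


def verify_device_cookie(value, user, registered, now=None):
    """True only for an untampered, unexpired cookie naming a registered device."""
    now = int(time.time() if now is None else now)
    try:
        payload, sig = value.split(".")
        # Constant-time comparison; reject before parsing anything unsigned.
        if not hmac.compare_digest(sig, _sign(payload)):
            return False
        padded = payload + "=" * (-len(payload) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except (ValueError, AttributeError, TypeError):
        return False
    return (claims.get("sub") == user
            and claims.get("exp", 0) > now
            and claims.get("dev") in registered)


def set_cookie_header(value):
    # Scoped to the IDP host, never sent over plain HTTP, not readable by scripts.
    return (f"{COOKIE_NAME}={value}; Max-Age={MAX_AGE}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")
```

The signature shows that the identity provider issued the value; it does not stop the cookie from being copied to another browser, so the registered-device list is what makes revocation possible.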
Vice Admiral

The idea is to control access based on whether the device is managed by Intune, so perhaps it is possible to distribute this cookie through Intune itself, which would be proof that it is a device managed by the organization.

0 Likes