Setting Up Extended Device Compliance
This walkthrough will help you get started with Extended Device Compliance, as well as test it within a smaller group before rolling it out to your organization.
Before You Begin
Before you can set up Extended Device Compliance, you’ll need:
- 1Password Business
- 1Password Device Trust Core or 1Password Device Trust Connect. Contact Kolide support to upgrade.
- A Chrome-based web browser (for example Google Chrome, Chromium, Microsoft Edge, Brave, or Arc)
- The Nightly release of the 1Password browser extension
- Extended Device Compliance currently only works with Chrome-based web browsers.
- If you already have the 1Password browser extension installed, turn off the stable version in chrome://extensions/, then pin the Nightly version to Chrome’s toolbar.
- Users can currently bypass Extended Device Compliance if they use a different browser or disable/uninstall the 1Password browser extension.
- You can’t enforce specific Kolide Checks on an app-by-app basis. Any Checks you enable a Blocking strategy for will be applied to all configured apps.
Step 1: Create a Test Group
There are two ways you can test Extended Device Compliance before you roll it out to your entire team. You can create a device group within Kolide and add devices of team members who want to participate in testing to the group. Then, create Checks that target the device group.
Alternatively, ask every team member who will test Extended Device Compliance to install the Nightly release of the 1Password browser extension. During the Early Access period, only team members with the Nightly extension installed in a Chrome-based browser will experience Extended Device Compliance.
Step 2: Turn On Device Trust for a Web App
To add Device Trust to a web app:
- Sign in to Kolide.
- Select the Apps tab. You’ll see a list of web apps Kolide has discovered that members of your team are using.
- Choose an app that you want to protect with Device Trust.
- Toggle on Device Trust.
Step 3: Configure Checks
In Kolide, create a Check or use an existing check that’s straightforward for end users to fix. Some examples include:
- Finder - Require File Extensions to be Visible in Finder (macOS)
- Windows Explorer - Require File Extensions to Be Visible (Windows)
- Terminal - Require Secure Keyboard Entry to be Enabled (macOS)
You’ll test Kolide by failing this check and fixing the issue.
If you’d like to test what it’s like to be blocked from a web app, choose a check that will Block Immediately.
If you want to add a check that blocks you:
- Select the Checks tab.
- Find and select the check, preferably a check that’s easy to fix.
- Make sure the check is turned on, then select the vertical ellipsis and choose Configure.
- If you made a device group for testing, in the “This Check Runs Against” field choose your device group and select Save.
- In the “Remediation Strategy” section, select Configure.
- Choose Block Immediately, then select Save.
After you have the check you want to test, make sure your device is not in compliance with that check. For example, if you have a check that requires content caching to be turned off, you’ll turn content caching on.
When you’ve made sure your device is not in compliance, manually re-check your device:
- Select the Checks tab.
- Find the check you’re using to test Extended Device Compliance and select it.
- Find the device name you’re testing with and select it.
- Select the Check Results tab.
- Find the check and select it again.
- Select Recheck Device Now, and you’ll see that your device is now failing the check.
Step 4: Test Extended Device Compliance
To test Extended Device Compliance, you’ll need your device to fail a check.
Sign out of the web app you’d like to test, then sign in again. You’ll see a 1Password notification in your browser listing any issues you need to fix before you can access the web app. You can select the issue in the notification to see instructions on how to fix the issue yourself.
Fix the issue and select Recheck in the 1Password notification. If you choose a check that allows you to snooze the notification, you’ll be able to select Snooze on this notification.
If you choose a check that blocks your device immediately, you won’t be able to sign in to the app until you fix the issue.