Depends on their infrastructure. HIP checks still let users connect and authenticate. HIP security profile can't be applied until after they've connected and sent the HIP data. If this is an unwanted device, you're better off preventing connections completely. Portal auth configs allow you to specify OS as match criteria. Or you could combine SAML with machine certs so only devices with assigned and installed certs can connect and authenticate.
Yep, agree. We deployed in such a way that it checks OS and patches and certain things that would be deployed while the PC was issued. Even deployed for a coffee shop style of office but very granular. It doesn't necessarily tear the tunnel, but agree with your point.
u/rahomka 14d ago
Look at HIP checks