How do you guys prevent non company computers on company VPN?

Yeah, it’s pretty cool how granular you can get!

I didn’t have to. HR did.

I’m not talking about the technical controls we have because my boss also hangs out in this subreddit (hi, Jim! o/ ) and he’ll have my head on a platter for it. But I know I can talk about the administrative controls because I asked him about it on Slack before replying.

The Macs aren’t managed. At least mine isn’t. It’s my own personal machine. I refuse to use the POS 13.5" laptops they give employees. They’re garbage.

Of course. The question was how we force users to use corporate laptops, not about VPN type and encryption.

And a horrible user experience. But they are terrible at a lot of things.

Girl Scouts of the Appalachian Council

Garden State Arts Center

Global Secure Access Client.

Thought this was a sysadmin sub?

My bad, overlooked the “non”

I don’t think I’d try. We use a full VPN client from a major vendor.

User certs can be exported by users. Machine certs require admin rights to export.

Don’t rely on the Active Directory certificate template setting where you can say “cannot export private key”, as Microsoft will tell you that’s optional and anyone can request a new cert and manually uncheck that box.

“Beware there sometimes are ways to export the keys to those non exportable certificates.”

A truly non-exportable key is not the one marked so by Windows CSP/KSP, but the one generated and stored inside an active crypto token which doesn’t permit exporting the key under any conditions.
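An added example, not from any commenter in this thread: a PowerShell audit of the machine store that reports, for each cert with an RSA private key, which provider holds the key and whether Windows marks it exportable. It assumes an elevated session on a domain-joined Windows machine and the default `Cert:\LocalMachine\My` store; the `HardwareBacked` column is the one that matters for the point above, since a software-provider key that merely reads as non-exportable is only a flag.

```powershell
# Added example (not from the thread): list machine-store certs with private keys and show
# the key provider plus Windows' own exportable flag. Only RSA keys are inspected.
function Get-MachineKeyExportability {
    param([string]$StorePath = 'Cert:\LocalMachine\My')   # assumed default store

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert       = $_
        $provider   = 'unknown'
        $exportable = $null
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                # CNG key (KSP): read the key's export policy and the provider that stores it
                $provider   = $rsa.Key.Provider.Provider
                $exportable = ($rsa.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None)
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CSP key: the container info carries the same two facts
                $provider   = $rsa.CspKeyContainerInfo.ProviderName
                $exportable = $rsa.CspKeyContainerInfo.Exportable
            }
        } catch {
            # Usually "access denied" when not elevated, or a non-RSA key
            $provider = "error: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            Provider       = $provider
            Exportable     = $exportable
            # TPM-resident keys live in the Platform Crypto Provider; software KSP/CSP keys do not
            HardwareBacked = ($provider -eq 'Microsoft Platform Crypto Provider')
        }
    }
}

Get-MachineKeyExportability | Sort-Object HardwareBacked, Exportable | Format-Table -AutoSize
```

Rows where `HardwareBacked` is false are the ones to review, regardless of what `Exportable` says.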

Can you tell me more about how you set this up? Are you saying you exposed an internal SCEP endpoint via app proxy? How do clients authenticate for enrollment?

Wait, what do you mean “it will be the only option”?

This is the way. Works great.

Why are they able to install the company VPN in the first place?

The issue is the shitty Palo VPN is not actually “always on” like it claims to be.

Our certs are valid for one year.