authentik/website/docs/endpoint-devices/device-compliance/device-compliance-policy.md
Teffen Ellis 6ed5cb5249 website/docs: Modal and wizard button labels (#21549)
* website/integrations: rename "Create with Provider" to "New Application"

The application list page now uses a split-button labeled
"New Application" instead of the old "Create with Provider" dropdown.
Update all 113 integration guides to match.

* website/docs: update flow, stage, and policy button labels

- "Create" → "New Flow", "New Stage", "New Policy" for trigger buttons
- "Finish" → "Create Flow", "Create Stage", "Create Policy" for submit
- "Create and bind stage" → "New Stage" / "Bind Existing Stage"
- "Create" (binding submit) → "Create Stage Binding"

* website/docs: update provider button labels

- "Create" → "New Provider" for trigger buttons
- "Create with Provider" → "New Application" in RAC docs
- "Create" → "New Property Mapping", "New RAC Endpoint", "New Prompt"
  for related entity creation

* website/docs: update directory button labels

- "Create" → "New Source" for federation/social login pages
- "Create" → "New Role", submit → "Create Role"
- "Create" → "New Invitation"
- Policy binding submit → "Create Policy Binding"

* website/docs: update endpoint device and system management button labels

- "Create" → "New Endpoint Connector", "New Enrollment Token",
  "New Device Access Group", "New Flow"
- Submit → "Create Device Access Group"
- "Create" → "New Notification Rule", "New Notification Transport"
- Binding submit → "Create Policy Binding"

* Reorganize policy documentation

* website/docs: address policy docs review feedback

* post-rebase

* website/docs: Reorganize policy documentation -- Revisions (#21601)

* apply suggestions

* Fix escaped.

* Fix whitespace.

* Update button label.

* Fix phrasing.

* Fix phrasing.

* Clean up stragglers.

* Format.

---------

Co-authored-by: Dominic R <dominic@sdko.org>
2026-04-16 17:35:38 +00:00

---
title: Device compliance policy
sidebar_label: Device compliance policy
tags: [device compliance, compliance, device access, policy]
toc_max_heading_level: 4
authentik_version: "2025.12.0"
---
Device compliance policies are used to limit access to authentik and applications based on [Device Compliance](./index.mdx) information.
Device compliance policies are currently in development and inaccessible. However, similar functionality can be achieved with existing stages and policies.
## Prerequisites
You must have [configured compliance](./configuration.md) in authentik and on the endpoint device ([Linux](../../authentik-agent/agent-deployment/linux/#enable-device-compliance-ssh-server-authentication-and-local-device-login), [Windows](../../authentik-agent/agent-deployment/windows/#enable-device-compliance-and-local-device-login), [macOS](../../authentik-agent/agent-deployment/macos/#enable-device-compliance)).
## Accessing device facts within a flow
To access device facts within a flow, the flow must include an [Endpoint stage](../../add-secure-apps/flows-stages/stages/endpoint/index.md). The Endpoint stage fetches device facts via a configured [Connector](./connectors/index.mdx) and adds them to the [Flow context](../../add-secure-apps/flows-stages/flow/context/index.mdx).
The following example shows how to use these facts within an expression policy.
```python
flow_plan = request.context.get("flow_plan")  # the active flow plan, stored in the request context
device = flow_plan.context.get("device")  # the device object the Endpoint stage added to the flow context
name = device.name  # the name of the device
facts = device.cached_facts.data  # device facts fetched via the configured connector
ak_logger.debug("device facts", facts=facts)
```
## Examples
The following are examples of how device compliance can currently be implemented:
### Only allow authentication via endpoint devices
If your goal is to only allow authentication via endpoint devices, this is achievable by adding an [Endpoint stage](../../add-secure-apps/flows-stages/stages/endpoint/index.md) to your authentication flow.
#### Create an Endpoint stage
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Flows and Stages > Flows**.
3. Select the authentication flow that you want to modify.
4. Open the **Stage Bindings** tab and click **New Stage**.
5. Select Endpoint stage as the stage type, click **Next**, and configure the following settings:
    - **Name**: provide a name for the stage
    - **Connector**: select a connector for the stage to fetch device facts from (e.g. `authentik agent`)
    - **Mode**: set to `Device required`
6. Click **Next**.
7. Select the order for the stage. Ensure that this places the Endpoint stage in the flow wherever you want device access to be checked.
8. Click **Finish**.
### Only allow authentication via a specific type of endpoint device
If your goal is to only allow authentication via a specific type of endpoint device, this is achievable by adding an [Endpoint stage](../../add-secure-apps/flows-stages/stages/endpoint/index.md) and a [Deny stage](../../add-secure-apps/flows-stages/stages/deny.md) to your authentication flow.
The following example will only allow authentication via Apple devices.
#### Create an Endpoint stage
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Flows and Stages > Flows**.
3. Select the authentication flow that you want to modify.
4. Open the **Stage Bindings** tab and click **New Stage**.
5. Select Endpoint stage as the stage type, click **Next**, and configure the following settings:
    - **Name**: provide a name for the stage
    - **Connector**: select a connector for the stage to fetch device facts from (e.g. `authentik agent`)
    - **Mode**: set to `Device required`
6. Click **Next**.
7. Select the **Order** for the stage. Ensure that this places the Endpoint stage in the flow wherever you want device access to be checked.
8. Click **Finish**.
#### Create a Deny stage
9. On the **Stage Bindings** tab, click **New Stage**.
10. Select **Deny Stage** as the stage type and configure the following settings:
    - **Name**: provide a name for the stage
    - **Deny message**: provide a message explaining why access was denied
11. Click **Next**.
12. Select the **Order** for the stage. Ensure that this number is higher than the Endpoint stage created in the previous section.
13. Click **Finish**.
14. Expand the Deny stage that you just created and click **Create and bind Policy**.
15. Select **Expression policy** as the policy type, click **Next**, and configure the following settings:
    - **Name**: provide a descriptive name for the policy
    - **Expression**:
      ```python
      flow_plan = request.context.get("flow_plan")
      device = flow_plan.context.get("device")
      # Deny (return True) whenever the device is not an Apple device
      if device.manufacturer.lower() != "apple":
          return True
      return False
      ```
:::info Deny stage
Because this is a deny stage, the policy must evaluate to true when a requirement is not met.
:::
16. Click **Next** and then click **Finish**.
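The following is an added example, not code from the authentik docs, covering both the facts lookup from "Accessing device facts within a flow" and the deny-stage expression above. It runs the deny logic against constructed stand-ins for the flow context (`Request`, `FlowPlan`, `Device` and `CachedFacts` are simplified stand-ins, not authentik classes) and, unlike the minimal expression, fails closed when no device is present.

```python
# Added example, not from the authentik docs: the deny-stage expression
# above, made fail-closed, run against constructed stand-ins for the flow
# context. Request, FlowPlan, Device and CachedFacts are simplified
# stand-ins, not authentik's own classes.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class CachedFacts:
    data: dict  # facts the connector fetched (constructed sample data)

@dataclass
class Device:
    name: str
    manufacturer: str
    cached_facts: CachedFacts

@dataclass
class FlowPlan:
    context: dict = field(default_factory=dict)

@dataclass
class Request:
    context: dict = field(default_factory=dict)

def _device(request: Request) -> Optional[Device]:
    """Look the device up the way the docs snippet does, tolerating absence."""
    flow_plan = request.context.get("flow_plan")
    return flow_plan.context.get("device") if flow_plan else None

def device_facts(request: Request) -> Optional[dict]:
    """Mirror of device.cached_facts.data from the facts section; None if unset."""
    device = _device(request)
    return None if device is None else device.cached_facts.data

def should_deny(request: Request, allowed: str = "apple") -> bool:
    """True when the Deny stage should fire, i.e. the requirement is NOT met.

    A missing flow plan or device (Endpoint stage not bound, or ordered after
    this stage) also denies, so the policy fails closed rather than raising.
    """
    device = _device(request)
    if device is None:
        return True
    return (device.manufacturer or "").strip().lower() != allowed
```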