Feature Request - ZeroTrust Device Posture - Check OS Update Level

Alongside disk encryption and firewall checks, a basic check to ensure that Windows / macOS is not missing any critical / security patches.

Provide a warning for X days (CF Teams admin configurable), then fail / block access after admin-defined threshold is passed.

I believe that this is something any EDR handles out of the box; it feels redundant having it added to CF.

It has minimum version already. https://developers.cloudflare.com/cloudflare-one/identity/devices/os-version/

I agree with @jnperamo; other products designed to manage and patch already do this kind of advanced behavior. Or you can roll your own script to check your machines and use a file check to check your script output to allow/deny in device posture if the OS is insufficient.
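As an added example (not code from any poster here or from Cloudflare), this is one way the "roll your own script plus file check" approach above could look on Windows: the script asks the Windows Update Agent which security updates are still missing and keeps or removes a marker file, and the admin points a WARP File posture check at that path. The marker path, the two day thresholds and the scheduled-task wording are assumptions.

```powershell
# Added example, not from this thread or Cloudflare. Intended to run as SYSTEM on a
# schedule (e.g. a daily scheduled task). It queries the Windows Update Agent COM API
# for applicable-but-uninstalled updates and maintains a marker file that a WARP
# "File" posture rule (configured by the admin to require this path) tests for existence.
# Assumed: the marker path and the two thresholds below.
param(
    [int]$WarnDays   = 14,   # assumed admin-chosen grace period (warning only)
    [int]$BlockDays  = 30,   # assumed hard threshold (marker removed -> posture fails)
    [string]$MarkerPath = 'C:\ProgramData\PostureCheck\patch-ok.txt'   # assumed path
)
$ErrorActionPreference = 'Stop'

# Search for software updates that apply to this machine but are not installed.
# Note: the search contacts Windows Update or WSUS and can take a few minutes.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

# Keep only updates Microsoft rates Critical or Important; MsrcSeverity is empty
# for non-security items such as drivers, and record the oldest publish date so
# "how long has this been missing" drives the warn/fail decision.
$missing = 0
$oldest  = $null
foreach ($update in $result.Updates) {
    if ($update.MsrcSeverity -in 'Critical', 'Important') {
        $missing++
        $published = [datetime]$update.LastDeploymentChangeTime
        if (-not $oldest -or $published -lt $oldest) { $oldest = $published }
    }
}
$daysOverdue = if ($oldest) { (New-TimeSpan -Start $oldest -End (Get-Date)).Days } else { 0 }

$state = if ($missing -eq 0)                { 'ok' }
         elseif ($daysOverdue -lt $WarnDays) { 'ok' }     # still inside the grace period
         elseif ($daysOverdue -lt $BlockDays) { 'warn' }
         else                                 { 'fail' }

# The posture check only tests that the file exists: 'ok' and 'warn' keep it,
# 'fail' removes it. The file body is informational for the admin, WARP does not read it.
New-Item -ItemType Directory -Path (Split-Path $MarkerPath) -Force | Out-Null
if ($state -eq 'fail') {
    Remove-Item -Path $MarkerPath -Force -ErrorAction SilentlyContinue
} else {
    "$state;missing=$missing;daysOverdue=$daysOverdue;checked=$(Get-Date -Format o)" |
        Set-Content -Path $MarkerPath -Encoding ASCII
}
Write-Output "Patch posture: $state (missing=$missing, daysOverdue=$daysOverdue)"
```

Because the WARP file check is existence-only, the warning state is visible to the admin via the file body or the script's log output, not to the posture rule itself.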

OK, but by that logic, then why does Cloudflare ZTNA assess OS firewall and full disk encryption status? Other tools can handle that as well, no?

I take your points, but in the context of ZTNA replacing legacy VPNs, it would be a lot easier if Warp could assess the client patch status to integrate into the policy rules, for example, as a condition to allow them remote access into sensitive internal servers / networks.

Also, a minimum OS version check is an OK baseline to rule out outright outdated systems, but not good enough to assess security posture, because if the endpoint has Windows 10 21H2 (build 10.0.19044), for example, right now it could potentially be missing 5-6 months of patches but would still pass the build number posture check.

I’ve been a sysadmin for 23+ years, and I’m fully aware that there are third-party tools, scripts, etc. that can handle this, but the idea is to make it a more seamless experience for Cloudflare ZTNA admins; it would be very helpful to have this kind of assessment native to Warp ZTNA when building application/network access policies for sensitive internal servers/networks.

Probably because it was ~= 3 lines of code. :smiley:

I don’t disagree, but it’s a pretty robust feature in terms of scope… I get this is a feature request so Cloudflare itself would have the final say regardless.

Fully agree that it is more complex to assess OS patch level than firewall and encryption, as those are binary, and patch level is more dynamic/nuanced.