
F5 APM check if client azure ad joined

denristo
Nimbostratus

Hi,

For our non-company devices we would like to check if they're Azure AD joined before they're allowed to set up an SSL VPN connection.

As far as I know there is a registry key, inside a key with a random number, under HKLM:/SYSTEM/CurrentControlSet/Control/CloudDomainJoin/JoinInfo, so it's not easy to check unless I'm missing something.

Anyone have any ideas how to verify if a device is Azure AD joined?


Yes, this can be done using a registry key.

Kin
F5 Employee

Alternatively, you can use domain group policy to assign each company device a machine cert and use machine cert auth for authentication.

https://support.f5.com/csp/article/K13614

denristo
Nimbostratus

Hi Kin,

Yes, but can't they just copy the machine cert to another device?

Hi Mayur,

But how can we do the registry key check if we don't know the subfolder? For example, in my case:

HKLM:/SYSTEM/CurrentControlSet/Control/CloudDomainJoin/JoinInfo/5952C00980E77529710149770533FF14BD2A6824/UserEmail

As far as I know, folder 5952C00980E77529710149770533FF14BD2A6824 is variable and changes for each user.
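The variable subkey name does not have to be hard-coded: on the endpoint, the JoinInfo key can be enumerated and its values read, and the result cross-checked against `dsregcmd /status`. This is an added PowerShell example written for this thread, not code from the original posts or from F5; the assumption that the subkey name is the device certificate thumbprint and the exact `AzureAdJoined : YES` line format of `dsregcmd` are stated as assumptions in the comments.

```powershell
# Added example (not from the original thread). Enumerates every subkey under JoinInfo
# instead of hard-coding the variable 40-hex-character name, then reports what it found.
function Test-AzureAdJoinInfo {
    [CmdletBinding()]
    param(
        [string]$JoinInfoPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo'
    )

    # No JoinInfo key at all: the device has no Azure AD join record.
    if (-not (Test-Path -Path $JoinInfoPath)) {
        return [pscustomobject]@{ Joined = $false; Subkey = $null; UserEmail = $null }
    }

    # Assumption: the subkey name is the thumbprint of the device certificate, so it differs
    # per device/user. Enumerating handles that without knowing the name in advance.
    $records = foreach ($key in Get-ChildItem -Path $JoinInfoPath -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath
        [pscustomobject]@{
            Joined    = $true
            Subkey    = $key.PSChildName
            UserEmail = $props.UserEmail   # value name taken from the path quoted in the thread
        }
    }

    if (-not $records) {
        return [pscustomobject]@{ Joined = $false; Subkey = $null; UserEmail = $null }
    }
    return $records
}

# Cross-check: dsregcmd is the supported tool for join state. Assumption: its output
# contains a line of the form "AzureAdJoined : YES" / "AzureAdJoined : NO".
function Get-DsregAzureAdJoined {
    $match = dsregcmd /status | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*(\w+)'
    if ($match) { return ($match.Matches[0].Groups[1].Value -eq 'YES') }
    return $null   # dsregcmd missing or output format differs
}

Test-AzureAdJoinInfo | Format-Table -AutoSize
"dsregcmd AzureAdJoined: $(Get-DsregAzureAdJoined)"
```

Both checks only prove that join information is present on the machine; as the next reply notes for certificates, a posture check like this is only as trustworthy as the Windows security protecting the client.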

Kin
F5 Employee

The APM machine cert auth can check for the presence of a valid cert and also the private key.

https://support.f5.com/csp/article/K12354

You can probably use a combination of restricting users (domain policy again) from opening certmgr.msc to export the cert and using a non-exportable private key to address this. For exporting, the solution would rely mostly on Windows security.