Restricting Allowed Endpoints for TrustNest Platform Access
Overview
Entities or projects using the TrustNest platform can strengthen their security posture by enforcing endpoint restrictions. This feature lets an entity limit access to the platform to TrustNest access points (TNAP) and to endpoints connected to the corporate network (Réseau Interne de l'Entreprise, RIE) only.
Prerequisites
- Access rights: access to the Azure portal in the TrustNest Azure tenant, with permission to list users (enabled by default; otherwise request it through the myaccess portal).
How does it work?
By default, in the never-trust zone, Bring Your Own Device (BYOD) is allowed: you can access TDP services with a nominative account from a tablet, a mobile phone or a laptop that is not a TNAP. (Note: admin accounts cannot be used from BYOD.)
Restricting the allowed endpoints lets an entity or a project require a subset of its users to sign in only from a TNAP or from a device connected to the RIE.
Technically, Entra ID applies a conditional access policy to that subset of users: during the authentication phase it checks whether the device is a compliant TNAP or whether the source IP address belongs to the RIE, and grants access only if one of the two conditions holds.
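To make the rule concrete, the following Python snippet is an added example (not TrustNest or TDP code) that models the conditional access decision offline. It builds the Microsoft Graph conditionalAccessPolicy body that expresses "compliant device, unless the sign-in comes from the RIE named location", then replays a few constructed sign-ins through the same logic. The group/location object ids, the placeholder RIE IP ranges and the sample sign-ins are assumptions for illustration only.

```python
"""Offline model of the 'allowed endpoints' conditional access rule.

Added example, not TrustNest/TDP code.  The RIE IP ranges, the object ids
and the sample sign-ins are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass

# Assumed RIE address space: placeholder RFC 1918 ranges, not the real RIE.
RIE_NAMED_LOCATION = {
    "displayName": "RIE",
    "ipRanges": ["10.0.0.0/8", "172.16.0.0/12"],
}


def enforcement_group(project_name: str) -> str:
    """Entra ID group name following the page's convention."""
    return f"tdp-iam-enforced-{project_name}"


def ca_policy_body(project_name: str, group_id: str, rie_location_id: str) -> dict:
    """Graph API conditionalAccessPolicy body for the rule.

    Scoped to the project's enforcement group, applied from every location
    except the RIE named location, granting access only from a compliant
    (TNAP) device.  Because RIE is an excluded location the policy does not
    apply to sign-ins coming from it, so those pass regardless of device
    state.  group_id / rie_location_id are placeholders for the object ids
    an administrator would look up in the tenant.
    """
    return {
        "displayName": f"TDP - enforce TNAP or RIE - {project_name}",
        "state": "enabled",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeGroups": [group_id]},
            "locations": {
                "includeLocations": ["All"],
                "excludeLocations": [rie_location_id],
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: frozenset          # Entra ID group names the user belongs to
    source_ip: str
    device_compliant: bool     # True for a compliant TNAP, False for BYOD


def from_rie(ip: str) -> bool:
    """True if the source address falls inside the RIE named location."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in RIE_NAMED_LOCATION["ipRanges"])


def evaluate(signin: SignIn, project_name: str) -> str:
    """Decision of this single policy: 'allow' means it does not block
    (other tenant policies may still apply)."""
    if enforcement_group(project_name) not in signin.groups:
        return "allow"          # out of scope: BYOD still permitted by default
    if from_rie(signin.source_ip):
        return "allow"          # excluded location: the policy is not applied
    return "allow" if signin.device_compliant else "block"


# Constructed sample sign-ins for project "proj1".
SAMPLE_SIGNINS = [
    SignIn("alice", frozenset({"tdp-iam-enforced-proj1"}), "203.0.113.7", False),  # BYOD, off-site
    SignIn("alice", frozenset({"tdp-iam-enforced-proj1"}), "10.20.30.40", False),  # BYOD, on RIE
    SignIn("alice", frozenset({"tdp-iam-enforced-proj1"}), "203.0.113.7", True),   # TNAP, off-site
    SignIn("bob", frozenset(), "203.0.113.7", False),                               # not enforced
]


def decisions(project_name: str = "proj1") -> list:
    """Replay the sample sign-ins and return (user, ip, compliant, decision)."""
    return [(s.user, s.source_ip, s.device_compliant, evaluate(s, project_name))
            for s in SAMPLE_SIGNINS]


if __name__ == "__main__":
    for row in decisions():
        print(row)
```

The model shows the two ways a sign-in passes (compliant TNAP, or RIE source address) and the one way it is blocked (BYOD from outside the RIE); a user outside the enforcement group keeps the default BYOD behaviour.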
How to enable it?
Go to postIT; a dedicated request item will be available soon.
Fill in the request with:
- your TDPaccountID
- the project or entity name (used to identify the Entra ID group)
- the list of users who will operate the group
Once the conditional access policy is in place, the owners of the group can add or remove users in self-service. The group follows the naming convention:
- tdp-iam-enforced-<project_name>
Important Notes
- Impact on users: once enabled, any attempt to access the TrustNest platform from a non-approved endpoint is blocked. Users must be connected to the RIE or use a designated TrustNest access point.
- Disabling the restriction: to revert the enforcement for a user, contact one of the owners of the Entra ID group mentioned above and ask for the user to be removed from the group.
Contact Support
- In case of an issue, first check with your project or entity whether this enforcement has been put in place; then raise an incident via postIT.