Good day all. I am not sure if what I am trying to do can be done directly, but perhaps someone can chime in with how to do this directly, or some form of work around or variable process to accomplish this.
We use Duo Essentials and run our VPN service through Cisco Meraki firewalls. We are utilizing trusted endpoints for VPN access. Our settings cover computers verified to be attached to our domain running the Duo Desktop app, or mobile devices that are used for users' push notifications. We also use an AD group-based policy that allows members access to the VPN. We are noticing a trend of users starting to access the VPN via their mobile devices, and it is working due to them being trusted endpoints and them currently being granted access through the AD group policy. Is there a way for us to essentially filter that down and apply a policy that would allow only permitted users' mobile devices to access the VPN and restrict anyone not covered by that policy, while still allowing those restricted phone users to access the VPN via their company-provided equipment?
So are you using the "Duo Mobile" trusted endpoints management integration (https://duo.com/docs/trusted-endpoints-duo-mobile)? That doesn't require the Duo Mobile app to be managed by an organizational MDM. I think in your scenario we would suggest switching to a different Duo Mobile management integration that requires Duo Mobile to be managed by your organization's MDM (like Meraki Systems Manager), and you would require the users you want to access the VPN from mobile devices to enroll in the MDM and receive the managed app.