HomeGlossary › Conditional Access for Devices
Glossary

What is Conditional Access for devices?

A security pattern where access to a resource is granted only if the requesting device's posture signal meets a threshold. The signal — typically a Security Score from a Device Trust Platform — represents how well the device matches a security baseline.

The two halves: identity + device

Conditional Access started as identity-only: "this user signed in from this IP at this time with this MFA factor — can they access this resource?". That works until the right user is on a wrong device — disk unencrypted, firewall off, OS three versions behind. The right answer is "no" and the identity-only system cannot say no, because the signal it needs is not in its data model. Device posture is the missing half. A Device Trust Platform supplies it.

How the access flow works

1️⃣

User requests access

User opens a resource (SaaS app, internal service, tailnet host). The identity provider intercepts and applies a Conditional Access policy.

2️⃣

Policy evaluates posture

The policy checks identity, MFA, then queries the Device Trust Platform for the device's current Security Score. The score must clear the resource's threshold.

3️⃣

Grant, deny, or remediate

If score clears, grant. If not, deny with a remediation message ("update macOS, re-scan, try again"). The user fixes the issue, score recovers, access works.

Recommended threshold pattern

Start permissive. Monitor the distribution of fleet scores for two weeks. Set thresholds where the distribution suggests a natural baseline. Communicate before enforcing.

Related terms

Add device posture to your Conditional Access

Free for up to 10 devices. Security Score API for integration with Okta / Azure AD / Tailscale / JumpCloud.

Get started free →