Implementing Device Posture Assessment in Zero Trust

When to Use

  • When enforcing device health as a prerequisite for accessing corporate applications
  • When integrating CrowdStrike ZTA scores, Intune compliance, or Jamf device status into access decisions
  • When implementing CISA Zero Trust Maturity Model device pillar requirements
  • When building conditional access policies that adapt based on real-time endpoint security posture
  • When detecting and blocking access from compromised, unmanaged, or non-compliant devices

Do not use for IoT or headless devices that cannot run posture agents, as a standalone security control without identity verification, or when real-time posture data is unavailable and stale compliance data would create false trust.

Prerequisites

  • Endpoint Detection and Response (EDR): CrowdStrike Falcon with ZTA module, or Microsoft Defender for Endpoint
  • Mobile Device Management (MDM): Microsoft Intune, Jamf Pro, or VMware Workspace ONE
  • Identity Provider: Microsoft Entra ID, Okta, or Ping Identity with conditional access capability
  • ZTNA Platform: Zscaler ZPA, Cloudflare Access, Palo Alto Prisma Access, or cloud-native IAP
  • API access to EDR/MDM platforms for posture signal ingestion

First Seen: Mar 18, 2026