In modern attacks, taking over an account does not always mean cracking a password. The user may be the right person and may pass MFA successfully — but the device they are using may be running an outdated OS, have its security agent disabled, lack disk encryption, be infected with malware or be rooted. In that case, even a successful authentication leaves the access risk intact.
Remote work and bring-your-own-device (BYOD) models amplify this problem. A corporate device, a personal device, a managed mobile device, a temporary browser session and an unknown endpoint may all be trying to reach the same applications. Granting the same level of access trust to all of these devices contradicts a zero-trust approach.
Traditional load balancer or WAAP layers typically cannot see device posture. When user traffic arrives, they can interpret IP, header, TLS or session information — but they cannot naturally bind the access decision to whether the device is managed, its disk encryption state, security agent activity or OS compliance.
The right approach is to make device trust a first-class signal in access policy. User identity, device posture, location, risk level, session behaviour and MFA state should all be evaluated in the same conditional-access chain.
TR7 Endpoint Trust Manager delivers this model: it binds the trust signals from device posture to AAM access policies and makes the access decision on the user + device + context triad.
TR7 ETM operates through device posture collection, agentless signals, continuous evaluation and access policy integration.
On managed devices, operating system version, disk encryption, security agent state, firewall status, device management enrolment and compliance information can be collected. These rich signals provide a high-confidence context for the access decision.
On devices without an installed agent, browser information, TLS fingerprint, OS hints and client context can be evaluated. This model is not as rich as full posture, but it does not leave unknown devices completely blind.
The device is evaluated not only at login but continuously throughout the session. If posture degrades, the access level can be reduced, additional MFA can be requested or the session can be terminated.
Devices can be classified as compliant, non-compliant or at-risk. These classes are bound directly to AAM policies such as allow, MFA, block or restricted access.
Endpoint Trust Manager converts device trust signals into actionable decision inputs for AAM access policies.
TR7 ETM is positioned to include posture signals from desktops, laptops and mobile devices in the access decision. Corporate devices, personal devices and managed mobile devices can all be evaluated in the same policy chain. This approach reduces the need to build separate security silos for different endpoint types. The access decision is shaped by device type and trust level.
Outdated operating system versions, unpatched endpoints and end-of-life platforms increase access risk. TR7 ETM can use OS version and patch status as a trust signal. Outdated devices can receive a direct block, additional MFA or a low-privilege access policy. Application access is thus tied to a safe platform requirement.
Devices without disk encryption carry high risk in lost or stolen endpoint scenarios. TR7 ETM can evaluate disk encryption status as one of the core signals of device trust. Access to critical applications can be granted only from devices with encrypted disks. This model is particularly important in environments handling financial, healthcare and government data.
Whether a security agent is active on the endpoint is an important posture indicator. If the security agent is off, disabled or out of date, the device can be placed in the at-risk class. In that case AAM policy can request additional MFA, restrict access or block it entirely. The access decision becomes aligned with the endpoint's defensive posture.
Management state sourced from modern MDM/EMM integrations can indicate whether a device is under corporate control. Managed devices can be granted a higher trust level while unmanaged personal devices receive more restricted access. This approach makes it possible to manage BYOD use on a risk basis rather than banning it outright. A more practical balance is achieved between user experience and security policy.
Rooted or jailbroken devices carry high risk from the perspective of application isolation, certificate security and data protection. TR7 ETM can place these devices in the non-compliant or at-risk class. For mobile banking, healthcare portals or enterprise management access, this signal can be a direct reason for blocking. Mobile endpoint trust becomes part of the access policy.
Not every device will have an agent installed. In those cases, agentless signals such as browser version, TLS fingerprint, OS hints and header context can be used. These signals do not provide full device posture, but they help distinguish between unknown and trusted devices. AAM can apply additional MFA or a lower trust level in these situations.
Device posture alone is not sufficient — location and network context also matter. Access from a high-risk country, an unusual location or an unexpected network can be evaluated together with the device trust signal. When an outdated OS is combined with a high-risk location, a stronger action can be taken. This model makes the access decision multi-dimensional.
Many posture signals can be complex for operations teams to manage. TR7 ETM can convert these signals into a trust score from 0 to 100 or a comparable classification. Teams writing policy can make decisions using low, medium and high trust levels rather than interpreting every individual signal. This turns trust signals into actionable access policy.
Device trust level can be used directly inside AAM conditional-access policy. Compliant devices receive allow, at-risk devices receive MFA and non-compliant devices receive block policy. As a result, device posture is not merely reported information — it becomes an input to the live access decision. Application access operates closer to zero-trust principles.
A device may be safe at login but have its security agent shut down or its posture state change during the session. TR7 ETM can detect this change through periodic re-evaluation. If posture degrades, the session can be suspended, MFA can be re-requested or access can be terminated. This approach eliminates the assumption that a successfully logged-in session remains trustworthy.
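As an added illustration (not TR7's own code or scoring), the following models the policy chain the preceding paragraphs describe: posture signals collapsed into a 0-100 trust score, classified as compliant, at-risk or non-compliant, combined with location context, and re-evaluated mid-session so that a degraded posture triggers step-up MFA or termination. Weights, thresholds and the escalation rule are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed weights and thresholds for illustration only; the page describes a
# 0-100 score and three classes but not the scoring TR7 ETM actually uses.
WEIGHTS = {"os_current": 25, "disk_encrypted": 25, "agent_active": 25, "managed": 25}
ACTION_FOR_CLASS = {"compliant": "allow", "at-risk": "mfa", "non-compliant": "block"}
SEVERITY = {"allow": 0, "mfa": 1, "block": 2}

@dataclass
class Posture:
    os_current: bool = False      # OS version / patch status acceptable
    disk_encrypted: bool = False  # full-disk encryption enabled
    agent_active: bool = False    # security agent running and up to date
    managed: bool = False         # enrolled in MDM/EMM
    rooted: bool = False          # rooted or jailbroken
    agent_based: bool = True      # False: only agentless browser/TLS/OS hints

def trust_score(p: Posture) -> int:
    """Collapse posture signals into a 0-100 trust score."""
    if p.rooted:
        return 0  # rooted/jailbroken devices are untrusted outright
    if not p.agent_based:
        # Agentless signals cannot establish compliance: the best outcome is
        # the at-risk class, the worst is non-compliant.
        return 50 if p.os_current else 25
    return sum(w for k, w in WEIGHTS.items() if getattr(p, k))

def classify(score: int) -> str:
    """Any single missing signal already drops the device out of 'compliant'."""
    if score >= 80:
        return "compliant"
    return "at-risk" if score >= 50 else "non-compliant"

def decide(p: Posture, high_risk_location: bool = False) -> str:
    """Policy chain: device class -> base action, then location context."""
    action = ACTION_FOR_CLASS[classify(trust_score(p))]
    if high_risk_location and action != "block":
        # Risky location combined with the device verdict escalates one step.
        action = "mfa" if action == "allow" else "block"
    return action

def reevaluate(granted: str, p: Posture, high_risk_location: bool = False) -> str:
    """Continuous evaluation: act only if policy became stricter than at login."""
    current = decide(p, high_risk_location)
    if SEVERITY[current] <= SEVERITY[granted]:
        return "continue"
    return "step-up-mfa" if current == "mfa" else "terminate"
```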
Device posture changes, trust score updates, non-compliance detections, MFA triggers and block events can be sent to the SIEM. SOC teams can correlate endpoint risk with application access events. This visibility strengthens analysis of account takeover, device non-compliance and abnormal access patterns. Endpoint trust signals become part of security operations.
Endpoint Trust Manager operates with posture data storage, trust signal protocol, policy integration, continuous evaluation, audit trails and SIEM streaming.
Device posture can be associated with the AAM session context. This means the access decision is made not only on the login result but also on the device trust state of the session. Carrying posture data with the session makes policy decisions more consistent.
In agent-based scenarios, posture signals from the device can be forwarded to the TR7 ETM layer over a secure channel. In agentless mode, signals derived from browser and TLS context are used. Both models feed into policy with different trust levels.
ETM signals work together with the conditional-access policy, MFA methods and the continuous-trust-evaluation engine. This integration makes allow, challenge, block or session-suspend decisions possible. Device trust is not a standalone report — it is an access action.
Device posture can be re-evaluated at defined intervals. The default cycle can be tuned to organisational policy. More frequent evaluation can be preferred for critical applications and less frequent evaluation for lower-risk applications.
Every posture event, trust score change and access decision can be written to the audit log. The question of who accessed which application from which device with which posture becomes answerable. These records support compliance and incident review processes.
ETM events can be forwarded to the SIEM log streaming pipeline. Events such as endpoint non-compliance, MFA triggering, access denial or session suspension can be correlated in the central security monitoring system. Endpoint trust is thus connected to application security visibility.
Banking teams can classify rooted or jailbroken mobile devices as non-compliant. Access from these devices is blocked or subjected to additional verification.
Government agencies can grant access to classified applications only from managed devices with disk encryption enabled and a security agent active. Non-compliant devices are rejected at the policy level.
When healthcare workers access from personal devices, additional MFA or restricted access can be applied if the device trust score is low. If the security agent shuts down, the session can be suspended.
Rather than granting direct access to a user on an outdated OS coming from a high-risk location, step-up MFA can be applied. If the risk level rises further, access can be blocked entirely.
Evaluate user identity, device posture and context together. Let's walk through a live setup in your own environment.