Implements device posture assessment in zero-trust access control by integrating CrowdStrike ZTA, Microsoft Intune, and Jamf endpoint health signals into conditional access policies to enforce compliance before granting resource access.
- When device health is a prerequisite for access to enterprise applications
Not suitable for IoT or headless devices that cannot run a posture agent, for standalone security controls with no identity verification, or for scenarios where real-time posture data is unavailable and stale compliance data would create false trust.

Establish minimum security requirements for each device category.
```powershell
# Microsoft Intune: create a device compliance policy through the Graph API
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

# Windows 10/11 compliance policy
$compliancePolicy = @{
    "@odata.type"            = "#microsoft.graph.windows10CompliancePolicy"
    displayName              = "Zero Trust - Windows Compliance"
    description              = "Minimum device requirements for zero trust access"
    osMinimumVersion         = "10.0.19045"
    bitLockerEnabled         = $true
    secureBootEnabled        = $true
    codeIntegrityEnabled     = $true
    tpmRequired              = $true
    antivirusRequired        = $true
    antiSpywareRequired      = $true
    defenderEnabled          = $true
    firewallEnabled          = $true
    passwordRequired         = $true
    passwordMinimumLength    = 12
    passwordRequiredType     = "alphanumeric"
    storageRequireEncryption = $true
    # Non-compliance action: block after a 24-hour grace period
    scheduledActionsForRule  = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{
                    actionType                = "block"
                    gracePeriodHours          = 24
                    notificationTemplateId    = ""
                    notificationMessageCCList = @()
                }
            )
        }
    )
}
New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $compliancePolicy
```

```bash
# Configure a macOS compliance policy through the Jamf Pro API
curl -X POST "https://jamf.company.com/api/v1/compliance-policies" \
  -H "Authorization: Bearer ${JAMF_TOKEN}" \
  -H "Content-Type: application/json" \
  --data '{
    "name": "Zero Trust - macOS Compliance",
    "rules": [
      {"type": "os_version", "operator": ">=", "value": "14.0"},
      {"type": "filevault_enabled", "value": true},
      {"type": "firewall_enabled", "value": true},
      {"type": "gatekeeper_enabled", "value": true},
      {"type": "sip_enabled", "value": true},
      {"type": "auto_update_enabled", "value": true},
      {"type": "screen_lock_timeout", "operator": "<=", "value": 300},
      {"type": "falcon_sensor_running", "value": true}
    ]
  }'
```
Enable ZTA scoring and configure score thresholds for each access tier.

```bash
# CrowdStrike Falcon API: query the ZTA assessment for an endpoint
curl -X GET "https://api.crowdstrike.com/zero-trust-assessment/entities/assessments/v1?ids=${DEVICE_AID}" \
  -H "Authorization: Bearer ${CS_TOKEN}" \
  -H "Content-Type: application/json"

# The response contains:
# {
#   "aid": "device-agent-id",
#   "assessment": {
#     "overall": 82,
#     "os": 90,
#     "sensor_config": 85,
#     "version": "7.14.16703"
#   },
#   "assessment_items": {
#     "os_signals": [
#       {"signal_id": "firmware_protection", "meets_criteria": "yes"},
#       {"signal_id": "disk_encryption", "meets_criteria": "yes"},
#       {"signal_id": "kernel_protection", "meets_criteria": "yes"}
#     ],
#     "sensor_signals": [
#       {"signal_id": "sensor_version", "meets_criteria": "yes"},
#       {"signal_id": "prevention_policies", "meets_criteria": "yes"}
#     ]
#   }
# }

# ZTA score thresholds per access tier
# Tier 1 (basic access):     ZTA >= 50
# Tier 2 (standard access):  ZTA >= 65
# Tier 3 (sensitive access): ZTA >= 80
# Tier 4 (critical access):  ZTA >= 90

# Query devices below the minimum threshold
curl -X GET "https://api.crowdstrike.com/zero-trust-assessment/queries/assessments/v1?filter=assessment.overall:<50" \
  -H "Authorization: Bearer ${CS_TOKEN}"

# Signals evaluated by CrowdStrike ZTA:
# - OS patch level and version
# - Disk encryption (BitLocker/FileVault)
# - Sensor version and configuration
# - Prevention policy enforcement
# - Firmware protection (Secure Boot)
# - Kernel protection (SIP, Code Integrity)
# - Firewall state
```
Create a conditional access policy that requires a compliant device.

```powershell
# Create a conditional access policy that requires a compliant device
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$caPolicy = @{
    displayName = "Zero Trust - Require Compliant Device"
    state       = "enabled"
    conditions  = @{
        applications = @{
            includeApplications = @("All")
        }
        users = @{
            includeUsers  = @("All")
            # Always exclude the break-glass accounts so a policy error cannot lock out all admins
            excludeGroups = @("BreakGlass-Admins-Group-ID")
        }
        platforms = @{
            includePlatforms = @("all")
        }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
    sessionControls = @{
        signInFrequency = @{
            value              = 4
            type               = "hours"
            isEnabled          = $true
            authenticationType = "primaryAndSecondaryAuthentication"
            frequencyInterval  = "timeBased"
        }
        persistentBrowser = @{
            mode      = "never"
            isEnabled = $true
        }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy

# Create a risk-based policy combining device compliance and sign-in risk
$riskPolicy = @{
    displayName = "Zero Trust - Block High Risk Sign-Ins on Non-Compliant Devices"
    state       = "enabled"
    conditions  = @{
        applications     = @{ includeApplications = @("All") }
        users            = @{ includeUsers = @("All") }
        signInRiskLevels = @("high", "medium")
        devices          = @{
            deviceFilter = @{
                mode = "include"
                rule = "device.isCompliant -ne True"
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $riskPolicy
```
Configure Okta device trust policies using CrowdStrike posture signals.

```bash
# Okta: configure the CrowdStrike device trust integration
# Admin console > Security > Device Integrations > Add Integration

# Okta API: create a device assurance policy
curl -X POST "https://company.okta.com/api/v1/device-assurances" \
  -H "Authorization: SSWS ${OKTA_API_TOKEN}" \
  -H "Content-Type: application/json" \
  --data '{
    "name": "Corporate Device Assurance",
    "platform": "WINDOWS",
    "osVersion": {
      "minimum": "10.0.19045"
    },
    "diskEncryptionType": {
      "include": ["ALL_INTERNAL_VOLUMES"]
    },
    "screenLockType": {
      "include": ["BIOMETRIC", "PASSCODE"]
    },
    "secureHardwarePresent": true,
    "thirdPartySignalProviders": {
      "dtc": {
        "browserVersion": {
          "minimum": "120.0"
        },
        "builtInDnsClientEnabled": true,
        "chromeRemoteDesktopAppBlocked": true,
        "crowdStrikeCustomerId": "CS_CUSTOMER_ID",
        "crowdStrikeAgentId": "REQUIRED",
        "crowdStrikeVerifiedState": {
          "include": ["RUNNING"]
        }
      }
    }
  }'

# Create an Okta authentication policy that requires device assurance
curl -X POST "https://company.okta.com/api/v1/policies" \
  -H "Authorization: SSWS ${OKTA_API_TOKEN}" \
  -H "Content-Type: application/json" \
  --data '{
    "name": "Zero Trust Application Policy",
    "type": "ACCESS_POLICY",
    "conditions": null,
    "rules": [
      {
        "name": "Managed Device Access",
        "conditions": {
          "device": {
            "assurance": {
              "include": ["DEVICE_ASSURANCE_POLICY_ID"]
            },
            "managed": true,
            "registered": true
          },
          "people": {
            "groups": {"include": ["EMPLOYEES_GROUP_ID"]}
          }
        },
        "actions": {
          "appSignOn": {
            "access": "ALLOW",
            "verificationMethod": {
              "factorMode": "1FA",
              "type": "ASSURANCE"
            }
          }
        }
      },
      {
        "name": "Unmanaged Device - Block",
        "conditions": {
          "device": { "managed": false }
        },
        "actions": {
          "appSignOn": { "access": "DENY" }
        }
      }
    ]
  }'
```
Set up real-time monitoring of device compliance state changes.

```python
#!/usr/bin/env python3
"""Monitor device posture compliance drift in near real time."""
import os
import requests
from datetime import datetime, timezone

CROWDSTRIKE_BASE = "https://api.crowdstrike.com"
INTUNE_BASE = "https://graph.microsoft.com/v1.0"


def get_cs_token(client_id: str, client_secret: str) -> str:
    """Obtain a CrowdStrike Falcon OAuth2 bearer token from API client credentials."""
    resp = requests.post(f"{CROWDSTRIKE_BASE}/oauth2/token", data={
        "client_id": client_id,
        "client_secret": client_secret
    })
    resp.raise_for_status()
    return resp.json()["access_token"]


def get_low_zta_devices(token: str, threshold: int = 50) -> list:
    """Return the agent IDs of devices whose overall ZTA score is below the threshold."""
    resp = requests.get(
        f"{CROWDSTRIKE_BASE}/zero-trust-assessment/queries/assessments/v1",
        headers={"Authorization": f"Bearer {token}"},
        params={"filter": f"assessment.overall:<{threshold}", "limit": 100}
    )
    resp.raise_for_status()
    return resp.json().get("resources", [])


def get_intune_noncompliant(token: str) -> list:
    """Return Intune managed devices currently marked noncompliant."""
    resp = requests.get(
        f"{INTUNE_BASE}/deviceManagement/managedDevices",
        headers={"Authorization": f"Bearer {token}"},
        params={
            "$filter": "complianceState eq 'noncompliant'",
            "$select": "id,deviceName,userPrincipalName,complianceState,lastSyncDateTime,operatingSystem"
        }
    )
    resp.raise_for_status()
    return resp.json().get("value", [])


def check_posture_drift(cs_token: str, intune_token: str) -> dict:
    """Run one posture check across both sources and summarize the findings."""
    print(f"\n[{datetime.now(timezone.utc).isoformat()}] Device posture check")
    print("=" * 60)

    low_zta = get_low_zta_devices(cs_token, threshold=50)
    print(f"CrowdStrike ZTA < 50: {len(low_zta)} devices")

    noncompliant = get_intune_noncompliant(intune_token)
    print(f"Intune noncompliant: {len(noncompliant)} devices")
    for device in noncompliant[:10]:
        print(f"  - {device['deviceName']} ({device['userPrincipalName']}): "
              f"{device['complianceState']} | last sync: {device['lastSyncDateTime']}")

    return {"low_zta_count": len(low_zta), "noncompliant_count": len(noncompliant)}


if __name__ == "__main__":
    # Credentials come from the environment; obtaining the Intune (Graph) token is out of scope here
    cs_token = get_cs_token(os.environ["CS_CLIENT_ID"], os.environ["CS_CLIENT_SECRET"])
    check_posture_drift(cs_token, os.environ["INTUNE_TOKEN"])
```
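The monitoring script above only counts devices; it does not decide what a given device may access or show why it fell out of compliance. The following is an added example (not part of the original skill or any vendor SDK) that evaluates a single device offline against the four ZTA access tiers defined earlier, folds in the Intune compliance state, treats stale MDM data as untrusted (the "false trust" caveat in the scope note), and reports posture drift between two assessments. The two assessment records and the Intune device record are constructed sample data shaped like the API responses shown on this page; the 24-hour staleness limit and the tier names are assumptions.

```python
"""Added example: offline tier evaluation and posture-drift detection (not the skill's own code)."""
from datetime import datetime, timedelta, timezone
from typing import Optional

# Tier thresholds as defined in the CrowdStrike ZTA section above (highest first)
ZTA_TIERS = [(90, "tier4-critical"), (80, "tier3-sensitive"), (65, "tier2-standard"), (50, "tier1-basic")]
# Assumption: MDM compliance data older than this is treated as unknown rather than trusted
MAX_SYNC_AGE = timedelta(hours=24)

# Constructed sample data shaped like the ZTA assessment response and an Intune managedDevice
PREVIOUS_ASSESSMENT = {
    "aid": "device-agent-id",
    "assessment": {"overall": 82, "os": 90, "sensor_config": 85},
    "assessment_items": {
        "os_signals": [
            {"signal_id": "firmware_protection", "meets_criteria": "yes"},
            {"signal_id": "disk_encryption", "meets_criteria": "yes"},
            {"signal_id": "kernel_protection", "meets_criteria": "yes"},
        ],
        "sensor_signals": [
            {"signal_id": "sensor_version", "meets_criteria": "yes"},
            {"signal_id": "prevention_policies", "meets_criteria": "yes"},
        ],
    },
}
CURRENT_ASSESSMENT = {
    "aid": "device-agent-id",
    "assessment": {"overall": 61, "os": 55, "sensor_config": 85},
    "assessment_items": {
        "os_signals": [
            {"signal_id": "firmware_protection", "meets_criteria": "yes"},
            {"signal_id": "disk_encryption", "meets_criteria": "no"},   # encryption was turned off
            {"signal_id": "kernel_protection", "meets_criteria": "yes"},
        ],
        "sensor_signals": [
            {"signal_id": "sensor_version", "meets_criteria": "yes"},
            {"signal_id": "prevention_policies", "meets_criteria": "yes"},
        ],
    },
}
INTUNE_DEVICE = {"id": "intune-device-id", "deviceName": "WIN-1234", "complianceState": "compliant",
                 "lastSyncDateTime": "2026-02-21T09:00:00Z"}   # two days old
NOW = datetime(2026, 2, 23, 12, 0, tzinfo=timezone.utc)


def zta_tier(overall: int) -> Optional[str]:
    """Map an overall ZTA score to the highest access tier it qualifies for (None = below minimum)."""
    for threshold, name in ZTA_TIERS:
        if overall >= threshold:
            return name
    return None


def failed_signals(assessment: dict) -> list:
    """List every signal in the assessment that does not meet criteria."""
    items = assessment.get("assessment_items", {})
    return [s["signal_id"] for group in items.values() for s in group if s.get("meets_criteria") != "yes"]


def is_stale(last_sync_iso: str, now: datetime) -> bool:
    """True when the MDM record is older than MAX_SYNC_AGE and must not be trusted."""
    last_sync = datetime.fromisoformat(last_sync_iso.replace("Z", "+00:00"))
    return now - last_sync > MAX_SYNC_AGE


def evaluate_device(assessment: dict, intune_device: dict, now: datetime) -> dict:
    """Combine EDR score, MDM compliance and data freshness into one access decision."""
    overall = assessment["assessment"]["overall"]
    tier = zta_tier(overall)
    reasons = []
    if tier is None:
        reasons.append(f"zta_below_minimum:{overall}")
    if intune_device.get("complianceState") != "compliant":
        reasons.append(f"mdm_state:{intune_device.get('complianceState')}")
    if is_stale(intune_device["lastSyncDateTime"], now):
        reasons.append("stale_mdm_data")
    reasons.extend(f"signal_failed:{sig}" for sig in failed_signals(assessment))
    return {"aid": assessment["aid"], "tier": tier, "allow": not reasons, "reasons": reasons}


def detect_drift(previous: dict, current: dict) -> dict:
    """Report score change, tier change and signals that regressed between two assessments."""
    before = {s for s in failed_signals(previous)}
    after = {s for s in failed_signals(current)}
    return {
        "score_delta": current["assessment"]["overall"] - previous["assessment"]["overall"],
        "tier_change": (zta_tier(previous["assessment"]["overall"]), zta_tier(current["assessment"]["overall"])),
        "regressed_signals": sorted(after - before),
    }


if __name__ == "__main__":
    print(evaluate_device(CURRENT_ASSESSMENT, INTUNE_DEVICE, NOW))
    print(detect_drift(PREVIOUS_ASSESSMENT, CURRENT_ASSESSMENT))
```

In this sample the device still reads "compliant" in Intune, but the record is two days old and the EDR now reports disk encryption off, so the decision is deny with both reasons listed; the drift report shows the score falling from tier 3 to tier 1 and names the regressed signal, which is the event a revocation workflow should key on.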
| Term | Definition |
|---|---|
| Device posture | The set of endpoint security attributes evaluated before access is granted (OS version, encryption, EDR state, patch level) |
| CrowdStrike ZTA score | A numeric score (1-100) computed by CrowdStrike Falcon from OS signals and sensor configuration that represents the endpoint's security posture |
| Device compliance policy | MDM-defined rules specifying the minimum security requirements a device must meet (encryption, PIN, OS version) |
| Conditional access | A policy engine (Entra ID, Okta) that evaluates user identity, device compliance, location and risk before allowing access |
| Device trust | Verifying that an endpoint is managed, registered and meets the security baseline before treating it as trusted |
| Posture drift | Degradation of a device's security posture over time (patches fall behind, encryption gets disabled) that should trigger access revocation |
Scenario: a healthcare company with 2,000 endpoints (70% Windows, 30% macOS) must enforce HIPAA-compliant device posture before allowing access to patient data systems. Devices are managed by Intune (Windows) and Jamf (macOS), and CrowdStrike Falcon is deployed on every endpoint.

Approach:

Common pitfalls: the grace period must be long enough for IT to remediate, yet short enough to limit exposure. CrowdStrike ZTA scores can fluctuate with sensor updates, so avoid overly aggressive thresholds during the initial rollout. BYOD devices may lack MDM enrollment; provide a separate, reduced-functionality browser access path for unmanaged devices.
```text
DEVICE POSTURE ASSESSMENT REPORT
==================================================
Organization: HealthCorp
Report date: 2026-02-23
Total managed devices: 2,000

PLATFORM COMPLIANCE:
  Windows (1,400 devices):
    Compliant:     1,302 (93.0%)
    Noncompliant:     98 (7.0%)
    Top issues: missing patches (45), BitLocker disabled (23)
  macOS (600 devices):
    Compliant:       567 (94.5%)
    Noncompliant:     33 (5.5%)
    Top issues: outdated OS (18), FileVault disabled (8)

CROWDSTRIKE ZTA SCORES:
  Average score:                78.4
  Devices >= 85 (critical):    1,456 (72.8%)
  Devices >= 70 (standard):    1,812 (90.6%)
  Devices < 50 (blocked):         34 (1.7%)

CONDITIONAL ACCESS IMPACT (last 7 days):
  Total sign-in attempts:     45,678
  Blocked for posture:           312 (0.7%)
  Remediated within 24 hours:    289 (92.6%)
  Still noncompliant:             23

POSTURE DRIFT ALERTS:
  Encryption disabled:   5
  EDR sensor stopped:    3
  OS downgraded:         1
```