Device Fingerprinting for Zero Trust Access
The Versa Networks Secure Access solution provides comprehensive device fingerprinting as part of its zero-trust network access (ZTNA) framework. Every endpoint connecting to the network is uniquely identified using a rich set of hardware, software, and identity attributes. The attributes are collected from the Versa SASE client, mobile device management (MDM) and unified endpoint management (UEM) platforms, and gateway-level telemetry to enable identity-aware, posture-based access decisions.
Device fingerprint data is captured during both user registration and connection events, providing continuous visibility into endpoint identity, ownership, compliance state, and security posture across the entire session lifecycle.
Functionality
- The Versa SASE client collects device-level attributes during registration and tunnel establishment. These attributes include the device hostname, MAC address, operating system, OS version, serial number, hardware manufacturer, client software version, and a globally unique identifier (GUID). The GUID is derived from the system hardware GUID when available, or is auto-generated by the SASE client to ensure each device has a persistent unique identity.
- MDM/UEM integration with Microsoft Intune and Ivanti Neurons enriches the device fingerprint with compliance and management data. When a managed device connects, Versa queries the MDM platform, for example, using the Graph API for Microsoft Intune, to retrieve the full device record. The retrieved data includes compliance state, device ownership (corporate or personal BYOD), encryption status, enrollment type, Azure AD registration, jailbreak detection, international mobile equipment identity (IMEI), and threat posture reported by security partners. This data is cached for performance and passed to the policy engine for real-time enforcement.
- Gateway telemetry adds network-level context, including source IP address, assigned tunnel IP, tunnel protocol type, VPN and authentication profiles, session uptime, matched access policy, and geolocation coordinates. Together, these three data sources form a complete device fingerprint.
- Versa Analytics indexes all fingerprint data to support user-to-device mapping, compliance dashboards, ownership reporting, and forensic audit trails for investigation and auditing.
Device Fingerprint Attributes
The following attributes are collected and reported for each connecting endpoint:
| Attribute | Description | Source |
|---|---|---|
| User ID | Authenticated user identity (username, email address, display name) | SASE client, MDM |
| OS type | Operating system (Windows, macOS, iOS, Android, Linux, ChromeOS) | SASE client, MDM |
| OS version | Full operating system version and patch level | SASE client, MDM |
| Device model | Hardware model and manufacturer (for example, Lenovo ThinkPad, Apple MacBook Pro) | SASE client, MDM |
| Device ID | Unique device identifier used for MDM compliance queries | MDM (Intune) |
| UDID | Unique device identifier for Apple endpoints (macOS, iOS, iPadOS) | MDM (Intune) |
| GUID | Globally unique identifier, derived from the system GUID or auto-generated by the SASE client | SASE client |
| Machine hostname | Endpoint device name or hostname | SASE client |
| MAC address | Network interface MAC address (Wi-Fi and Ethernet) | SASE client, MDM |
| Serial number | Hardware serial number | SASE client, MDM |
| IMEI | International mobile equipment identity for cellular devices | MDM (Intune) |
| Agent version | Versa SASE client software version | SASE client |
| Device owner | Device ownership classification: Corporate or Personal (BYOD) | MDM (Intune) |
| Compliance state | MDM compliance status: Compliant, Noncompliant, or Unknown | MDM (Intune, Ivanti) |
| Device state | Management state: Managed or Unmanaged | MDM (Intune, Ivanti) |
| Encryption status | Disk encryption state of the endpoint | MDM (Intune) |
| Jailbreak or root detection | Indicates whether the device is jailbroken or rooted | MDM (Intune) |
| Threat state | Partner-reported threat posture: Secured, Unknown, or Compromised | MDM (Intune) |
| Secure access profile | Name of the applied secure access policy profile | Gateway |
| Azure AD device ID | Azure Active Directory device registration identifier | MDM (Intune) |
| Geolocation | Latitude and longitude of the connecting endpoint | SASE client |
MDM and UEM Platform Support
Versa integrates with leading MDM and UEM platforms to retrieve comprehensive device information:
- Microsoft Intune—Provides full integration through the Microsoft Graph API. Supports Windows, macOS, iOS, iPadOS, and Android endpoints. Retrieves more than 25 device attributes, including compliance state, device ownership, encryption status, Azure AD device ID, IMEI, serial number, jailbreak detection, and partner-reported threat state.
- Ivanti Neurons—Provides MDM integration to verify device enrollment and compliance state.
For managed devices, the MDM query triggers automatically when the device connects to the Versa SASE gateway. The gateway caches the response locally to optimize performance for subsequent connections within the cache window.
Supported Endpoint Platforms
The Versa SASE client is available for Windows, macOS, Linux, ChromeOS, iOS, and Android. Device fingerprint collection is supported on all platforms.
For devices managed by Microsoft Intune or Ivanti Neurons, Versa Networks retrieves MDM-enriched attributes as part of the device fingerprint. For unmanaged endpoints, the SASE client provides core fingerprint attributes, including device name, MAC address, operating system details, serial number, agent version, and a client-generated GUID. The GUID ensures unique device identification regardless of the MDM enrollment status.
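The following added example (not Versa code) sketches how the three sources could be merged into one fingerprint and evaluated for managed and unmanaged endpoints, including a cross-check of the serial number that both the client and the MDM report. The function names, the allow/restrict/deny policy, and all sample values are assumptions; the Intune keys are Microsoft Graph managedDevice property names.

```python
# Added example with a hypothetical policy; not Versa's implementation.
# Intune keys below are Microsoft Graph managedDevice property names.
def norm(value):
    return (value or "").strip().upper()

def build_fingerprint(client, gateway, mdm=None):
    """Merge SASE client, gateway and optional MDM data into one record."""
    fp = {
        "guid": client["guid"],
        "serial_number": client["serial_number"],
        "source_ip": gateway["source_ip"],
        "device_state": "Managed" if mdm else "Unmanaged",
        "mismatches": [],
    }
    if mdm:
        fp.update(
            compliance_state=mdm.get("complianceState", "unknown"),
            encrypted=bool(mdm.get("isEncrypted", False)),
            jailbroken=str(mdm.get("jailBroken", "Unknown")).lower() == "true",
            threat_state=mdm.get("partnerReportedThreatState", "unknown"),
        )
        # Serial number comes from both client and MDM: flag disagreement.
        if norm(mdm.get("serialNumber")) != norm(client["serial_number"]):
            fp["mismatches"].append("serial_number")
    return fp

def decide(fp):
    """Deny on hard failures; restrict unmanaged or unverified posture."""
    if fp["device_state"] == "Unmanaged":
        return "restrict", "unmanaged endpoint: core attributes only"
    if fp["mismatches"]:
        return "deny", "client/MDM mismatch: " + ",".join(fp["mismatches"])
    if fp["threat_state"] == "compromised" or fp["jailbroken"]:
        return "deny", "device reported compromised or jailbroken"
    if fp["compliance_state"] != "compliant":
        return "restrict", "compliance state is " + fp["compliance_state"]
    if not fp["encrypted"]:
        return "restrict", "disk not encrypted"
    return "allow", "managed, compliant, encrypted"

# Constructed sample inputs (not real devices).
CLIENT = {"guid": "00000000-0000-4000-8000-000000000001", "serial_number": "SN-EXAMPLE-001"}
GATEWAY = {"source_ip": "192.0.2.10"}
INTUNE = {"complianceState": "compliant", "isEncrypted": True,
          "jailBroken": "False", "partnerReportedThreatState": "secured",
          "serialNumber": "sn-example-001"}

if __name__ == "__main__":
    print(decide(build_fingerprint(CLIENT, GATEWAY, INTUNE)))
```

Attributes that only the client reports (hostname, MAC address, client-generated GUID) have no second source to compare against, which is why this sketch never grants an unmanaged endpoint more than restricted access.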
