From e9704248e055f8c4d6dd5a1fbccbd4dfbf1b846e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20W=C3=B3jcik?=
Date: Thu, 7 May 2026 12:16:02 +0200
Subject: [PATCH 1/9] add posture-related client types
---
 common/client_types.proto | 68 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 67 insertions(+), 1 deletion(-)
diff --git a/common/client_types.proto b/common/client_types.proto
index 5cc3b38..c233de4 100644
--- a/common/client_types.proto
+++ b/common/client_types.proto
@@ -120,6 +120,9 @@ message DeviceConfig {
 int32 keepalive_interval = 10;
 optional LocationMfaMode location_mfa_mode = 11;
 optional ServiceLocationMode service_location_mode = 12;
+ // True when the location has at least one posture policy assigned.
+ // Derived at query time; not stored as a column.
+ optional bool posture_check_required = 13;
 }
 enum ClientTrafficPolicy {
@@ -185,6 +188,8 @@ message ClientMfaStartRequest {
 int64 location_id = 1;
 string pubkey = 2;
 MfaMethod method = 3;
+ // Required when the location has posture policies assigned.
+ optional DevicePostureData posture_data = 4;
 }
 message ClientMfaStartResponse {
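Review bot: `posture_data` in the `ClientMfaStartRequest` hunk is filled in by the client itself, and the comment "Required when the location has posture policies assigned" says nothing about how far the receiver may trust it, which is the property a reader of this contract most needs. I would extend the comment to `// Required when the location has posture policies assigned. Self-reported by the client and not attested; the core must not treat these values as proof of device state.` The same gap exists on `posture_check_required` in the `DeviceConfig` hunk, whose comment ("Derived at query time; not stored as a column") describes server-side storage rather than what a client is expected to do with the flag; presumably the client gathers `DevicePostureData` when it is true, and a sentence saying so would replace the storage remark.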
@@ -232,8 +237,69 @@ message CodeMfaSetupFinishResponse {
 repeated string recovery_codes = 1;
 }
-// OIDC authentication flow
+// Device posture types
+enum UnavailableReason {
+ UNAVAILABLE_REASON_UNSPECIFIED = 0;
+ UNAVAILABLE_REASON_INSUFFICIENT_PERMISSIONS = 1;
+ UNAVAILABLE_REASON_NOT_APPLICABLE = 2;
+ UNAVAILABLE_REASON_DETECTION_FAILED = 3;
+}
+
+// Wrapper for a boolean posture signal that may be unavailable.
+message BoolCheck {
+ oneof result {
+ bool value = 1;
+ UnavailableReason unavailable = 2;
+ }
+}
+
+// Wrapper for a string posture signal that may be unavailable.
+message StringCheck {
+ oneof result {
+ string value = 1;
+ UnavailableReason unavailable = 2;
+ }
+}
+
+// Raw posture signals gathered by the client.
+message DevicePostureData {
+ // Full semver string including any pre-release suffix, e.g. "1.6.0-beta1"
+ string defguard_client_version = 1;
+ // Normalized OS family, e.g. "windows", "macos", "linux", "ios", "android"
+ StringCheck os_family = 2;
+ // Detailed OS name, e.g. "Windows", "Mac OS X", "Ubuntu"
+ StringCheck os_type = 3;
+ // OS version string, e.g. "11", "14.5", "22.04"
+ StringCheck os_version = 4;
+ BoolCheck disk_encryption = 5;
+ BoolCheck antivirus_present = 6;
+ // ISO-8601 date; NotApplicable on Linux, iOS, and Android
+ StringCheck os_last_update_date = 7;
+ // NotApplicable on non-Windows platforms
+ BoolCheck ad_domain_joined = 8;
+ // NotApplicable on non-Windows platforms
+ BoolCheck windows_security_update_current = 9;
+ // NotApplicable on non-Linux platforms
+ StringCheck kernel_version = 10;
+ // NotApplicable on non-Android platforms
+ BoolCheck android_device_integrity = 11;
+}
+
+message DevicePostureCheckRequest {
+ int64 location_id = 1;
+ string pubkey = 2;
+ DevicePostureData device_posture_data = 3;
+}
+
+message DevicePostureCheckResponse {
+ string preshared_key = 1;
+}
+
+message DevicePostureRejection {
+ repeated string failed_posture_checks = 1;
+}
+// External OIDC authentication flow
 enum AuthFlowType {
 AUTH_FLOW_TYPE_UNSPECIFIED = 0;
 AUTH_FLOW_TYPE_ENROLLMENT = 1;
From 94795acd8dbf997d402b06444b4d4941beca870a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20W=C3=B3jcik?=
Date: Thu, 7 May 2026 12:16:24 +0200
Subject: [PATCH 2/9] update proxy messages for device posture flows
---
 v2/proxy.proto | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/v2/proxy.proto b/v2/proxy.proto
index ba4bf51..56b389a 100644
--- a/v2/proxy.proto
+++ b/v2/proxy.proto
@@ -109,6 +109,8 @@ message CoreResponse {
 AwaitRemoteMfaFinishResponse await_remote_mfa_finish = 16;
 HttpsCerts https_certs = 17;
 google.protobuf.Empty clear_https_certs = 18;
+ defguard.client_types.DevicePostureCheckResponse device_posture_check = 19;
+ defguard.client_types.DevicePostureRejection device_posture_rejected = 20;
 }
 }
@@ -199,6 +201,7 @@ message CoreRequest {
 defguard.client_types.CodeMfaSetupFinishRequest code_mfa_setup_finish = 19;
 AwaitRemoteMfaFinishRequest await_remote_mfa_finish = 20;
 AcmeCertificate acme_certificate = 21;
+ defguard.client_types.DevicePostureCheckRequest device_posture_check = 22;
 }
 }
From 78bee9f1f9f3ea5b7d37afefb97cff4194c9e46b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20W=C3=B3jcik?=
Date: Thu, 7 May 2026 12:19:59 +0200
Subject: [PATCH 3/9] formatting
---
 common/client_types.proto | 38 ++++++++++++++++++--------------------
 v2/proxy.proto | 4 ++--
 2 files changed, 20 insertions(+), 22 deletions(-)
diff --git a/common/client_types.proto b/common/client_types.proto
index c233de4..273dd68 100644
--- a/common/client_types.proto
+++ b/common/client_types.proto
@@ -120,8 +120,6 @@ message DeviceConfig {
 int32 keepalive_interval = 10;
 optional LocationMfaMode location_mfa_mode = 11;
 optional ServiceLocationMode service_location_mode = 12;
- // True when the location has at least one posture policy assigned.
- // Derived at query time; not stored as a column.
 optional bool posture_check_required = 13;
 }
@@ -239,16 +237,16 @@ message CodeMfaSetupFinishResponse {
 // Device posture types
 enum UnavailableReason {
- UNAVAILABLE_REASON_UNSPECIFIED = 0;
+ UNAVAILABLE_REASON_UNSPECIFIED = 0;
 UNAVAILABLE_REASON_INSUFFICIENT_PERMISSIONS = 1;
- UNAVAILABLE_REASON_NOT_APPLICABLE = 2;
- UNAVAILABLE_REASON_DETECTION_FAILED = 3;
+ UNAVAILABLE_REASON_NOT_APPLICABLE = 2;
+ UNAVAILABLE_REASON_DETECTION_FAILED = 3;
 }
 // Wrapper for a boolean posture signal that may be unavailable.
 message BoolCheck {
 oneof result {
- bool value = 1;
+ bool value = 1;
 UnavailableReason unavailable = 2;
 }
 }
@@ -256,7 +254,7 @@ message BoolCheck {
 // Wrapper for a string posture signal that may be unavailable.
 message StringCheck {
 oneof result {
- string value = 1;
+ string value = 1;
 UnavailableReason unavailable = 2;
 }
 }
@@ -264,30 +262,30 @@ message StringCheck {
 // Raw posture signals gathered by the client.
 message DevicePostureData {
 // Full semver string including any pre-release suffix, e.g. "1.6.0-beta1"
- string defguard_client_version = 1;
+ string defguard_client_version = 1;
 // Normalized OS family, e.g. "windows", "macos", "linux", "ios", "android"
- StringCheck os_family = 2;
+ StringCheck os_family = 2;
 // Detailed OS name, e.g. "Windows", "Mac OS X", "Ubuntu"
- StringCheck os_type = 3;
+ StringCheck os_type = 3;
 // OS version string, e.g. "11", "14.5", "22.04"
- StringCheck os_version = 4;
- BoolCheck disk_encryption = 5;
- BoolCheck antivirus_present = 6;
+ StringCheck os_version = 4;
+ BoolCheck disk_encryption = 5;
+ BoolCheck antivirus_present = 6;
 // ISO-8601 date; NotApplicable on Linux, iOS, and Android
- StringCheck os_last_update_date = 7;
+ StringCheck os_last_update_date = 7;
 // NotApplicable on non-Windows platforms
- BoolCheck ad_domain_joined = 8;
+ BoolCheck ad_domain_joined = 8;
 // NotApplicable on non-Windows platforms
- BoolCheck windows_security_update_current = 9;
+ BoolCheck windows_security_update_current = 9;
 // NotApplicable on non-Linux platforms
- StringCheck kernel_version = 10;
+ StringCheck kernel_version = 10;
 // NotApplicable on non-Android platforms
- BoolCheck android_device_integrity = 11;
+ BoolCheck android_device_integrity = 11;
 }
 message DevicePostureCheckRequest {
- int64 location_id = 1;
- string pubkey = 2;
+ int64 location_id = 1;
+ string pubkey = 2;
 DevicePostureData device_posture_data = 3;
 }
diff --git a/v2/proxy.proto b/v2/proxy.proto
index 56b389a..55b026e 100644
--- a/v2/proxy.proto
+++ b/v2/proxy.proto
@@ -109,8 +109,8 @@ message CoreResponse {
 AwaitRemoteMfaFinishResponse await_remote_mfa_finish = 16;
 HttpsCerts https_certs = 17;
 google.protobuf.Empty clear_https_certs = 18;
- defguard.client_types.DevicePostureCheckResponse device_posture_check = 19;
- defguard.client_types.DevicePostureRejection device_posture_rejected = 20;
+ defguard.client_types.DevicePostureCheckResponse device_posture_check = 19;
+ defguard.client_types.DevicePostureRejection device_posture_rejected = 20;
 }
 }
From 7419c0160703b741479bce569f40e8975814422a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20W=C3=B3jcik?=
Date: Thu, 7 May 2026 12:22:52 +0200
Subject: [PATCH 4/9] add version comment for reference
---
 common/client_types.proto | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/common/client_types.proto b/common/client_types.proto
index 273dd68..44a41fa 100644
--- a/common/client_types.proto
+++ b/common/client_types.proto
@@ -120,6 +120,7 @@ message DeviceConfig {
 int32 keepalive_interval = 10;
 optional LocationMfaMode location_mfa_mode = 11;
 optional ServiceLocationMode service_location_mode = 12;
+ // added for 2.1
 optional bool posture_check_required = 13;
 }
@@ -186,7 +187,7 @@ message ClientMfaStartRequest {
 int64 location_id = 1;
 string pubkey = 2;
 MfaMethod method = 3;
- // Required when the location has posture policies assigned.
+ // [2.1] Required when the location has posture policies assigned.
 optional DevicePostureData posture_data = 4;
 }
From 640665977570d0b98a47a4436b8938bb1a3fbbdc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20W=C3=B3jcik?=
Date: Thu, 7 May 2026 12:24:46 +0200
Subject: [PATCH 5/9] clarify
---
 common/client_types.proto | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/common/client_types.proto b/common/client_types.proto
index 44a41fa..a127d55 100644
--- a/common/client_types.proto
+++ b/common/client_types.proto
@@ -272,15 +272,13 @@ message DevicePostureData {
 StringCheck os_version = 4;
 BoolCheck disk_encryption = 5;
 BoolCheck antivirus_present = 6;
- // ISO-8601 date; NotApplicable on Linux, iOS, and Android
 StringCheck os_last_update_date = 7;
- // NotApplicable on non-Windows platforms
+ // Windows only
 BoolCheck ad_domain_joined = 8;
- // NotApplicable on non-Windows platforms
 BoolCheck windows_security_update_current = 9;
- // NotApplicable on non-Linux platforms
+ // Linux only
 StringCheck kernel_version = 10;
- // NotApplicable on non-Android platforms
+ // Android only
 BoolCheck android_device_integrity = 11;
 }
From e9aa5e670ec5cd9cb48005830ecca2c997e6d44c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20W=C3=B3jcik?=
Date: Thu, 7 May 2026 12:26:44 +0200
Subject: [PATCH 6/9] namespace platform-specific checks
---
 common/client_types.proto | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/common/client_types.proto b/common/client_types.proto
index a127d55..c1d40de 100644
--- a/common/client_types.proto
+++ b/common/client_types.proto
@@ -274,10 +274,10 @@ message DevicePostureData {
 BoolCheck antivirus_present = 6;
 StringCheck os_last_update_date = 7;
 // Windows only
- BoolCheck ad_domain_joined = 8;
+ BoolCheck windows_ad_domain_joined = 8;
 BoolCheck windows_security_update_current = 9;
 // Linux only
- StringCheck kernel_version = 10;
+ StringCheck linux_kernel_version = 10;
 // Android only
 BoolCheck android_device_integrity = 11;
 }
From 50b6af666bcdcf218c01a9fbc0df2436321f3a8a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20W=C3=B3jcik?=
Date: Thu, 7 May 2026 12:47:24 +0200
Subject: [PATCH 7/9] update fields
---
 common/client_types.proto | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/common/client_types.proto b/common/client_types.proto
index c1d40de..560d36c 100644
--- a/common/client_types.proto
+++ b/common/client_types.proto
@@ -272,14 +272,13 @@ message DevicePostureData {
 StringCheck os_version = 4;
 BoolCheck disk_encryption = 5;
 BoolCheck antivirus_present = 6;
- StringCheck os_last_update_date = 7;
 // Windows only
- BoolCheck windows_ad_domain_joined = 8;
- BoolCheck windows_security_update_current = 9;
+ BoolCheck windows_ad_domain_joined = 7;
+ BoolCheck windows_security_update_current = 8;
 // Linux only
- StringCheck linux_kernel_version = 10;
- // Android only
- BoolCheck android_device_integrity = 11;
+ StringCheck linux_kernel_version = 9;
+ // Android & macOS only
+ BoolCheck device_integrity = 10;
 }
 message DevicePostureCheckRequest {
From 9b79da4667ec4ef66357269c4b1bf2d28c1f15a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20W=C3=B3jcik?=
Date: Sun, 10 May 2026 20:07:02 +0200
Subject: [PATCH 8/9] move posture types to enterpise directory
---
 common/client_types.proto | 63 ++---------------------
 enterprise/v2/posture/posture.proto | 60 +++++++++++++++++++++++++++
 v2/proxy.proto | 7 ++--
 3 files changed, 67 insertions(+), 63 deletions(-)
 create mode 100644 enterprise/v2/posture/posture.proto
diff --git a/common/client_types.proto b/common/client_types.proto
index 560d36c..e713259 100644
--- a/common/client_types.proto
+++ b/common/client_types.proto
@@ -1,6 +1,8 @@
 syntax = "proto3";
 package defguard.client_types;
+import "enterprise/v2/posture/posture.proto";
+
 /*
 * Shared message and enum definitions used by Defguard desktop clients (desktop app and CLI).
 *
@@ -188,7 +190,7 @@ message ClientMfaStartRequest {
 string pubkey = 2;
 MfaMethod method = 3;
 // [2.1] Required when the location has posture policies assigned.
- optional DevicePostureData posture_data = 4;
+ optional defguard.enterprise.posture.v2.DevicePostureData posture_data = 4;
 }
 message ClientMfaStartResponse {
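Review bot: The first `client_types.proto` hunk of patch 8 makes the shared `common` contract import `enterprise/v2/posture/posture.proto`, so every consumer of `defguard.client_types`, enterprise or not, now has to compile and ship the enterprise package, and the dependency runs from the base layer into the enterprise one. If `ClientMfaStartRequest.posture_data` genuinely needs the enterprise type here, the import should at least carry a comment saying the direction is deliberate, e.g. `// Enterprise-only types; referenced by ClientMfaStartRequest.posture_data.`; otherwise a neutral posture message kept in common, with the enterprise file depending on it, keeps the layering one-directional. Separately, the new package `defguard.enterprise.posture.v2` puts the version last while the path `enterprise/v2/posture/` puts it before `posture`, which `buf lint`'s PACKAGE_DIRECTORY_MATCH rule would reject; one of the two should change before the file is published.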
@@ -236,65 +238,6 @@ message CodeMfaSetupFinishResponse {
 repeated string recovery_codes = 1;
 }
-// Device posture types
-enum UnavailableReason {
- UNAVAILABLE_REASON_UNSPECIFIED = 0;
- UNAVAILABLE_REASON_INSUFFICIENT_PERMISSIONS = 1;
- UNAVAILABLE_REASON_NOT_APPLICABLE = 2;
- UNAVAILABLE_REASON_DETECTION_FAILED = 3;
-}
-
-// Wrapper for a boolean posture signal that may be unavailable.
-message BoolCheck {
- oneof result {
- bool value = 1;
- UnavailableReason unavailable = 2;
- }
-}
-
-// Wrapper for a string posture signal that may be unavailable.
-message StringCheck {
- oneof result {
- string value = 1;
- UnavailableReason unavailable = 2;
- }
-}
-
-// Raw posture signals gathered by the client.
-message DevicePostureData {
- // Full semver string including any pre-release suffix, e.g. "1.6.0-beta1"
- string defguard_client_version = 1;
- // Normalized OS family, e.g. "windows", "macos", "linux", "ios", "android"
- StringCheck os_family = 2;
- // Detailed OS name, e.g. "Windows", "Mac OS X", "Ubuntu"
- StringCheck os_type = 3;
- // OS version string, e.g. "11", "14.5", "22.04"
- StringCheck os_version = 4;
- BoolCheck disk_encryption = 5;
- BoolCheck antivirus_present = 6;
- // Windows only
- BoolCheck windows_ad_domain_joined = 7;
- BoolCheck windows_security_update_current = 8;
- // Linux only
- StringCheck linux_kernel_version = 9;
- // Android & macOS only
- BoolCheck device_integrity = 10;
-}
-
-message DevicePostureCheckRequest {
- int64 location_id = 1;
- string pubkey = 2;
- DevicePostureData device_posture_data = 3;
-}
-
-message DevicePostureCheckResponse {
- string preshared_key = 1;
-}
-
-message DevicePostureRejection {
- repeated string failed_posture_checks = 1;
-}
-
 // External OIDC authentication flow
 enum AuthFlowType {
 AUTH_FLOW_TYPE_UNSPECIFIED = 0;
diff --git a/enterprise/v2/posture/posture.proto b/enterprise/v2/posture/posture.proto
new file mode 100644
index 0000000..f8460c5
--- /dev/null
+++ b/enterprise/v2/posture/posture.proto
@@ -0,0 +1,60 @@
+syntax = "proto3";
+package defguard.enterprise.posture.v2;
+
+enum UnavailableReason {
+ UNAVAILABLE_REASON_UNSPECIFIED = 0;
+ UNAVAILABLE_REASON_INSUFFICIENT_PERMISSIONS = 1;
+ UNAVAILABLE_REASON_NOT_APPLICABLE = 2;
+ UNAVAILABLE_REASON_DETECTION_FAILED = 3;
+}
+
+// Wrapper for a boolean posture signal that may be unavailable.
+message BoolCheck {
+ oneof result {
+ bool value = 1;
+ UnavailableReason unavailable = 2;
+ }
+}
+
+// Wrapper for a string posture signal that may be unavailable.
+message StringCheck {
+ oneof result {
+ string value = 1;
+ UnavailableReason unavailable = 2;
+ }
+}
+
+// Raw posture signals gathered by the client.
+message DevicePostureData {
+ // Full semver string including any pre-release suffix, e.g. "1.6.0-beta1".
+ string defguard_client_version = 1;
+ // Normalized OS family, e.g. "windows", "macos", "linux", "ios", "android".
+ StringCheck os_family = 2;
+ // Detailed OS name, e.g. "Windows", "Mac OS X", "Ubuntu".
+ StringCheck os_type = 3;
+ // OS version string, e.g. "11", "14.5", "22.04".
+ StringCheck os_version = 4;
+ BoolCheck disk_encryption = 5;
+ BoolCheck antivirus_present = 6;
+ // Windows only
+ BoolCheck windows_ad_domain_joined = 8;
+ BoolCheck windows_security_update_current = 9;
+ // Linux only
+ StringCheck linux_kernel_version = 10;
+ // Android and macOS only
+ BoolCheck device_integrity = 11;
+}
+
+message DevicePostureCheckRequest {
+ int64 location_id = 1;
+ string pubkey = 2;
+ DevicePostureData device_posture_data = 3;
+}
+
+message DevicePostureCheckResponse {
+ string preshared_key = 1;
+}
+
+message DevicePostureRejection {
+ repeated string failed_posture_checks = 1;
+}
diff --git a/v2/proxy.proto b/v2/proxy.proto
index 55b026e..a70f344 100644
--- a/v2/proxy.proto
+++ b/v2/proxy.proto
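Review bot: In the new `DevicePostureData`, field numbers jump from `antivirus_present = 6` to `windows_ad_domain_joined = 8`, leaving 7 unused with no `reserved 7;`, and the 8–11 used here disagree with the 7–10 that patch 7 assigned to the same four fields in `common/client_types.proto` immediately before the move. As the file is new in this series either numbering is wire-safe, but the two should agree, and if 7 is meant to stay free (it was `os_last_update_date` before patch 7) add `reserved 7;` so it is not reused later by accident. `UnavailableReason`, `DevicePostureCheckRequest`, `DevicePostureCheckResponse` and `DevicePostureRejection` also arrive in the new file without a leading comment, and the enum values need a one-line meaning each, in particular what distinguishes `UNAVAILABLE_REASON_NOT_APPLICABLE` from `UNAVAILABLE_REASON_DETECTION_FAILED` when a policy is evaluated.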
@@ -2,6 +2,7 @@ syntax = "proto3";
 package defguard.proxy.v2;
 import "common/client_types.proto";
+import "enterprise/v2/posture/posture.proto";
 import "google/protobuf/empty.proto";
 import "v2/common.proto";
@@ -109,8 +110,8 @@ message CoreResponse {
 AwaitRemoteMfaFinishResponse await_remote_mfa_finish = 16;
 HttpsCerts https_certs = 17;
 google.protobuf.Empty clear_https_certs = 18;
- defguard.client_types.DevicePostureCheckResponse device_posture_check = 19;
- defguard.client_types.DevicePostureRejection device_posture_rejected = 20;
+ defguard.enterprise.posture.v2.DevicePostureCheckResponse device_posture_check = 19;
+ defguard.enterprise.posture.v2.DevicePostureRejection device_posture_rejected = 20;
 }
 }
@@ -201,7 +202,7 @@ message CoreRequest {
 defguard.client_types.CodeMfaSetupFinishRequest code_mfa_setup_finish = 19;
 AwaitRemoteMfaFinishRequest await_remote_mfa_finish = 20;
 AcmeCertificate acme_certificate = 21;
- defguard.client_types.DevicePostureCheckRequest device_posture_check = 22;
+ defguard.enterprise.posture.v2.DevicePostureCheckRequest device_posture_check = 22;
 }
 }
From 84a2bf71b1435d956cae2f7933ab9b7e880292b6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adam=20Ciarcin=CC=81ski?=
Date: Mon, 11 May 2026 13:26:07 +0200
Subject: [PATCH 9/9] Minor changes
---
 enterprise/v2/posture/posture.proto | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/enterprise/v2/posture/posture.proto b/enterprise/v2/posture/posture.proto
index f8460c5..739449b 100644
--- a/enterprise/v2/posture/posture.proto
+++ b/enterprise/v2/posture/posture.proto
@@ -28,10 +28,10 @@ message StringCheck {
 message DevicePostureData {
 // Full semver string including any pre-release suffix, e.g. "1.6.0-beta1".
 string defguard_client_version = 1;
- // Normalized OS family, e.g. "windows", "macos", "linux", "ios", "android".
- StringCheck os_family = 2;
- // Detailed OS name, e.g. "Windows", "Mac OS X", "Ubuntu".
- StringCheck os_type = 3;
+ // Normalized OS type, e.g. "Windows", "macOS", "Linux", "iOS", "Android".
+ string os_type = 2;
+ // Detailed OS name, e.g. "Windows", "Darwin", "Ubuntu".
+ StringCheck os_name = 3;
 // OS version string, e.g. "11", "14.5", "22.04".
 StringCheck os_version = 4;
 BoolCheck disk_encryption = 5;
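Review bot: Fields 2 and 3 of `DevicePostureData` keep their numbers but change meaning — field 2 goes from `os_family` (lower-case family) to `os_type` (capitalised names), field 3 from `os_type` to `os_name` — and field 2 also changes from `StringCheck` to a bare `string`, so an `UnavailableReason` can no longer be reported for it. Because `posture.proto` was created earlier in this same series, this is not a published wire break, but any client built against the patch-8 revision would have its `os_family` values read as `os_type` with different expected spellings ("macos" versus "macOS"). If the bare `string` is intentional, the comment should say that this signal is always reported and what an empty value means; otherwise keep `StringCheck` for consistency with `os_name` and `os_version`.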