implementing-device-posture-assessment-in-zero-trust

# Implementing Device Posture Assessment in Zero Trust ## When to Use - When enforcing device health as a prerequisite for accessing corporate applications - When integrating CrowdStrike ZTA scores, Intune compliance, or Jamf device status into access decisions - When implementing CISA Zero Trust Maturity Model device pillar requirements - When building conditional access policies that adapt based on real-time endpoint security posture - When detecting and blocking access from compromised, unmanaged, or non-compliant devices **Do not use** for IoT or headless devices that cannot run posture agents, as a standalone security control without identity verification, or when real-time posture data is unavailable and stale compliance data would create false trust. ## Prerequisites - Endpoint Detection and Response (EDR): CrowdStrike Falcon with ZTA module, or Microsoft Defender for Endpoint - Mobile Device Management (MDM): Microsoft Intune, Jamf Pro, or VMware Workspace ONE - Identity Provider: Microsoft Entra ID, Okta, or Ping Identity with conditional access capability - ZTNA Platform: Zscaler ZPA, Cloudflare Access, Palo Alto Prisma Access, or cloud-native IAP - API access to EDR/MDM platforms for posture signal ingestion ## Workflow ### Step 1: Define Device Compliance Baselines Establish minimum security requirements for each device category. ```powershell # Microsoft Intune: Create device compliance policy via Graph API Connect-MgGraph -Scopes "DeviceManagementConfig...