Creating Policy with Device Certificate

An access policy that checks for a device certificate adds a layer of verification on top of the user account credentials and the MFA that is enabled by default. Even when an account can log in to the user portal and see the apps, the user cannot open an app protected by such a policy unless the required certificate is installed on their device.

To enable this kind of policy, you need an admin user to create it; see the KB articles below about admin access:


  1. Log in to
  2. Go to the Settings tab > ZTNA
  3. In Policies, click the New Policy button
  4. This expands all the policy options that can be used for application authorization
  5. Enter a policy name; it is mandatory and must be unique among policies
  6. This article focuses on enabling an access policy with device certificate verification, so the one option you must enable is "Required device certificate"
  7. For user groups, applications, categories, and configuration, fill in or choose what you want mapped to the policy, then click "Save"
  8. A success notification appears when the policy has been added


To test whether the policy is implemented successfully, make sure of the following:

  • A user already created by the admin; please refer to here
  • The user has already enrolled in MFA and can log in properly; please refer to here
  • The admin has already entered the trusted certificate in the configuration; please refer to here
  • Your client certificate added to your device:
    • Windows, refer to here
    • MacOS, refer to here
    • Linux (Ubuntu), refer to here
  • Your favorite web browser to open the User Portal

Once you log in to the user portal, you will be shown all the applications your user can access.

Click the application that is already mapped to the device certificate access policy.

A new browser tab opens and asks you which device certificate to use to open the application.

If the certificate is correct, you can access the application normally.

If not, you will get an unauthorized error message on the web page.