Posture Checks is a security feature that verifies the compliance status of a device before granting it network access. Only devices that meet the defined requirements are allowed to connect, enforcing Zero Trust principles at the device level.
Available checks
Agent version
Restrict access to peers running a minimum version of the EagleSafe ZTB agent. This ensures all devices connecting to the network use up-to-date, supported client software.
Country and region
Limit network access based on the geographical location of the connecting device. You can configure an Allow list (all other locations are blocked) or a Block list (only the specified locations are blocked, all others are allowed).
Peer network range
Control access based on the IP address of the connecting device. The check evaluates two sources:
- The IP addresses configured on the device's local network interfaces (e.g. office LAN 192.168.1.0/24).
- The public IP observed by the management server when the peer connects.
Both IPv4 and IPv6 are supported. Examples:
- Block a single public IP: 203.0.113.10/32
- Allow an office IP range: 1.0.0.0/24
- Block a private subnet: 192.168.1.0/24
- Block an IPv6 prefix: 2001:db8::/48
Note: on iOS and Android, local NIC IP ranges cannot be evaluated — only public IP ranges work on mobile. See Known Limitations below.
Operating system
Restrict access based on the OS version of the connecting device. Requires agent version 0.26.0 or newer. Version reference:
- Windows 10 (22H2): 10.0.19045
- Windows 11 (23H2): 10.0.22631
- macOS 14 Sonoma: 14 or 14.3.1
- macOS 13 Ventura: 13 or 13.6.4
- Linux kernel: 6 or 6.7.5
- iOS 16: 16 or 16.7.5
- Android 14: 14 or 14.3
Process
Allow or deny access based on specific applications or processes running on the connecting device. This is useful to enforce that security software (antivirus, endpoint protection agent, firewall) is active before the device is granted network access.
Create a posture check
- Go to Access Control → Posture Checks and click Create Posture Check.
- In the Checks tab, enable and configure the desired checks.
- Go to the Name & Description tab, enter a descriptive name and save.
A newly created posture check is inactive (grey dot) until it is linked to an access control policy.
Apply a posture check to a policy
- Go to Access Control → Policies and create or edit a policy.
- Open the Posture Checks tab within the policy settings.
- Click Browse Checks to select an existing check, or New Posture Check to create one inline.
- Save the policy.
Once linked to an active policy, the posture check becomes active (green dot) and is enforced for all peers subject to that policy.
Multiple posture checks can be added to a single policy.
Known limitations
Peer network range on mobile platforms
iOS and Android do not allow applications to enumerate local network interfaces. As a result, posture checks based on local NIC IP ranges (e.g. office LAN) cannot be evaluated on mobile devices and will not match — potentially blocking access even when the device is on the correct network.
Posture checks based on the public connection IP work correctly on all platforms including mobile.
Recommendations for deployments that include iOS or Android clients:
- Create separate policies for mobile clients that do not include local NIC range checks.
- Use geo-location checks as an alternative to local NIC range checks.
- Apply local NIC range checks only to policies targeting desktop platforms (Windows, macOS, Linux).
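The following Python sketch models how a peer network range check behaves for a desktop peer and a mobile peer on the same office network. It is an added illustration, not EagleSafe ZTB code. The function name, the sample peers and the matching rule (a range matches if any local NIC address or the public IP falls inside it) are assumptions.

```python
import ipaddress

def evaluate_range_check(action, ranges, local_ips, public_ip):
    """Model of a peer network range check (assumed semantics, not product code).

    action    "allow": peer passes only if one of its addresses is in a range
              "block": peer passes only if none of its addresses is in a range
    local_ips addresses reported from the device's NICs (empty on iOS/Android)
    public_ip address the management server observed for the connection
    """
    if action not in ("allow", "block"):
        raise ValueError(f"unknown action: {action!r}")
    nets = [ipaddress.ip_network(r) for r in ranges]
    addrs = [ipaddress.ip_address(a) for a in [*local_ips, public_ip]]
    # An IPv4 address is never "in" an IPv6 network (and vice versa), so
    # mixed-family ranges and addresses can be compared safely.
    matched = any(a in n for a in addrs for n in nets)
    return matched if action == "allow" else not matched

# Constructed sample peers: both sit on the same office Wi-Fi and leave
# through the same egress IP, but the mobile agent cannot list its NICs.
DESKTOP = {"local_ips": ["192.168.1.23", "fe80::1"], "public_ip": "203.0.113.10"}
MOBILE = {"local_ips": [], "public_ip": "203.0.113.10"}

def compare(action, ranges):
    """Return the check result for the desktop and the mobile sample peer."""
    return {
        "desktop": evaluate_range_check(action, ranges, **DESKTOP),
        "mobile": evaluate_range_check(action, ranges, **MOBILE),
    }

if __name__ == "__main__":
    # Allow list on the office LAN: the mobile peer never matches, so it is denied.
    print("allow LAN   ", compare("allow", ["192.168.1.0/24"]))
    # Block list on the same LAN: under this model the mobile peer is not caught.
    print("block LAN   ", compare("block", ["192.168.1.0/24"]))
    # Allow list on the public egress IP: both platforms are evaluated alike.
    print("allow public", compare("allow", ["203.0.113.10/32"]))
```

Under this model a block list on a local range is also never matched by a mobile peer, which is a further reason to keep local NIC range checks out of policies that cover iOS or Android.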