How to troubleshoot 'Your device does not meet access policy requirements for this site.' events?

    Question

  • Can someone help me with a silly question:

    I've looked everywhere for logging for 'Your device does not meet access policy requirements for this site.' events but I cannot find them anywhere.

    I can see errors reported in the Application event log for users that fail to authenticate (event id 14), but I do not see any error event generated when users do not meet minimum access policy requirements.

    This access policy is at login so users do not even have the chance to enter their credentials so it is hard to review previous events to tie them up to a particular user.

    I am troubleshooting a user who has valid AV and my Default Session Access is only Any_Anti_Virus and I am trying to work out why it didn't work.

    Thanks

    Monday, July 09, 2012 3:28 PM

Answers

  • Hi,

    This can be a pain to figure out but I will try and explain how to find out why!

    When the user logs into the UAG portal and is shown the error, at this point (before the user logs out), if you open the Web Monitor and click 'Active Sessions' (menu on the left) you will see a session with the lead user matching your end user's username. Click on that session ID and a new window opens with 4 tabs across the top. If you click on the 'Parameters' tab it will list every check which the UAG has carried out against the endpoint. Based on your above post you need to look for the value 'Any_Anti_Virus' and it will probably say 'false'. Now if it does then in all likelihood the AV which your user is running is not being detected by UAG. If you scan the rest of the Parameters tab you may notice that it does detect the AV but just doesn't set the global 'Any_Anti_Virus' flag. If this is the case then you would just need to alter your access expression or create an EndPoint Policy.

    Regards,

    Sean.


    Sean Seaman IT Security Consultant Sapphire

    • Marked as answer by glloyd78 Monday, July 16, 2012 9:28 AM
    Monday, July 09, 2012 8:50 PM
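    The diagnostic logic in the answer above (check the global 'Any_Anti_Virus' parameter first; if it is false, scan the remaining parameters for the product that was actually detected; then adjust the access expression) can be modelled offline. The script below is an added example and is not UAG's own code or a UAG API: the Parameters listing is a constructed text sample in a made-up name=value form, only 'Any_Anti_Virus' is a parameter named in this thread, every other parameter name (Any_Firewall, Contoso_AV_*, Windows_Update_Enabled) is invented, and the expression syntax (Python-style and/or/not over parameter names) is an assumption. The evaluator walks a restricted AST rather than calling eval(), so an expression pasted from a ticket cannot run arbitrary code.

```python
"""Evaluate an endpoint access expression against the parameters a UAG session
reports (Web Monitor > Active Sessions > session ID > Parameters tab).

Added example, not UAG's own code. Only 'Any_Anti_Virus' appears in the thread;
all other parameter names and the expression syntax are assumptions.
"""
import ast

# Constructed sample of a Parameters listing (name=value per line).
# Every name other than Any_Anti_Virus is made up for illustration.
SAMPLE_PARAMETERS = """\
Any_Anti_Virus=false
Any_Firewall=true
Contoso_AV_Installed=true
Contoso_AV_Running=true
Windows_Update_Enabled=true
"""

# Only boolean logic over parameter names is allowed in an expression.
ALLOWED_NODES = (ast.Expression, ast.BoolOp, ast.UnaryOp, ast.And, ast.Or,
                 ast.Not, ast.Name, ast.Constant, ast.Load)


def parse_parameters(text):
    """Turn 'name=value' lines into {name: bool}; anything not 'true' is False."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip().lower() == "true"
    return params


def evaluate_expression(expr, params):
    """Evaluate a boolean expression such as 'Any_Anti_Virus or Contoso_AV_Running'.

    Unknown parameter names evaluate to False, mirroring a check UAG never set.
    The AST is validated first so only and/or/not, names and True/False survive.
    """
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            raise ValueError(f"unsupported syntax in expression: {type(node).__name__}")
        if isinstance(node, ast.Constant) and not isinstance(node.value, bool):
            raise ValueError("only True/False constants are allowed")

    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant):
            return node.value
        if isinstance(node, ast.Name):
            return params.get(node.id, False)
        if isinstance(node, ast.UnaryOp):          # only 'not' passes validation
            return not ev(node.operand)
        values = [ev(v) for v in node.values]      # ast.BoolOp: and / or
        return all(values) if isinstance(node.op, ast.And) else any(values)

    return bool(ev(tree))


def diagnose(params, expression, global_flag="Any_Anti_Virus", hint="AV"):
    """Return (allowed, reason) following the troubleshooting steps in the thread."""
    if evaluate_expression(expression, params):
        return True, "access expression satisfied"
    if params.get(global_flag, False):
        return False, f"{global_flag} is true; another term of the expression failed"
    # Global flag is false: look for product-specific parameters that are true.
    detected = sorted(n for n, v in params.items() if v and hint.lower() in n.lower())
    if detected:
        return False, (f"{global_flag} is false but related parameters are true: "
                       f"{', '.join(detected)}; alter the access expression or "
                       "create an endpoint policy that uses them")
    return False, f"{global_flag} is false and no related parameter is true; UAG does not detect the product"


if __name__ == "__main__":
    p = parse_parameters(SAMPLE_PARAMETERS)
    for expr in ("Any_Anti_Virus",
                 "Any_Anti_Virus or (Contoso_AV_Installed and Contoso_AV_Running)"):
        print(expr, "->", diagnose(p, expr))
```

    Running it with the constructed sample reproduces the situation Sean describes: the default expression fails because the global flag is false, while the product-specific parameters show the AV was detected, and a widened expression lets the session through.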

All replies

  • Hi Sean,

    Thanks for the feedback. My worst fears confirmed!

    Logging failed endpoint compliance is an area that definitely needs some refinement. It's not always possible to monitor users in real time when they are in a different time zone.

    Alas I have found the endpoint compliance checker too unreliable and have had to set my default access policy to True.

    It just doesn't seem to be worth the hassle with third parties and the like. Generates too many calls for me!

    Cheers,


    Gareth

    Monday, July 16, 2012 9:28 AM
  • Hi

    I have the same problem

    It was working fine but now it doesn't.

    I have updated the UAG to SP3.

    I have created a Windows policy, creating a script (False) to (true).

    It gives the same error.

    How can I know where the problem is?

    Monday, November 04, 2013 9:43 PM
  • hi there,

    I'm sure you've figured out this problem by now but I wanted to add my experience with the Forefront UAG, and the fix in my case.

    Basically my work website uses Forefront UAG for login, and it keeps giving the "Your device does not meet access policy requirements for this site" error on every browser.

    Eventually I found it was because Forefront only supports a few versions of Internet Explorer. So I downgraded my Internet Explorer from 11 to 10 (http://social.technet.microsoft.com/Forums/windows/en-US/bde89cbf-f926-47b6-8e85-c76196747ba9/downgrade-ie9-to-ie8-windows-7).

    If that doesn't work, continue to downgrade Internet Explorer. I think Internet Explorer 8 is the only one that is supported by every version of Forefront 2010.

    Also be sure to use the 32-bit version of IE; 64-bit doesn't work for me.

    I think this will help everyone whose UAG used to work on IE, but doesn't anymore.

    Wednesday, July 30, 2014 4:21 PM
  • Hi There - SP4 has support for IE11 which will save you some pain of downgrading - http://technet.microsoft.com/en-us/library/dn511691.aspx

    Kr


    John Davies

    • Proposed as answer by Icon8000 Wednesday, July 30, 2014 5:22 PM
    Wednesday, July 30, 2014 5:03 PM