Enterprises often deploy applications to user client devices such as smartphones. Client devices can be managed by a management service that provides the ability to remotely manage or administer client devices that are enrolled with the management service as a managed device. For example, devices that are running a variant of the Android™ operating system can be enrolled with a remotely executed management service using application programming interfaces (APIs) or other capabilities that are embedded within the operating system of the device. A management component can also be installed on a client device so the device can be locally managed by the management component and remotely managed by the management service. An administrator can define policies or profiles that are associated with a particular client device through the management service, which can transmit the policies or profiles to the client device. The management component on the client device can install or enforce the policies or profiles on the client device. Additionally, the management service can issue commands to the management component to take certain actions on the client device.
An administrator can also deploy applications to a client device enrolled as a managed device through the management service. In one example, the management service can instruct the management component to install a particular application that an enterprise might wish to deploy. Applications can include third party applications such as productivity applications, messaging applications or other applications that might require authentication with one or more servers or services associated with the application. For example, a productivity application might require a subscription that requires a login or authentication process to be performed. The authentication process might be federated by the application service provider to the directory service or identity management service of the enterprise.
Accordingly, to complete the authentication process, an application service can receive an authentication request from an application executed on the client device and redirect the request to an identity management service of the enterprise. The identity management service of the enterprise can authenticate the user and provide an authentication assertion or token to the application, which can be presented to the application service to authenticate the user's identity. Providing single sign-on capabilities in this way allows the user to log on without having to provide his or her credentials separately to authenticate his or her access to the application.
However, a single sign-on process through an identity provider does not provide a way to check whether the device is in compliance with enterprise rules. That is, although single sign-on authenticates the user, the device itself may still be compromised. As a result, there remains a need for a posture assessment of the device on which the application is running at the time of user authentication, to ensure that the device is enrolled as a managed device and is in compliance with one or more device compliance policies of the enterprise.
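The following is an added example, not code from the original text or from any product it describes. It simulates the federated exchange described above (application, application service, enterprise identity management service) and then shows the gap: a plain identity-provider login admits a user on an unenrolled device, whereas a hardened variant has the identity management service query the management service for device posture and embed it in the assertion, which the application service then checks before granting access. The user directory, device registry, HMAC-signed assertion format, and compliance rules (passcode set, OS patched) are all constructed assumptions for the demo.

```python
import hmac, hashlib, json, time, base64

# Constructed sample data (assumptions for this demo, not from the text): an
# enterprise user directory and a management-service registry of devices.
DIRECTORY = {"alice": "correct-horse"}          # user -> password (demo only)
DEVICE_REGISTRY = {
    "dev-001": {"enrolled": True,  "passcode_set": True,  "os_patched": True},
    "dev-002": {"enrolled": True,  "passcode_set": False, "os_patched": True},
    "dev-003": {"enrolled": False},
}
IDP_SIGNING_KEY = b"constructed-shared-secret"  # shared by IdP and app service


class ManagementService:
    """Answers posture queries about devices enrolled as managed devices."""
    def posture(self, device_id):
        rec = DEVICE_REGISTRY.get(device_id, {"enrolled": False})
        enrolled = rec.get("enrolled", False)
        # Compliance is evaluated only for enrolled devices (assumed policy).
        compliant = enrolled and rec.get("passcode_set") and rec.get("os_patched")
        return {"enrolled": enrolled, "compliant": bool(compliant)}


class IdentityManagementService:
    """Enterprise IdP: authenticates the user and, when asked, embeds the
    device posture obtained from the management service in its assertion."""
    def __init__(self, mgmt, check_posture):
        self.mgmt, self.check_posture = mgmt, check_posture

    def authenticate(self, username, password, device_id, audience):
        if DIRECTORY.get(username) != password:
            return None  # user authentication failed
        claims = {"sub": username, "aud": audience, "exp": int(time.time()) + 300}
        if self.check_posture:
            claims["device"] = self.mgmt.posture(device_id)
        return _sign(claims)


def _sign(claims):
    # Minimal HMAC-signed assertion: base64(JSON) "." hex(HMAC-SHA256).
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(IDP_SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + mac


def _verify(token):
    body, mac = token.split(".")
    expected = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


class ApplicationService:
    """Third-party application backend that federates login to the IdP."""
    NAME = "productivity-app"

    def __init__(self, idp, require_compliance):
        self.idp, self.require_compliance = idp, require_compliance

    def login(self, username, password, device_id):
        # 1. The app's authentication request is redirected to the IdP.
        token = self.idp.authenticate(username, password, device_id, self.NAME)
        if token is None:
            return "denied: bad credentials"
        # 2. The assertion is presented back to the app service and validated.
        claims = _verify(token)
        if claims is None or claims["aud"] != self.NAME or claims["exp"] < time.time():
            return "denied: invalid assertion"
        # 3. Posture gate: enrolled and compliant, or no access.
        if self.require_compliance:
            dev = claims.get("device", {})
            if not dev.get("enrolled"):
                return "denied: device not enrolled"
            if not dev.get("compliant"):
                return "denied: device out of compliance"
        return "granted"


def run_scenarios():
    mgmt = ManagementService()
    plain = ApplicationService(IdentityManagementService(mgmt, False), False)
    gated = ApplicationService(IdentityManagementService(mgmt, True), True)
    return {
        "plain_unenrolled": plain.login("alice", "correct-horse", "dev-003"),
        "gated_compliant": gated.login("alice", "correct-horse", "dev-001"),
        "gated_noncompliant": gated.login("alice", "correct-horse", "dev-002"),
        "gated_unenrolled": gated.login("alice", "correct-horse", "dev-003"),
        "gated_bad_password": gated.login("alice", "wrong", "dev-001"),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The `plain_unenrolled` scenario is the problem the text describes: credentials alone are sufficient, so an unenrolled (and possibly compromised) device is admitted. In the gated variant the posture claim is produced by the identity management service at authentication time rather than self-reported by the client, and the application service treats a missing claim the same as a failed one, so the check cannot be skipped by omitting the field.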