Overview

Formal’s Mobile Device Management (MDM) integration allows you to enforce device-based security policies on user connections. By integrating with your organization’s MDM solution, you can ensure that only compliant, managed devices can access protected resources through Formal.
MDM-based policies require users to connect through the Formal Desktop App, which collects and reports device information.

How It Works

When users connect through the Formal Desktop App:
  1. The app collects device information (hardware, software, security settings)
  2. This information is sent to the Connector along with the connection request
  3. Policies evaluate device attributes via input.device

Device Information Available

Formal collects comprehensive device metadata that can be used in policies. When MDM integration is enabled, additional compliance data is available through input.device.mdm:

Hardware Information (input.device.hardware)

Field | Description
model_name | Device model name (e.g., “MacBook Pro”)
model_identifier | Model identifier (e.g., “MacBookPro18,1”)
serial_number | Hardware serial number
hardware_uuid | Unique hardware identifier
activation_lock_status | Activation lock status (macOS)

Software Information (input.device.software)

Field | Description
system_version | OS version (e.g., “14.2”)
kernel_version | Kernel version
computer_name | Computer/hostname
user_name | Local user account name
system_integrity_protection | SIP status (macOS)
secure_virtual_memory | Encrypted virtual memory status
boot_mode | Secure boot status

MDM Information (When Integration Enabled)

Field | Description
enrolled | Device enrollment status
compliant | Overall compliance status
compliance_status | Detailed compliance state
installed_profiles | List of installed profiles
configuration_profiles | MDM configuration profiles
last_checkin | Last MDM check-in timestamp
management_status | Device management status

MDM Platform Integration

Formal directly integrates with Kandji to automatically sync device compliance data and enforce policies based on real-time device status.

Kandji Integration

Formal’s native Kandji integration automatically syncs device compliance data and makes it available in policies through data.mdm_devices attributes.

Setup

Option 1: UI Setup
  1. Go to MDM Integrations in the Formal dashboard
  2. Click Connect next to Kandji
  3. Enter your Kandji API credentials:
    • API URL: https://your-org.api.kandji.io
    • API Token: Your Kandji API token
  4. Click Save to enable the integration
Option 2: Terraform Setup
Use the formal_integration_mdm resource:
resource "formal_integration_mdm" "kandji" {
  name = "Kandji MDM Integration"
  
  kandji {
    api_key = var.kandji_api_key
    api_url = "https://your-org.api.kandji.io"
  }
}

Example Policies

Require Secure Boot

package formal.v2

import future.keywords.if

# `not x == "secure"` is also true when boot_mode is absent from the input,
# so a device that reports nothing is blocked (fail closed).
session := {
  "action": "block",
  "type": "block_with_formal_message",
  "message": "Device must have secure boot enabled",
  "reason": "Device security policy violation"
} if {
  not input.device.software.boot_mode == "secure"
}

Block Jailbroken/Modified Devices

package formal.v2

import future.keywords.if

session := {
  "action": "block",
  "type": "block_with_formal_message",
  "message": "System Integrity Protection must be enabled",
  "reason": "Device tampering detected"
} if {
  not input.device.software.system_integrity_protection == "enabled"
}

Enforce Activation Lock (macOS)

package formal.v2

import future.keywords.if

# This rule matches only an explicit "disabled" value. A device that does not
# report activation_lock_status at all (for example, a non-macOS device) is not
# blocked by it; use the `not ... == "enabled"` form if that should fail closed.
session := {
  "action": "block",
  "type": "block_with_formal_message",
  "message": "Activation Lock must be enabled",
  "reason": "Device theft protection required"
} if {
  input.device.hardware.activation_lock_status == "disabled"
}

Require Encrypted Virtual Memory

package formal.v2

import future.keywords.if

session := {
  "action": "block",
  "type": "block_with_formal_message",
  "message": "Encrypted virtual memory required",
  "reason": "Data protection policy"
} if {
  not input.device.software.secure_virtual_memory == "enabled"
}

Allow Only Corporate Devices

package formal.v2

import future.keywords.if
import future.keywords.in

session := {
  "action": "block",
  "type": "block_with_formal_message",
  "message": "Only corporate-issued devices allowed",
  "reason": "Device not in approved list"
} if {
  # Check against list of approved serial numbers (Policy Data Loader)
  approved_serials := data.mdm_devices

  # Also true when the device reports no serial number (fail closed)
  not input.device.hardware.serial_number in approved_serials
}
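The table of MDM fields above lists enrolled, compliant and last_checkin, but none of the page's policies use them. The policy below is an added example, not Formal's own code, and it assumes things the page does not state: that enrolled and compliant are booleans, that last_checkin is an RFC 3339 timestamp string, and that the policy evaluator supports OPA's time.parse_rfc3339_ns and time.now_ns builtins. It also shows a pattern the page's examples do not: collecting every failed check into a violations set and making one block decision from it, so several simultaneous failures can never produce conflicting session values. Deploy it only where the MDM integration is enabled; without it input.device.mdm is absent and every check below fails closed, blocking all sessions.

```rego
package formal.v2

import future.keywords.if
import future.keywords.contains

# Added example, not Formal's own policy. Assumptions (not stated on the page):
# - input.device.mdm.enrolled and input.device.mdm.compliant are booleans
# - input.device.mdm.last_checkin is an RFC 3339 timestamp string
# - the evaluator supports OPA's time.* builtins

# Compliance data older than this is treated as stale (7 days, in nanoseconds).
max_checkin_age_ns := 7 * 24 * 60 * 60 * 1000000000

# Each failing check adds one entry to the violations set.
violations contains "device is not enrolled in MDM" if {
  not input.device.mdm.enrolled == true
}

violations contains "MDM reports the device as non-compliant" if {
  not input.device.mdm.compliant == true
}

violations contains "last MDM check-in is older than 7 days" if {
  last := time.parse_rfc3339_ns(input.device.mdm.last_checkin)
  time.now_ns() - last > max_checkin_age_ns
}

# A missing or unparsable check-in timestamp is undefined for parse_rfc3339_ns,
# so `not` is true and the device is treated as stale (fail closed).
violations contains "last MDM check-in is missing or unreadable" if {
  not time.parse_rfc3339_ns(input.device.mdm.last_checkin)
}

# One session rule: any number of violations yields a single block decision,
# and the message lists all of them so the user can fix everything at once.
session := {
  "action": "block",
  "type": "block_with_formal_message",
  "message": sprintf("Device blocked by MDM policy: %s", [concat("; ", violations)]),
  "reason": "MDM compliance policy"
} if {
  count(violations) > 0
}
```

The 7-day window is a placeholder; set it to a little more than your MDM agent's check-in interval so a device that has simply been asleep over a weekend is not locked out, while one that has been unenrolled or wiped still ages out.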

Conditional Access Based on Device

package formal.v2

import future.keywords.if

# Require MFA if the device is only marginally compliant: a supported but aging
# OS (major version 13) with SIP still enabled.
session := {
  "action": "mfa",
  "reason": "MFA required for non-compliant devices"
} if {
  version_parts := split(input.device.software.system_version, ".")
  major_version := to_number(version_parts[0])

  major_version >= 13
  major_version < 14
  input.device.software.system_integrity_protection == "enabled"
}

# Block if the OS is too old. This rule and the SIP rule below produce the
# identical object, so both may fire for one device without the evaluator
# reporting conflicting values for `session`.
session := {
  "action": "block",
  "type": "block_with_formal_message",
  "message": "Device does not meet minimum security requirements",
  "reason": "Critical compliance violations"
} if {
  version_parts := split(input.device.software.system_version, ".")
  major_version := to_number(version_parts[0])

  major_version < 13
}

# Block if SIP is disabled or not reported at all.
session := {
  "action": "block",
  "type": "block_with_formal_message",
  "message": "Device does not meet minimum security requirements",
  "reason": "Critical compliance violations"
} if {
  not input.device.software.system_integrity_protection == "enabled"
}
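The policies above compare only the major version, which is too coarse when the fix you need ships in a point release. The policy below is an added example, not Formal's own code; it assumes system_version has the "major.minor" or "major.minor.patch" shape shown in the table above, and the 14.2 threshold is a hypothetical value to replace with the build you actually require. Unlike the page's examples, it refuses to evaluate a version string with a non-numeric component and fails closed in that case instead of silently reading "14.2beta" as 14.0.

```rego
package formal.v2

import future.keywords.if

# Added example, not Formal's own policy. The threshold is hypothetical and the
# policy assumes system_version looks like "14.2" or "14.2.1".
min_version := [14, 2]

# Parse "14.2.1" into [14, 2, 1, 0, 0]. The padding lets a bare "14" be read as
# 14.0 without an index error. The count check makes the function undefined when
# any component is not numeric, so callers can treat that as a failed check.
version_numbers(v) := nums if {
  parts := split(v, ".")
  parsed := [to_number(p) | p := parts[_]]
  count(parsed) == count(parts)
  nums := array.concat(parsed, [0, 0])
}

below_minimum(v) if {
  n := version_numbers(v)
  n[0] < min_version[0]
}

below_minimum(v) if {
  n := version_numbers(v)
  n[0] == min_version[0]
  n[1] < min_version[1]
}

os_too_old if {
  below_minimum(input.device.software.system_version)
}

# A missing or unparsable version string leaves version_numbers undefined, so
# `not` is true and the device is blocked (fail closed).
os_too_old if {
  not version_numbers(input.device.software.system_version)
}

session := {
  "action": "block",
  "type": "block_with_formal_message",
  "message": sprintf("OS %v.%v or newer is required", min_version),
  "reason": "Minimum OS version policy"
} if {
  os_too_old
}
```

With this threshold "13.6" and "14.1" are blocked, "14.2", "14.2.1" and "14.10" are allowed (the comparison is numeric, not lexical, so 10 is correctly greater than 2), and an absent or garbled version string is blocked rather than waved through.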

Monitoring Device Compliance

View device information in session logs:
  1. Navigate to Sessions
  2. Click on any session
  3. Review device information in session details
  4. Filter sessions by device attributes
This allows you to:
  • Audit which devices are accessing resources
  • Identify non-compliant devices attempting connections
  • Track OS versions and security settings across your fleet

Best Practices

Enforce use of the Formal Desktop App for connections that require device compliance checks. Block direct connections that bypass device verification.
Combine device-based policies with user-based and resource-based policies for defense in depth.
When implementing new device requirements, use dry-run mode first and give users time to update their devices.
Connect your Kandji platform to automatically sync device compliance data and enforce real-time policies.
Review session logs to identify devices that frequently fail compliance checks.

Next Steps