Key Considerations for Using the Device Posture and Domain Joined Check

The Domain Joined posture check lets administrators verify that a computer is a member of a domain. To use it, the device must be joined to the Active Directory domain configured in the Device Posture settings. The posture check relies on AD being able to communicate with the endpoint to validate that it is part of the domain.

By default, Atmos ZTNA blocks traffic unless it is explicitly allowed. If a rule is not set to allow the user to join the domain, the endpoint will not be able to validate that it is part of the domain.

If you have created a new device trust rule that requires a user to join the domain, a common misconfiguration is to place the Domain Joined check before the rule that allows the user to join the domain. The posture check must come after the AD rule so that the endpoint can reach the domain controller and validate its domain membership; if the check comes first, the endpoint's traffic to the domain controller is evaluated against the check before membership can be validated, and the posture check fails.
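The ordering dependency described above, as an added illustration that is not Atmos ZTNA's own policy engine: a toy first-match, default-deny evaluator in which the Domain Joined check can only pass once an earlier rule has let the endpoint's traffic reach the domain controller. Rule names, the service names, and the idea that LDAP/Kerberos traffic is what validation needs are assumptions made for the example.

```python
"""Toy first-match policy evaluator modelling the ordering dependency
described above (constructed illustration, not Atmos ZTNA's engine)."""
from dataclasses import dataclass

# Assumed: services the endpoint must reach on the domain controller to validate membership.
DC_SERVICES = {"ldap", "kerberos"}

@dataclass
class Endpoint:
    in_domain: bool             # ground truth: the machine account exists in AD
    dc_reachable: bool = False  # set once an allow rule lets DC traffic through

@dataclass
class Rule:
    name: str
    services: set               # services the rule covers; {"*"} matches everything
    action: str                 # "allow" or "block"
    require_domain_joined: bool = False

def domain_joined_check(ep: Endpoint) -> bool:
    """The check only passes when AD could actually talk to the endpoint."""
    return ep.dc_reachable and ep.in_domain

def evaluate(rules, ep, service):
    """Top-down, first match wins; default-deny if nothing matches."""
    for rule in rules:
        if rule.services != {"*"} and service not in rule.services:
            continue
        if rule.require_domain_joined and not domain_joined_check(ep):
            return f"block: {rule.name} (Domain Joined check failed)"
        if rule.action == "allow" and service in DC_SERVICES:
            ep.dc_reachable = True  # endpoint can now validate with the DC
        return f"{rule.action}: {rule.name}"
    return "block: default"

def run_policy(rules, ep, services):
    return [evaluate(rules, ep, s) for s in services]

AD_RULE = Rule("Allow AD/domain controller", DC_SERVICES, "allow")
TRUST_RULE = Rule("Device trust: domain joined", {"*"}, "allow", require_domain_joined=True)
# Constructed traffic: validation traffic to the DC first, then an internal app.
TRAFFIC = ["ldap", "intranet-app"]

def misordered():  # posture check placed before the AD rule
    return run_policy([TRUST_RULE, AD_RULE], Endpoint(in_domain=True), TRAFFIC)

def correct():     # AD rule first, posture check after it
    return run_policy([AD_RULE, TRUST_RULE], Endpoint(in_domain=True), TRAFFIC)

if __name__ == "__main__":
    print(misordered())  # both requests blocked: the check fails before the DC is reachable
    print(correct())     # DC traffic allowed, then the app allowed via the posture rule
```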

The following policy shows the correct sequence to perform a domain join check.