Endpoint Posture Requirements Checklist (2026)

1Tell us where to send it
Your name and work email — nothing more.
2Check your inbox
Your checklist arrives in seconds, not days.
3Use it with your team
Editable and ready to share — make it your own.

A peek inside

See exactly what you're getting

Free PDF

Spotsaas · 2026

Endpoint Posture Requirements Checklist

✓ How to use this checklist

✓ Baseline device integrity (required for all)

✓ Posture requirements by device class

✓ Wire posture into access decisions

Get the checklist →

What it is

The Endpoint Posture Requirements Checklist defines the device-health bar every endpoint must clear before it's allowed to connect remotely — the posture policy that sits between an unmanaged, out-of-date, possibly-compromised laptop and your production environment. It hands you a concrete baseline (supported, patched OS within SLA; full-disk encryption verified; screen lock enforced; EDR installed, running, and healthy; host firewall on; MDM-enrolled and compliant; no active malware or high-severity detections; not jailbroken/rooted), a device-class matrix that sets required vs. recommended signals for managed devices, BYOD, and vendor machines, an implementation sequence for wiring those signals into your ZTNA or conditional-access engine, and a set of decisions to fill in (patch SLA, no-exception targets, remediation path, residual privilege for partially-compliant devices, policy owner).

The core principle is that a remote session is only as trustworthy as the endpoint it originates from. The checklist makes that operational: collect the signals (connect MDM, EDR, and IdP device-compliance feeds to your access engine, each mapped to an authoritative source so nothing is self-reported), define the policy per device class, decide the failure path (block-and-remediate for hard failures like no encryption or EOL OS, quarantine for fixable gaps, step-up or reduced privilege for soft signals), and make it continuous (re-evaluate posture during long sessions, terminate or downgrade when posture degrades mid-connection, and log every decision as audit evidence).

The device-class matrix is what makes it practical. Managed devices are held to the full bar; BYOD gets work-profile MDM, managed-app EDR, and required encryption; vendor machines that can't be postured are routed through a VDI or jump host rather than trusted directly. The checklist is the device-trust domain of zero trust made concrete — it's the detailed companion to the posture line items in the zero-trust security checklist, and the policy your ZTNA migration will enforce.

What it's used for

Posture is the control that stops a valid credential on a compromised laptop from becoming the door into production. Teams use this checklist to define and enforce what 'healthy enough to connect' means:

✓ Writing a device-posture policy that specifies the exact health signals — encryption, patch SLA, EDR health, MDM compliance, no jailbreak — an endpoint must satisfy before any remote session starts.
✓ Setting different bars for managed devices, BYOD, and vendor machines using the device-class matrix, so each population gets a realistic but enforced standard.
✓ Wiring posture signals into a ZTNA or conditional-access engine from authoritative sources (MDM, EDR, IdP) so nothing is self-attested by the user.
✓ Deciding the failure path for every signal — block-and-remediate, quarantine to a remediation network, or step-up authentication — so a failed check never quietly becomes 'allow anyway.'
✓ Making posture continuous: re-evaluating during long sessions and terminating or downgrading a connection when a device falls out of compliance mid-session.
✓ Routing unmanaged vendor or contractor devices through a VDI or jump host instead of trusting them directly, because you can't posture-check a device you don't control.
✓ Logging every posture decision as evidence for access reviews and audits, turning device trust into something you can demonstrate rather than assert.

Who uses it

Posture sits between endpoint management and network access, so it's owned and consumed across both. The checklist gives each team its piece.

Endpoint / device-management adminsThey run the MDM, EDR, and patch tooling that produce the posture signals, and they own remediation for devices that fail — the authoritative sources the checklist depends on.

Security engineers and zero-trust architectsThey design the posture policy, decide the failure paths, and wire signals into the access engine so device trust becomes a real access condition rather than a one-time checkbox.

Identity / conditional-access administratorsThey translate the posture policy into conditional-access rules — require compliant device, block on posture failure — in the IdP and access broker.

IT operations and help-desk teamsThey handle the remediation path for quarantined devices and field the 'why can't I connect?' tickets, so the checklist's remediation-network decision matters directly to them.

Compliance and audit teamsThey use the logged posture decisions as evidence that device trust is enforced, and the device-class matrix as the documented standard auditors test against.

Vendor and third-party access managersThey apply the vendor column — routing unmanageable external devices through VDI or jump hosts — so partners reach what they need without you trusting their endpoints.

Context & good to know

Posture closes the gap that MFA leaves open. MFA proves who is connecting; posture proves what they're connecting from. A perfectly valid credential and a passing MFA prompt mean nothing if the laptop behind them is unpatched, unencrypted, or already compromised — the attacker inherits the session along with the legitimate user's access. Device posture is the control that makes the endpoint a condition of access, not an afterthought, which is why it's a core pillar of any real zero-trust deployment.

The two failures that make posture theater are self-attestation and an undefined failure path. If posture signals come from the user ticking a box rather than from MDM and EDR feeds, the check proves nothing — a compromised device will happily attest that it's healthy. And if no one decided what happens when a managed device fails a check, the default is silent: it gets allowed anyway. The checklist forces both decisions — every signal mapped to an authoritative source, and every signal assigned a concrete action (block, quarantine, or reduce privilege).

Continuous evaluation is what upgrades posture from a one-time gate to a genuine zero-trust control. A device can pass at connect time and be compromised minutes later; if posture is only checked at login, that window is wide open. Re-evaluating during long sessions — and terminating or downgrading when EDR fires or compliance drops — is what 'never trust, always verify' actually means at the endpoint. It's also where tooling differs: not every remote-access or ZTNA stack supports mid-session posture re-evaluation, which is a real selection criterion when comparing platforms.

The device-class matrix reflects an unavoidable reality: you control managed devices, partially control BYOD, and don't control vendor machines at all. The honest answer for unmanaged devices isn't a weaker posture check — it's not trusting them, and routing them through a managed surface (VDI or jump host) where the posture you can enforce lives on the broker side. Getting this matrix right is what lets you say yes to BYOD and vendor access without quietly importing their risk into production. It's the same logic the vendor access request form applies at grant time and the ZTNA migration plan enforces at the network layer.

✓ Independent · vendors can't pay to rank

Built on verified data, not vendor spin

Every Spotsaas resource draws on the Spotsaas Score — a blend of verified review ratings, review volume, and feature depth across 57 remote access software tools. Refreshed regularly; data as of June 2026.

FAQ

Questions, answered

What is device posture in remote access?

Device posture is the set of health signals an endpoint must satisfy before it's allowed to connect — typically a supported and patched OS, full-disk encryption, a healthy EDR agent, MDM compliance, host firewall on, and no active malware or jailbreak. Posture answers 'is this device healthy enough to be trusted with this session?', complementing MFA, which answers 'is this the right person?'

How is posture different from MFA?

MFA verifies the identity — who is connecting. Posture verifies the device — what they're connecting from. Both can be valid and the session still be dangerous: a legitimate user authenticating from a compromised, unpatched laptop hands an attacker the same access. Strong remote access requires both, which is why the zero-trust checklist treats them as separate, equally necessary domains.

Which posture signals should I require?

At minimum: supported OS within your patch SLA, verified full-disk encryption, enforced screen lock, a healthy and reporting EDR agent, host firewall on, MDM enrollment showing compliant, no active high-severity detections, and not jailbroken/rooted. The checklist's matrix then splits these into required vs. recommended per device class, since managed, BYOD, and vendor devices can realistically meet different bars.

What should happen when a device fails a posture check?

Never 'allow anyway' by default. Hard failures (no encryption, end-of-life OS, EDR down) should block-and-remediate. Fixable gaps (a missing patch, a stale agent) should quarantine the device to a remediation network where it can self-heal. Soft signals can trigger step-up authentication or reduced privilege. The point is that every signal has a decided action, so a failure is never silent.

Should posture be checked only at login or throughout the session?

Throughout. A device can pass at connect time and be compromised minutes later, so login-only checking leaves the rest of the session unprotected. Continuous evaluation — re-checking posture during long sessions and terminating or downgrading the connection when a device falls out of compliance — is what makes posture a true zero-trust control rather than a one-time gate.

How do unmanaged vendor devices fit a posture policy?

You can't posture-check a device you don't control, so the answer isn't a weaker check — it's not trusting the device at all. Route unmanaged vendor or contractor machines through a managed VDI or jump host, where the posture you can enforce lives on the broker side. The checklist's vendor column makes this explicit: managed surface, not direct access from an unmanaged endpoint.

Why can't users just self-report their device health?

Because self-attestation isn't a control — a compromised device will happily report itself healthy, and an honest user can't see whether their EDR is actually running. Posture signals must come from authoritative tooling (MDM, EDR, the IdP's device-compliance feed), each mapped to its source. If the signal is self-reported, the posture check is theater that proves nothing.

Does posture enforcement require ZTNA?

It's most powerful with ZTNA or a modern conditional-access engine, because those can make posture a per-request access condition and re-evaluate it continuously. But you can enforce a baseline through MDM-backed conditional access in an identity platform too. The checklist's implementation steps assume you're feeding signals into whatever access engine you have; ZTNA simply gives you the richest enforcement, including mid-session re-evaluation.

What patch SLA should I set?

There's no universal number — the checklist asks you to define and enforce one (for example, critical patches within a set number of days) so 'patched' isn't left to interpretation. The right SLA balances your risk tolerance against operational reality, but it must be written, enforced as a posture signal, and tied to a remediation path for devices that fall out of compliance.

Keep exploring