
8 posts tagged with "Security"


Screen lock timeout enforcement

· One min read

XFA now supports screen lock timeout enforcement in addition to the existing screen lock enable/disable check.

Previously, XFA only verified whether screen lock was enabled on a device. Now, admins can also configure a maximum allowed timeout duration — and XFA will verify that the device's screen lock timeout is within that limit.

What's new:

  • Admins can set a maximum screen lock timeout (in minutes) in their organization's policy
  • XFA checks both that screen lock is enabled and that the configured timeout does not exceed the maximum
  • Supports macOS, Windows, and Linux with platform-specific timeout detection
  • The timeout check works alongside the existing enable/disable check — both must pass for the device to be compliant

This gives organizations tighter control over idle device security, ensuring employees cannot set excessively long timeouts that leave devices exposed.

Configure your policies

Claude Code 'Auto' mode flagged as unsafe AI configuration

· One min read

XFA's unsafe AI mode check now recognises Claude Code's newer persisted permission modes alongside the legacy dangerouslySkipPermissions flag, so administrators get accurate reporting whenever an agent is configured to auto-approve every tool call.

The following values of permissions.defaultMode in ~/.claude/settings.json (or ~/.claude/settings.local.json) are now flagged as unsafe because they auto-approve every tool call, including shell commands and network requests:

  • bypassPermissions — persisted equivalent of running with --dangerously-skip-permissions. Treat this as 'agent has full local user privileges'.
  • auto — the new Claude Code 'Auto' mode. Same risk class: skips permission prompts via a classifier and is intended for sandboxed CI, not for personal devices.

Both modes are unsafe to run on machines with credentials or production access. Safe values (default, plan, acceptEdits) remain unflagged. Devices configured with either flagged mode are now reported in the Unsafe AI Mode check, and end users see remediation steps in the in-app guide.
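An added example, not XFA's own implementation: a minimal local audit of the two settings files named above that flags the `permissions.defaultMode` values this post lists as unsafe. The function names and the constructed sample files are assumptions for illustration; the legacy dangerouslySkipPermissions flag is not checked because the post does not say where it is stored.

```python
import json
import tempfile
from pathlib import Path

# Values the post lists as auto-approving every tool call.
UNSAFE_MODES = {"bypassPermissions", "auto"}
# File names under ~/.claude named in the post.
SETTINGS_FILES = ("settings.json", "settings.local.json")


def read_default_mode(path):
    """Return permissions.defaultMode from one file, or None if absent/unreadable."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None  # missing file or malformed JSON: nothing to report here
    perms = data.get("permissions") if isinstance(data, dict) else None
    mode = perms.get("defaultMode") if isinstance(perms, dict) else None
    return mode if isinstance(mode, str) else None


def audit_claude_dir(claude_dir):
    """Return [(file name, mode)] for every settings file with a flagged mode."""
    findings = []
    for name in SETTINGS_FILES:
        mode = read_default_mode(Path(claude_dir) / name)
        if mode in UNSAFE_MODES:
            findings.append((name, mode))
    return findings


def demo():
    """Run the audit over constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "settings.json").write_text(
            json.dumps({"permissions": {"defaultMode": "acceptEdits"}}))
        (d / "settings.local.json").write_text(
            json.dumps({"permissions": {"defaultMode": "auto"}}))
        return audit_claude_dir(d)


if __name__ == "__main__":
    # Real use: audit the current user's ~/.claude directory.
    for name, mode in audit_claude_dir(Path.home() / ".claude"):
        print(f"UNSAFE: {name} sets permissions.defaultMode={mode}")
    print("constructed sample:", demo())
```

Both files are reported separately because either one can carry a flagged mode, so a safe value in `settings.json` does not clear a finding in `settings.local.json`.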

Review your AI policies

Intune and Vanta Checks

· One min read

Two new MDM and compliance checks are now available for the desktop app:

  • Microsoft Intune — Verify whether a device is enrolled in Microsoft Intune. Supports both macOS and Windows.
  • Vanta — Detect whether the Vanta compliance monitoring agent is installed and running. Supports macOS, Windows, and Linux.

Both checks can be configured in your organization's policy with warning and blocking actions, just like all other security checks.

These checks are currently available on desktop only.

Configure your policies

Noru Integration

· One min read

XFA now integrates with Noru, a GRC platform that makes compliance manageable for modern teams.

Once connected, XFA automatically syncs your device security data to Noru, giving you:

  • Automated compliance - Device security checks are continuously exported as security findings, eliminating manual compliance verification.
  • Risk mapping - Each security check is linked to a risk in Noru's risk registry, providing a clear overview of your organization's risk posture.
  • Real-time visibility - Findings are synced as they happen, so your compliance dashboard always reflects the current state.

XFA exports 23 security checks across endpoint posture, compliance, configuration, and identity & access categories.

To get started, create an API key in Noru with Write Assets and Write Risks scopes, and connect it from the Integrations page in your XFA dashboard.

Read the announcement | Set up the integration

Dynamic Security Checks per Organization

· One min read

The XFA app now shows only the security checks that your organization requires, instead of displaying all available checks.

Each organization configures its own policy with specific security requirements. The app now dynamically matches these requirements and shows you exactly which checks apply to you:

  • Policy-scoped checks — Only checks defined in your organization's policy are evaluated and displayed.
  • Clear status per check — Each check shows whether your device passes, needs attention, or is blocked.
  • Not required checks — Checks that don't apply to your organization are marked as "Not required" so you always know what matters.

This makes it much easier to understand what your organization expects from your device and how to stay compliant.

AI Checks

· One min read

Three new AI-related security checks are now available in your policies:

  • Secrets in environment — Detect and prevent exposed secrets in environment variables or runtime context to reduce credential leakage risk.
  • Autonomous agents — Detect autonomous agents and require approved controls before allowing access.
  • Unguarded elevation — Detect and prevent unguarded privilege elevation that can lead to unauthorized high-privilege actions.

Each check can be configured with warning and blocking actions, just like all other policy checks.

Configure your policies

Device Restart Verification

· One min read

New security check: Device restart verification


We've introduced a new security feature that verifies if a device has been restarted recently. This check helps ensure that the device is in a clean state and hasn't been compromised.

Why this matters:

  • Clear potential malware and exploits
  • Complete security updates and patches
  • Reset network connections to prevent unauthorized access
  • Eliminate memory leaks that could lead to vulnerabilities

You can now require users to restart their device when XFA detects that it hasn't been restarted for an extended period, helping maintain optimal security conditions. Do you want to know more about why you should enforce this check? Check out our blog post.

Biometric Authentication Enforcement

· One min read

🔐 Biometric authentication now mandatory


To enhance security, XFA now makes it possible to require biometric authentication (fingerprint or face recognition) for all sensitive operations. This ensures that only authorized users can access protected features.

Key changes:

  • Enforce biometric authentication for all sensitive operations
  • Support for both fingerprint and face recognition
  • Seamless integration with device security features

This mandatory biometric authentication adds an extra layer of security to ensure that only the rightful owner of the device can access sensitive information and perform critical operations.

Go to the policies page to enable this feature.