Available in: Duo Access and Duo Beyond
The operating systems policy settings allow you to control which operating systems and versions are allowed to access your applications when protected by Duo's browser-based authentication prompt, while also encouraging users running older operating systems to update to the latest version.
The default settings allow access, authentication, and enrollment from browsers on all Duo supported operating systems, mobile platforms, and versions with no warnings. You may block all versions of any of the OS platforms listed in the policy editor: Mac OS X (macOS), Windows, iOS, Android, Linux, Chrome OS, BlackBerry, and Windows Phone. Duo offers more granular blocking options for the Mac OS X, Windows, iOS, and Android operating systems, like blocking access below a certain version and warning the user that they need to update to an approved version instead of blocking access outright.
Scroll down in the policy editor to see all OS options.
Enable the "Warn users if their version is below ..." option to show a warning notification during authentication or enrollment from an out-of-date operating system. The user may disregard the warning and continue with authentication. For example, you may choose to warn users with Windows versions "below 8.1". A user accessing your application from a Windows 8 PC sees a warning at the bottom of the Duo prompt. Clicking "Let's update it" provides the user with information on how to update the operating system. Users can proceed past the warning by clicking "Skip".
Enabling any operating system restriction blocks users from completing authentication or new user enrollment from the disallowed OS (or OS version). To continue the previous example, choosing to block (instead of warn) users with Windows versions "below 8.1" prevents authentication or enrollment for any user trying to access your application from a Windows 8 computer. Users can't proceed past the out-of-date software notification.
If you select "Block all versions" for "Windows" in the policy editor, then users accessing your application from any version of Windows are blocked.
The Android and iOS mobile platforms can also be restricted to a minimum allowed version or blocked entirely. Blocking any version of a mobile OS platform, e.g. iOS or Android, not only restricts access to resources from browsers on those OS platforms or versions, but also prevents use of Duo Mobile to approve Duo Push requests or generate usable passcodes on devices running the restricted OS. If you were to block iOS versions "below 9.0" then any users with Apple devices running iOS 8.0 or lower can no longer use Duo Push or app-generated passcodes. If a user has additional activated devices running a different mobile platform, the functionality of those other devices is not affected.
When a mobile device operating system or version is restricted, users see a message in the browser-based Duo Prompt.
Duo Mobile also notifies the user that the mobile platform or version is not allowed when attempting to approve the Duo Push request.
Passcodes from a hardware token or received via SMS are allowed, as are phone call authentications, but entering a passcode generated by Duo Mobile on any device running the restricted platform results in an error stating that platform is not permitted.
As an example scenario, if you select "Block all versions" for the "Windows Phone" platform then your iOS, Android, and BlackBerry users continue to receive and approve Duo Push requests, and can also authenticate with SMS passcodes, application passcodes, hardware tokens, or over the phone. Your Windows Phone users can only use SMS passcodes to authenticate, approve a login via phone call, or use a hardware token passcode. If you wanted to completely prevent any use of Windows Phone to approve authentications, you'd also need to disable the "Phone callback" and "SMS passcodes" options in the Authentication Methods policy setting. Keep in mind that disabling phone and SMS authentication affects authentication for all users, no matter what mobile OS they use.
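The warn, block, and mobile-factor rules described above can be checked against a small model before changing a live policy. The following Python sketch is an added example, not Duo's code or API: the names OsRule, evaluate, SAMPLE_POLICY and the factor labels are hypothetical, and the model covers only the behaviour this page states.

```python
from dataclasses import dataclass
from typing import Optional

def parse_version(text):
    """'8.1' -> (8, 1, 0); tuples compare numerically, so 10.0 > 9.3."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

@dataclass
class OsRule:  # hypothetical stand-in for one platform's policy settings
    block_all: bool = False
    block_below: Optional[str] = None  # deny versions lower than this
    warn_below: Optional[str] = None   # warn, but the user may skip

    def check(self, version):
        v = parse_version(version)
        if self.block_all:
            return "deny"
        if self.block_below and v < parse_version(self.block_below):
            return "deny"
        if self.warn_below and v < parse_version(self.warn_below):
            return "warn"
        return "allow"

# Factors that run inside Duo Mobile on the phone itself (labels are assumed).
APP_FACTORS = {"push", "duo_mobile_passcode"}

# Constructed sample policy mirroring the examples on this page.
SAMPLE_POLICY = {
    "Windows": OsRule(warn_below="8.1"),
    "iOS": OsRule(block_below="9.0"),
    "Windows Phone": OsRule(block_all=True),
}

def evaluate(policy, browser_os, browser_version, factor,
             device_os=None, device_version=None):
    """Return 'allow', 'warn' or 'deny' for one authentication attempt."""
    # Default policy: a platform without a rule is allowed with no warning.
    result = policy.get(browser_os, OsRule()).check(browser_version)
    if result == "deny":
        return "deny"
    # A restricted mobile OS also blocks Duo Mobile factors on that device;
    # SMS, phone call and hardware token passcodes are not affected.
    if factor in APP_FACTORS and device_os is not None:
        if policy.get(device_os, OsRule()).check(device_version) == "deny":
            return "deny"
    return result
```

Replacing the Windows rule with OsRule(block_below="8.1") turns the Windows 8 result from "warn" into "deny", which is the difference between the warn and block options described earlier.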