Skip to content

Device Containment

Device Containment

Device containment lets security teams lock managed endpoints (MDM) and network-isolate hosts (EDR) during account takeover or endpoint compromise investigations. Challenge orchestrates actions across configured connectors, records per-device outcomes (including unlock PINs when applicable), and exposes the capability through the Responder, MCP, and a signed webhook API.

Device containment complements session revocation, which addresses IdP and SaaS sessions, by targeting endpoint state.

Overview

When you trigger a containment action, Challenge:

  1. Resolves target device(s) using a lookup descriptor (email, hostname, or serial number).
  2. For EDR connectors without email mapping, optionally enriches lookups via enabled MDM connectors.
  3. Calls each provider’s lock or isolation API per matched device.
  4. Stores a device containment request with per-connector, per-device results.
  5. Reports the event on the Dashboard and (for completed requests) toward metered billing.

Supported connectors

ConnectorIntegration keyFamilyLookup formatsSetup guide
Jamf ProjamfMDMemail, hostname, serial, provider IDJamf
Kandji / IrukandjiMDMemail, hostname, serial, provider IDKandji / Iru
CrowdStrike FalconcrowdstrikeEDRhostname, serial, provider IDCrowdStrike
PhorionphorionEDRhostname, serial, provider IDPhorion

MDM + EDR together

EDR platforms often lack reliable user-email-to-device mapping. Configure both MDM and EDR connectors so Challenge can resolve a user’s devices from MDM, then run containment on matching hosts in CrowdStrike or Phorion. If you request containment by email against EDR only (no MDM enabled), Challenge returns an error asking for hostname or serial_number.

Prerequisites

  • Owner, Admin, or Analyst role to run actions from Responder (Viewer is read-only). Owner or Admin configures connectors under Integrations.
  • An active payment method on the tenant.
  • Device containment enabled at the tenant level.

Enable device containment

  1. Log in at challenge.veraproof.io.
  2. Open IntegrationsDevice Containment.
  3. Click Enable Device Containment and confirm.
  4. Set When multiple devices match (fail or execute all) and Max devices per request as needed.
  5. Configure connector credentials and enable each integration tile.

Optional entry points

SettingDescription
Allow containment via MCP integrationRequires devices:contain scope. See MCP Integration.
Allow containment via Webhook integrationSigned POST to the device-containment webhook.

Webhook signing secret

When webhook integration is enabled, Challenge generates a signing secret (prefix dc_) and shows it once. Store it immediately in your SOAR secrets manager.

POST /api/v1/device-containment/webhook
X-Device-Containment-Signature: sha256=<hex-digest>

Example payload:

{
"tenant_id": "your-tenant-uuid",
"action": "network_contain",
"lookup": { "lookup_type": "hostname", "value": "alice-mac.corp.example" },
"reason": "SOAR containment",
"integration_targets": ["crowdstrike"],
"dry_run": false
}

Poll status: GET /api/v1/device-containment/requests/{request_id}?tenant_id=...

Actions

ActionFamilyDescription
lock_deviceMDMRemotely lock device; unlock using PIN returned in results (where applicable).
network_containEDRIsolate host from network (contain).
release_containmentEDRLift network isolation.

Containment outcomes

OutcomeMeaning
lockedMDM lock command accepted
containedEDR isolation initiated
releasedContainment lifted
device_not_foundLookup returned zero devices
ambiguousMultiple matches; policy blocked action (fail mode)
dry_runResolve-only; no action taken
failedHTTP, auth, or configuration error

Lock PINs appear in per-device result_metadata when the provider returns or requires them. Unlock devices using the PIN at the physical device; Challenge does not perform MDM unlock.

Test with Responder

See Responder — Device containment for step-by-step testing.

Billing

Completed device containment requests (excluding dry runs and failed requests) count as one metered usage event each, combined with challenges and session revocations toward your tier limit. Your Billing page shows a breakdown including Device Containment.

Dry-run requests resolve targets without taking action and are not billed. See Upgrading Pricing Tiers for tier limits and overage behavior.

Troubleshooting

SymptomCheck
mdm_required_for_email_lookupEnable an MDM connector or pass hostname/serial for EDR
ambiguousNarrow lookup to hostname/serial or set policy to execute all (with care)
device_not_foundVerify device exists in provider inventory
http_403API credentials lack required scopes
Missing lock PINCheck connector guide; Kandji returns PIN in API response, Jamf uses Challenge-generated PIN

Support

Contact [email protected].