Device Containment
Device Containment
Device containment lets security teams lock managed endpoints (MDM) and network-isolate hosts (EDR) during account takeover or endpoint compromise investigations. Challenge orchestrates actions across configured connectors, records per-device outcomes (including unlock PINs when applicable), and exposes the capability through the Responder, MCP, and a signed webhook API.
Device containment complements session revocation, which addresses IdP and SaaS sessions, by targeting endpoint state.
Overview
When you trigger a containment action, Challenge:
- Resolves target device(s) using a lookup descriptor (email, hostname, or serial number).
- For EDR connectors without email mapping, optionally enriches lookups via enabled MDM connectors.
- Calls each provider’s lock or isolation API per matched device.
- Stores a device containment request with per-connector, per-device results.
- Reports the event on the Dashboard and (for completed requests) toward metered billing.
Supported connectors
| Connector | Integration key | Family | Lookup formats | Setup guide |
|---|---|---|---|---|
| Jamf Pro | jamf | MDM | email, hostname, serial, provider ID | Jamf |
| Kandji / Iru | kandji | MDM | email, hostname, serial, provider ID | Kandji / Iru |
| CrowdStrike Falcon | crowdstrike | EDR | hostname, serial, provider ID | CrowdStrike |
| Phorion | phorion | EDR | hostname, serial, provider ID | Phorion |
MDM + EDR together
EDR platforms often lack reliable user-email-to-device mapping. Configure both MDM and EDR connectors so Challenge can resolve a user’s devices from MDM, then run containment on matching hosts in CrowdStrike or Phorion. If you request containment by email against EDR only (no MDM enabled), Challenge returns an error asking for hostname or serial_number.
Prerequisites
- Owner, Admin, or Analyst role to run actions from Responder (Viewer is read-only). Owner or Admin configures connectors under Integrations.
- An active payment method on the tenant.
- Device containment enabled at the tenant level.
Enable device containment
- Log in at challenge.veraproof.io.
- Open Integrations → Device Containment.
- Click Enable Device Containment and confirm.
- Set When multiple devices match (
failorexecute all) and Max devices per request as needed. - Configure connector credentials and enable each integration tile.
Optional entry points
| Setting | Description |
|---|---|
| Allow containment via MCP integration | Requires devices:contain scope. See MCP Integration. |
| Allow containment via Webhook integration | Signed POST to the device-containment webhook. |
Webhook signing secret
When webhook integration is enabled, Challenge generates a signing secret (prefix dc_) and shows it once. Store it immediately in your SOAR secrets manager.
POST /api/v1/device-containment/webhookX-Device-Containment-Signature: sha256=<hex-digest>Example payload:
{ "tenant_id": "your-tenant-uuid", "action": "network_contain", "lookup": { "lookup_type": "hostname", "value": "alice-mac.corp.example" }, "reason": "SOAR containment", "integration_targets": ["crowdstrike"], "dry_run": false}Poll status: GET /api/v1/device-containment/requests/{request_id}?tenant_id=...
Actions
| Action | Family | Description |
|---|---|---|
lock_device | MDM | Remotely lock device; unlock using PIN returned in results (where applicable). |
network_contain | EDR | Isolate host from network (contain). |
release_containment | EDR | Lift network isolation. |
Containment outcomes
| Outcome | Meaning |
|---|---|
locked | MDM lock command accepted |
contained | EDR isolation initiated |
released | Containment lifted |
device_not_found | Lookup returned zero devices |
ambiguous | Multiple matches; policy blocked action (fail mode) |
dry_run | Resolve-only; no action taken |
failed | HTTP, auth, or configuration error |
Lock PINs appear in per-device result_metadata when the provider returns or requires them. Unlock devices using the PIN at the physical device; Challenge does not perform MDM unlock.
Test with Responder
See Responder — Device containment for step-by-step testing.
Billing
Completed device containment requests (excluding dry runs and failed requests) count as one metered usage event each, combined with challenges and session revocations toward your tier limit. Your Billing page shows a breakdown including Device Containment.
Dry-run requests resolve targets without taking action and are not billed. See Upgrading Pricing Tiers for tier limits and overage behavior.
Troubleshooting
| Symptom | Check |
|---|---|
mdm_required_for_email_lookup | Enable an MDM connector or pass hostname/serial for EDR |
ambiguous | Narrow lookup to hostname/serial or set policy to execute all (with care) |
device_not_found | Verify device exists in provider inventory |
http_403 | API credentials lack required scopes |
| Missing lock PIN | Check connector guide; Kandji returns PIN in API response, Jamf uses Challenge-generated PIN |
Related guides
- Dashboard & Metrics — Containment statistics and activity
- Responder
- Session Revocation
- MCP Integration
Support
Contact [email protected].