
Clientless Zero Trust: Solving for Unmanaged Devices

The “Aura Pay” contractors present the hardest problem in our M&A scenario: how do you trust a device you don’t own?

We solved this with Context-Aware Access Policies and Remote Browser Isolation (RBI).

In Cloudflare Access, we defined a policy specifically for the Aura Pay group.

  • Who: Users with email domain @aurapy.io
  • Authentication: One-Time Pin (OTP) sent to email.
  • Device Posture: “Unmanaged” (No WARP client detected).

If a user matches this policy, they are granted access, but with a catch: they are routed through Remote Browser Isolation (RBI).

For unmanaged devices, the internal application doesn’t load in the user’s local browser. Instead, it renders in a headless Chromium instance running on Cloudflare’s edge. Rather than streaming raw pixels (which would be bandwidth-heavy and laggy), Cloudflare uses Network Vector Rendering (NVR)—a proprietary technology that intercepts the browser’s Skia draw commands, tokenises and compresses them, then transmits these lightweight vector instructions to the user’s local browser for reconstruction. The result is a near-native browsing experience with a fraction of the bandwidth.

This creates a practical air gap.

  • No Data Exfiltration: Copy/Paste, Printing, and File Downloads are disabled via policy. A contractor can view data but cannot copy it to their personal clipboard.
  • No Malware Upload: Even if the contractor’s personal laptop is compromised, untrusted code never executes on the application origin—NVR ensures only draw commands, not web content, cross the boundary.

For Vera’s own staff, such as Sarah, who have managed laptops, the policy detects the Cloudflare WARP client, which reports device health (Disk Encryption: ON, Firewall: ON).

  • If Healthy: Direct access (no isolation needed).
  • If Unhealthy: Immediate block, with instructions to enable encryption.

This dynamic evaluation happens on every request, not just at login. If Sarah disables her firewall mid-session, her access is revoked instantly.
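The decision logic described above, modelled in Python as an added example (it is not Cloudflare's API or configuration, and not code from this article). The staff domain `vera.example`, the `otp`/`sso` labels, the control names and the default-deny fallback are assumptions made for illustration.

```python
from dataclasses import dataclass

CONTRACTOR_DOMAIN = "aurapy.io"   # domain stated on the page
STAFF_DOMAIN = "vera.example"     # assumption: placeholder, the page gives no staff domain
ISOLATION_CONTROLS = ("copy_paste_off", "print_off", "download_off")  # assumed names

@dataclass(frozen=True)
class Request:
    email: str
    auth: str                     # "otp" or "sso" (labels are assumptions)
    warp: bool                    # WARP client detected on the device
    disk_encrypted: bool = False  # posture reported by WARP
    firewall_on: bool = False

@dataclass(frozen=True)
class Decision:
    action: str                   # "allow" | "isolate" | "block"
    reason: str
    controls: tuple = ()

def evaluate(req: Request) -> Decision:
    """Decide one request from its current signals; nothing is cached from login."""
    # Exact match on the part after the last "@", so look-alike suffixes do not match.
    domain = req.email.rpartition("@")[2].lower()
    if domain == CONTRACTOR_DOMAIN and req.auth == "otp" and not req.warp:
        return Decision("isolate", "unmanaged contractor device", ISOLATION_CONTROLS)
    if domain == STAFF_DOMAIN and req.warp:
        if req.disk_encrypted and req.firewall_on:
            return Decision("allow", "managed device is healthy")
        failed = [n for n, ok in (("disk encryption", req.disk_encrypted),
                                  ("firewall", req.firewall_on)) if not ok]
        return Decision("block", "enable " + " and ".join(failed))
    # Assumption: anything that matches no policy is denied.
    return Decision("block", "no policy matched")

def replay(session):
    """Evaluate every request in order, as the per-request model requires."""
    return [evaluate(r).action for r in session]

# Constructed session: Sarah turns her firewall off before the second request.
SARAH = [Request("sarah@vera.example", "sso", True, True, True),
         Request("sarah@vera.example", "sso", True, True, False)]

if __name__ == "__main__":
    print(replay(SARAH))  # ['allow', 'block']
```

Because `evaluate` takes only the current request's signals, the second request in the session is blocked even though the first was allowed.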