Ramsdata

One of the most common gaps in security policies goes something like this: the organization has strict rules for endpoint protection – antivirus required, up-to-date systems, disk encryption – but there is no mechanism that actually verifies that these conditions are met before every network connection. A device that passed an audit a year ago may today have antivirus disabled and three months of delayed updates. OPSWAT MetaAccess is a next-generation NAC (Network Access Control) solution that solves this problem by continuously verifying device compliance.

Table of contents

  1. What is Network Access Control and why does it matter?
  2. How does OPSWAT MetaAccess work?
  3. What parameters are verified before access?
  4. MetaAccess in BYOD and remote working environments
  5. Integration with existing security infrastructure
  6. Reports and compliance – what does the administrator see?
  7. Key findings
  8. FAQ
  9. Summary

What is Network Access Control and why does it matter?

Network Access Control (NAC) is a category of solutions that control devices’ access to the corporate network based on their security status. The basic idea is simple: before a device can access network resources, it must prove that it meets defined security requirements. Granting access without this verification amounts to blind trust, and it is one of the main ways attackers get into a network.

Classic NAC solutions have focused on identity (who is connecting) and network location (from which segment). OPSWAT MetaAccess extends this verification to include the compliance status of the device – whether it meets all security requirements at the time of connection, not just at initial registration. This is the Zero Trust approach: “never trust, always verify”, and verify at every connection, not just the first time.

How does OPSWAT MetaAccess work?

MetaAccess runs through an agent installed on endpoints (Windows, macOS, Linux, iOS, Android) or in agentless mode for devices that cannot host an agent. The agent performs a scan of the device before connecting and reports the results to the MetaAccess server, which makes access decisions based on defined policies.

The access decision can be binary (allow/block) or granular – a device that does not meet the full requirements can be given limited access to the remediation network, where it has the opportunity to automatically repair itself (download updates, run scans). After repair, the agent performs a re-verification and the device gets full access.

Integration with NAC and endpoint security solutions creates a comprehensive access control layer for both local and remote environments.

What parameters are verified before access?

MetaAccess verifies a wide range of endpoint security parameters. In the area of protection: the presence and activity of an antivirus solution (MetaAccess supports more than 4,500 security products through the OPSWAT engine), whether its signatures are up to date, the status of the host firewall, the presence of an anti-malware solution.

In the update area: status of operating system updates (Windows Update, macOS Software Update), presence of critical patches, operating system version (blocking obsolete systems such as Windows 7).

In the configuration area: disk encryption (BitLocker, FileVault), lock screen password configuration, presence of unauthorized software (shadow IT), configuration of Bluetooth and other wireless interfaces.

In the identity and device area: device certificate verification, domain membership, MDM agent version, hardware properties.
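The decision model described above (full access, block, or limited access to a remediation network followed by re-verification), as an added example; it is not OPSWAT code and does not use the MetaAccess API. The report fields, the signature-age threshold and the split between self-repairable and blocking checks are assumptions made for illustration.

```python
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    REMEDIATE = "remediation-network"
    BLOCK = "block"

MAX_SIGNATURE_AGE_DAYS = 3  # assumed policy threshold, not a product default

# check name -> (predicate over the posture report, can the device repair it itself?)
# The self-repairable split is a hypothetical policy choice.
CHECKS = {
    "os_supported":     (lambda r: r["os_supported"] is True, False),
    "device_cert":      (lambda r: r["cert_valid"] is True, False),
    "disk_encryption":  (lambda r: r["disk_encrypted"] is True, False),
    "antivirus_active": (lambda r: r["av_running"] is True, True),
    "av_signatures":    (lambda r: 0 <= r["av_signature_age_days"] <= MAX_SIGNATURE_AGE_DAYS, True),
    "host_firewall":    (lambda r: r["firewall_on"] is True, True),
    "critical_patches": (lambda r: r["pending_critical_patches"] == 0, True),
}

def evaluate(report):
    """Return (Decision, failed check names) for one connection attempt."""
    failed, blocking = [], False
    for name, (predicate, self_repairable) in CHECKS.items():
        try:
            ok = predicate(report)
        except (KeyError, TypeError):
            # Missing or malformed field: fail closed, never assume compliance.
            ok, self_repairable = False, False
        if not ok:
            failed.append(name)
            blocking = blocking or not self_repairable
    if not failed:
        return Decision.ALLOW, failed
    return (Decision.BLOCK if blocking else Decision.REMEDIATE), failed

# Constructed sample report: a laptop with stale signatures and pending patches.
laptop = {"os_supported": True, "cert_valid": True, "disk_encrypted": True,
          "av_running": True, "av_signature_age_days": 90,
          "firewall_on": True, "pending_critical_patches": 4}

def reverify_after_repair(report):
    """Simulate the remediation network: updates applied, then a second scan."""
    repaired = dict(report, av_signature_age_days=0, pending_critical_patches=0)
    return evaluate(repaired)

if __name__ == "__main__":
    print(evaluate(laptop))                # limited access, two failed checks
    print(reverify_after_repair(laptop))   # full access after re-verification
    print(evaluate({"av_running": True}))  # incomplete report is blocked
```

An incomplete report is treated as non-compliant rather than skipped, so an agent that stops reporting a field cannot raise a device's access level.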

MetaAccess in BYOD and remote working environments

Remote working and BYOD (Bring Your Own Device) policies dramatically expand the attack surface – employees’ private devices are not subject to central configuration policies and can have any security state. MetaAccess addresses this scenario through agentless mode or a lightweight agent installed through a self-service portal.

Before connecting via VPN or accessing a web application, a user with BYOD goes through a MetaAccess compliance check – either in the browser or via a lightweight application. If the device is not compliant (e.g., no up-to-date antivirus), the user sees a clear message with information on what to fix and how to do it. The combination with next-generation VPN solutions provides consistent verification for all remote connection scenarios.

Integration with existing security infrastructure

MetaAccess is not an isolated solution – it integrates with existing infrastructure via standard protocols and native connectors. Integration with VPN solutions (Cisco ASA, Palo Alto, Fortinet, Pulse Secure and others) allows enforcement of MetaAccess policies as a condition of VPN connectivity. Integration with 802.1X systems and wireless network controllers enables verification when connecting to a corporate network.

OPSWAT MetaAccess also integrates with popular MDM systems (Microsoft Intune, Jamf, VMware Workspace ONE) – it can import management status from MDM as one of its compliance criteria. Integration with SIEM (Splunk, Microsoft Sentinel) exports verification logs for central security analysis.

Reports and compliance – what does the administrator see?

The MetaAccess administration console gives the administrator full visibility of the compliance status of the entire device fleet. The dashboard shows compliance percentages for specific requirements – for example, “83% of devices have up-to-date antivirus” – with the ability to drill down to a list of non-compliant devices and specific users.

Historical reports show the trend of compliance over time – important for security audits and to show progress on endpoint improvement. Real-time alerts notify you of devices that have lost compliance after access. Reports export to PDF/CSV formats for regulatory compliance (ISO 27001, NIS2, GDPR).

Key findings

  • OPSWAT MetaAccess verifies devices’ compliance with security policies before each connection to the network – not just the first time they register.
  • Verification includes: antivirus, firewall, OS updates, disk encryption, device certificates and hundreds of other parameters.
  • Agentless and lightweight agent modes support BYOD environments without the need for full device management.
  • Integration with VPN, 802.1X and MDM allows compliance policies to be enforced with any type of connection.
  • The administration console gives visibility into the compliance status of the entire fleet with historical reports for audits.

FAQ

Can MetaAccess block mobile device access? Yes – MetaAccess supports iOS and Android both in agent mode (MetaAccess app) and through integration with MDM (Microsoft Intune, Jamf).

How does MetaAccess support OT/IoT devices without the ability to install an agent? MetaAccess offers an agentless mode based on network scanning and device fingerprinting, which gives visibility into device status without an agent.

How long does a compliance scan take before connecting? A MetaAccess scan usually takes a few seconds – to the user it is virtually unnoticeable during a normal connection.

Does MetaAccess support the NIST Zero Trust Architecture standard? Yes – MetaAccess implements the key Zero Trust pillar of device health verification and is supported as a ZTNA component by major security vendors.

Summary

OPSWAT MetaAccess turns endpoint security policy from a document into a real-world enforced requirement – each device must prove compliance before accessing the network, not just once at configuration. This is a fundamental difference for the security of environments with remote and BYOD work. Contact Ramsdata to learn how OPSWAT can strengthen access control in your organization.
