
Configuring UniFi Endpoint For Zero-Trust Network Access (ZTNA)

UniFi Endpoint is an app that streamlines how users interact with UniFi services across multiple sites directly from their PC or mobile device. By combining centralized Fabric-level permissions with secure, identity-based authentication, UniFi Endpoint provides seamless access to WiFi, VPN, and Door Access while enforcing zero-trust network policies.

Requirements

Before configuring UniFi Endpoint Services, ensure the following are in place:

What is UniFi Endpoint?

UniFi Endpoint serves as the central location for users to interact with UniFi services across any site they are granted permission to, directly from their PC or mobile device.

When an Identity Provider (IdP) is bound to the Fabric, UniFi Endpoint provides additional security benefits by enforcing SAML-based authentication, including MFA if configured. This ensures access is granted only after identity verification, aligning with zero-trust security principles.

Available UniFi Endpoint Services

  • One-Click WiFi for seamless, secure WiFi access across applicable sites using identity-based authentication—eliminating the need for per-site credentials or manual onboarding.
  • One-Click VPN which allows users to connect to authorized networks across sites while enforcing centralized, zero-trust access policies.
  • Smart Door Access to grant physical access to doors across applicable sites, ensuring consistent access control without maintaining site-specific credentials.

Enabling UniFi Endpoint Services

To enable UniFi Endpoint services:

  1. Go to Site Manager.
  2. Select a Fabric.
  3. Navigate to Settings > Identity.
  4. Select the UniFi Endpoint service(s) to enable. See UniFi Endpoint Configuration Options below for more details on available settings.
  5. By default, all sites are included. To limit availability, select specific sites.
  6. Add people to your Fabric and assign them permissions to use UniFi Endpoint. See Managing UniFi Fabric People, Roles, and Permissions for more information.

UniFi Endpoint Configuration Options

One-Click WiFi

  • WiFi Name: Specifies the SSID that will be provisioned across selected sites and authenticated using the Endpoint app.

One-Click VPN

  • Split Tunnel Routing: By default, all traffic is routed through the One-Click VPN. Split tunneling allows you to specify which traffic traverses the VPN, reducing load on corporate infrastructure and improving performance for traffic that does not require VPN access.

Smart Door Access

  • Credential Types: Select which credential types are available for assignment in the Fabric’s People tab and usable through the Endpoint app.
    • NFC Card
    • Mobile Unlock
    • Face Unlock
    • PIN
    • Hand Wave
    • QR Code
  • Remote Unlock: Allows users to unlock doors remotely through the Endpoint app, even when not physically near the door. This option is disabled by default to maintain maximum security.

UniFi Endpoint Email Invite

  • Send Automatically To New People: Once a role and/or permission is assigned for a UniFi Endpoint service, an email is automatically sent to onboard the user.
  • Require 2FA Code: The onboarding email will include a 2FA code that must be used when onboarding to the Endpoint app.
  • Invite Expiration: Configure the onboarding email expiration time (default 30 days).