Device Containment — Phorion
Challenge isolates and releases Phorion-managed macOS endpoints using your tenant-specific Phorion API. Phorion does not support email-based lookup — use hostname or serial_number, or enable an MDM connector for email enrichment.
Credentials
- In Phorion, create an API key with read:devices and create:tasks permissions.
- Copy your tenant API server URL (for example, https://api.veraproof.phorion.io).
- In Challenge, open Integrations → Device Containment → Phorion.
- Set Tenant API URL and API key.
- Enable the integration and save.
Authentication uses Authorization: phorion_{api_key}.
API calls Challenge makes
| Step | Method | Endpoint | Expected status |
|---|---|---|---|
| List/search | GET | /devices | 200 |
| Isolate | POST | /devices/{serial_number}/isolation (body: true) | 200 |
| Release | POST | /devices/{serial_number}/isolation (body: false) | 200 |
List responses include items[] with hostname, serial_number, and pagination via pagination_token.
Least-privilege guidance
| Permission | Purpose |
|---|---|
| read:devices | Device lookup |
| create:tasks | Isolate / release actions |

| Lookup type | Supported |
|---|---|
| hostname | Yes (search/filter) |
| serial_number | Yes |
| provider_device_id | Serial number |
| user_email | No (use MDM enrichment or hostname/serial) |
Email enrichment
Configure Jamf or Kandji alongside Phorion so Challenge can resolve email → hostname/serial before calling Phorion.
Actions
| Challenge action | Phorion isolation body |
|---|---|
| network_contain | true |
| release_containment | false |
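
An added example (not Challenge's or Phorion's own code) of the lookup-then-isolate flow described above: it pages through GET /devices, refuses to act unless the hostname maps to exactly one serial number, and then POSTs the isolation body. Assumptions: the pagination token is sent back as a pagination_token query parameter, the body is sent as JSON, and all function names are hypothetical.

```python
import json
from urllib import error, parse, request

ACTIONS = {"network_contain": True, "release_containment": False}  # Actions table

def http_send(method, url, headers, body=None):
    """Default transport: returns (status, parsed JSON or None)."""
    # "is None" matters: the release body is a literal false and must be sent
    data = None if body is None else json.dumps(body).encode()
    req = request.Request(url, data=data, method=method, headers=headers)
    try:
        with request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return resp.status, json.loads(raw) if raw else None
    except error.HTTPError as exc:
        return exc.code, None  # e.g. 404 (not enrolled) or 422 (bad filter/body)

def find_serial(base_url, api_key, hostname, send=http_send):
    """Page through GET /devices; return the one serial matching hostname."""
    headers = {"Authorization": f"phorion_{api_key}"}
    matches, token, seen = set(), None, set()
    while True:
        url = f"{base_url}/devices"
        if token:  # assumption: the token is echoed back as a query parameter
            url += "?" + parse.urlencode({"pagination_token": token})
        status, page = send("GET", url, headers)
        if status != 200:
            raise RuntimeError(f"http_{status}")
        for dev in page.get("items", []):
            if dev.get("hostname", "").lower() == hostname.lower():
                matches.add(dev["serial_number"])
        token = page.get("pagination_token")
        if not token or token in seen:  # last page, or a repeating token
            break
        seen.add(token)
    if len(matches) != 1:  # fail closed: never act on a missing/ambiguous name
        raise LookupError(f"{hostname}: {len(matches)} matching devices")
    return matches.pop()

def apply_action(base_url, api_key, hostname, action, send=http_send):
    """Resolve hostname to serial, then POST the isolation body (true/false)."""
    serial = find_serial(base_url, api_key, hostname, send)
    headers = {"Authorization": f"phorion_{api_key}",
               "Content-Type": "application/json"}  # assumption: JSON body
    url = f"{base_url}/devices/{parse.quote(serial, safe='')}/isolation"
    status, _ = send("POST", url, headers, ACTIONS[action])
    if status != 200:
        raise RuntimeError(f"http_{status}")
    return serial
```

Pass a stub as `send` to exercise the flow against canned responses before pointing it at a tenant.
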
Troubleshooting
| Symptom | Check |
|---|---|
| mdm_required_for_email_lookup | Enable MDM or pass serial/hostname |
| http_404 | Serial not enrolled in Phorion |
| http_422 | Invalid filter or request body |