About access policies in EPM macOS

Access policies in EPM macOS control which applications users are allowed to execute on their devices, based on criteria defined by the administrator. These policies are composed of access lists (Allowlist/Denylist) and can include additional rules such as approval requests and session recording.

Registering policies

Policies can be registered using the following segregation levels:

  • General: policies applied to all devices with EPM macOS active.
  • Devices: policies applied to specific devices.
  • Users: policies applied to specific users.

Segregation defines the scope of the policy and can be combined with different rules and actions.

Order of precedence of policies

When multiple access policies apply to the same execution scenario, EPM macOS adopts an order of precedence based on the type of segregation. Policies configured by device take priority over general policies.

This approach ensures that more specific rules prevail over global ones, allowing for more granular and secure control over access. If the same application is present in different lists, the policy associated with the device will be considered first by the system.

Available actions

Access policies allow the following actions to be configured for each item in the list:

  • Allow with approval workflow
  • Request approval
  • Allow with session recording
  • Deny with alert

Example use case

An access policy can be used to:

  • Allow only the corporate browser.
  • Block utilities such as Terminal.app.
  • Require approval before launching code editors.
  • Record sessions for sensitive applications.