How to create a user-based access policy

This document guides you through creating a user-based access policy in EPM macOS, allowing you to apply rules for executing applications to specific accounts.

Access path

1. On Segura® Platform, in the navigation bar, hover over the Product menu and select EPM.
2. In the side menu, select Policies > macOS > Access Policies.
3. Click Add to start a new policy.

Segregation screen

1. On the Segregation screen, select the Users option.
2. Click Continue.

General tab

1. Fill in the following fields:
   • Category*: select Applications.
   • Name*: enter a representative name for the policy.
   • Status*: check Enabled to apply it immediately.
   • Action*: select the main action of the policy:
     • Allowlist: allows only the defined applications.
     • Denylist: blocks the defined applications.
2. Click Continue to proceed.

Applications tab

On this tab, define the policy rules and enable session recording if necessary.

1. To record user activities during application usage, enable the Record session for these applications option.
2. In Strategy, select how the criteria will be evaluated:
   • Match any: the policy is applied if any criterion is met.
   • Match all: the policy is applied only if all criteria are met.
3. In the New table, add rows and configure:
   • CRITERIA (left column) and RULE (right column).
   • Click Add to insert a new rule.
4. Add rules using the following criteria:
   • Application Name: The name of the application you want to allow or block.
   • Bundle Identifier: The unique identifier of the application package.
   • Code Signature: The digital signature of the application, used to verify authenticity and integrity.
   • Path (Installation Path): The full path in the file system to the application’s executable.
   • Developer Identity: The developer or organization that signed the application.
   • Version: The specific version of the application you want to allow or block.
   • Sha256 Executable Hash: SHA-256 hash of the executable, used to verify file integrity.
   • SHA512 Executable Hash: SHA-512 hash of the executable, used to verify file integrity.
   • Executable Name: The name of the executable file; may optionally include arguments to target specific executions.
   • Application Category: The category/type of the app (e.g., Productivity, Games, Entertainment).
   • Username (User): The local account under which the application runs.
   • Arguments: Command-line parameters required or expected during the app execution.

5. Click Continue.

Workflow tab

The Workflow tab will only be displayed if you have selected Allowlist as the main action of the policy.

Elevation settings

1. Check Require justification to elevate applications to require the user to provide a reason for the request.
2. Check Require approval to elevate applications if you want the elevation to depend on approval.

If approval is enabled, also configure:

3. Approvals required: minimum number of approvals to release execution.
4. Rejections required to cancel: number of rejections that will end the request.
5. Approval in levels: enables chained approval logic with multiple levels.

Access request settings

1. Check Require governance code when justifying? if you want to require this field.
2. Check Always add the user’s manager to the approvers? to automatically include the requester’s manager in the flow.
3. Click Continue to proceed to the next step.

Users tab

1. The Users tab displays a table with registered accounts.
2. Click Add.
3. In the displayed window, check the desired users.
4. Use the search field to locate by name, domain, or ID.
5. Click Add in the lower corner of the window.
6. The selected users will be listed in the table.
7. Click Continue to proceed.

Review tab

1. Review all policy information.
2. If everything is correct, click Save to complete the registration.