How to create a device-based access policy


This document guides you through creating an access policy in EPM macOS with device-based segregation, allowing you to apply application and command execution rules to specific machines.

Access path

  1. In Segura, on the navigation bar, hover over the Product Menu and select EPM.
  2. In the side menu, select Policies > macOS > Access Policies.
  3. Click Add to start a new policy.

Segregation screen

  1. On the Segregation screen, select the Device option.
  2. Click Continue.

General tab

  1. Fill in the following fields:
    • Category: select Applications
    • Name: define a representative name for the policy
    • Status: check Enabled to activate immediately
    • Action: select the default action of the policy:
      • Allowlist: only the defined applications are allowed
      • Denylist: the defined applications are blocked
  2. Click Continue to proceed to the next step.

Applications tab

On this tab, define the policy rules and, if necessary, enable session recording.

  1. To record user activity while using applications, enable the Record session for these applications option.
  2. Enable the Segura Intelligence Suggestions to allow administrators to gain insights from Segura AI regarding the accuracy and effectiveness of this policy.
  3. Choose how the criteria will be evaluated:
    • Match any: the policy will be applied if any of the criteria are met
    • Match all: the policy will be applied only if all the criteria are met
  4. Add rules based on attributes such as:
    • Application Name
    • Bundle Identifier
    • Code Signature
    • Path
    • Developer Identity
    • Version
    • SHA256
    • SHA512
    • Executable Name
    • Application Category
    • User
    • Arguments
  5. Use the Add button to register each criterion.
  6. Click Continue.
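As an added illustration (not Segura's code or documentation), the following Python models how the Action chosen on the General tab, the Match any / Match all setting and the criteria registered on this tab combine into an allow or block decision; the attribute names follow this page, while the application records, rule values and executable bytes are constructed samples.

```python
import hashlib

# Constructed model of the policy fields described on this page; it is an
# added illustration, not Segura's implementation. Rule attributes use the
# Applications tab names (Bundle Identifier, SHA256, ...).

def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of an executable's bytes (the value a SHA256 rule pins)."""
    return hashlib.sha256(data).hexdigest()

def rule_matches(attribute: str, expected: str, app: dict) -> bool:
    """One criterion: the app's attribute must equal the expected value.
    Hashes compare case-insensitively; a missing attribute never matches."""
    actual = app.get(attribute)
    if actual is None:
        return False
    if attribute in ("SHA256", "SHA512"):
        return actual.lower() == expected.lower()
    return actual == expected

def criteria_match(rules: list, match_mode: str, app: dict) -> bool:
    """Combine criteria with the Applications tab setting: any or all."""
    if not rules:
        return False  # a policy with no criteria matches nothing
    results = [rule_matches(attr, value, app) for attr, value in rules]
    if match_mode == "Match any":
        return any(results)
    if match_mode == "Match all":
        return all(results)
    raise ValueError(f"unknown match mode: {match_mode}")

def decide(action: str, rules: list, match_mode: str, app: dict) -> str:
    """Apply the General tab action: Allowlist allows only matched apps,
    Denylist blocks matched apps and allows everything else."""
    matched = criteria_match(rules, match_mode, app)
    if action == "Allowlist":
        return "allow" if matched else "block"
    if action == "Denylist":
        return "block" if matched else "allow"
    raise ValueError(f"unknown action: {action}")

# Constructed sample: a known-good copy of a tool and a modified copy that
# keeps the same bundle identifier but has different executable bytes.
GOOD_BYTES = b"constructed-binary-v1"
MODIFIED_BYTES = b"constructed-binary-v1-modified"
GOOD_APP = {"Bundle Identifier": "com.example.tool", "SHA256": sha256_hex(GOOD_BYTES)}
MODIFIED_APP = {"Bundle Identifier": "com.example.tool", "SHA256": sha256_hex(MODIFIED_BYTES)}
RULES = [("Bundle Identifier", "com.example.tool"), ("SHA256", sha256_hex(GOOD_BYTES))]

if __name__ == "__main__":
    for mode in ("Match any", "Match all"):
        print(mode, decide("Allowlist", RULES, mode, GOOD_APP),
              decide("Allowlist", RULES, mode, MODIFIED_APP))
```

Running it shows why the match mode matters for an Allowlist: under Match all the modified copy is blocked because its SHA256 no longer matches, while under Match any the bundle identifier alone is enough to let it run.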

Workflow tab

The Workflow tab will only be displayed if Allowlist is selected as the main action of the policy.
Define Just-in-Time (JIT) privilege elevation rules based on configurable approval flows.

Elevation settings

  1. Check User can elevate applications to allow the user to start the elevation process.
  2. Check Require reason to elevate applications to require the user to provide a justification.
  3. Check Require approval to elevate applications if you want elevation to depend on approval.

If approval is enabled, also configure:

  1. Approvals required: minimum number of approvals to allow execution.
  2. Disapprovals required to cancel: number of rejections that end the request.
  3. Approval in levels: activates chained approval logic with multiple levels.

Access request settings

  1. Check Governance ID required when justifying? if you want to require this field.
  2. Check Always add user manager to approvers? to automatically include the requester’s manager in the approval flow.
  3. Click Continue to proceed to the next step.

Select devices

  1. On the Devices tab, you will see a list of registered workstations.
  2. Click the Add button.
  3. In the displayed window, check the desired devices.
  4. Use the search field if necessary to locate devices by name, IP, domain, or operating system.
  5. Click Add in the bottom right corner of the window.
  6. The selected devices will be listed in the tab's table.
  7. Click Continue to proceed.

Review tab

  1. Review all the policy information.
  2. If everything is correct, click Save to complete the registration.