This document guides you through creating an access policy in EPM macOS with device-based segregation, allowing you to apply application and command execution rules to specific machines.
Access path
- In Segura, on the navigation bar, hover over the Product Menu and select EPM.
- In the side menu, select Policies > macOS > Access Policies.
- Click Add to start a new policy.
Segregation screen
- On the Segregation screen, select the Device option.
- Click Continue.
General tab
- Fill in the following fields:
  - Category: select Applications
  - Name: define a representative name for the policy
  - Status: check Enabled to activate immediately
  - Action: select the default action of the policy:
    - Allowlist: only the defined applications are allowed
    - Denylist: the defined applications are blocked
- Click Continue to proceed to the next step.
Applications tab
On this tab, define the policy rules and, if necessary, enable session recording.
- To record user activity while using applications, enable the Record session for these applications option.
- Enable the Segura Intelligence Suggestions to allow administrators to gain insights from Segura AI regarding the accuracy and effectiveness of this policy.
- Choose how the criteria will be evaluated:
  - Match any: the policy will be applied if any of the criteria are met
  - Match all: the policy will be applied only if all the criteria are met
- Add rules based on attributes such as:
  - Application Name
  - Bundle Identifier
  - Code Signature
  - Path
  - Developer Identity
  - Version
  - SHA256
  - SHA512
  - Executable Name
  - Application Category
  - User
  - Arguments
- Use the Add button to register each criterion.
- Click Continue.
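As an added example (not Segura's own code and not part of this page), the following Python script collects the values the rules above match on, namely Bundle Identifier, Application Name, Executable Name, Version, Path, SHA256 and SHA512, from a macOS .app bundle, and the Code Signature details when the codesign tool is present. The Sample.app bundle it builds is constructed test data; on a real workstation, point app_attributes() at an installed application instead.

```python
import hashlib
import os
import plistlib
import shutil
import subprocess
import tempfile


def app_attributes(app_path: str) -> dict:
    """Return rule attributes for an .app bundle; raises if the bundle is malformed."""
    with open(os.path.join(app_path, "Contents", "Info.plist"), "rb") as f:
        info = plistlib.load(f)
    exe_name = info["CFBundleExecutable"]
    exe_path = os.path.join(app_path, "Contents", "MacOS", exe_name)
    sha256, sha512 = hashlib.sha256(), hashlib.sha512()
    with open(exe_path, "rb") as f:  # hash the main executable, not the .app folder
        for chunk in iter(lambda: f.read(1 << 20), b""):
            sha256.update(chunk)
            sha512.update(chunk)
    attrs = {
        "Application Name": info.get("CFBundleName", os.path.basename(app_path).removesuffix(".app")),
        "Bundle Identifier": info["CFBundleIdentifier"],
        "Executable Name": exe_name,
        "Version": info.get("CFBundleShortVersionString", info.get("CFBundleVersion", "")),
        "Path": os.path.abspath(app_path),
        "SHA256": sha256.hexdigest(),
        "SHA512": sha512.hexdigest(),
    }
    # Code Signature / Developer Identity need codesign (macOS only); use its Authority= and TeamIdentifier= lines.
    if shutil.which("codesign"):
        r = subprocess.run(["codesign", "-d", "-vv", app_path], capture_output=True, text=True)
        if r.returncode == 0:
            attrs["Code Signature"] = r.stderr.strip()
    return attrs


def make_sample_bundle(root: str) -> str:
    """Construct a minimal, unsigned sample bundle (constructed test data, not a real app)."""
    app = os.path.join(root, "Sample.app")
    os.makedirs(os.path.join(app, "Contents", "MacOS"))
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as f:
        plistlib.dump({"CFBundleIdentifier": "com.example.sample", "CFBundleExecutable": "sample",
                       "CFBundleName": "Sample", "CFBundleShortVersionString": "1.2.3"}, f)
    with open(os.path.join(app, "Contents", "MacOS", "sample"), "wb") as f:
        f.write(b"#!/bin/sh\necho sample\n")
    return app


def sample_attributes() -> dict:
    with tempfile.TemporaryDirectory() as tmp:  # build, extract, then clean up
        return app_attributes(make_sample_bundle(tmp))


if __name__ == "__main__":
    print(sample_attributes())
```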
Workflow tab
The Workflow tab will only be displayed if Allowlist is selected as the main action of the policy.
Define Just-in-Time (JIT) privilege elevation rules based on configurable approval flows.
Elevation settings
- Check User can elevate applications to allow the user to start the elevation process.
- Check Require reason to elevate applications to require the user to provide a justification.
- Check Require approval to elevate applications if you want elevation to depend on approval.
If approval is enabled, also configure:
- Approvals required: minimum number of approvals to allow execution.
- Disapprovals required to cancel: number of rejections that end the request.
- Approval in levels: activates chained approval logic with multiple levels.
Access request settings
- Check Governance ID required when justifying? if you want to require this field.
- Check Always add user manager to approvers? to automatically include the requester’s manager in the approval flow.
- Click Continue to proceed to the next step.
Select devices
- On the Devices tab, you will see a list of registered workstations.
- Click the Add button.
- In the displayed window, check the desired devices.
- Use the search field if necessary to locate devices by name, IP, domain, or operating system.
- Click Add in the bottom right corner of the window.
- The selected devices will be listed in the tab's table.
- Click Continue to proceed.
Review tab
- Review all the policy information.
- If everything is correct, click Save to complete the registration.