This document guides you through creating a general access policy in EPM macOS, applicable to all devices that have the EPM macOS agent installed.
Access path
- In Segura, on the navigation bar, hover over the Product Menu and select EPM.
- In the side menu, select Policies > macOS > Access Policies.
- Click Add to create a new policy.
Segregation screen
- On the Segregation screen, select the General option.
This option ensures that the policy will be applied to all devices with the EPM macOS agent active.
- Click Continue.
General tab
- Fill in the following fields:
  - Category: select Applications
  - Name: define a representative name for the policy
  - Status: check Enabled to activate immediately
  - Action: select the default action of the policy:
    - Allowlist: only the defined applications are allowed
    - Denylist: the defined applications are blocked
- Click Continue to proceed to the next step.
Applications tab
On this tab, you define the rules for the policy and, if necessary, activate session recording.
- To record user activity during application use, enable the Record session for these applications option.
- Enable the Segura Intelligence Suggestions to allow administrators to gain insights from Segura AI regarding the accuracy and effectiveness of this policy.
- In Strategy, choose how the criteria will be evaluated:
  - Match any: the policy will be applied if any of the criteria are met
  - Match all: the policy will be applied only if all the criteria are met
- Add rules based on the following attributes:
  - Application Name
  - Bundle Identifier
  - Code Signature
  - Path
  - Developer Identity
  - Version
  - SHA256
  - SHA512
  - Executable Name
  - Application Category
  - User
  - Arguments
- Use the Add button to register each criterion individually.
- Click Continue.
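To make the interaction between the General tab's Action (Allowlist or Denylist) and the Applications tab's Strategy (Match any or Match all) concrete, here is an added example that models those semantics offline. It is not Segura's code and does not talk to EPM; the application record, digest, policies and the split between "strong" (Code Signature, Developer Identity, SHA256, SHA512) and renamable attributes are constructed assumptions for illustration.

```python
"""
Offline model of an EPM-style macOS access policy.

Constructed example (not Segura's code): models Action (General tab),
Strategy and attribute rules (Applications tab), and applies a policy
to a sample application record.
"""
import hashlib
from dataclasses import dataclass, field

# Rule attributes exactly as listed on the Applications tab.
ATTRIBUTES = (
    "Application Name", "Bundle Identifier", "Code Signature", "Path",
    "Developer Identity", "Version", "SHA256", "SHA512",
    "Executable Name", "Application Category", "User", "Arguments",
)

# Assumption (general guidance, not a Segura statement): these attributes
# change only when the binary or its signing identity changes, so they are
# the ones worth anchoring an Allowlist on. The others can be renamed.
STRONG_ATTRIBUTES = {"Code Signature", "Developer Identity", "SHA256", "SHA512"}


@dataclass
class Rule:
    attribute: str
    value: str

    def __post_init__(self):
        if self.attribute not in ATTRIBUTES:
            raise ValueError(f"unknown rule attribute: {self.attribute}")

    def matches(self, app: dict) -> bool:
        # Exact-match comparison against the application record.
        return app.get(self.attribute) == self.value


@dataclass
class Policy:
    action: str            # "Allowlist" or "Denylist" (General tab)
    strategy: str          # "Match any" or "Match all" (Applications tab)
    rules: list = field(default_factory=list)

    def matches(self, app: dict) -> bool:
        """Combine the per-rule results according to the Strategy."""
        if not self.rules:
            return False  # a policy with no criteria matches nothing
        results = [r.matches(app) for r in self.rules]
        if self.strategy == "Match any":
            return any(results)
        if self.strategy == "Match all":
            return all(results)
        raise ValueError(f"unknown strategy: {self.strategy}")

    def decide(self, app: dict) -> str:
        """Return 'allowed' or 'blocked' for one application record."""
        hit = self.matches(app)
        if self.action == "Allowlist":
            return "allowed" if hit else "blocked"
        if self.action == "Denylist":
            return "blocked" if hit else "allowed"
        raise ValueError(f"unknown action: {self.action}")

    def weak_rules(self) -> list:
        """Rules relying only on renamable attributes. Under an Allowlist with
        'Match any', a single such rule is enough to grant access."""
        return [r for r in self.rules if r.attribute not in STRONG_ATTRIBUTES]


# Constructed application record; the digest is of a placeholder byte string,
# not of a real Terminal binary.
CONSTRUCTED_DIGEST = hashlib.sha256(b"constructed-terminal-binary").hexdigest()
SAMPLE_APP = {
    "Application Name": "Terminal",
    "Bundle Identifier": "com.apple.Terminal",
    "Path": "/System/Applications/Utilities/Terminal.app",
    "Developer Identity": "Apple Inc.",       # constructed value
    "SHA256": CONSTRUCTED_DIGEST,
    "User": "alice",
}


def example_policies():
    """Three constructed policies exercising Action x Strategy combinations."""
    allow_any = Policy("Allowlist", "Match any", [
        Rule("Bundle Identifier", "com.apple.Terminal"),
        Rule("SHA256", CONSTRUCTED_DIGEST),
    ])
    allow_all = Policy("Allowlist", "Match all", [
        Rule("Bundle Identifier", "com.apple.Terminal"),
        Rule("User", "bob"),             # does not hold for SAMPLE_APP
    ])
    deny_any = Policy("Denylist", "Match any", [
        Rule("Application Name", "Terminal"),
    ])
    return {"allow_any": allow_any, "allow_all": allow_all, "deny_any": deny_any}


if __name__ == "__main__":
    for name, policy in example_policies().items():
        print(f"{name:10s} -> {policy.decide(SAMPLE_APP)}; weak rules: "
              f"{[r.attribute for r in policy.weak_rules()]}")
```

Running the block shows that `allow_any` allows the sample application because the Bundle Identifier rule alone satisfies "Match any", while `allow_all` blocks it because the User rule fails. The `weak_rules` check is the practical takeaway for the Strategy choice: with "Match any" on an Allowlist, each rule is an independent path to approval, so a rule on Application Name, Path or Bundle Identifier should be paired with a Code Signature, Developer Identity or hash rule under "Match all", or replaced by one.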
Workflow tab
The Workflow tab will only be displayed if Allowlist is selected as the main action of the policy.
In this step, you define Just-in-Time (JIT) privilege elevation rules based on configurable approval flows.
Elevation settings
- Check User can elevate applications to allow the user to start the elevation process.
- Check Require reason to elevate applications to require the user to provide a justification.
- Check Require approval to elevate applications if you want elevation to depend on approval.
If approval is enabled, also configure:
- Approvals required: minimum number of approvals to allow execution.
- Disapprovals required to cancel: number of rejections that end the request.
- Approval in levels: activates chained approval logic with multiple levels.
Access request settings
- Check Governance ID required when justifying? if you want to require this field.
- Check Always add user manager to approvers? to automatically include the requester’s manager in the approval flow.
- Click Continue to proceed to the next step.
Review tab
- Review all policy information.
- If everything is correct, click Save to complete the registration.