How to create a general access policy


This document guides you through creating a general access policy in EPM macOS, applicable to all devices that have the EPM macOS agent installed.

Access path

  1. In Segura, on the navigation bar, hover over the Product Menu and select EPM.
  2. In the side menu, select Policies > macOS > Access Policies.
  3. Click Add to create a new policy.

Segregation screen

  1. On the Segregation screen, select the General option.

This option ensures that the policy will be applied to all devices with the EPM macOS agent active.

  2. Click Continue.

General tab

  1. Fill in the following fields:
    • Category: select Applications
    • Name: Define a representative name for the policy
    • Status: check Enabled to activate immediately
    • Action: select the default action of the policy:
      • Allowlist: only the defined applications are allowed
      • Denylist: the defined applications are blocked
  2. Click Continue to proceed to the next step.

Applications tab

On this tab, you define the rules for the policy and, if necessary, activate session recording.

  1. To record user activity during application use, enable the Record session for these applications option.
  2. Enable the Segura Intelligence Suggestions option to let administrators receive insights from Segura AI about the accuracy and effectiveness of this policy.
  3. In Strategy, choose how the criteria will be evaluated:
    • Match any: the policy will be applied if any of the criteria are met
    • Match all: the policy will be applied only if all the criteria are met
  4. Add rules based on the following attributes:
    • Application Name
    • Bundle Identifier
    • Code Signature
    • Path
    • Developer Identity
    • Version
    • SHA256
    • SHA512
    • Executable Name
    • Application Category
    • User
    • Arguments
  5. Use the Add button to register each criterion individually.
  6. Click Continue.
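
To make the Action and Strategy settings concrete, the following added example (not Segura's code, and not a description of how the EPM macOS agent itself evaluates policies) models how the criteria registered on this tab combine into an allow or block decision. Attribute names follow the list above; the applications, paths and binary contents are constructed for the example.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Criterion:
    attribute: str  # one of the attributes listed on the Applications tab
    value: str      # expected value for that attribute


@dataclass
class AccessPolicy:
    action: str          # "Allowlist" or "Denylist"
    strategy: str        # "Match any" or "Match all"
    criteria: list       # list[Criterion]


def sha256_of(data: bytes) -> str:
    """Hex SHA256 of an executable's bytes, used for the SHA256 attribute."""
    return hashlib.sha256(data).hexdigest()


def criterion_matches(criterion: Criterion, app: dict) -> bool:
    observed = app.get(criterion.attribute)
    if observed is None:
        return False
    if criterion.attribute in ("SHA256", "SHA512"):
        return observed.lower() == criterion.value.lower()  # hashes compare case-insensitively
    return observed == criterion.value


def policy_matches(policy: AccessPolicy, app: dict) -> bool:
    """Combine per-criterion results according to the policy Strategy."""
    results = [criterion_matches(c, app) for c in policy.criteria]
    if not results:
        return False  # a policy with no rules matches nothing
    if policy.strategy == "Match any":
        return any(results)
    if policy.strategy == "Match all":
        return all(results)
    raise ValueError(f"unknown strategy: {policy.strategy}")


def is_execution_allowed(policy: AccessPolicy, app: dict) -> bool:
    """Allowlist: run only if matched. Denylist: block if matched."""
    matched = policy_matches(policy, app)
    if policy.action == "Allowlist":
        return matched
    if policy.action == "Denylist":
        return not matched
    raise ValueError(f"unknown action: {policy.action}")


# Constructed sample data: a trusted build and a tampered copy with the same name and bundle id.
GOOD_BINARY = b"constructed sample executable bytes"
TAMPERED_BINARY = b"constructed sample executable bytes, modified"
APP_PATH = "/Applications/Editor.app/Contents/MacOS/Editor"  # constructed path
TRUSTED_APP = {"Application Name": "Editor", "Bundle Identifier": "com.example.editor",
               "Path": APP_PATH, "SHA256": sha256_of(GOOD_BINARY)}
TAMPERED_APP = dict(TRUSTED_APP, SHA256=sha256_of(TAMPERED_BINARY))

# Allowlist requiring both the bundle id and the hash of the trusted build.
STRICT_ALLOWLIST = AccessPolicy("Allowlist", "Match all", [
    Criterion("Bundle Identifier", "com.example.editor"),
    Criterion("SHA256", sha256_of(GOOD_BINARY)),
])
```

With Match all, the tampered copy is refused because its hash no longer matches; switching the same policy to Match any would let it run on the bundle identifier alone, which is why hash or signature criteria are worth combining under Match all.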

Workflow tab

The Workflow tab will only be displayed if Allowlist is selected as the main action of the policy.
In this step, you define Just-in-Time (JIT) privilege elevation rules based on configurable approval flows.

Elevation settings

  1. Check User can elevate applications to allow the user to start the elevation process.
  2. Check Require reason to elevate applications to require the user to provide a justification.
  3. Check Require approval to elevate applications if you want elevation to depend on approval.

If approval is enabled, also configure:

  1. Approvals required: minimum number of approvals to allow execution.
  2. Disapprovals required to cancel: number of rejections that end the request.
  3. Approval in levels: activates chained approval logic with multiple levels.

Access request settings

  1. Check Governance ID required when justifying? if you want to require this field.
  2. Check Always add user manager to approvers? to automatically include the requester’s manager in the approval flow.
  3. Click Continue to proceed to the next step.

Review tab

  1. Review all policy information.
  2. If everything is correct, click Save to complete the registration.