This document guides you through creating a user-based access policy in EPM macOS, allowing you to apply rules for executing applications and commands to specific accounts.
Access path
- In Segura, on the navigation bar, hover over the Product Menu and select EPM.
- In the side menu, select Policies > macOS > Access Policies.
- Click Add to start a new policy.
Segregation screen
- On the Segregation screen, select the Users option.
- Click Continue.
General tab
- Fill in the following fields:
  - Category: select Applications
  - Name: enter a representative name for the policy
  - Status: check Enabled to apply it immediately
  - Action: select the main action of the policy:
    - Allowlist: allows only the defined applications
    - Denylist: blocks the defined applications
- Click Continue to proceed.
Applications tab
On this tab, define the policy rules and enable session recording if necessary.
- To record user activities during application usage, enable the Record session for these applications option.
- Enable the Segura Intelligence Suggestions to allow administrators to gain insights from Segura AI regarding the accuracy and effectiveness of this policy.
- In Strategy, select how the criteria will be evaluated:
  - Match any: the policy is applied if any criterion is met
  - Match all: the policy is applied only if all criteria are met
- Use the Add button to include rules based on:
  - Application Name
  - Bundle Identifier
  - Code Signature
  - Installation Path
  - Developer Identity
  - Version
  - SHA256 / SHA512
  - Executable Name
  - Application Category
  - User
  - Arguments
- Click Continue.
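To make the Action and Strategy choices above concrete, the following is an added Python model (not Segura's code) of how one policy's criteria combine into an allow or deny decision. The application metadata, the hashed executable bytes and the exact-match comparison are constructed assumptions; the page does not describe how the EPM agent matches values.

```python
import hashlib

# Constructed sample metadata for one launched application (not real Segura data).
SAMPLE_BINARY = b"\xcf\xfa\xed\xfe" + b"constructed example executable bytes"
SAMPLE_APP = {
    "Bundle Identifier": "com.example.terminal",
    "Installation Path": "/Applications/Example Terminal.app",
    "Developer Identity": "Developer ID Application: Example Corp (EXAMPLETEAM)",
    "Version": "2.4.1",
    "Arguments": "--unsafe-mode",
    "SHA256": hashlib.sha256(SAMPLE_BINARY).hexdigest(),
}

HASH_CRITERIA = {"SHA256", "SHA512"}


def rule_matches(criterion, expected, app):
    """One rule matches when the app exposes the criterion and the values agree."""
    actual = app.get(criterion)
    if actual is None:
        return False
    if criterion in HASH_CRITERIA:
        # Hex digests are compared case-insensitively so a copied uppercase hash still matches.
        return actual.lower() == expected.lower()
    return actual == expected  # assumption: exact match for all other criteria


def policy_matches(strategy, rules, app):
    """Combine rule results according to the Strategy field: 'Match any' or 'Match all'."""
    results = [rule_matches(c, v, app) for c, v in rules.items()]
    if not results:
        return False  # a policy with no rules never matches
    return any(results) if strategy == "Match any" else all(results)


def decide(action, strategy, rules, app):
    """Allowlist: only matching apps run. Denylist: matching apps are blocked."""
    matched = policy_matches(strategy, rules, app)
    if action == "Allowlist":
        return "allow" if matched else "deny"
    if action == "Denylist":
        return "deny" if matched else "allow"
    raise ValueError(f"unknown action: {action}")


if __name__ == "__main__":
    pinned = {"Bundle Identifier": "com.example.terminal", "SHA256": SAMPLE_APP["SHA256"].upper()}
    print(decide("Allowlist", "Match all", pinned, SAMPLE_APP))  # allow
    stale = {"Bundle Identifier": "com.example.terminal", "Version": "2.4.0"}
    print(decide("Allowlist", "Match all", stale, SAMPLE_APP))  # deny: the version pin fails
    print(decide("Allowlist", "Match any", stale, SAMPLE_APP))  # allow: the bundle id alone suffices
    print(decide("Denylist", "Match any", {"Arguments": "--unsafe-mode"}, SAMPLE_APP))  # deny
```

The Match all runs show why an allowlist that pins a SHA256 or Code Signature next to the Bundle Identifier is stricter than one keyed on a name alone: every pinned value has to agree before the application is released.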
Workflow tab
The Workflow tab will only be displayed if you have selected Allowlist as the main action of the policy.
In this step, define Just-in-Time (JIT) privilege elevation rules based on configurable approval flows.
Elevation settings
- Check User can elevate applications to allow the user to initiate the elevation process.
- Check Require justification to elevate applications to require the user to provide a reason for the request.
- Check Require approval to elevate applications if you want the elevation to depend on approval.
If approval is enabled, also configure:
- Approvals required: minimum number of approvals to release execution.
- Rejections required to cancel: number of rejections that will end the request.
- Approval in levels: enables chained approval logic with multiple levels.
Access request settings
- Check Require governance code when justifying? if you want to require this field.
- Check Always add the user’s manager to the approvers? to automatically include the requester’s manager in the flow.
- Click Continue to proceed to the next step.
Users tab
- The Users tab displays a table with registered accounts.
- Click Add.
- In the displayed window, check the desired users.
- Use the search field to locate by name, domain, or ID.
- Click Add in the lower corner of the window.
- The selected users will be listed in the table.
- Click Continue to proceed.
Review tab
- Review all policy information.
- If everything is correct, click Save to complete the registration.