How to configure application access policies for EPM Windows

  • 2 minute(s) read
Prev Next

This document explains how to configure application access policies on Segura® Platform EPM Windows clients. You’ll learn how to set up general segregation policies to allow or deny access to applications across all workstations, using a variety of criteria to increase security and control.

Requirements

  • You must be at least an EPM Administrator.
  • Have information about the applications according to the selected criteria (e.g., certificate, file hash, directory, etc.).

Configure application access policies

  1. On Segura® Platform, in the navigation bar, hover over the Products menu and select EPM > Policies > Windows > Access policies.
  2. Click on the Add button.
  3. In the Segregation screen, select General, Device, or Organizational unit.
  4. In the General tab, fill in the following fields:
    1. Category*: select Applications.
    2. Name*: set a name for this policy.
    3. Status*: set as Enabled or Disabled.
    4. Action*: choose between Allowlist to allow or Denylist to block.
  5. In the Applications tab, fill in the following fields:
    1. Record session for these applications*: set as Enabled or Disabled.
    2. Control parent process*:
      • If Enabled, all child processes created by the parent will follow the access policy permissions.
      • If Disabled, all processes are evaluated individually by the access policy.
    3. Control child process*:
      • If Enabled, the access policy is applied to all processes originating from the child process.
      • If Disabled, all processes are evaluated individually.
    4. New: add one or more criteria. More information in Applications Criteria List EPM Windows.
  6. If using Device or Organizational unit segregation, additional tabs will appear to complete the following steps:
    1. For Device segregation, select one or more registered workstations in the Devices tab.
    2. For Organizational unit segregation, add a new organizational unit (OU) and enter the name in the OU field in the Organizational units tab. Note: enter only the OU name (e.g., MyOUName), not the full distinguished name (e.g., ou=myOUName, DC=mydomain, DC=local).
  7. In the Workflow tab, complete the following:
    1. In the Elevation settings options, select as needed:
      • User can elevate applications.
      • Require reason to elevate applications.
      • Require approval to elevate applications.
      Info

      Enabling the requirement for approval or justification in the access policy will cause EPM to intercept the execution of corresponding applications when initiated by users outside of EPM. The execution will remain blocked until the workflow is completed.

      • Approvals required: number of approvals necessary for privilege elevation.
      • Disapprovals required to cancel: number of actions to cancel elevation.
      • Approval in levels: requires approvers defined in the approval workflow.
      • Allow emergency access.
    2. If Require approval to elevate applications is checked, set the number of times for each specific action.
    3. Answer Yes or No to the following Access request settings:
      • Governance ID required when justifying?*.
      • Always add user manager to approvers?*.
  8. Go to the Review tab and check if everything is correct.
  9. Click Save to apply the access policy configuration.