ºÚÁϺ£½Ç91Èë¿Ú

Configure a Conditional Access Policy

You can configure conditional access policies that relax or secure access to resources based on conditions like a user's identity and the network and the device they’re on. Read this article to learn how to create, disable, and delete a conditional access policy.

Tip:

For general information on Conditional Access Policies, including a list of supported browsers, see Get Started: Conditional Access Policies.

If you’re not sure what to create for your first conditional access policy, use one or more of the following policy ideas to relax or restrict user access to resources. 

Policies to get you started:

  • Relax user access to resources with a policy that doesn’t require MFA when a user is on a ºÚÁϺ£½Ç91Èë¿Ú managed device. 
  • Allow access to the User Portal without MFA, but require MFA to access specific applications. 
  • Increase security on user groups with a policy that requires MFA to access the User Portal.
  • Lock down access to resources with a policy that denies access when a user isn’t in the office or on a VPN.

Note:

Users need to meet the conditions of a policy for it to apply. For example, let's say you create a policy for all your users that requires them to use MFA when they log in to the User Portal from a selected network. When your users aren’t on the selected network and they log in to the User Portal, the Default Access Policy applies instead. Learn more: Set a Default Access Policy.

Configuring a New Access Policy

  1. Log in to the .
  2. Go to SECURITY MANAGEMENT > Conditional Policies.
  3. From the list view, click ( + ), then select the Resource (User Portal, SSO Applications, or ºÚÁϺ£½Ç91Èë¿Ú LDAP).
  4. The new policy panel is where you create and enable an access policy. There are four main sections to complete: General Info, Assignments, Conditions, and Action.

General Info

Give a policy a name and a description (optional) in this section. New policies are enabled by default, but if you want to create the policy now, and enable later, use the toggle to the left of this section.

Assignments

The type of resource you’re configuring the policy for is listed under Resources. When you’re configuring an application policy, you can choose if the policy applies to specific applications or all of your applications. For all policies, you also choose if the policy applies to all of your users or specific user groups.

  • If there are User Groups you want to exclude from the policy, search for and select those user groups in the Excluded User Groups field.

Note:

If a user is in a group that's included and in another group that's excluded, they will be excluded from the policy.  

Conditions (Optional)

An access policy becomes a conditional access policy by adding a condition. Adding a condition is a Premium feature and is part of our Platform Prime plan. You can decide if any or all of the conditions need to be met for the policy to apply. 

Note:

At most, you can add one of each type of Condition in a policy. 

  • For details on the various conditions which can be set, see the Conditions section below.

Action

  • If you don’t want to require MFA, set Access to Allowed and set Authentication to Password
  • If you want to require MFA, set Access to Allowed and set Authentication to Password + MFA
  • If you want to deny access, set Access to Denied

Note:

Enrollment periods aren’t honored by conditional access policies. When you configure and enable a conditional access policy that requires MFA, users who don't have MFA set up are required to enroll in MFA the first time they log in to the resource.

Removing a Policy

To disable or delete an Access Policy:

  • To disable a policy, select the policy from the list view and, in the policy details, toggle the policy status to Disabled.
  • To delete a policy, select the checkbox of the policy from the Conditional Access Policies list view and click Delete in the top right.
    Select a policy from the list, then click Delete to remove the policy

Tip:

Conditional Access Policies work in conjunction with Default Access Policies. If none of the set conditional policies apply to a user, the Default Access Policies are enforced as fallback policies.

Understanding Conditions

An access policy created for the User Portal or SSO Applications becomes a conditional access policy when you add a condition. Adding a Condition is a Premium feature and is part of our Platform Prime plan.

​​​​​​​Device Management Condition

  • Select Device Management as the Condition.
  • For this condition, Value is not editable and will remain ºÚÁϺ£½Ç91Èë¿Ú Managed.
  • Select the Operator as Is if you want the conditional access policy to apply to users who are on a device that’s managed by ºÚÁϺ£½Ç91Èë¿Ú.
  • Select the Operator as Is Not if you want the conditional access policy to apply to users who are on a device that isn’t managed by ºÚÁϺ£½Ç91Èë¿Ú.

Note:

ºÚÁϺ£½Ç91Èë¿Ú uses device certificates to determine the device management status of desktop devices and mobile device trust to determine the device management status of mobile devices. To learn more:

Tip:

Here's a guided simulation:

Disk Encryption Condition

  • Select Disk Encryption as the Condition.
    • For this condition, Value is not editable and will remain Enabled on Device.
  • Select the Operator as Is if you want this policy to apply to devices with disk encryption enabled.
    • This will not be allowed if the device condition is also set to Unmanaged, as it is not possible to detect disk encryption status on an unmanaged device.
  • Select the Operator as Is Not if you want this policy to apply to devices which do not have disk encryption enabled.

Note:
  • Qualification for encryption is BitLocker-enabled (Windows), FileVault policy applied (macOS), or root disk is encrypted (Linux).
  • Encryption status is checked at regular intervals, with two hours as a maximum interval between checks.
  • Action: Use the Action section to decide how the policy affects user authentication to selected resources. You can:
    • Allow authentication into selected resources without MFA.
    • Allow authentication into selected resources with MFA.
    • Deny access to selected resources.

Disk Encryption Example: If you want your users to be denied access when they do not have disk encryption enabled on their device, we recommend that you create a conditional access policy specifically for that (creating one to allow access for devices with disk encryption will not deny access to those without disk encryption enabled).

IP Address Condition

  • Select IP Address as the Condition.
  • Select the Operator as Is On List if you want the policy to apply to users who are on a network that’s part of a selected IP list. 
  • Select the Operator as Is Not On List if you want the policy to apply to users who aren’t on a network that’s part of a selected IP list.
  • For Value, select the IP lists to apply to this policy.

Tip:

Here's a guided simulation:

Location Condition

  • Select Location as the Condition.
  • Select the Operator as Is In Country if you want the policy to apply to users who are in a selected country.
  • Select the Operator as Is Not In Country if you want the policy to apply to users who aren’t in a selected country. 
  • For Value, choose the Countries you want included as part of the policy.

Note:

The Unknown Location option represents IP addresses that aren’t mapped to a country.

Tip:

Here's a guided simulation:

Operating System Condition

  • Select Operating System as the Condition.
  • Select the Operator as Is if you want the policy to apply to users who are on the selected device type(s).
  • Select the Operator as Is Not if you want the policy to apply to users who are not on the selected device type(s).
  • For Value, select the device category you want to apply the policy to.
    • Desktop
      • macOS
      • Windows
      • Linux
    • Mobile
      • iOS/iPadOS
      • Android

Warning:

If users are logging in from non-managed devices, the Operating System information is not guaranteed to be 100% reliable.

Back to Top

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case