This step tells MetaAccess (formerly MEM) whether to enforce a device posture check for every request that is forwarded from an IdP when a user accesses a cloud application. If you have not enabled Access Control, MetaAccess simply forwards the SAML authentication from the IdP to the application (service provider) specified in the request.
To enable Access Control:
Log into the MetaAccess console as an administrator
Navigate to Access Control and then Configurations
Check the box "Enable access control". While this feature is enabled, endpoints on your account are forced to run the cross-domain API locally on the configured port. You MUST pick a port that no application on the endpoints is using. The cross-domain API setting here is the same as the cross-domain API setting under Settings > Integrations. You cannot disable this setting until you disable Access Control.
In addition, MetaAccess uniquely addresses the complex BYOD ownership problem by showing the user identity, such as the application username, with each device a user uses to access cloud applications. This increases control over unmanaged devices without requiring any IT infrastructure changes, network traffic manipulation, or mobile device management (MDM). To do that, administrators can turn on an option that allows MetaAccess to record the users who are using devices to access cloud applications. By default, MetaAccess does not record any user information.