Step 3. Configure Access Rules

MetaAccess supports you configure conditions to block/allow a device from accessing specific applications or any applications based on device posture status and groups. You can configure multiple access rules like you do with access control list on Firewall. MetaAccess processes access rules in order to make decision on granting an access.

  1. Log into the MetaAccess console

  2. Navigate to Access Control and then Configurations

  3. Enable access control, on the Access Rules tab, click "ADD NEW RULE" to add a new access rule

  4. With a new access rule, you need to specify how you would like to block/allow a device from accessing your applications

    1. Rule name: a rule name, for example Block non-compliant devices

    2. Action: Block or Allow a device from accessing applications. You are able to apply the rule to any applications or specific applications on your account.

      1. To apply the rule to specific applications, you need to select "specific" option on the rule and use Add application button to add a specific application which you imported on the Identity Providers tab.

        • If you add a new application, you need to update this rule if you would like to apply to the application.

        • If you delete applications, they will be removed from the list automatically. In case, there is no applications in the list, the rule is considered as in-valid and never been processed. This situation can be happened when you delete all applications you configured.

          images/download/attachments/36834369/image2018-3-2_11-42-14.png
    3. Configure conditions to do the action.

      1. Agent status: MetaAccess checks agent status and related sub-conditions.

        • Agent is not installed: there is no OPSWAT MetaAccess agent installed on the device which connecting to your account. In this case, MetaAccess couldn't verify the device is compliance with your account's security policy.

        • Agent is installed: there is an OPSWAT MetaAccess agent installed

          • Device status: if it's checked. MetaAccess checks device status for this rule.

          • Device is in groups: if unchecked, MetaAccess doesn't care what group a device is assigned to. Otherwise, it depends on which option you select

            • any: device is in any groups, it's same as you don't check this condition.

            • specific: only apply to devices in specific listed groups. If you don't specify any group here, it's considered as any groups. You can use "Add group" link to add a specific group you have on your account. Note that if you add a new group to your account, you need to update this rule if you would like to apply to the group.

              images/download/attachments/36834369/image2018-3-2_11-43-21.png
  5. Click ADD RULE

  6. Click SAVE

As 07/31/2018, MetaAccess supports device compliance check before granting a device to access cloud applications on Windows, macOS, iOS, and Android. For other operating systems, you can decide always block/allow them to access services by updating the Operating System access rule. If you don't configure an operating system MetaAccess has not supported device compliance check enforcement in operating system rule or you disable this rule, "no agent installed" rule or default rule will be applied.

images/download/attachments/36834369/image2018-7-31_15-10-33.png

Example rules.

  1. Block all unknown devices which have no MetaAccess agent installed to access all applications

    images/download/attachments/36834369/image2018-3-2_11-44-27.png

  2. Block all non-compliant devices

    images/download/attachments/36834369/image2018-3-2_11-45-28.png

  3. Allow only compliant/exempted devices in group Accounting to access Salesforce application

    images/download/attachments/36834369/image2018-3-2_11-46-22.png

  4. Block all devices in the group Black-list to access to all applications

    images/download/attachments/36834369/image2018-3-2_11-47-11.png