Device Rules

Device rules allow security control rules to be matched with specific devices. Device rules can apply the rule settings either to the device hosting the Application Control Agent and configuration, or to connecting devices.

For example, a configuration rule can allow certain applications to run on a server but prohibit others from running when launched from a device listed in the rule.

Device rules also provide the ability to perform per-device license management in a server-based computing environment.

  • To add a device rule, click Add Rule on the Rules ribbon and select Device Rule.
  • To remove a device rule, select a rule and click Remove Rule on the Rules ribbon. A confirmation message displays, click Yes to confirm the removal.

You can also add items to the Allowed Items, Denied Items, Trusted Vendors, User Privileges, and Browser Control nodes in each device rule node.

Device Rule Validation

Type Rule
Host Name or IP Address Use this device client rule to apply Allowed Items, Denied Items, Trusted Vendors, and User Privileges rules to a third party device when a user attempts to access their endpoint from a specific Host Name or IP Address. If the Host Name or IP Address is matched to the third party device, Application Control rules specific to the device are applied.
Computer Group Membership Use this device client rule to apply Allowed, Denied, Trusted Vendors, and User Privileges rules to a third party device that is a member of a specific security group. Application Control checks to see if the computer is a member of the specified security group before applying the rules.

If entering the Computer Group Membership details manually, you must use the fully qualified name.
For example, CN=ComputerGroup, OU=Department, OU=Corporation, DC=CoreDomain.

OU Membership

Use this device client rule to apply Allowed, Denied, Trusted Vendors and User Privileges rules to a third party device that is a member of a specified Organizational Unit (OU).

Active Directory (AD) based client conditions convert the NetBIOS name of the client, obtained from Windows Terminal Server (or Citrix equivalent), to a FQDN used to query AD. The FDQN cannot be resolved if the terminal server is in the parent domain and is trying to resolve the FQDN of a connecting device in a child domain. This impacts Device and Custom rules, with Active Directory based client conditions, that are applied to terminal servers and VDIs in a root domain.

The terminal server must be configured with the DNS suffix of all child domains. The search list must be configured on all terminal servers wanting to resolve names for connecting in child domains.

For example, for the parent domain.local, the child domains, childa.domain.local and childb.domain.local, must be configured on the terminal server in order for AD based conditions to evaluate correctly.

For information about configuring domain suffix search lists, see: https://support.microsoft.com/en-gb/kb/275553