Creating Device Policies and Device Policy Rules

Introduction

Viewing Device Policies and Rules

Creating Device Policies

Configuring Default Device Policy for Users

Creating Device Policy Rules

Setting Global Device Preferences

Introduction

Device Policies define how desktop and mobile devices access cloud and on-premise applications in your Ivanti Neurons for Zero Trust Access (nZTA) deployment.

Device policies act as one of the four dimensions of a Secure Access Policy, see Creating/Editing Secure Access Policies.

You create a device policy and then create / associate the device rules to form a complete Device Policy, suitable for adding to a Secure Access Policy. Device policies encompass a set of rules that define the minimum standard a device must meet to be considered compliant with the applications and services served by your Secure Access Policies.

To learn more about Device Policies and Rules, see Viewing Device Policies and Rules.

Viewing Device Policies and Rules

nZTA provides a number of built-in default device policies, each containing a set of appropriate built-in device rules. You cannot modify / delete these built-in default device policies. These policies and rules are suitable for general use. In addition, nZTA allows the definition of custom policies and rules to fit an organization's specific requirements.

To view the list of all default and custom device policies or rules defined on the Controller:

  1. Log into the Controller as a Tenant Admin.
  2. From the nZTA menu, select the Secure Access icon, then select Manage Devices > Device Policies.

    The Device Policies page appears. This page lists all current device policies.

    The Device Policies page

Built-in default policies are indicated by a tick in the Default column. Custom policies are not ticked.

On this page, you can:

You can also:

  • Sort the list by a selected column in ascending or descending order.
  • Switch between normal and denser data views.

Creating Device Policies

You can create Device policies and then create / associate one or more Device Rules as required.

To create a device policy:

  1. Log into the Controller as a Tenant Admin.

  2. From the nZTA menu, select the Secure Access, then select Manage Devices > Device Policies.

    The Device Policies page appears. This page lists all current device policies.

  3. Click Create Device Policy.

    A form appears to enable you to create the device policy.

    Add a new Device Policy

    At any point during this process, you can reset the form data by selecting Reset Fields.

  4. Enter a Name for the device policy.

  5. Add a Description for the device policy.

  6. Select each of the listed Rules that are required for the device policy, or select Create Device Rule to use the in-line rule creation form. To learn more about this process, see Creating Device Policy Rules .

  7. (Optional) In the Rule Requirement section: Specify for each end-user device Platform how you want to enforce your policy rules by choosing one of the following Rule Requirement options:

    • All of the above rules: The end-user device must comply with all rules defined in the policy.

    • Any of the above rules: The end-user device must comply with at least one of the defined rules in the policy.

    • Custom: The end-user device must comply with the conditions specified in a custom expression. Use the Custom Expression field to define an expression for the rules defined in this policy and how they should be evaluated. You can use the Boolean operators AND, OR and NOT, and also use parentheses to group or nest conditions.

      The following is a list of sample custom expressions:

      • customExpr
      • (customExpr)
      • NOT customExpr
      • customExpr OR customExpr
      • customExpr AND customExpr

      As an example, where a policy has associated with it the rules "Rule1", "Rule2", and "Rule3", the following expression is valid: Rule1 AND (NOT Rule2 OR (NOT Rule3))

      When using custom expressions, consider the following points:

      • Using NOT: When using "NOT expr", the negated expression evaluates to true if the outcome of expr is false and evaluates to false if the outcome of expr is true.

      • AND, OR, NOT precedence: These operators are evaluated from highest to lowest precedence in this order: NOT (from right), AND (from left), OR (from left).

      • A combination of any device rule is allowed in an expression, except location, time of day, and network rules. For example, the following expressions are not allowed:

        • Windows_Process AND Locationrule
        • Windows_Process AND Networkrule
        • Windows_Process AND Time-of-Day_Rule

    After you have set a platform and rule requirement, select Apply to add the entry. Then, repeat this procedure if you want to add any rule requirements for other device platforms.

    If you intend to add multiple rules of varying types to a device policy, be aware that individual rules might not by themselves guarantee allowed or denied access to an application depending on the outcome of other evaluated rules in a device policy, and the rule requirements settings configured here.

  8. (Optional) In the Remediation section: To provide custom remediation instructions for the policy, tick Enable Custom Instruction and enter your remediation text into Custom Instruction. This option also requires selection of a target Platform.

    These instructions are presented through Ivanti Secure Access Client when a device compliance check fails based on this policy.

    - This feature is applicable to Windows, Mac, and Linux device policies only.
    - Also note that custom instructions are restricted to a 500 byte limit and can contain only plain text or an HTML document with HREF links.

  9. Select Create Device Policy.

    The new device policy appears in the list of Device Policies.

  10. Repeat steps 3-7 to create all required device policies.

After you have created all required device policies, you can move to the next stage of nZTA configuration, which is Creating/Editing Secure Access Policies.

Editing / Deleting Custom Device Policy

Built-in default device policies are indicated with a tick mark in the Devices column, and they cannot be edited or deleted.

To edit a custom device policy:

  1. In the Device Policies page, select the check box next to the custom device policy that you want to edit.

  2. Select Actions > Edit.

  3. Make the necessary changes, such as change the policy description, or create / edit / delete rules. You are not allowed to change the policy name.

  4. Click Update Device Policy.

To delete custom device policy:

  1. In the Device Policies page, select one or more check boxes next to the custom device policies that you want to delete.

  2. Select Actions > Delete.

  3. In the delete confirmation window, click Yes, Delete.

Configuring Default Device Policy for Users

As part of configuring an application, we can associate a device policy, which may have one or more same or different type of device rules configured. When a user tries to login, AAA evaluate these policies, log failures and allows sign in. When a user tries to access applications, device policies are evaluated and enforced. If a device policy evaluation fails, application access is denied.

With Default device policy for users, Admins can configure policies that get enforced even before device authentication, that is during the user enrollment or user authentication.

- For default enrollment policy, User Group will always be added.
- For a new multi-sign-in policy of type enroll, always add User Group first with the new enroll policy.
- Visibility/analytics in the form of charts are not available, but logs are available in Insight >logs.
- Risksense policy when enforced on enrollment sign-in policy is not supported with web/browser based enrollment, but is supported when Ivanti Secure Access Client is already installed.
- Time of day rule type is not supported for default device policy.
- Time of day and OS check rules are not supported on the enrollment sign in url when trying to enroll from iOS endpoint.

You can use the existing default polices or can create new policy and use the default device policy.

To configure default Device Policy for users:

  1. Log into the Controller as a Tenant Admin.

  2. From the nZTA menu, select Secure Access and then select Manage Users > User Policies.

  3. Click Create User Policy.

    Manage User Policy
  4. Enter the Policy Name, Login URL using the format */login/<path>.

  5. Select the User Type: Enrollment Users/ Users/Administrators.

  6. Select the Device Policy from the drop-down menu. For example, Deny_Location.

    There are a few exceptions while creating User Policies when user Type is Administrator. The following device policies are not applicable to Administrator user.
    - Any device policy having Risk Sense rule.
    - Any device policy having Time of Day rule.
    - Any device policy having combination of Location and Network rules.

    Continuous Device Posture Assessment (CARTA) is not supported for Admin Access. However, the Device Posture Assessment will occur during the administrator login process, if configured.

  7. Select the Auth Server.

  8. Click Create User Policy.

  9. Click Create User Policy.

  10. Users can also edit the existing Default policy to include the Device policy during the enrollment sign-in/user authentication.

Creating Device Policy Rules

Before you begin, decide what kind of rule you want to create. For each rule type, make sure you have the supporting parameters. For example, if you are creating a Network rule, make sure you know the IP address and netmask range you want to apply.

To create a device rule:

  1. In the Create Device Policy page, click Create Device Rule.

    The Create Device Rule form appears.

    Add a Device Rule
  2. Select Rule Type and select one of the following options:

    • Antispyware: Checks compliance to designated anti-spyware requirements.
    • Antivirus: Checks compliance to designated anti-virus requirements.
    • CVE check: Checks for protection against a list of publicly disclosed Common Vulnerability and Exposure (CVE) notices (Windows client devices only).
    • Command: Runs a command on the client device to check against an expected value (macOS client devices only).
    • File: Checks for the existence of a known file on the client.
    • Firewall: Checks compliance to designated firewall requirements.
    • Hard Disk Encryption: If encryption software is installed on the client device, this rule type checks the device's hard disks for applied encryption.
    • Location: Checks the client device's geographic location matches, or avoids, a list of defined locations.
    • Mac Address: Checks the client device's MAC address.
    • Netbios: Checks the client device's Netbios domain name.
    • Network: Checks the client device complies with a defined IP address and netmask range.
    • OS: Checks the client device’s Operating System meets a defined minimum standard.
    • Process: Checks for the existence of a known process on the client.
    • Port: Checks the client device's network interface ports.
    • Patch Management: If patch management software is installed on a client device, this rule type checks for the existence of missing software patches.
    • Registry: Checks for a value in a registry key (Windows client devices only).
    • Risk Sense: Supports Allow access, Block access and Notify based on the risk level.
    • System Integrity: Checks the system integrity of the client device (macOS client devices only).
    • Time of day: Checks resource access requests against compliance with a time-based access schedule.

    Restrictions exist for rule type availability on the following Ivanti Secure Access Client platform variants:
    - Android clients are limited to rules based on jail_break_root and OS.
    - iOS clients are limited to rules based on jail_break_root, OS, and Time of day.
    - Linux clients are limited to rules based on File, Port, and Process.

  3. Enter a Rule Name for your device rule.

  4. (Optional) Enter a Rule Description for your device rule.

  5. The remaining options are dependent on the Rule Type you selected:

    For Antispyware and Firewall rules, see Options for Antispyware and Firewall Rules.

    For Antivirus rules, see Options for Antivirus Rules.

    For CVE check rules, see Options for CVE Check Rules.

    For Command rules, see Options for Command Rules.

    For File rules, see Options for File Rules.

    For Hard Disk Encryption rules, see Options for Hard Disk Encryption Rules.

    For Location rules, see Options for Location Rules.

    For Mac Address rules, see Options for MAC Address Rules.

    For Netbios rules, see Options for Netbios Rules.

    For Network rules, see Options for Network Rules.

    For OS rules, see Options for OS Rules.

    For Process rules, see Options for Process Rules.

    For Port rules, see Options for Port Rules.

    For Patch Management rules, see Options for Patch Management Rules.

    For Registry rules, see Options for Registry Rules.

    For Risk Sense rules, see Options for Risk Sense Rules.

    For System Integrity rules, see Options for System Integrity Rules.

    For Time of day rules, see Options for Time of Day Rules.

  6. Select Create Rule to create the device rule.

The new rule is added to the list of device rules.

Individual device policies cannot be referenced by a secure access policy. After you have created all required device policies, you must organize them into device policy groups, see Creating Device Policy.

Editing / Deleting a Custom Device Policy Rule

To edit a device policy rule:

  1. In the Device Policies page, under the Rules column, click the rule link that you want to modify.

    Add a Device Rule
  2. In the side-panel that is displayed:

    • To add more rules, click Add Rule. To learn more, see Creating Device Policy Rules.

    • To delete a rule, click the delete icon next to the rule that you want to delete.

    • To delete more than one rule, select the check boxes next to the rules that you want to delete, and then click Delete.

Options for Antispyware and Firewall Rules

  1. Select Platform and select one of the following options:

    • windows
    • mac

    Using the selected platform, nZTA populates the lists of Vendors and Products that can be selected for this rule.

  2. (Optional) Select Select Vendors and use the drop-down list to select or deselect one or more product vendors. When done, select anywhere outside of the list.

    Each selected vendor is added to the panel below the drop-down list. To remove a selection, select the corresponding X indicator.

  3. (Optional) Select Select Products and use the drop-down list to select or deselect one or more products. When done, select anywhere outside of the list.

    Each selected product is added to the panel below the drop-down list. To remove a selection, select the corresponding X indicator.

    While both Vendor and Product fields are optional, you must select at least one vendor or product for your rule.

  4. (Optional) To set advanced options for this rule, select Advanced Configuration.

    The following options are provided:

    • Enable monitoring of this rule in Ivanti Secure Access Client.

Options for Antivirus Rules

  1. Select Platform and select one of the following options:

    • windows
    • mac

    Using the selected platform, nZTA populates the lists of Vendors and Products that can be selected for this rule.

  2. (Optional) Select Select Vendors and use the drop-down list to select or deselect one or more product vendors. When done, select anywhere outside of the list.

    Each selected vendor is added to the panel below the drop-down list. To remove a selection, select the corresponding X indicator.

  3. (Optional) Select Select Products and use the drop-down list to select or deselect one or more products. When done, select anywhere outside of the list.

    Each selected product is added to the panel below the drop-down list. To remove a selection, select the corresponding X indicator.

    While both Vendor and Product fields are optional, you must select at least one vendor or product for your rule.

  4. Select Enforcement Level and select one of the following options:

    • high
    • moderate
    • low
  5. (Optional) To set advanced options for this rule, select Advanced Configuration.

    The following options are provided:

    • Add a maximum allowed time limit since the last successful system scan, in days.
    • Add a maximum allowed age limit for the most recent virus definition file update, either by number of available updates or by number of days.
    • Enable monitoring of this rule in Ivanti Secure Access Client.

Options for CVE Check Rules

This rule type is applicable to Windows devices only.

1.Select one of the following options:

  • To check all supported CVEs, select Require all supported CVE checks.
  • To check a list of specific CVEs, select Check for specific CVE, then use the Select CVE Checks drop-down control to select or deselect CVEs to be included.

To remove a selected CVE from the list, select the "X" button adjacent to the CVE tag.

Options for Command Rules

This rule type is applicable to macOS devices only.

In this release, Command Type is limited to "Defaults Read Command" only. This runs the /usr/bin/defaults read command on the client device.

  1. Enter a value in Argument1 to represent the path of the Property List file to read. For example, /Applications/Utilities/Terminal.app/Contents/Info.plist.
  2. Enter a value in Argument2 to represent the property key name. For example, CFBundleShortVersionString.
  3. Enter one or more Expected Values to be returned by the command, as a comma-separated list. "*" (wildcard) values are also accepted.

Options for File Rules

This rule type is applicable to Windows and macOS devices only.

  1. Select Platform and select one of the following options:
    • windows
    • mac
    • linux
  2. Enter a full file name and path in File Name. For example, "c:test.txt" or "/Users/exampleuser/Downloads/test.txt".
  3. Select Checksum Type and select one of the following options:
    • md5
    • sha256
  4. Enter the Checksum value for the file.
  5. Select Mode and select one of the following options:

  • allow. Select this to allow access where the file exists and is valid.
  • deny. Select this to deny access if the file does not exist or is invalid.

Options for Hard Disk Encryption Rules

This rule type is applicable to Windows and macOS devices only.

  1. Select the device Platform to which this rule applies.
  2. Select the Vendors and associated encryption Products you want this rule to check.
  3. Choose which hard drives you want the rule to check:
    • To check all drives detected on the client device, select All Drives.
    • To check specific drives on the client device, select Specific Drives, then enter the drive identifiers required.
  4. Select Advanced Configuration to provide additional rule configuration:
    • (Specific drives only) To ensure the rule does not trigger a failure where one or more of the specified drives are not detected, select Consider policy as passed if the drives are not detected.
    • To ensure the rule does not trigger a failure where detected drives are currently undergoing encryption, but are not yet fully encrypted, select Consider policy as passed if the drive encryption is in progress.

Options for Location Rules

  1. Select Mode and select one of the following options:
    • allow. Select this to enable access for devices identified as being present at one of the set locations in the rule.
    • deny. Select this to disallow access for devices identified as being present at one of the set locations in the rule.
  2. Use the "Add a location" section to define one or more geographic locations to which the current Mode applies:
    • Select a Country, State (optional), and City (optional).
    • To add the location, select Add.
  3. Repeat the above steps for each location you want to add to the rule. Multiple "allow" and "deny" locations are possible in a single rule, with each added location identified by a green (allow) or red (deny) tag in the list.

To remove a location, select the "X" button adjacent to the location tag.

Options for MAC Address Rules

  1. Select Platform and select one of the following platform options:
    • windows
    • mac
  2. Enter the MAC address as a comma-separated list (without spaces) of MAC addresses in the form HH:HH:HH:HH:HH:HH where the HH is a two-digit hexadecimal number. Duplicate MAC addresses are not supported.
  3. Select Mode and select one of the following options:
    • allow. Select this to enable access from a listed MAC address.
    • deny. Select this to disallow access from a listed MAC address.

Options for Netbios Rules

  1. Select Platform and select one of the following platform options:
    • windows
    • mac
  2. Enter the Netbios domain Names as a comma-separated list (without spaces) of domain names. Each name can be 15 characters. Duplicate names are not supported.
  3. Select Mode and select one of the following options:
    • allow. Select this to enable access from a listed Netbios domain name.
    • deny. Select this to disallow access from a listed Netbios domain name.

Options for Network Rules

  1. Enter the IP Address and Netmask from which you want to either allow or deny access.

    Multiple IP addresses are not supported.

  2. Select Mode and select one of the following options:
    • allow. Select this to enable access for the given IP address and netmask.
    • deny. Select this to disallow access for the given IP address and netmask.

Options for OS Rules

  1. Select Platform and select one of the following options:
    • windows
    • mac
    • ios
    • android
  2. The remaining fields are dependent on your choice of Platform:
    • Where you selected a platform of windows or mac, select OS Name and select an Operating System edition. For example, "Windows 2008" or "macOS Mojave".

      Then, select OS Version and select the version number or service pack associated with that edition of the Operating System. For example, "SP2" or "10.14.3". To not enforce the version number, select "Ignore".

    • Where you selected a platform of ios or android, select Equality and select one of the following options pertaining to how you want to enforce Operating System versions numbers:

      • above
      • below
      • equal

Then, select OS Version and select the version number you want to check against.

Options for Process Rules

This rule type is applicable to desktop devices only.

  1. Select Platform and select one of the following options:
    • windows
    • mac
    • linux
  2. Enter a Process Name. For example, "explorer.exe".
  3. Select Checksum Type and select one of the following options:
    • md5
    • sha256
  4. Enter the Checksum value for the process executable.
  5. Select Mode and select one of the following options:
    • allow. Select this to allow access where the process exists and is valid.
    • deny. Select this to deny access if the process does not exist or is invalid.

Options for Port Rules

  1. Select Mode and select one of the following options:
  2. Enter the Ports as a comma-separated list (without spaces) of ports. Port ranges are supported. Duplicate ports are not supported.
    • windows
    • mac
    • linux
  3. Select Platform and select one of the following platform options:
  • allow. Select this to enable access from a listed port.
  • deny. Select this to disallow access from a listed port.

Options for Patch Management Rules

This rule type is applicable to Windows and macOS devices only.

  1. Select the device Platform to which this rule applies.

  2. Select the Vendors and associated patch management Products you want this rule to check the presence of.

  3. (Optional) Select Advanced Configuration to view more options:

    • Choose the Severity levels of missing patches you want to check in this rule:
      • Critical
      • Important
      • Moderate
      • Low
      • Unspecified/Unknown

    For some products, the patch severity level might not be detectable. In this case, select Unspecified/Unknown to detect missing patches.

    • Choose the Category types of missing patches you want to check in this rule:
      • Security Update
      • Rollup Update
      • Critical Update
      • Regular Update
      • Driver Update
      • Service Pack Update
      • Unknown

    For some products, the patch category might not be detectable. In this case, select Unknown to detect missing patches.

Options for Registry Rules

This rule type is applicable to Windows devices only.

  1. Select Rootkey and select one of the following options:
    • HKEY_LOCAL_MACHINE
    • HKEY_USERS
    • HKEY_CURRENT_USER
    • HKEY_CURRENT_CONFIG
    • HKEY_CLASSES_ROOT
  2. Enter a Subkey for the registry path: System\\CurrentControlSet\\Services\\Tcpip\\Parameters
  3. Select Key Type and select one of the following key types:
    • string
    • dword
    • binary
  4. Enter a Key name.
  5. Enter a Value for the registry key.
  6. Tick the 64-bit check box to use the 64-bit registry store. Leave this check box unticked to use the 32-bit registry store.

The following example values would create a rule to ensure the client device contained a registry key HKEY_LOCAL_MACHINE\SOFTWARE\zta with a value 123:

Field Value
Rootkey HKEY_LOCAL_MACHINE
Subkey SOFTWARE
Key Type string
Key zta
Value 123
64-bit ticked

Options for Risk Sense Rules

RiskSense provides vulnerability management and prioritization to measure and control cybersecurity risk. The cloud-based RiskSense platform uses a foundation of risk-based scoring, analytics to identify critical security weaknesses with corresponding remediation action plans, dramatically improving security and IT team efficiency and effectiveness.

Integrating RiskSense's Vulnerability Risk Rating (VRR) scores with nZTA provides an additional layer of security by isolating and preventing vulnerable devices from connecting to the nZTA network thereby protecting enterprise resources.

This rule type is applicable to Windows only.

  1. Enter the Rule Name.

  2. Enter the Rule Details.

  3. Select Risk Level and select one of the following options:

    • Low
    • Medium
    • High
    • Critical
  4. Select Action and select one of the following options:

    • Allow: Select this to allow access when the risk level is low or medium.
    • Block: Select this to block the access based on the risk level.
    • Notify: Select this to notify the user about the risk identified.

    - RiskSense Alert will not be generated if the RiskSense device policy is enforced on the enrollment sign-in URL.
    - RiskSense device policy should always be enforced on the authentication login URL.

To view Top Risky Applications, see the Reviewing User Activity section in Using the Insights Menu to Monitor User Activity and Service Usage.

Options for System Integrity Rules

This rule type is applicable to macOS devices only.

  1. To enable this rule type, select Enable.

Options for Time of Day Rules

This rule type applies a resource restriction (allow or deny access) based upon a specified period frequency within a defined date and time range. Enter the following parameters:

  1. Select the frequency with which you want the rule to apply inside the date range you specify:

    • Custom: Apply the rule for the whole period continuously between the start date/time and end date/time.
    • Daily: Apply the rule for the specified days in each month. Enter a comma-separated list of numerical days (1-31), for example: "1,5,19,28".
    • Weekly: Apply the rule for the specified days of each week. For Select Days, select the checkbox for each day on which you want the rule to apply.
    • Monthly: Apply the rule for all days in the specified months. For Month, select one or more months from the drop-down list.
  2. Enter the Start Date and End Date to apply to the selected period frequency. For custom rules, the date range entered here is continuous. For daily, weekly, and monthly rules, each day in the range is executed individually according to the selected times and frequency.

    Start and end date values are optional for Daily, Weekly, and Monthly frequencies. If not specified, the rule applies indefinitely.

  3. Enter the Start Time and End Time to apply to the selected period frequency. For custom rules, the times are applied with the corresponding start and end date to provide a continuous period within which the rule applies. For daily, weekly, and monthly rules, the times are applied for each day in the schedule.

    All times are applied as UTC timezone values. Your nZTA Gateways must also use UTC time for the rule schedule to apply.

    Time periods for daily, weekly, and monthly rule frequencies are restricted to the 24 hours in a single day, such that you cannot enter an end time that is earlier than the start time. Therefore, in cases where you want to apply a rule allowing access for a time period that spans across midnight into the next day, add separate rules for each day in the range covering the time period for that day only. For example, to allow access during the period 21:00 Monday until 12:00 Tuesday, configure the following rules:
    Rule 1: Period: weekly, Days: Monday, Start Time: 21:00, End Time: 23:59, Mode: allow Rule 2: Period: weekly, Days: Tuesday, Start Time: 00:00, End Time: 11:59, Mode: allow

  4. Choose the Mode that should apply during the specified times:

    • allow: Devices accessing resources to which this policy is applied are authorized only during the selected days and times.
    • deny: Devices accessing resources to which this policy is applied are not authorized during the selected days and times.

Setting Global Device Preferences

nZTA enables a system administrator to configure settings that control and restrict the functionality available in Ivanti Secure Access Client when a user enrolls their device with the Controller. Using the settings provided, you can control if your users are able to perform functions inside the Ivanti Secure Access Client application such as adding or removing connections, disconnecting from the Controller, or exiting the application completely.

Changes are replicated out to your end user devices at the point they next connect to the Controller.

To take advantage of the restriction settings described in this section, your users must be running the Ivanti Secure Access Client version applicable to nZTA 20.12 or later. To learn more about supported software versions, see the Release Notes.

These setting affect Windows and macOS desktop clients only. Ivanti Secure Access Client Linux variants are currently not supported.

To configure Ivanti Secure Access Client settings for your user's devices:

  1. Log into the Tenant Admin Portal.
  2. Click Secure Access > Manage Devices.
  3. Click the Global Device Preferences tab.

Configuring Global Device Preferences

Through this page, you can configure the following settings for Ivanti Secure Access Client on your end-user devices:

Ivanti Secure Access Client Settings

Setting Category Default Value Description
Enrollment URL Enrollment None A tenant-specific end-user enrollment URL. This setting is read-only, and can be used to inform your users of the correct nZTA enrollment URL.
Override Classic VPN (PCS/PPS) Settings Enrollment No If your users use Ivanti Secure Access Client to simultaneously connect to classic VPN products from Ivanti, such as PCS or PPS, enable this setting to allow nZTA settings on this page to take precedence over any equivalent settings configured by the classic VPN. If you disable this option, Ivanti Secure Access Client functionality is determined by the classic VPN product you are connected to.
Restrict Settings for Non-Admin Users Only Enrollment No By default, Application Control and Connection Control settings are enforced for all users. Enable this setting to apply the restrictions on this page to non-admin client device users only. Admin users are unaffected. For example, with this setting enabled, if Allow DISCONNECT connection is set to "No", a non-admin user is not allowed to disconnect a nZTA connection in the Ivanti Secure Access Client application whereas an admin user retains this capability.
Start With Splash Screen Application Control Yes Display the splash screen when launching the Ivanti Secure Access Client application.
Disallow Pulse Application Exit Application Control No Prevent the end user from exiting the Ivanti Secure Access Client application.
Enable Embedded Browser Application Control Yes This enables PSAL to follow browser extension path. Chrome/Edge browser to install and launch Ivanti Secure Access Client.

Suppress EUP Auto Launch

Application Control

No

Prevent the end user portal auto launch.

Allow Add New Connection Connection control Yes Allow the end user to add new connections in Ivanti Secure Access Client.
Allow Delete Connection Connection control Yes Allow the end user to delete connections in Ivanti Secure Access Client.
Allow Disconnect Connection Connection Control Yes Allow the end user to disconnect a nZTA connection in Ivanti Secure Access Client.
Save User Credentials Connection Control No By default, users cannot save and re-use their username and password credentials with a nZTA connection. Enable this setting to allow credentials to be saved.
Enable Always on Mode Always on and Lock Down Mode No Always-on Mode allows the Ivanti Secure Access Client to establish a connection that is always active. The feature restricts the users to manually connect/disconnect nZTA connection.
Enable Lock Down Mode Always on and Lock Down Mode No If the tunnel is disconnected, for any reason, the machine has limited connectivity (only traffic allowed with exception rules) required to re-establish the tunnel. Always-ON mode with Lockdown mode enabled denies all network traffic until connected via nZTA connection. Exemption rules can be setup to allow network traffic.

Configuring Lock Down Mode

To enable Lock down this connection option, follow the below steps:

  1. Select Secure Access > Manage Devices > Global Device Preferences.

  2. Select Enable Always ON mode and Enable LockDown Mode option.

  3. Click View Exceptions. When Always-on mode feature with Lockdown mode is enabled, Admin can add more exceptions to the Core Access Rules using exception rules. Exceptions already configured in the client are called Core Access Rules. DHCP, DNS, Kerberos, LDAP, SMP and Portmapper are already configured as Core Access Rules in the client. Exception rules can be configured to exempt certain types of traffic.

  4. Click Add to add exception.

    Lock Down configuration
  5. Select the Platform (Windows/Mac).

  6. Enter the exception Name and Description.

  7. Select the type:

    • Program
    • Port
    • Custom
  8. Select the traffic type.

    • Inbound traffic is always directed towards user’s machine.
    • Outbound traffic is always directed towards outside the machine.
    • Select Allow or Deny actions to configure the exception rules.
  9. Click Add Exception.

Downloading Device Preferences for use with an External Service

nZTA provides the facility to download a file containing the device preferences and settings on the Global Device Preferences tab, in JSON format, for use with external Mobile Device Management (MDM) and Mobile Application Management (MAM) services, such as Microsoft Intune or Jamf (for Apple devices). This can be useful in enabling your end-users to receive the Ivanti Secure Access Client package from your MDM/MAM service along with preset configuration representing your specific enrollment details. Thus, your end-users need not perform post-installation configuration of Ivanti Secure Access Client, and can instead connect straight to the nZTA service.

To download the device preferences file, use the Download icon at the top of the page:

Downloading Global Device Preferences as a JSON file

This link activates a download dialog to save the device preferences file, in JSON format, to your local workstation.

To use the device preferences file with Ivanti Secure Access Client, base64-encode the JSON contents. This is necessary to enable the JSON structure to be presented as a singular string input argument to the Ivanti Secure Access Client package. Several freely-available applications such as text editors, or online services, provide this facility.

Then, to specify the configuration as a command-line argument to the Ivanti Secure Access Client package executable, copy and paste the encoded string into the JSONCONFIG argument using the following syntax:

JSONCONFIG="<base64-encoded-config>"

For example:

JSONCONFIG="eyJhcHBsaWNhdGlvbl9jb250cm9sIjp7ImRpc2FsbG93a...ddjsKa435sag"

Browser-based interfaces such as Intune provide command-line argument specifiers as part of the application definition. Enter the complete argument=value string as shown above.

Providing the JSONCONFIG argument as part of the application definition on your end-user devices means that Ivanti Secure Access Client is installed fully-configured with the enrollment details provided by the downloaded device preferences file.

When using this mechanism to update an end-user device that has Ivanti Secure Access Client already installed, the Ivanti Secure Access Client software is upgraded as necessary, but pre-existing nZTA connections remain unaffected.

To learn more about how this facility might be used with your own MDM/MAM service, see your support representative.