Device Policies define how desktop and mobile
devices access cloud and on-premise applications in your Ivanti
Neurons for Zero Trust Access (nZTA) deployment.
You create a device policy and then create / associate the device rules to form a complete Device Policy,
suitable for adding to a Secure Access Policy. Device
policies encompass a set of rules that define the minimum standard a
device must meet to be considered compliant with the applications and
services served by your Secure Access Policies.
nZTA provides a number of built-in default device policies,
each containing a set of appropriate built-in device rules. You cannot modify / delete these built-in default device policies. These
policies and rules are suitable for general use. In addition,
nZTA allows the definition of custom policies and rules to fit
an organization's specific requirements.
To view the list of all default and custom device policies or rules
defined on the Controller:
Log into the Controller as a Tenant Admin.
From the nZTA menu, select the Secure Access icon, then select Manage Devices > Device Policies.
The Device Policies page appears. This page lists all current device policies.
The Device Policies page
Built-in default policies are indicated by a tick in the
Default column. Custom policies are not ticked.
Sort the list by a selected column in ascending or descending order.
Switch between normal and denser data views.
Creating Device Policies
You can create Device policies and then create / associate
one or more Device Rules as required.
To create a device policy:
Log into the Controller as a Tenant Admin.
From the nZTA menu, select the Secure Access icon, then select Manage Devices > Device Policies.
The Device Policies page appears. This page lists all
current device policies.
Click Create
Device Policy.
A form appears to enable you to create the device policy.
Create a new Device Policy
At any point during this process, you can reset the form data by
selecting Reset Fields.
Enter a Name for the device policy.
Add a Description for the device
policy.
Select each of the listed Rules that are required for the device policy, or select Create Device Rule to use the in-line rule creation form. To learn more about this process, see Creating Device Policy Rules.
(Optional) In the Rule Requirement section: Specify for
each end-user device Platform how you want to enforce
your policy rules by choosing one of the following Rule
Requirement options:
All of the above rules: The end-user device must
comply with all rules defined in the policy.
Any of the above rules: The end-user device must
comply with at least one of the defined rules in the policy.
Custom: The end-user device must comply with the
conditions specified in a custom expression. Use the Custom
Expression field to define an expression for the rules defined
in this policy and how they should be evaluated. You can use the Boolean
operators AND, OR and NOT, and also use parentheses to group or nest
conditions.
The following is a list of sample custom expressions:
customExpr
(customExpr)
NOT customExpr
customExpr OR customExpr
customExpr AND customExpr
As an example, where a policy has associated with it the rules
"Rule1", "Rule2", and "Rule3", the following expression is valid:
Rule1 AND (NOT Rule2 OR (NOT Rule3))
When using custom expressions, consider the following points:
Using NOT: "NOT expr" evaluates to true if expr evaluates to false, and to false if expr evaluates to true.
AND, OR, NOT precedence: NOT has the highest precedence and applies to the operand immediately to its right, so NOT Rule1 AND Rule2 means (NOT Rule1) AND Rule2. AND is evaluated next and OR last; both group from left to right. Use parentheses wherever the intended grouping differs from this order.
A combination of any device rule is allowed in an expression,
except location, time of day, and network rules. For example, the
following expressions are not allowed:
Windows_Process AND Locationrule
Windows_Process AND Networkrule
Windows_Process AND Time-of-Day_Rule
After you have set a platform and rule requirement, select
Apply to add the entry. Then, repeat this procedure if
you want to add any rule requirements for other device platforms.
If you intend to add multiple rules of varying types to a device
policy, be aware that individual rules might not by themselves guarantee
allowed or denied access to an application depending on the outcome of
other evaluated rules in a device policy, and the rule requirements
settings configured here.
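The following Python is an added example, not part of the Ivanti documentation or product code. It implements the expression grammar described above: a tokenizer, a recursive-descent parser with NOT above AND above OR, an evaluator over per-rule check outcomes, and a validation step that rejects an expression combining a location, network or time-of-day rule with other rules (the example reads the restriction above that way; whether such a rule may appear on its own is not stated on the page). The rule names, rule types and check outcomes are constructed for the demonstration, and the Controller's own expression handling may differ in details such as the characters allowed in rule names.

```python
"""Parse and evaluate an nZTA-style device policy custom expression.

Added example, not Ivanti code. Grammar as the page describes it: rule names
joined with NOT, AND and OR plus parentheses; precedence NOT > AND > OR, NOT
binding to the operand on its right, AND and OR grouping from the left. The
rule names, check outcomes and rule types in the sample are constructed."""
import re
from typing import Dict, List, Set, Tuple

EXCLUDED_TYPES = {"location", "network", "time_of_day"}  # cannot be combined
KEYWORDS = {"NOT", "AND", "OR"}
TOKEN_RE = re.compile(r"\(|\)|[A-Za-z_][\w\-]*")

def tokenize(expr: str) -> List[str]:
    """Split an expression into parentheses, keywords and rule names."""
    tokens = TOKEN_RE.findall(expr)
    if "".join(tokens) != re.sub(r"\s+", "", expr):  # something was skipped
        raise ValueError(f"unexpected characters in expression {expr!r}")
    return tokens

def parse(expr: str) -> Tuple:
    """Build a tree of ("RULE", name), ("NOT", x) and ("AND"|"OR", x, y)."""
    tokens, pos = tokenize(expr), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1] if pos <= len(tokens) else None

    def parse_or():  # lowest precedence, groups from the left
        node = parse_and()
        while peek() == "OR":
            take()
            node = ("OR", node, parse_and())
        return node

    def parse_and():  # binds tighter than OR
        node = parse_not()
        while peek() == "AND":
            take()
            node = ("AND", node, parse_not())
        return node

    def parse_not():  # highest precedence, applies to the operand on its right
        if peek() == "NOT":
            take()
            return ("NOT", parse_not())
        return parse_atom()

    def parse_atom():
        tok = take()
        if tok == "(":
            node = parse_or()
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok is None or tok == ")" or tok in KEYWORDS:
            raise ValueError(f"expected a rule name, got {tok!r}")
        return ("RULE", tok)

    tree = parse_or()
    if peek() is not None:
        raise ValueError(f"unexpected token {peek()!r}")
    return tree

def rule_names(node: Tuple) -> Set[str]:
    if node[0] == "RULE":
        return {node[1]}
    return set().union(*(rule_names(child) for child in node[1:]))

def validate(node: Tuple, rule_types: Dict[str, str]) -> None:
    """Names must be rules of this policy; excluded types cannot be combined."""
    names = rule_names(node)
    unknown = names - set(rule_types)
    if unknown:
        raise ValueError(f"rules not associated with this policy: {sorted(unknown)}")
    excluded = {n for n in names if rule_types[n] in EXCLUDED_TYPES}
    if excluded and len(names) > 1:
        raise ValueError(f"cannot combine {sorted(excluded)} with other rules")

def evaluate(node: Tuple, outcomes: Dict[str, bool]) -> bool:
    if node[0] == "RULE":
        return outcomes[node[1]]
    if node[0] == "NOT":
        return not evaluate(node[1], outcomes)
    left, right = evaluate(node[1], outcomes), evaluate(node[2], outcomes)
    return (left and right) if node[0] == "AND" else (left or right)

def policy_allows(expr: str, outcomes: Dict[str, bool], rule_types: Dict[str, str]) -> bool:
    """Parse, validate and evaluate expr against per-rule check results."""
    tree = parse(expr)
    validate(tree, rule_types)
    return evaluate(tree, outcomes)

def is_valid_expression(expr: str, rule_types: Dict[str, str]) -> bool:
    try:
        validate(parse(expr), rule_types)
        return True
    except ValueError:
        return False
```

With the page's example rules and constructed outcomes Rule1 = pass, Rule2 = pass, Rule3 = fail, "Rule1 AND (NOT Rule2 OR (NOT Rule3))" evaluates to true, "Rule1 OR Rule2 AND Rule3" is true because AND binds first, and "(Rule1 OR Rule2) AND Rule3" is false. Checking an expression with a tool like this before saving the policy avoids the situation the note above warns about, where the interplay of rules and the rule requirement produces an unintended allow.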
(Optional) In the Remediation section: To provide custom
remediation instructions for the policy, tick Enable Custom
Instruction and enter your remediation text into Custom
Instruction. This option also requires selection of a target
Platform.
These instructions are presented through Ivanti Secure Access
Client when a device compliance check fails based on this
policy.
- This feature is applicable to Windows, Mac, and Linux device policies only.
- Also note that custom instructions are restricted to a 500 byte limit and can contain only plain text or an HTML document with HREF links.
Select Create Device Policy.
The new device policy appears in the list of Device
Policies.
Repeat the steps from Create Device Policy onward to create all required device policies.
After you have created all required device policies, you can move to
the next stage of nZTA configuration, which is Creating/Editing Secure Access Policies.
Editing / Deleting Custom Device Policy
Built-in default device policies are indicated with a tick mark in the Default column, and they cannot be edited or deleted.
To edit a custom device policy:
In the Device Policies page, select the check box next to the custom device policy that you want to edit.
Select Actions > Edit.
Make the necessary changes, such as change the policy description, or create / edit / delete rules. You are not allowed to change the policy name.
Click Update Device Policy.
To delete custom device policy:
In the Device Policies page, select one or more check boxes next to the custom device policies that you want to delete.
Select Actions > Delete.
In the delete confirmation window, click Yes, Delete.
Configuring Default Device Policy for Users
As part of configuring an application, you can associate a device policy, which may contain one or more device rules of the same or different types. When a user tries to log in, AAA evaluates these policies, logs any failures, and allows the sign-in. When the user then tries to access applications, the device policies are evaluated and enforced; if a device policy evaluation fails, application access is denied.
With a default device policy for users, admins can configure policies that are enforced earlier than application access, that is, during user enrollment or user authentication.
- For the default enrollment policy, User Group will always be added.
- For a new multi-sign-in policy of type enroll, always add User Group first with the new enroll policy.
- Visibility/analytics in the form of charts are not available, but logs are available in Insight > Logs.
- A RiskSense policy enforced on the enrollment sign-in policy is not supported with web/browser-based enrollment, but is supported when Ivanti Secure Access Client is already installed.
- The Time of day rule type is not supported for a default device policy.
- Time of day and OS check rules are not supported on the enrollment sign-in URL when enrolling from an iOS endpoint.
You can use the existing default policies, or create a new policy and use it as the default device policy.
To configure default Device Policy for users:
Log into the Controller as a Tenant Admin.
From the nZTA menu, select Secure Access and then select Manage Users > User Policies.
Click Create User Policy.
Manage User Policy
Enter the Policy Name, Login
URL using the format */login/<path>.
Select the User Type: Enrollment Users/
Users/Administrators.
Select the Device Policy from the drop-down
menu. For example, Deny_Location.
There are a few exceptions when creating User Policies with a User Type of Administrator. The following device policies are not applicable to Administrator users:
- Any device policy containing a Risk Sense rule.
- Any device policy containing a Time of Day rule.
- Any device policy containing a combination of Location and Network rules.
Continuous Device Posture Assessment (CARTA) is not supported for Admin Access. However, the Device Posture Assessment will occur during the administrator login process, if configured.
Select the Auth Server.
Click Create User Policy.
Create User Policy
You can also edit the existing Default policy to include the Device policy during the enrollment sign-in/user authentication.
Edit User Policy
Creating Device Policy Rules
Before you begin, decide what kind of rule you want to create. For
each rule type, make sure you have the supporting parameters. For
example, if you are creating a Network rule, make sure you know
the IP address and netmask range you want to apply.
To create a device rule:
In the Create Device Policy page, click Create
Device Rule.
The Create Device Rule form appears.
Create Device Rule
Select Rule Type and select one of the following
options:
Antispyware: Checks compliance to designated anti-spyware
requirements.
Antivirus: Checks compliance to designated anti-virus
requirements.
CVE check: Checks for protection against a list of publicly
disclosed Common Vulnerability and Exposure (CVE) notices (Windows
client devices only).
Command: Runs a command on the client device to check
against an expected value (macOS client devices only).
File: Checks for the existence of a known file on the
client.
Firewall: Checks compliance to designated firewall
requirements.
Hard Disk Encryption: If encryption software is installed
on the client device, this rule type checks the device's hard disks for
applied encryption.
Location: Checks the client device's geographic location
matches, or avoids, a list of defined locations.
Mac Address: Checks the client device's MAC address.
Netbios: Checks the client device's Netbios domain
name.
Network: Checks the client device complies with a defined
IP address and netmask range.
OS: Checks the client device’s Operating System meets a
defined minimum standard.
Process: Checks for the existence of a known process on the
client.
Port: Checks the client device's network interface
ports.
Patch Management: If patch management software is installed
on a client device, this rule type checks for the existence of missing
software patches.
Registry: Checks for a value in a registry key (Windows
client devices only).
Risk Sense: Supports Allow access, Block access and Notify
based on the risk level.
System Integrity: Checks the system integrity of the client
device (macOS client devices only).
Time of day: Checks resource access requests against
compliance with a time-based access schedule.
Restrictions exist for rule type availability on the following Ivanti Secure Access Client platform variants:
- Android clients are limited to rules based on jail_break_root and OS.
- iOS clients are limited to rules based on jail_break_root, OS, and Time of day.
- Linux clients are limited to rules based on File, Port, and Process.
Enter a Rule Name for your device rule.
(Optional) Enter a Rule Description for your
device rule.
The remaining options are dependent on the Rule
Type you selected:
The new rule is added to the list of device rules.
Individual device rules cannot be referenced by a secure access policy; a rule takes effect only as part of a device policy. After you have created all required device rules, add them to device policies, see Creating Device Policies.
Editing / Deleting a Custom Device Policy Rule
To edit a device policy rule:
In the Device Policies page, under the Rules column, click the rule link that you want to modify.
To delete a rule, click the delete icon next to the rule that you want to delete.
To delete more than one rule, select the check boxes next to the rules that you want to delete, and then click Delete.
Options for Antispyware and Firewall Rules
Select Platform and select one of the following
options:
windows
mac
Using the selected platform, nZTA populates the lists of
Vendors and Products that can be selected for this
rule.
(Optional) Select Select Vendors and use the
drop-down list to select or deselect one or more product vendors. When
done, select anywhere outside of the list.
Each selected vendor is added to the panel below the drop-down list.
To remove a selection, select the corresponding X
indicator.
(Optional) Select Select Products and use the
drop-down list to select or deselect one or more products. When done,
select anywhere outside of the list.
Each selected product is added to the panel below the drop-down list.
To remove a selection, select the corresponding X
indicator.
While both Vendor and Product fields are optional,
you must select at least one vendor or product for your rule.
(Optional) To set advanced options for this rule, select
Advanced Configuration.
The following options are provided:
Enable monitoring of this rule in Ivanti Secure Access
Client.
Options for Antivirus Rules
Select Platform and select one of the following
options:
windows
mac
Using the selected platform, nZTA populates the lists of
Vendors and Products that can be selected for this
rule.
(Optional) Select Select Vendors and use the
drop-down list to select or deselect one or more product vendors. When
done, select anywhere outside of the list.
Each selected vendor is added to the panel below the drop-down list.
To remove a selection, select the corresponding X
indicator.
(Optional) Select Select Products and use the
drop-down list to select or deselect one or more products. When done,
select anywhere outside of the list.
Each selected product is added to the panel below the drop-down list.
To remove a selection, select the corresponding X
indicator.
While both Vendor and Product fields are optional,
you must select at least one vendor or product for your rule.
Select Enforcement Level and select one of the
following options:
high
moderate
low
(Optional) To set advanced options for this rule, select
Advanced Configuration.
The following options are provided:
Add a maximum allowed time limit since the last successful system
scan, in days.
Add a maximum allowed age limit for the most recent virus definition
file update, either by number of available updates or by number of
days.
Enable monitoring of this rule in Ivanti Secure Access
Client.
Options for CVE Check Rules
This rule type is applicable to Windows devices only.
Select one of the following options:
To check all supported CVEs, select Require all supported
CVE checks.
To check a list of specific CVEs, select Check for specific
CVE, then use the Select CVE Checks drop-down
control to select or deselect CVEs to be included.
To remove a selected CVE from the list, select the "X" button
adjacent to the CVE tag.
Options for Command Rules
This rule type is applicable to macOS devices only.
In this release, Command Type is limited to "Defaults Read Command"
only. This runs the /usr/bin/defaults read command on the
client device.
Enter a value in Argument1 to represent the path of
the Property List file to read. For example,
/Applications/Utilities/Terminal.app/Contents/Info.plist.
Enter a value in Argument2 to represent the
property key name. For example,
CFBundleShortVersionString.
Enter one or more Expected Values to be returned by
the command, as a comma-separated list. "*" (wildcard) values are also
accepted.
Options for File Rules
This rule type is applicable to Windows, macOS, and Linux devices.
Select Platform and select one of the following
options:
windows
mac
linux
Enter a full file name and path in File Name. For example, "c:\test.txt" or "/Users/exampleuser/Downloads/test.txt".
Select Checksum Type and select one of the
following options:
md5
sha256
Enter the Checksum value for the file.
Select Mode and select one of the following
options:
allow. Select this to allow access where the file exists
and is valid.
deny. Select this to deny access if the file does not exist
or is invalid.
Options for Hard Disk Encryption Rules
This rule type is applicable to Windows and macOS devices only.
Select the device Platform to which this rule
applies.
Select the Vendors and associated encryption
Products you want this rule to check.
Choose which hard drives you want the rule to check:
To check all drives detected on the client device, select
All Drives.
To check specific drives on the client device, select
Specific Drives, then enter the drive identifiers
required.
Select Advanced Configuration to provide additional
rule configuration:
(Specific drives only) To ensure the rule does not trigger
a failure where one or more of the specified drives are not detected,
select Consider policy as passed if the drives are not
detected.
To ensure the rule does not trigger a failure where detected drives
are currently undergoing encryption, but are not yet fully encrypted,
select Consider policy as passed if the drive encryption is in
progress.
Options for Location Rules
Select Mode and select one of the following
options:
allow. Select this to enable access for devices identified
as being present at one of the set locations in the rule.
deny. Select this to disallow access for devices identified
as being present at one of the set locations in the rule.
Use the "Add a location" section to define one or more geographic
locations to which the current Mode applies:
Select a Country, State
(optional), and City (optional).
To add the location, select Add.
Repeat the above steps for each location you want to add to the
rule. Multiple "allow" and "deny" locations are possible in a single
rule, with each added location identified by a green (allow) or red
(deny) tag in the list.
To remove a location, select the "X" button adjacent to the location
tag.
Options for MAC Address Rules
Select Platform and select one of the following
platform options:
windows
mac
Enter the MAC address as a comma-separated list
(without spaces) of MAC addresses in the form HH:HH:HH:HH:HH:HH where
the HH is a two-digit hexadecimal number. Duplicate MAC addresses are
not supported.
Select Mode and select one of the following
options:
allow. Select this to enable access from a listed MAC
address.
deny. Select this to disallow access from a listed MAC
address.
Options for Netbios Rules
Select Platform and select one of the following
platform options:
windows
mac
Enter the Netbios domain Names as a comma-separated
list (without spaces) of domain names. Each name can be 15 characters.
Duplicate names are not supported.
Select Mode and select one of the following
options:
allow. Select this to enable access from a listed Netbios
domain name.
deny. Select this to disallow access from a listed Netbios
domain name.
Options for Network Rules
Enter the IP Address and Netmask
from which you want to either allow or deny access.
Multiple IP addresses are not supported.
Select Mode and select one of the following
options:
allow. Select this to enable access for the given IP
address and netmask.
deny. Select this to disallow access for the given IP
address and netmask.
Options for OS Rules
Select Platform and select one of the following
options:
windows
mac
ios
android
The remaining fields are dependent on your choice of
Platform:
Where you selected a platform of windows or
mac, select OS Name and select an Operating
System edition. For example, "Windows 2008" or "macOS Mojave".
Then, select OS Version and select the version
number or service pack associated with that edition of the Operating
System. For example, "SP2" or "10.14.3". To not enforce the version
number, select "Ignore".
Where you selected a platform of ios or
android, select Equality and select one of the
following options pertaining to how you want to enforce Operating System
versions numbers:
above
below
equal
Then, select OS Version and select the version
number you want to check against.
Options for Process Rules
This rule type is applicable to desktop devices only.
Select Platform and select one of the following
options:
windows
mac
linux
Enter a Process Name. For example,
"explorer.exe".
Select Checksum Type and select one of the
following options:
md5
sha256
Enter the Checksum value for the process
executable.
Select Mode and select one of the following
options:
allow. Select this to allow access where the process exists
and is valid.
deny. Select this to deny access if the process does not
exist or is invalid.
Options for Port Rules
Select Platform and select one of the following
platform options:
windows
mac
linux
Enter the Ports as a comma-separated list (without
spaces) of ports. Port ranges are supported. Duplicate ports are not
supported.
Select Mode and select one of the following
options:
allow. Select this to enable access from a listed
port.
deny. Select this to disallow access from a listed
port.
Options for Patch Management Rules
This rule type is applicable to Windows and macOS devices only.
Select the device Platform to which this rule
applies.
Select the Vendors and associated patch
management Products you want this rule to check the
presence of.
(Optional) Select Advanced Configuration to view
more options:
Choose the Severity levels of missing patches you
want to check in this rule:
Critical
Important
Moderate
Low
Unspecified/Unknown
For some products, the patch severity level might not be detectable.
In this case, select Unspecified/Unknown to detect missing
patches.
Choose the Category types of missing patches you
want to check in this rule:
Security Update
Rollup Update
Critical Update
Regular Update
Driver Update
Service Pack Update
Unknown
For some products, the patch category might not be detectable. In
this case, select Unknown to detect missing patches.
Options for Registry Rules
This rule type is applicable to Windows devices only.
Select Rootkey and select one of the following
options:
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_USER
HKEY_CURRENT_CONFIG
HKEY_CLASSES_ROOT
Enter a Subkey for the registry path, for example: System\CurrentControlSet\Services\Tcpip\Parameters
Select Key Type and select one of the following key
types:
string
dword
binary
Enter a Key name.
Enter a Value for the registry key.
Tick the 64-bit check box to use the 64-bit registry
store. Leave this check box unticked to use the 32-bit registry
store.
The following example values would create a rule to ensure the client
device contains a registry key
HKEY_LOCAL_MACHINE\SOFTWARE\zta with a value
123:
Rootkey: HKEY_LOCAL_MACHINE
Subkey: SOFTWARE
Key Type: string
Key: zta
Value: 123
64-bit: ticked
Options for Risk Sense Rules
RiskSense provides vulnerability management and prioritization to
measure and control cybersecurity risk. The cloud-based RiskSense
platform uses a foundation of risk-based scoring, analytics to identify
critical security weaknesses with corresponding remediation action
plans, dramatically improving security and IT team efficiency and
effectiveness.
Integrating RiskSense's Vulnerability Risk Rating (VRR) scores with
nZTA provides an additional layer of security by isolating and
preventing vulnerable devices from connecting to the nZTA network thereby
protecting enterprise resources.
This rule type is applicable to Windows only.
Enter the Rule Name.
Enter the Rule Details.
Select Risk Level and select one of the
following options:
Low
Medium
High
Critical
Select Action and select one of the following
options:
Allow: Select this to allow access when the risk level is low or
medium.
Block: Select this to block the access based on the risk level.
Notify: Select this to notify the user about the risk
identified.
- A RiskSense Alert will not be generated if the RiskSense device policy is enforced on the enrollment sign-in URL.
- A RiskSense device policy should always be enforced on the authentication login URL.
Options for System Integrity Rules
This rule type is applicable to macOS devices only.
To enable this rule type, select Enable.
Options for Time of Day Rules
This rule type applies a resource restriction (allow or deny access)
based upon a specified period frequency within a defined date and time
range. Enter the following parameters:
Select the frequency with which you want the rule to apply inside
the date range you specify:
Custom: Apply the rule for the whole period
continuously between the start date/time and end date/time.
Daily: Apply the rule for the specified days in
each month. Enter a comma-separated list of numerical days (1-31), for
example: "1,5,19,28".
Weekly: Apply the rule for the specified days of
each week. For Select Days, select the checkbox for
each day on which you want the rule to apply.
Monthly: Apply the rule for all days in the
specified months. For Month, select one or more months
from the drop-down list.
Enter the Start Date and End
Date to apply to the selected period frequency. For custom
rules, the date range entered here is continuous. For daily, weekly, and
monthly rules, each day in the range is executed individually according
to the selected times and frequency.
Start and end date values are optional for Daily,
Weekly, and Monthly frequencies. If
not specified, the rule applies indefinitely.
Enter the Start Time and End
Time to apply to the selected period frequency. For custom
rules, the times are applied with the corresponding start and end date
to provide a continuous period within which the rule applies. For daily,
weekly, and monthly rules, the times are applied for each day in the
schedule.
All times are applied as UTC timezone values. Your nZTA
Gateways must also use UTC time for the rule schedule to apply.
Time periods for daily, weekly, and monthly rule frequencies are
restricted to the 24 hours in a single day, such that you cannot enter
an end time that is earlier than the start time. Therefore, where you
want to apply a rule allowing access for a time period that spans
midnight into the next day, add separate rules for each day in the
range, each covering the time period for that day only. For example, to
allow access during the period 21:00 Monday until 12:00 Tuesday,
configure the following rules:
Rule 1: Period: weekly, Days: Monday, Start Time: 21:00, End Time: 23:59, Mode: allow
Rule 2: Period: weekly, Days: Tuesday, Start Time: 00:00, End Time: 11:59, Mode: allow
Choose the Mode that should apply during the
specified times:
allow: Devices accessing resources to which this
policy is applied are authorized only during the selected days
and times.
deny: Devices accessing resources to which this
policy is applied are not authorized during the selected days
and times.
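The following Python is an added example, not Ivanti code, that models the time-of-day rule behaviour described above: the four frequencies, the optional date range, evaluation in UTC at minute granularity, rejection of a daily, weekly or monthly window whose end time precedes its start time, and the two-rule workaround for the 21:00 Monday to 12:00 Tuesday window combined with the "any of the above rules" requirement from the Rule Requirement section. The field names, the sample rules and the March 2024 dates are constructed for the demonstration.

```python
"""Evaluate nZTA-style time-of-day rules against a UTC timestamp.

Added example, not Ivanti code. Models the frequencies the page lists
(custom, daily, weekly, monthly), the optional date range, the UTC
requirement, the same-day restriction on start/end times, and the two-rule
workaround for a window that crosses midnight. Field names and sample rules
are constructed for the demonstration."""
from dataclasses import dataclass, field
from datetime import date, datetime, time, timedelta, timezone
from typing import Iterable, Optional, Set

@dataclass
class TimeOfDayRule:
    frequency: str                 # "custom" | "daily" | "weekly" | "monthly"
    start_time: time
    end_time: time
    mode: str = "allow"            # "allow" | "deny"
    start_date: Optional[date] = None
    end_date: Optional[date] = None
    days_of_month: Set[int] = field(default_factory=set)  # daily: 1-31
    weekdays: Set[int] = field(default_factory=set)       # weekly: 0=Mon .. 6=Sun
    months: Set[int] = field(default_factory=set)         # monthly: 1-12

    def __post_init__(self) -> None:
        if self.frequency == "custom":
            if self.start_date is None or self.end_date is None:
                raise ValueError("custom frequency needs a start and an end date")
        elif self.end_time < self.start_time:
            # Daily, weekly and monthly windows cannot cross midnight; the page
            # says to split such a window into one rule per day instead.
            raise ValueError("end time earlier than start time; use one rule per day")

    def in_schedule(self, when: datetime) -> bool:
        """True when this rule's schedule covers `when`, which must be UTC."""
        if when.utcoffset() != timedelta(0):
            raise ValueError("evaluate with a timezone-aware UTC datetime")
        when = when.replace(second=0, microsecond=0)  # the UI takes HH:MM
        if self.frequency == "custom":  # one continuous period, may cross midnight
            start = datetime.combine(self.start_date, self.start_time, timezone.utc)
            end = datetime.combine(self.end_date, self.end_time, timezone.utc)
            return start <= when <= end
        d, t = when.date(), when.time()
        if self.start_date and d < self.start_date:
            return False
        if self.end_date and d > self.end_date:
            return False
        if self.frequency == "daily":
            day_ok = d.day in self.days_of_month
        elif self.frequency == "weekly":
            day_ok = d.weekday() in self.weekdays
        elif self.frequency == "monthly":
            day_ok = d.month in self.months
        else:
            raise ValueError(f"unknown frequency {self.frequency!r}")
        return day_ok and self.start_time <= t <= self.end_time

def rule_passes(rule: TimeOfDayRule, when: datetime) -> bool:
    """An allow rule passes inside its schedule; a deny rule passes outside it."""
    inside = rule.in_schedule(when)
    return inside if rule.mode == "allow" else not inside

def policy_passes(rules: Iterable[TimeOfDayRule], when: datetime, requirement: str) -> bool:
    """Combine rule outcomes using the policy's Rule Requirement (all/any)."""
    results = [rule_passes(r, when) for r in rules]
    if requirement == "all":
        return all(results)
    if requirement == "any":
        return any(results)
    raise ValueError("requirement must be 'all' or 'any'")

# Constructed sample policies: (rule requirement, rules).
SAMPLES = {
    # The page's example: 21:00 Monday to 12:00 Tuesday as two weekly allow
    # rules combined with "any of the above rules".
    "overnight_any": ("any", [
        TimeOfDayRule("weekly", time(21, 0), time(23, 59), weekdays={0}),
        TimeOfDayRule("weekly", time(0, 0), time(11, 59), weekdays={1}),
    ]),
    # A deny rule covering all of Saturday and Sunday.
    "weekend_deny": ("all", [
        TimeOfDayRule("weekly", time(0, 0), time(23, 59), mode="deny", weekdays={5, 6}),
    ]),
    # A custom window from 18:00 on 1 March to 06:00 on 2 March 2024.
    "custom_overnight": ("all", [
        TimeOfDayRule("custom", time(18, 0), time(6, 0),
                      start_date=date(2024, 3, 1), end_date=date(2024, 3, 2)),
    ]),
}

def sample_allows(name: str, when_iso: str) -> bool:
    """Evaluate a sample policy at an ISO-8601 UTC timestamp (e.g. 2024-03-04T22:30:00+00:00)."""
    requirement, rules = SAMPLES[name]
    return policy_passes(rules, datetime.fromisoformat(when_iso), requirement)
```

Two details worth checking in your own deployment: the pair of weekly rules only reproduces the overnight window if the policy's Rule Requirement is "Any of the above rules" (with "All", no single moment satisfies both), and because the UI takes minutes, an end time of 23:59 covers the whole final minute, so 23:59:45 on Monday is still inside Rule 1 here.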
Setting Global Device Preferences
nZTA enables a system administrator to configure settings
that control and restrict the functionality available in Ivanti
Secure Access Client when a user enrolls their device with the
Controller. Using the settings provided, you can control if
your users are able to perform functions inside the Ivanti Secure
Access Client application such as adding or removing connections,
disconnecting from the Controller, or exiting the application
completely.
Changes are replicated out to your end user devices at the point they
next connect to the Controller.
To take advantage of the restriction settings described in this
section, your users must be running the Ivanti Secure Access
Client version applicable to nZTA 20.12 or later. To learn
more about supported software versions, see the Release
Notes.
These settings affect Windows and macOS desktop clients only.
Ivanti Secure Access Client Linux variants are currently not
supported.
To configure Ivanti Secure Access Client settings for your
user's devices:
Log into the Tenant Admin Portal.
Click Secure Access > Manage Devices.
Click the Global Device Preferences tab.
Configuring Global Device Preferences
Through this page, you can configure the following settings for
Ivanti Secure Access Client on your end-user devices:
Ivanti Secure Access Client Settings
Each setting is listed with its category and default value.
Enrollment URL (Enrollment; default: None)
A tenant-specific end-user enrollment URL. This setting is read-only, and can be used to inform your users of the correct nZTA enrollment URL.
Override Classic VPN (PCS/PPS) Settings (Enrollment; default: No)
If your users use Ivanti Secure Access Client to simultaneously connect to classic VPN products from Ivanti, such as PCS or PPS, enable this setting to allow the nZTA settings on this page to take precedence over any equivalent settings configured by the classic VPN. If you disable this option, Ivanti Secure Access Client functionality is determined by the classic VPN product you are connected to.
Restrict Settings for Non-Admin Users Only (Enrollment; default: No)
By default, Application Control and Connection Control settings are enforced for all users. Enable this setting to apply the restrictions on this page to non-admin client device users only; admin users are unaffected. For example, with this setting enabled, if Allow Disconnect Connection is set to "No", a non-admin user is not allowed to disconnect a nZTA connection in the Ivanti Secure Access Client application, whereas an admin user retains this capability.
Start With Splash Screen (Application Control; default: Yes)
Display the splash screen when launching the Ivanti Secure Access Client application.
Disallow Pulse Application Exit (Application Control; default: No)
Prevent the end user from exiting the Ivanti Secure Access Client application.
Enable Embedded Browser (Application Control; default: Yes)
Enables PSAL to follow the browser extension path, so that Chrome and Edge browsers can install and launch Ivanti Secure Access Client.
Suppress EUP Auto Launch (Application Control; default: No)
Prevent the end user portal from launching automatically.
Allow Add New Connection (Connection Control; default: Yes)
Allow the end user to add new connections in Ivanti Secure Access Client.
Allow Delete Connection (Connection Control; default: Yes)
Allow the end user to delete connections in Ivanti Secure Access Client.
Allow Disconnect Connection (Connection Control; default: Yes)
Allow the end user to disconnect a nZTA connection in Ivanti Secure Access Client.
Save User Credentials (Connection Control; default: No)
By default, users cannot save and re-use their username and password credentials with a nZTA connection. Enable this setting to allow credentials to be saved.
Enable Always on Mode (Always on and Lock Down Mode; default: No)
Always-on mode makes Ivanti Secure Access Client establish a connection that is always active, and prevents users from manually connecting or disconnecting the nZTA connection.
Enable Lock Down Mode (Always on and Lock Down Mode; default: No)
If the tunnel is disconnected for any reason, the machine has only the limited connectivity (traffic allowed by exception rules) required to re-establish the tunnel. Always-on mode with Lock Down mode enabled denies all network traffic until connected via the nZTA connection. Exception rules can be set up to allow specific network traffic.
Configuring Lock Down Mode
To enable Lock down this connection option, follow the below
steps:
Select Secure Access > Manage Devices > Global
Device Preferences.
Select Enable Always ON mode and Enable
LockDown Mode option.
Click View Exceptions. When Always-on mode with Lock Down mode is
enabled, an admin can add exceptions beyond the Core Access Rules by
defining exception rules. Exceptions already built into the client are
called Core Access Rules; DHCP, DNS, Kerberos, LDAP, SMP and Portmapper
are preconfigured as Core Access Rules in the client. Exception rules
exempt additional types of traffic from the lockdown.
Click Add to add exception.
Lock Down configuration
Select the Platform (Windows/Mac).
Enter the exception Name and
Description.
Select the type:
Program
Port
Custom
Select the traffic type.
Inbound traffic is always directed towards user’s machine.
Outbound traffic is always directed towards outside the
machine.
Select Allow or Deny actions to configure the exception rules.
Click Add Exception.
Downloading Device Preferences for use with an External Service
nZTA provides the facility to download a file containing the
device preferences and settings on the Global Device
Preferences tab, in JSON format, for use with external Mobile
Device Management (MDM) and Mobile Application Management (MAM)
services, such as Microsoft Intune or Jamf (for Apple
devices). This can be useful in enabling your end-users to receive the
Ivanti Secure Access Client package from your MDM/MAM service
along with preset configuration representing your specific enrollment
details. Thus, your end-users need not perform post-installation
configuration of Ivanti Secure Access Client, and can instead
connect straight to the nZTA service.
To download the device preferences file, use the Download
icon at the top of the page:
Downloading Global Device Preferences as a JSON file
This link activates a download dialog to save the device preferences
file, in JSON format, to your local workstation.
To use the device preferences file with Ivanti Secure Access
Client, base64-encode the JSON contents. This is necessary to
enable the JSON structure to be presented as a singular string input
argument to the Ivanti Secure Access Client package. Several
freely-available applications such as text editors, or online services,
provide this facility.
Then, to specify the configuration as a command-line argument to the
Ivanti Secure Access Client package executable, copy and paste
the encoded string into the JSONCONFIG argument using
the following syntax:
Browser-based interfaces such as Intune provide command-line argument
specifiers as part of the application definition. Enter the complete
argument=value string as shown above.
Providing the JSONCONFIG argument as part of the application
definition on your end-user devices means that Ivanti Secure Access
Client is installed fully-configured with the enrollment details
provided by the downloaded device preferences file.
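As an added example, not Ivanti's tooling, the following Python prepares a downloaded preferences document for the JSONCONFIG argument and checks the result before it is pasted into an application definition. The keys in SAMPLE_PREFERENCES are constructed placeholders (the real file contains whatever the Controller exports), and the JSONCONFIG=<value> string is the argument=value shape the page refers to. The decode step uses strict base64 validation so that a value damaged by a line-wrapping encoder or a stray newline from a copy-and-paste is caught, rather than silently producing a client with no enrollment details.

```python
"""Prepare Global Device Preferences JSON for the JSONCONFIG argument.

Added example, not Ivanti code. The page says the downloaded JSON must be
base64-encoded into a single string and supplied as an argument=value pair
named JSONCONFIG. The keys in SAMPLE_PREFERENCES are constructed placeholders
and the exact "JSONCONFIG=<value>" form is an assumption about that pair."""
import base64
import json

# Constructed stand-in for the downloaded file; real keys come from the Controller.
SAMPLE_PREFERENCES = {
    "enrollmentUrl": "https://tenant.example.com/enroll",
    "allowAddNewConnection": True,
    "saveUserCredentials": False,
}

def encode_jsonconfig(preferences: dict) -> str:
    """Return JSONCONFIG=<base64 of compact JSON>: one token, no line breaks."""
    compact = json.dumps(preferences, separators=(",", ":"), sort_keys=True)
    encoded = base64.b64encode(compact.encode("utf-8")).decode("ascii")
    return f"JSONCONFIG={encoded}"

def decode_jsonconfig(argument: str) -> dict:
    """Recover the preferences from an argument string, rejecting a damaged value.

    validate=True makes b64decode fail on any character outside the base64
    alphabet, which is how a wrapped or whitespace-polluted value is caught.
    """
    name, sep, value = argument.partition("=")
    if name != "JSONCONFIG" or not sep or not value:
        raise ValueError("expected JSONCONFIG=<base64>")
    return json.loads(base64.b64decode(value, validate=True))

def round_trips(preferences: dict) -> bool:
    """True when encoding then decoding returns the same preferences."""
    return decode_jsonconfig(encode_jsonconfig(preferences)) == preferences

def is_well_formed(argument: str) -> bool:
    """True when the argument decodes to JSON; binascii and JSON errors are ValueErrors."""
    try:
        decode_jsonconfig(argument)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    print(encode_jsonconfig(SAMPLE_PREFERENCES))
```

Run it against the real download by loading the file with json.load and passing the result to encode_jsonconfig; encoding locally with this script or your workstation's base64 tool also avoids pasting tenant configuration into a third-party web service. If you use a command-line base64 tool instead, check that it does not wrap output at 76 columns, which is exactly the failure is_well_formed is designed to detect.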
When using this mechanism to update an end-user device that has
Ivanti Secure Access Client already installed, the Ivanti
Secure Access Client software is upgraded as necessary, but
pre-existing nZTA connections remain unaffected.
To learn more about how this facility might be used with your own
MDM/MAM service, contact your support representative.