Creating Device Policies and Device Rules

Introduction

Device Policies define the minimum standard a device must meet to be considered compliant with Ivanti Neurons for Zero Trust Access (nZTA). Device Policies are used when defining a nZTA Secure Access Policy for an application.

You create one or more Device Rules and then group them together to form a complete Device Policy.

devpol

FIGURE 78 Grouping device rules to create a device policy

Rules are created as one of the following types:

  • Antispyware: Checks compliance to designated anti-spyware requirements.

  • Antivirus: Checks compliance to designated anti-virus requirements.

  • Command: Runs a command on the client device to check against an expected value (macOS client devices only).

  • CVE check: Checks for protection against a list of publicly disclosed Common Vulnerability and Exposure (CVE) notices (Windows client devices only).

  • File: Checks for the existence of a known file on the client.

  • Firewall: Checks compliance to designated firewall requirements.

  • Hard Disk Encryption: If encryption software is installed on the client device, this rule type checks the device’s hard disks for applied encryption.

  • Location: Checks the client device’s geographic location matches, or avoids, a list of defined locations.

  • Mac Address: Checks the client device’s MAC address.

  • Netbios: Checks the client device’s Netbios domain name.

  • Network: Checks the client device complies with a defined IP address and netmask range.

  • OS: Checks the client device’s Operating System meets a defined minimum standard.

  • Process: Checks for the existence of a known process on the client.

  • Port: Checks the client device’s network interface ports.

  • Patch Management: If patch management software is installed on a client device, this rule type checks for the existence of missing software patches.

  • Registry: Checks for a value in a registry key (Windows client devices only).

  • Risk Sense: Supports Allow access, Block access and Notify based on the risk level.

  • System Integrity: Checks the system integrity of the client device (macOS client devices only).

  • Time of day: Checks resource access requests against compliance with a time-based access schedule.

Note

Restrictions exist for rule type availability on the following Ivanti Secure Access Client platform variants:

  • Android clients are limited to rules based on jail_break_root and OS.

  • iOS clients are limited to rules based on jail_break_root, OS, and Time of day.

  • Linux clients are limited to rules based on File, Port, and Process.

nZTA includes a number of built-in device rules and policies relating to antivirus software, suitable for general use. To learn more, see the Tenant Admin Guide.

Creating Device Rules

Before you begin, decide what kind of rule you want to create. For each rule type, make sure you have the supporting parameters. For example, if you are creating a Network rule, make sure you know the IP address and netmask range you want to apply. To learn more, see Introduction.

To create a device rule:

  1. Log into the Controller as a Tenant Admin.

  2. From the nZTA menu, select the Secure Access icon, then select Manage Devices > Device Rules.

    The Device Rules page appears. This page lists all device rules.

    devicerules

    FIGURE 79 Device Rules Page

  3. Click Create and then select Create Device Rules.

    The Add Device Policy Rules form appears.

    addnewrules

    FIGURE 80 Add a Device Rule

    Note

    At any point during this process, you can reset the form data by selecting Reset Fields. You can also view existing device rules in a pop-up dialog by selecting View Device Rules.

  4. Select Rule Type and select one of the following options:

    • Antispyware

    • Antivirus

    • Command

    • CVE check

    • File

    • Firewall

    • Hard Disk Encryption

    • Location

    • Mac Address

    • Netbios

    • Network

    • OS

    • Process

    • Port

    • Patch Management

    • Registry

    • Risk Sense

    • System Integrity

    • Time of day

  5. Enter a Rule Name for your device rule.

  6. (Optional) Enter a Rule Description for your device rule.

  7. The remaining options are dependent on the Rule Type you selected:

    For Antispyware and Firewall rules, see Options for Antispyware and Firewall Rules.

    For Antivirus rules, see Options for Antivirus Rules.

    For Command rules, see Options for Command Rules.

    For CVE check rules, see Options for CVE Check Rules.

    For File rules, see Options for File Rules.

    For Hard Disk Encryption rules, see Options for Hard Disk Encryption Rules.

    For Location rules, see Options for Location Rules.

    For Mac Address rules, see Options for MAC Address Rules.

    For Netbios rules, see Options for Netbios Rules.

    For Network rules, see Options for Network Rules.

    For OS rules, see Options for OS Rules.

    For Process rules, see Options for Process Rules.

    For Port rules, see Options for Port Rules.

    For Patch Management rules, see Options for Patch Management Rules.

    For Registry rules, see Options for Registry Rules.

    For Risk Sense rules, see Options for Risk Sense Rules.

    For System Integrity rules, see Options for System Integrity Rules.

    For Time of day rules, see Options for Time of Day Rules.

  8. Select Add to create the device rule.

    The new rule is added to the list of device rules.

Individual device rules cannot be referenced by a secure access policy. After you have created all required rules, you must organize them into device policies, see Creating Device Policies.

Options for Antispyware and Firewall Rules

  1. Select Platform and select one of the following options:

    • windows

    • mac

    Using the selected platform, nZTA populates the lists of Vendors and Products that can be selected for this rule.

  2. (Optional) Select Select Vendors and use the drop-down list to select or deselect one or more product vendors. When done, select anywhere outside of the list.

    Each selected vendor is added to the panel below the drop-down list. To remove a selection, select the corresponding X indicator.

  3. (Optional) Select Select Products and use the drop-down list to select or deselect one or more products. When done, select anywhere outside of the list.

    Each selected product is added to the panel below the drop-down list. To remove a selection, select the corresponding X indicator.

    Note

    While both Vendor and Product fields are optional, you must select at least one vendor or product for your rule.

  4. (Optional) To set advanced options for this rule, select Advanced Configuration.

    The following options are provided:

    • Enable monitoring of this rule in Ivanti Secure Access Client.

Options for Antivirus Rules

  1. Select Platform and select one of the following options:

    • windows

    • mac

    Using the selected platform, nZTA populates the lists of Vendors and Products that can be selected for this rule.

  2. (Optional) Select Select Vendors and use the drop-down list to select or deselect one or more product vendors. When done, select anywhere outside of the list.

    Each selected vendor is added to the panel below the drop-down list. To remove a selection, select the corresponding X indicator.

  3. (Optional) Select Select Products and use the drop-down list to select or deselect one or more products. When done, select anywhere outside of the list.

    Each selected product is added to the panel below the drop-down list. To remove a selection, select the corresponding X indicator.

    Note

    While both Vendor and Product fields are optional, you must select at least one vendor or product for your rule.

  4. Select Enforcement Level and select one of the following options:

    • high

    • moderate

    • low

  5. (Optional) To set advanced options for this rule, select Advanced Configuration.

    The following options are provided:

    • Add a maximum allowed time limit since the last successful system scan, in days.

    • Add a maximum allowed age limit for the most recent virus definition file update, either by number of available updates or by number of days.

    • Enable monitoring of this rule in Ivanti Secure Access Client.

Options for CVE Check Rules

Note

This rule type is applicable to Windows devices only.

  1. Select one of the following options:

    • To check all supported CVEs, select Require all supported CVE checks.

    • To check a list of specific CVEs, select Check for specific CVE, then use the Select CVE Checks drop-down control to select or deselect CVEs to be included.

      Note

      To remove a selected CVE from the list, select the “X” button adjacent to the CVE tag.

Options for Command Rules

Note

This rule type is applicable to macOS devices only.

In this release, Command Type is limited to “Defaults Read Command” only. This runs the /usr/bin/defaults read command on the client device.

  1. Enter a value in Argument1 to represent the path of the Property List file to read. For example, /Applications/Utilities/Terminal.app/Contents/Info.plist.

  2. Enter a value in Argument2 to represent the property key name. For example, CFBundleShortVersionString.

  3. Enter one or more Expected Values to be returned by the command, as a comma-separated list. “*” (wildcard) values are also accepted.

Options for File Rules

Note

This rule type is applicable to Windows and macOS devices only.

  1. Select Platform and select one of the following options:

    • windows

    • mac

    • linux

  2. Enter a full file name and path in File Name. For example, “c:test.txt” or “/Users/exampleuser/Downloads/test.txt”.

  3. Select Checksum Type and select one of the following options:

    • md5

    • sha256

  4. Enter the Checksum value for the file.

  5. Select Mode and select one of the following options:

    • allow. Select this to allow access where the file exists and is valid.

    • deny. Select this to deny access if the file does not exist or is invalid.

Options for Location Rules

  1. Select Mode and select one of the following options:

    • allow. Select this to enable access for devices identified as being present at one of the set locations in the rule.

    • deny. Select this to disallow access for devices identified as being present at one of the set locations in the rule.

  2. Use the “Add a location” section to define one or more geographic locations to which the current Mode applies:

    • Select a Country, State (optional), and City (optional).

    • To add the location, select Add.

  3. Repeat the above steps for each location you want to add to the rule. Multiple “allow” and “deny” locations are possible in a single rule, with each added location identified by a green (allow) or red (deny) tag in the list.

    Note

    To remove a location, select the “X” button adjacent to the location tag.

Options for Hard Disk Encryption Rules

Note

This rule type is applicable to Windows and macOS devices only.

  1. Select the device Platform to which this rule applies.

  2. Select the Vendors and associated encryption Products you want this rule to check.

  3. Choose which hard drives you want the rule to check:

    • To check all drives detected on the client device, select All Drives.

    • To check specific drives on the client device, select Specific Drives, then enter the drive identifiers required.

  4. Select Advanced Configuration to provide additional rule configuration:

    • (Specific drives only) To ensure the rule does not trigger a failure where one or more of the specified drives are not detected, select Consider policy as passed if the drives are not detected.

    • To ensure the rule does not trigger a failure where detected drives are currently undergoing encryption, but are not yet fully encrypted, select Consider policy as passed if the drive encryption is in progress.

Options for MAC Address Rules

  1. Select Platform and select one of the following platform options:

    • windows

    • mac

  2. Enter the MAC address as a comma-separated list (without spaces) of MAC addresses in the form HH:HH:HH:HH:HH:HH where the HH is a two-digit hexadecimal number. Duplicate MAC addresses are not supported.

  3. Select Mode and select one of the following options:

    • allow. Select this to enable access from a listed MAC address.

    • deny. Select this to disallow access from a listed MAC address.

Options for Netbios Rules

  1. Select Platform and select one of the following platform options:

    • windows

    • mac

  2. Enter the Netbios domain Names as a comma-separated list (without spaces) of domain names. Each name can be 15 characters. Duplicate names are not supported.

  3. Select Mode and select one of the following options:

    • allow. Select this to enable access from a listed Netbios domain name.

    • deny. Select this to disallow access from a listed Netbios domain name.

Options for Network Rules

  1. Enter the IP Address and Netmask from which you want to either allow or deny access.

  2. Select Mode and select one of the following options:

    • allow. Select this to enable access for the given IP address and netmask.

    • deny. Select this to disallow access for the given IP address and netmask.

Options for OS Rules

  1. Select Platform and select one of the following options:

    • windows

    • mac

    • ios

    • android

  2. The remaining fields are dependent on your choice of Platform:

    • Where you selected a platform of windows or mac, select OS Name and select an Operating System edition. For example, “Windows 2008” or “macOS Mojave”.

      Then, select OS Version and select the version number or service pack associated with that edition of the Operating System. For example, “SP2” or “10.14.3”. To not enforce the version number, select “Ignore”.

    • Where you selected a platform of ios or android, select Equality and select one of the following options pertaining to how you want to enforce Operating System versions numbers:

      • above

      • below

      • equal

      Then, select OS Version and select the version number you want to check against.

Options for Process Rules

Note

This rule type is applicable to Windows and macOS devices only.

  1. Select Platform and select one of the following options:

    • windows

    • mac

    • linux

  2. Enter a Process Name. For example, “explorer.exe”.

  3. Select Checksum Type and select one of the following options:

    • md5

    • sha256

  4. Enter the Checksum value for the process executable.

  5. Select Mode and select one of the following options:

    • allow. Select this to allow access where the process exists and is valid.

    • deny. Select this to deny access if the process does not exist or is invalid.

Options for Port Rules

  1. Select Platform and select one of the following platform options:

    • windows

    • mac

    • linux

  2. Enter the Ports as a comma-separated list (without spaces) of ports. Port ranges are supported. Duplicate ports are not supported.

  3. Select Mode and select one of the following options:

    • allow. Select this to enable access from a listed port.

    • deny. Select this to disallow access from a listed port.

Options for Patch Management Rules

Note

This rule type is applicable to Windows and macOS devices only.

  1. Select the device Platform to which this rule applies.

  2. Select the Vendors and associated patch management Products you want this rule to check the presence of.

  3. (Optional) Select Advanced Configuration to view more options:

    • Choose the Severity levels of missing patches you want to check in this rule:

      • Critical

      • Important

      • Moderate

      • Low

      • Unspecified/Unknown

    Note

    For some products, the patch severity level might not be detectable. In this case, select Unspecified/Unknown to detect missing patches.

    • Choose the Category types of missing patches you want to check in this rule:

      • Security Update

      • Rollup Update

      • Critical Update

      • Regular Update

      • Driver Update

      • Service Pack Update

      • Unknown

    Note

    For some products, the patch category might not be detectable. In this case, select Unknown to detect missing patches.

Options for Registry Rules

Note

This rule type is applicable to Windows devices only.

  1. Select Rootkey and select one of the following options:

    • HKEY_LOCAL_MACHINE

    • HKEY_USERS

    • HKEY_CURRENT_USER

    • HKEY_CURRENT_CONFIG

    • HKEY_CLASSES_ROOT

  2. Enter a Subkey for the registry path.

  3. Select Key Type and select one of the following key types:

    • string

    • dword

    • binary

  4. Enter a Key name.

  5. Enter a Value for the registry key.

  6. Tick the 64-bit checkbox to use the 64-bit registry store. Leave this checkbox unticked to use the 32-bit registry store.

The following example values would create a rule to ensure the client device contained a registry key HKEY_LOCAL_MACHINE\SOFTWARE\pzta with a value 123:

Field

Value

Rootkey

HKEY_LOCAL_MACHINE

Subkey

SOFTWARE

Key Type

string

Key

zta

Value

123

64-bit

ticked

Options for Risk Sense Rules

RiskSense provides vulnerability management and prioritization to measure and control cybersecurity risk. The cloud-based RiskSense platform uses a foundation of risk based scoring, analytics to identify critical security weaknesses with corresponding remediation action plans, dramatically improving security and IT team efficiency and effectiveness.

Integrating RiskSense’s Vulnerability Risk Rating (VRR) scores with nZTA provides an additional layer of security by isolating and preventing vulnerable devices from connecting to the ZTA network thereby protecting enterprise resources.

Note

This rule type is applicable to Windows only.

  1. Enter the Rule Name.

  2. Enter the Rule Details.

  3. Select Risk Level and select one of the following options:

    • Low

    • Medium

    • High

    • Critical

  4. Select Action and select one of the following options:

    • Allow: Select this to allow access when the risk level is low or medium.

    • Block: Select this to block the access based on the risk level.

    • Notify: Select this to notify the user about the risk identified.

Options for System Integrity Rules

Note

This rule type is applicable to macOS devices only.

  1. To enable this rule type, select Enable.

Options for Time of Day Rules

This rule type applies a resource restriction (allow or deny access) based upon a specified period frequency within a defined date and time range. Enter the following parameters:

  1. Select the frequency with which you want the rule to apply inside the date range you specify:

    • Custom: Apply the rule for the whole period continuously between the start date/time and end date/time.

    • Daily: Apply the rule for the specified days in each month. Enter a comma-separated list of numerical days (1-31), for example: “1,5,19,28”.

    • Weekly: Apply the rule for the specified days of each week. For Select Days, select the checkbox for each day on which you want the rule to apply.

    • Monthly: Apply the rule for all days in the specified months. For Month, select one or more months from the drop-down list.

  2. Enter the Start Date and End Date to apply to the selected period frequency. For custom rules, the date range entered here is continuous. For daily, weekly, and monthly rules, each day in the range is executed individually according to the selected times and frequency.

    Note

    Start and end date values are optional for Daily, Weekly, and Monthly frequencies. If not specified, the rule applies indefinitely.

  3. Enter the Start Time and End Time to apply to the selected period frequency. For custom rules, the times are applied with the corresponding start and end date to provide a continuous period within which the rule applies. For daily, weekly, and monthly rules, the times are applied for each day in the schedule.

    Note

    All times are applied as UTC timezone values. Your ZTA Gateways must also use UTC time for the rule schedule to apply.

    Note

    Time periods for daily, weekly, and monthly rule frequencies are restricted to the 24 hours in a single day, such that you cannot enter an end time that is earlier than the start time. Therefore, in cases where you want to apply a rule allowing access for a time period that spans across midnight into the next day, add separate rules for each day in the range covering the time period for that day only. For example, to allow access during the period 21:00 Monday until 12:00 Tuesday, configure the following rules:

    Rule 1: Period: weekly, Days: Monday, Start Time: 21:00, End Time: 23:59, Mode: allow Rule 2: Period: weekly, Days: Tuesday, Start Time: 00:00, End Time: 11:59, Mode: allow

  4. Choose the Mode that should apply during the specified times:

    • allow: Devices accessing resources to which this policy is applied are authorized only during the selected days and times.

    • deny: Devices accessing resources to which this policy is applied are not authorized during the selected days and times.

Creating Device Policies

You can create Device policies and attach to them one or more Device Rules as required. To learn more on creating device rules, see Creating Device Rules.

To create a device policy:

  1. Log into the Controller as a Tenant Admin.

  2. From the nZTA menu, select the Secure Access icon, then select Manage Devices > Device Policies.

    The Device Policies page appears. This page lists all current device policies.

    devicepolicies

    FIGURE 81 Add a new Device Policy

  3. Click Create and then select Create Device Policy.

    A form appears to enable you to create the device policy.

    addnewpolicy

    FIGURE 82 Add a new Device Policy

    Note

    At any point during this process, you can reset the form data by selecting Reset Fields. You can also view existing device policies in a pop-up dialog by selecting View Device Policies.

  4. Enter a Name for the device policy.

  5. Add a Description for the device policy.

  6. Select each of the listed Policy Rules that are required in the device policy.

  7. (Optional) In the Rule Requirement section: Specify for each end-user device Platform how you want to enforce your policy rules by choosing one of the following Rule Requirement options:

    • All of the above rules: The end-user device must comply with all rules defined in the policy.

    • Any of the above rules: The end-user device must comply with at least one of the defined rules in the policy.

    • Custom: The end-user device must comply with the conditions specified in a custom expression. Use the Custom Expression field to define an expression for the rules defined in this policy and how they should be evaluated. You can use the Boolean operators AND, OR and NOT, and also use parentheses to group or nest conditions.

      The following is a list of sample custom expressions:

      • customExpr

      • (customExpr)

      • NOT customExpr

      • customExpr OR customExpr

      • customExpr AND customExpr

      As an example, where a policy has associated with it the rules “Rule1”, “Rule2”, and “Rule3”, the following expression is valid: Rule1 AND (NOT Rule2 OR (NOT Rule3))

      When using custom expressions, consider the following points:

      • Using NOT: When using “NOT expr”, the negated expression evaluates to true if the outcome of expr is false and evaluates to false if the outcome of expr is true.

      • AND, OR, NOT precedence: These operators are evaluated from highest to lowest precedence in this order: NOT (from right), AND (from left), OR (from left).

      • A combination of any device rule is allowed in an expression, except location, time of day, and network rules. For example, the following expressions are not allowed:

        • Windows_Process AND Locationrule

        • Windows_Process AND Networkrule

        • Windows_Process AND Time-of-Day_Rule

    After you have set a platform and rule requirement, select Apply to add the entry. Then, repeat this procedure if you want to add any rule requirements for other device platforms.

    Note

    If you intend to add multiple rules of varying types to a device policy, be aware that individual rules might not by themselves guarantee allowed or denied access to an application depending on the outcome of other evaluated rules in a device policy, and the rule requirements settings configured here.

  8. (Optional) To provide custom remediation instructions for the policy, tick Enable Custom Instruction and enter your remediation text into Custom Instruction. This option also requires selection of a target Platform.

    These instructions are presented through Ivanti Secure Access Client when a device compliance check fails based on this policy.

    Note

    This feature is applicable to Windows, Mac, and Linux device policies only. Note also that custom instructions are restricted to a 500 byte limit and can contain only plain text or an HTML document with HREF links.

  9. Select Add.

    The new device policy appears in the list of Device Policies.

  10. Repeat steps 3-7 to create all required device policies.

Next Steps

After you have created your device policies, move on to define your applications. See Creating Applications and Application Groups.