Configure access policies for the applications
Access policies allow you to enable or disable access to the apps based on the user or user groups. In addition, you can enable restricted access to the apps (HTTP/HTTPS and TCP/UDP) by adding the security restrictions.
- In the admin console, click Access Policies.
- Click Create Policy.
- In the Create Access Policy page, select one of the following:
  - Users/User groups
  - Machines/Machine groups

  Application access rules are enforced based on a user’s or machine’s context, depending on the selection in the access policy.

  You can select Machines/Machine groups to enable Always On connectivity. For Always On connectivity, the device certificates must be enrolled. For details, see Device certificate enrollment configuration.

  For more information on the machine tunnel, see Always On VPN before Windows Logon.
- In Policy name, enter a name for the policy.
- In Applications, select the apps for which you want to enforce the access policies.
- In Users conditions, select the conditions and the users or user groups based on which app access must be allowed or denied:
  - Matches any of: Only the users or groups that match any of the names listed in the field are allowed access.
  - Does not match any: All users or groups except those listed in the field are allowed access.

  You can search for users by display name, email ID, or user principal name, so that you can identify and grant access to the correct user even if they have multiple accounts.
- Click Add condition to add another condition based on contextual tags. These tags are derived from the NetScaler Gateway.
- You can further refine access control by adding conditions based on contextual tags and Device Posture tags:
  - Contextual tags: Click Add condition and select Contextual tags. Select the logical expression from the drop-down menu and the contextual tag based on which the app access must be allowed or denied.
  - Device Posture check: Click Add condition. Select Device Posture check and the logical expression from the drop-down menu. Enter one of the following values in the custom tags:
    - Compliant: For compliant devices
    - Non-Compliant: For non-compliant devices
- In Actions, select the action that must be enforced on the app based on the condition evaluation:
  - Allow access
  - Allow access with restriction
  - Deny access

  Note:
  - The action Allow access with restriction is not applicable to TCP/UDP apps.
  - When you select Allow access with restriction, you must click Add restrictions to select the restrictions. For more information on each restriction, see Available access restrictions.
- Select the restrictions and then click Done.
- Select Enable policy on save. If you do not select this option, the policy is only created and is not enforced on the applications. Alternatively, you can enable the policy later from the Access Policies page by using the toggle switch.
Access policy priority
After an access policy is created, a priority number is assigned to the access policy, by default. You can view the priority on the Access Policies home page.
A lower priority value means higher preference: the policy with the lowest value is evaluated first. If its conditions do not match, the policy with the next priority number is evaluated, and so on.
You can change the priority order by moving the policies up or down by using the up-down icon in the Priority column.
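The evaluation order and condition semantics described above (priority order, the two user-match operators, the Device Posture tag, and the TCP/UDP caveat on restricted access), as an added illustrative model in Python. It is not Citrix's code; the app names, group names and the restriction name are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Illustrative model, not the product's code: policies are checked from the
# lowest priority value upward; the first enabled policy whose conditions match wins.
@dataclass
class App:
    name: str
    kind: str                           # "HTTP/HTTPS" or "TCP/UDP"

@dataclass
class Policy:
    name: str
    priority: int                       # lower value = evaluated first
    apps: set                           # application names the policy covers
    action: str                         # "Allow access", "Allow access with restriction", "Deny access"
    user_op: str = "Matches any of"     # or "Does not match any"
    users: set = field(default_factory=set)   # user names or group names
    posture: Optional[str] = None       # "Compliant", "Non-Compliant" or None (no posture condition)
    restrictions: set = field(default_factory=set)
    enabled: bool = True                # "Enable policy on save"

def validate(policy: Policy, apps: dict) -> list:
    """Flag what the page rules out: restricted access needs restrictions and is not applicable to TCP/UDP apps."""
    problems = []
    if policy.action == "Allow access with restriction":
        if not policy.restrictions:
            problems.append(f"{policy.name}: no restrictions selected")
        for a in policy.apps:
            if apps[a].kind == "TCP/UDP":
                problems.append(f"{policy.name}: restricted access not applicable to TCP/UDP app {a}")
    return problems

def user_matches(policy: Policy, user: str, groups: set) -> bool:
    listed = user in policy.users or bool(groups & policy.users)
    return listed if policy.user_op == "Matches any of" else not listed

def evaluate(policies: list, app: str, user: str, groups: set, posture: str) -> Optional[Tuple[str, str]]:
    """Return (policy name, action) from the first matching policy, or None when nothing matches."""
    for p in sorted(policies, key=lambda p: p.priority):
        if not p.enabled or app not in p.apps or not user_matches(p, user, groups):
            continue
        if p.posture is not None and p.posture != posture:
            continue
        return p.name, p.action
    return None

# Constructed sample configuration (placeholder names, not a real tenant).
APPS = {"Intranet": App("Intranet", "HTTP/HTTPS"), "RDP": App("RDP", "TCP/UDP")}
POLICIES = [
    Policy("deny-noncompliant", 1, {"Intranet", "RDP"}, "Deny access", "Matches any of", {"Employees"}, posture="Non-Compliant"),
    Policy("contractors-restricted", 2, {"Intranet"}, "Allow access with restriction", "Matches any of", {"Contractors"}, restrictions={"example-restriction"}),
    Policy("employees-allow", 3, {"Intranet", "RDP"}, "Allow access", "Does not match any", {"Contractors"}),
]
```

Moving the deny policy to a higher priority number than the broad allow lets a non-compliant device reach the app, which is the ordering mistake the priority column is there to catch.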
Next steps
- Validate your configuration from the client machines (Windows and macOS).
- For the TCP/UDP apps, validate your configuration from the client machines (Windows and macOS) by logging into the Citrix Secure Access client.