Skip to main content
Version: Next Gen

Rules

Create a policy rule

  1. Click Policy under Tools.

  2. Click Add rules to your policy to open the Policy Editor page.

    Add rules

  3. Click Add rule.

    Policy page

  4. On the Add rule dialog, select Authentication as the transaction type under For any transaction.

    Add rule dialog

  5. Click Add attribute and select one or more attributes for this rule.

    TypePlatformNameDescriptionSource
    Any userN/Ahas registered device(s)Checks how many devices a user has registered. For example if a user in the Accounting group has more than 5 registered devices, it could indicate a risk. Beyond Identity Cloud
    Any userN/Ais in user groupChecks whether a user is a member of a user group.Beyond Identity Cloud
    Any device platformN/AN/AChecks whether the OS on a device is supported by your organization.Beyond Identity Authenticator
    Any device platformAndroidDevice Root isChecks whether a device has been rooted so you can deny authentication.Queries files and packages that would indicate a root.
    Any device platformAndroidDevice has authenticationChecks whether device authentication is required. If not, you may want to deny authentication because the device can connect to unsecure internet connections.Android KeyguardManager API
    Any device platformAndroidAuthentication method enabledChecks the type of authentication on the device such as
    • Biometric
    • PIN or Password
    Android KeyguardManager API
    Any device platformAndroidAPI LevelChecks the version of the framework API.The SDK version of the software currently running on the device. 
    Any device platformChromeOS with Android PAN/AChecks whether the device is a Chromebook using ChromeOS and the Android authenticator. 
    Any device platformiOSDevice jailbreak isChecks whether a device has been jailbroken so you can deny authentication.Checks for a jailbreak.txt file and whether the device can access cydia or the shell.
    Any device platformiOSDevice has authenticationChecks whether device authentication is required. If not, you may want to deny authentication because the device can connect to unsecure internet connections. Apple canEvaluatePolicy API 
    Any device platformiOSAuthentication method enabledChecks the type of authentication on the device such as 
    • Biometric
    • PIN
    • PIN and Password
    Apple canEvaluatePolicy API 
    Any device platformiOSVersionChecks the major and minor version of the device. Apple operatingSystemVersionString API 
    Any device platformLinuxInstalled Security Software isChecks whether security software, such as CrowdStrike is installed on the device. 
    Any device platformLinuxProcess running containsChecks whether the name of a process is running on the device.osquery
    Any device platformLinuxProcess running does not containChecks to make sure a process is not running on the device.osquery
    Any device platformLinuxSystem disks encrypted isChecks whether the disk is encrypted. Beyond Identity Authenticator
    Any device platformLinuxFile existsChecks whether a file you specify exists on the device. osquery 
    Any device platformLinuxOS versionChecks the OS version on the device. osquery 
    Any device platformLinuxTPM versionChecks whether the authenticating device does not have TEE (Trusted Execution Environment OR TPM/Secure Enclave).osquery 
    Any device platformmacOSAntivirus isChecks whether the authenticating device has antivirus disabled.Queries XProtect plist file 
    Any device platformmacOSFirewall isChecks whether the authenticating device has a disabled firewall.Queries firewall plist file 
    Any device platformmacOSInstalled Security Software is Checks whether security software, such as CrowdStrike is installed on the device.Queries files for specific apps 
    Any device platformmacOSApp installed containsChecks whether an app you specify has a specific version installed. This is useful for locating unsupported versions of apps in your environment.osquery 
    Any device platformmacOSFile existsChecks whether a file you specify exists on the device.osquery 
    Any device platformmacOSPlist key value containsChecks whether the preference file contains a specific value for the:
    • Path
    • Key
    • Subkey
    • Number or String
    • Value
    osquery 
    Any device platformmacOSProcess running contrainsChecks whether the name of a process is running on the device.osquery 
    Any device platformmacOSProcess running does not containChecks to make sure a process is not running on the device.osquery 
    Any device platformmacOSUser FileVault isChecks whether the authenticating device has FileVault disabled.Queries FDE status 
    Any device platformmacOSOS versionChecks the OS version on the device. Apple operatingSystemVersionString API 
    Any device platformWeb AuthenticatorChecks whether the connecting device is using a browser to authenticate. 
    Any device platformWindowsAntivirus isChecks whether the authenticating device has antivirus disabled.Microsoft Windows Security Center API 
    Any device platformWindowsFirewall isChecks whether the authenticating device has a disabled firewall.Microsoft Windows Security Center API 
    Any device platformWindowsInstalled Security Software isChecks whether security software, such as CrowdStrike is installed on the device.Microsoft Windows Security Center API
    Any device platformWindowsDomain Name containsChecks whether the device is on an approved Windows domain.  
    Any device platformWindowsFile existsChecks whether a file you specify exists on the device. osquery 
    Any device platformWindowsApplication installed containsChecks whether an app you specify has a specific version installed. This is useful for locating unsupported versions of apps in your environment.osquery 
    Any device platformWindowsProcessing running containsChecks whether the name of a process is running on the device.osquery 
    Any device platformWindowsProcess running does not containChecks to make sure a process is not running on the device.osquery 
    Any device platformWindowsRegistry Key existsChecks whether the name of a registry key exists. osquery 
    Any device platformWindowsRegistry Key valueChecks whether a specific value for a registry key exists. osquery 
    Any device platformWindowsService installed containsChecks if Windows services are installed.osquery 
    Any device platformWindowsService running containsChecks whether a specific Windows service is running.osquery 
    Any device platformWindowsSystem Disks Bitlocker isChecks whether BitLocker has been enabled on the device.Microsoft BitLocker API
    Any device platformWindowsVersionChecks the OS version on the device.Microsoft Environment AP 
    Any integrationCrowdStrike FalconZero Trust Assessment ScoreChecks the device's zero trust score.Crowdstrike Host API 
    Any integrationCrowdStrike FalconDevice foundChecks whether CrowdStrike is able to collect data on the device.Crowdstrike Host API 
    Any integrationCrowdStrike FalconConnection isChecks whether the device is connected to CrowdStrike.Crowdstrike Host API 
    Any integrationCybereasonSensor foundChecks whether the Cybereason Silent Sensor is available on the device.Cybereason API
    Any integrationCybereasonPrevention statusChecks whether Cybereason prevention is enabled or not installed. Cybereason API 
    Any integrationIntuneConnection isChecks whether the device is connected to Intune.Microsoft Graph API 
    Any integrationIntuneRegistrationChecks the device's registration status for Intune.Microsoft Graph API 
    Any integrationJAMFConnection isChecks whether the device is connected to JAMF.Jamf Pro API 
    Any integrationJAMFManaged state isChecks whether the device is managed by JAMF.Jamf Pro API 
    Any integrationJAMFMobile Device Managed State isChecks whether the mobile device is managed by JAMF.Jamf Pro API 
    Any integrationKandjiAPI isChecks whether the Kandji API is available on the device.Kandji API 
    Any integrationKandjiDevice is managedChecks whether the device is managed by Kandji.Kandji API 
    Any integrationSentinelOneAgent is activeChecks whether the SentinelOne agent is in use.SentinelOne API 
    Any integrationSentinelOneAgent is decommissionedChecks whether the agent is in a  decomissioned state while the device is under maintenance, the user is on vacation, etc. SentinelOne API 
    Any integrationSentinelOneAgent operational stateChecks the status of the SentinelOne agent on the device.SentinelOne API 
    Any integrationSentinelOneConnection isChecks whether the device is connected to SentinelOne.SentinelOne API 
    Any integrationSentinelOneDevice foundChecks whether SentinelOne is able to collect data on the device.SentinelOne API 
    Any integrationWorkspace oneUEMChecks whether the device is connected to Workspace ONE.VMWare AirWatch API 
    Any integrationWorkspace oneUEMChecks whether the device is enrolled in Unified Endpoint Management (UEM).VMWare AirWatch API 
    Any authenticator versionN/AAuthenticator versionChecks the version of the Beyond Identity Authenticator installed on the device. Beyond Identity Authenticator 
  6. Click whether to Allow or Deny this transaction based on the attributes in this rule.

    • Allow - Stops processing the rules if the criteria is met and will allow the transaction to complete.

    • Allow W/ OS Verification - Stops processing the rules if the criteria is met and will allow the  transaction to complete once the user verifies their identity using their operating system. 

    • Deny - Stop processing the rules. and will deny the transaction.

  7. Click Add rule at the bottom of this dialog to add this rule to the policy.

    Policy Editor

  8. Repeat steps 3-7 to add more rules to this policy.

  9. When finished adding rules, click Publish changes on the Policy Editor page.

    Publish changes on Policy Editor

  10. When prompted, confirm that you want to publish changes.

  11. If you have Device360, when you are returned to the Policy page, click Simulate to see how the rules would impact devices in your organization.

    Use policy simulation to validate and test policies that will allow or restrict access to devices and apps before pushing them out to your fleet. This helps to ensure that deployments are successfully rolled out the first time without disruptions to users.

View version history

From the Policy page, you can view or revert to previous policy versions. This is helpful if you test a new policy and realize it will block a number of users so you want to revert to the last valid version of the policy.

  1. On the Policy page, click View version history.

    View version history

  2. On the panel that pops out to the right, select a previous version of a policy.

    Policy version history

  3. Review the previous policy.

    Previous policy version

  4. To revert to this policy, click the publish this policy link in the blue banner message that displays at the top of the page.

  5. On the Policy Editor (restore version) page, click Restore Version.

    Restore version

  6. When prompted, confirm that you want to publish the previous version.

    Restore confirmation