Using device based policies
Overview
In DefensX, policies are consistently executed based on users' group memberships. When Active Directory (AD) or Azure Active Directory (AzureAD) is in use, user group memberships are automatically detected by the DefensX Agent without requiring any additional configuration.
This approach offers a significant advantage in shared server environments such as Terminal Server, Citrix, or Azure Virtual Desktop Pool. Unlike other DNS-only solutions that treat all users on the same server uniformly, DefensX can apply distinct policies for different users even when they are logged into the same server simultaneously. This capability ensures that security and access controls are tailored to each user, enhancing both flexibility and security in multi-user environments.
However, you may want to apply additional restrictions when users are not using their own computers and are instead using shared computers. This document provides instructions for applying device-based policies.
Configuring Device Based Policies
Use Case Definition
To clarify the configuration process, consider the following scenario:
- Environment: The customer uses both Azure Virtual Desktop shared computers and personal notebooks.
- User Scenario:
  - When user John Doe uses his own notebook, he can visit streaming websites like hulu.com.
  - When John Doe logs into an Azure Virtual Desktop computer, accessing streaming websites should be blocked to conserve bandwidth and CPU resources on the shared computer.
Creating the Policies
To configure the policies as described:
- You need to create separate deployments for shared computers such as Azure Virtual Desktop or Terminal Servers.
- During the new deployment setup, enable "Create a Local Group" and "Create a Policy Group". You can also attach a User Group to a deployment and a policy later.
- In our example, the customer has two deployments:
  - Default Deployment
  - Shared PCs Deployment
In this case, policies should be created like this:
Key configuration points:
- John Doe's notebook is under the "Default" deployment.
- Azure Virtual Desktop and Terminal Servers are under the "Shared PCs" deployment.
- A policy named "Shared PCs" is created. Although deployment and policy names don't need to match, policies are evaluated against the user groups linked to the deployments and policies. Therefore, ensure the same user group is linked to both the deployment and the related policy.
- If multiple policies exist, the "Shared PCs" policy is evaluated first, following the display order in the backend.
- Streaming services are blocked in the "Shared PCs" policy and allowed in the "Default" policy.
Policy Execution
John Doe is not a member of the user group "Shared PCs". However, when he logs into an Azure Virtual Desktop computer under the "Shared PCs" deployment, his DefensX session on that computer automatically receives the "Shared PCs" user group from the deployment definition. As a result, the policy engine applies the "Shared PCs" policy first and blocks access to hulu.com.
When John Doe uses his personal notebook under the "Default" deployment, he is not attached to the "Shared PCs" user group. Therefore, the policy engine skips the "Shared PCs" policy and allows access to hulu.com based on the "Default" policy.
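The evaluation described above can be modelled in a few lines. The following is an added illustration, not DefensX code: it assumes that a session's effective groups are the user's directory groups plus the deployment's local group, that policies are walked in backend display order, and that "Default" is a catch-all policy with no linked group; the group and category names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Set, List

@dataclass
class Policy:
    name: str
    blocked_categories: Set[str]
    linked_group: Optional[str] = None  # None models a catch-all policy (assumed for "Default")

@dataclass
class Deployment:
    name: str
    local_group: Optional[str] = None   # group created with "Create a Local Group"

def effective_groups(ad_groups: Set[str], deployment: Deployment) -> Set[str]:
    """Session groups: directory groups plus the group the deployment adds (assumed model)."""
    groups = set(ad_groups)
    if deployment.local_group:
        groups.add(deployment.local_group)
    return groups

def resolve(policies: List[Policy], ad_groups: Set[str], deployment: Deployment) -> Optional[Policy]:
    """Return the first policy in display order whose linked group the session holds."""
    groups = effective_groups(ad_groups, deployment)
    for policy in policies:
        if policy.linked_group is None or policy.linked_group in groups:
            return policy
    return None

def is_allowed(policies: List[Policy], ad_groups: Set[str], deployment: Deployment, category: str) -> bool:
    """Allow the category unless the resolved policy blocks it; no policy means no access."""
    policy = resolve(policies, ad_groups, deployment)
    return policy is not None and category not in policy.blocked_categories

# Constructed scenario mirroring the page: John Doe is not in "Shared PCs" in AD.
SHARED = Policy("Shared PCs", {"streaming"}, linked_group="Shared PCs")
DEFAULT = Policy("Default", set())
POLICIES = [SHARED, DEFAULT]                      # "Shared PCs" listed first in the backend
NOTEBOOK = Deployment("Default")
AVD = Deployment("Shared PCs", local_group="Shared PCs")
JOHN_AD_GROUPS = {"Employees"}

if __name__ == "__main__":
    print(is_allowed(POLICIES, JOHN_AD_GROUPS, NOTEBOOK, "streaming"))  # True
    print(is_allowed(POLICIES, JOHN_AD_GROUPS, AVD, "streaming"))       # False
    # Reversing the display order lets the catch-all match first on the shared PC.
    print(is_allowed([DEFAULT, SHARED], JOHN_AD_GROUPS, AVD, "streaming"))  # True
```

The last call shows the ordering caveat: with "Default" listed above "Shared PCs", the shared-computer session would never reach the blocking policy.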
Summary
Using a specific deployment for shared computers is advisable for future planning. Even if device-based policies are not initially planned, this approach simplifies future changes.
Tip: You can change a computer's deployment later, although it requires additional steps. Starting with a specific deployment for shared computers from the beginning is recommended.
You can also check the logs and click on the "Check with current policies" button to verify how the policy engine executed for a specific log.