Secure Mobile Access 12.4 Administration Guide

Using End Point Control Restrictions in a Community

When you’re creating a community, you have the option of restricting access to users based on the security of their client devices. To do this, specify which End Point Control zones are available to users in this community. There are four types of zones—Deny, Device, Quarantine, and Default. For more information on how to create and configure End Point Control zones, and the device profiles they use to classify connection requests, see Managing EPC with Zones and Device Profiles.

You can also set an inactivity timer, even if you don’t use End Point Control zones for a community, if your users access the appliance using the Connect Tunnel client.

To apply End Point Control restrictions for a community

  1. In the AMC, navigate to User Access > Realms.
  2. Click the link for the community you want to configure, and then click the End Point Control tab.

  3. Use a Deny zone if you have a device profile that is unacceptable in your deployment. You might, for example, want to deny access to any user who has Google Desktop installed on the PC with which they are trying to connect. Select (or create) an entry in the Deny zones list and click the >> button to move it to the In use list. Deny zones are evaluated first (if there’s a match, the user is logged off).

    To create a new EPC zone and then add it to the list, click the + (New) icon. For information on how to create a zone, see Defining Zones.

  4. You can assign one or more End Point Control Device zones to the community, which are used to determine which devices are authorized to access a community. If you don’t select a zone, community members are assigned to the default zone, which could limit or even deny access to resources, depending on your access policy. Select the checkbox for a zone in the Device zones list and then click the checkmark icon at the top of the list to add it to the In Use list.
  5. If the community references more than one zone, use Move Up and Move Down to arrange their order in the list. Zones are matched in the order they are listed, so it is important that you consider which devices are authorized in each zone. You should place your most specific zones at the top of the list.
  6. If a client device does not match a zone, use the settings in the Zone fallback options area to place it into the default zone, or quarantine the device and (optionally) display a customized page with text and links. See Creating a Quarantine Zone for more information.
  7. To set the Inactivity Timer (which is triggered when there is no keyboard or mouse activity) for community members, select a time limit (ranging from After 3 mins to After 24 hours or Never) from the End inactive user connections list. This is a Windows-only setting that is used by the network tunnel client.

    If End Point Control is not used in a community, or at all, the Inactivity Timer is still effective for user sessions, as the Default Zone will still be applied.

  8. Click Save to complete the configuration of the community.

    The appliance uses EPC interrogation to check for certain device profile attributes on the client and then classifies the device accordingly. If a Quarantine zone is your fallback option, and if EPC interrogation somehow fails, a device that would normally be quarantined may instead end up in the Default zone.
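The evaluation order these steps describe (Deny zones first, then Device zones in list order, then the fallback option) can be modeled in a few lines, which makes the ordering rule in step 5 concrete. The following Python is an added illustration and is not SonicWall code or the appliance's actual logic; the zone names, the profile attributes each zone requires, and the sample clients are all constructed, and treating a failed interrogation as always landing in Default is an assumption that models the caveat above.

```python
"""Model of the End Point Control zone evaluation order described above.

Added illustration, not SonicWall code. Zone names, required attributes and
the sample clients are constructed for this example.
"""
from dataclasses import dataclass, field

DEFAULT = "Default"
QUARANTINE = "Quarantine"


@dataclass
class Zone:
    """A zone and the device-profile attributes a client must present to match it."""
    name: str
    required: frozenset = field(default_factory=frozenset)

    def matches(self, attrs: frozenset) -> bool:
        # A profile matches when every required attribute was found on the client.
        return self.required <= attrs


def classify(attrs, deny_zones, device_zones, fallback=DEFAULT, interrogation_ok=True):
    """Return (zone name, action) for one connection request.

    Evaluation order follows the guide: Deny zones first (a match logs the
    user off), then Device zones in list order (first match wins), then the
    Zone fallback option (Default or Quarantine). The interrogation_ok flag
    models the caveat that a failed EPC interrogation can land a device in
    Default even when Quarantine is the fallback; treating that as the
    certain outcome is an assumption of this model, not documented behaviour.
    """
    attrs = frozenset(attrs)
    if not interrogation_ok:
        return DEFAULT, "allow"
    for zone in deny_zones:
        if zone.matches(attrs):
            return zone.name, "deny"
    for zone in device_zones:
        if zone.matches(attrs):
            return zone.name, "allow"
    if fallback == QUARANTINE:
        return QUARANTINE, "quarantine"
    return DEFAULT, "allow"


# Constructed zones (hypothetical names and attributes).
DENY_GOOGLE_DESKTOP = Zone("Deny-GoogleDesktop", frozenset({"google_desktop"}))
CORPORATE_MANAGED = Zone(
    "Corporate-Managed",
    frozenset({"domain_joined", "av_running", "disk_encrypted"}),
)
AV_ONLY = Zone("AV-Only", frozenset({"av_running"}))

# Constructed sample clients, expressed as the attributes interrogation found.
CORP_LAPTOP = {"domain_joined", "av_running", "disk_encrypted"}
HOME_PC = {"av_running"}
BARE_KIOSK = set()


def ordering_comparison(attrs):
    """Same client, two list orders: shows why specific zones belong at the top."""
    specific_first = classify(attrs, [DENY_GOOGLE_DESKTOP], [CORPORATE_MANAGED, AV_ONLY])
    general_first = classify(attrs, [DENY_GOOGLE_DESKTOP], [AV_ONLY, CORPORATE_MANAGED])
    return specific_first[0], general_first[0]


if __name__ == "__main__":
    deny, devices = [DENY_GOOGLE_DESKTOP], [CORPORATE_MANAGED, AV_ONLY]
    print(ordering_comparison(CORP_LAPTOP))
    print(classify(CORP_LAPTOP | {"google_desktop"}, deny, devices))
    print(classify(BARE_KIOSK, deny, devices, fallback=QUARANTINE))
    print(classify(BARE_KIOSK, deny, devices, fallback=QUARANTINE, interrogation_ok=False))
```

Running it shows the same corporate laptop placed in Corporate-Managed when the specific zone is listed first but in the less privileged AV-Only zone when the general zone precedes it, a client with Google Desktop denied regardless of the Device zone order, and an unclassifiable client quarantined only while interrogation succeeds.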
