Workstyle Summary

You can view a summary of the Workstyles, Application Groups, and Messages in your policy for Mac by clicking the OS X node in the policy editor.

Some of these tabs may not be displayed if they have not been configured in your policy.

Overview

The Overview tab allows you to quickly access the following features of your policy:

  • General: Allows you to edit the description of your Workstyle and enable or disable it.
  • Totals: Allows you to configure Application Rules.
  • Filters: Allows you to configure filters.

Application Rules

Application Rules are applied to Application Groups. Each Application Rule is a set of rules that applies to the applications listed in its Application Group. Application Rules can be used to enforce allowlisting, monitor applications, and assign privileges to groups of applications.

You need an Application Group before you can create an Application Rule.

Application Rules are color coded in the interface:

An image example of Application Rules and their color coding in the Privilege Management interface.

  • Green: The default action is Passive (No Change) or Allow.
  • Orange: The default action is Block.

 

For more information, please see Application Groups.

Insert an Application Rule

Click Application Rules to view, create, or modify the following for each Application Rule:

  • Target Application Group: Select from the Application Groups list.
  • Default Action: Select from Passive (No Change), Allow Execution, or Block Execution. This is what happens when the end user launches an application in the targeted Application Group.
  • Default End User Message: Select whether a message is displayed to the user when they launch the application. We recommend using Messages if you're blocking the execution of the application so the end user has some feedback on why the application doesn't launch.

Auditing

  • Raise an Event: Select whether an event is raised when this Application Rule is triggered. The event is forwarded to the local event log file.

BeyondInsight Reporting Options

  • BeyondInsight Events: When configured, sends BeyondInsight events to BeyondInsight.
  • Privilege Management Reporting: When configured, sends Privilege Management Reporting events to BeyondInsight.

For more information, please see Application Groups.

Application Rule Precedence

If you add more than one Application Rule to a Workstyle, then entries that are higher in the list will have a higher precedence. Once an application matches an Application Rule, no further rules or Workstyles will be processed. If an application could match more than one Workstyle or rule, then it is important you order both your Workstyles and rules correctly. You can move Application Rules up and down to change the precedence.
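
The first-match behavior described above, modeled in Python as an added example (it is not BeyondTrust code and does not use the product's policy format). The group contents, Workstyle names, and the functions evaluate and shadowed_rules are hypothetical, and every Workstyle is assumed to pass its filters.

```python
# Constructed sample policy: Application Groups modeled as sets of bundle identifiers
GROUPS = {
    "All Apple Apps": {"com.apple.Terminal", "com.apple.Safari"},
    "Blocked Tools": {"com.apple.Terminal"},
    "Installers": {"com.example.installer"},
}
# Workstyles in precedence order; each holds its Application Rules in precedence order
WORKSTYLES = [
    ("Standard Users", [("All Apple Apps", "Allow"), ("Blocked Tools", "Block")]),
    ("Fallback", [("Installers", "Block")]),
]

def evaluate(app, workstyles=WORKSTYLES, groups=GROUPS):
    """Return (workstyle, group, action) for the first rule that matches app."""
    for ws_name, rules in workstyles:
        for group, action in rules:
            if app in groups[group]:
                # First match wins: no further rules or Workstyles are processed
                return ws_name, group, action
    return None

def shadowed_rules(workstyles=WORKSTYLES, groups=GROUPS):
    """List rules that can never fire because higher rules match all their apps."""
    seen, shadowed = set(), []
    for ws_name, rules in workstyles:
        for group, action in rules:
            if groups[group] and groups[group] <= seen:
                shadowed.append((ws_name, group, action))
            seen |= groups[group]
    return shadowed
```

In this sample the Block rule for Terminal sits below a broader Allow rule and is reported as shadowed; moving it up restores the intended block.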

Filters

The Filters tab of a Workstyle can be used to further refine when a Workstyle will be applied. By default, a Workstyle will apply to all users and computers who receive it. However, you can add one or more filters that will restrict the application of the Workstyle:

Account Filters

Account filters specify the users and groups the Workstyle will be applied to.

When a new Workstyle is created, a default account filter will be added to target either Standard users only or Everyone (including administrators), depending on your selection in the Workstyle Wizard.

To restrict a Workstyle to specific groups or users, you can filter on the Account Name, UID/GID, or both.

  1. Expand the appropriate Workstyle in the left pane and click Filters.
  2. Select Add a new local OS X account, or select Add a new domain account if you want to use Windows AD to create your filters. If you choose the domain option, you need to create a mapping between your Windows SID and macOS UID/GUID. You can choose to filter by User or Group.
    • For User, you can match on the Account Name, the User ID, or both. If you specify both, both must match for the filter to be applied. The Account Name is not case sensitive.
    • For Group, you can match on the Group Name, the Group ID, or both. If you specify both, both must match for the filter to be applied. The Group Name is not case sensitive.
  3. Click OK to finish configuring your filter.

By default, an account filter will apply if any of the user or group accounts in the list match the user. If you have specified multiple user and group accounts within one account filter, and want to apply the Workstyle only if all entries in the account filter match, then check the box at the top of the screen that says All items below should match.

You can add more than one account filter if you want the user to be a member of more than one group of accounts for the Workstyle to be applied.

If an account filter is added, but no user or group accounts are specified, a warning will be displayed advising No accounts added, and the account filter will be ignored.

If All items below should match is selected, and you have more than one user account listed, the Workstyle will never apply, as the user cannot match two different user accounts.
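
A model of the account filter logic described above, added here as an example rather than taken from the product. The Account, Entry, and AccountFilter classes and their field names are hypothetical; can_never_apply flags the All items below should match pitfall so it can be caught during policy review.

```python
from dataclasses import dataclass, field

@dataclass
class Account:               # the logged-on user (constructed model)
    name: str
    uid: int
    groups: dict             # group name -> GID

@dataclass
class Entry:                 # one user or group row in an account filter
    kind: str                # "user" or "group"
    name: str = None
    ident: int = None        # UID for a user row, GID for a group row

    def matches(self, acct):
        pairs = [(acct.name, acct.uid)] if self.kind == "user" else acct.groups.items()
        for cand_name, cand_id in pairs:
            # Names compare case-insensitively; if both fields are set, both must match
            name_ok = self.name is None or self.name.lower() == cand_name.lower()
            id_ok = self.ident is None or self.ident == cand_id
            if name_ok and id_ok:
                return True
        return False

@dataclass
class AccountFilter:
    entries: list = field(default_factory=list)
    match_all: bool = False  # the "All items below should match" box

    def applies(self, acct):
        if not self.entries:             # "No accounts added": filter is ignored
            return True
        hits = [e.matches(acct) for e in self.entries]
        return all(hits) if self.match_all else any(hits)

    def can_never_apply(self):
        # One user has one account name and one UID, so two different
        # user names (or UIDs) under match_all can never all match.
        users = [e for e in self.entries if e.kind == "user"]
        names = {e.name.lower() for e in users if e.name is not None}
        uids = {e.ident for e in users if e.ident is not None}
        return self.match_all and (len(names) > 1 or len(uids) > 1)

def workstyle_applies(filters, acct):
    # With several account filters, every one of them must be satisfied
    return all(f.applies(acct) for f in filters)
```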

For more information, please see Clarification regarding the status of Identity Management for Unix (IDMU) & NIS Server Role in Windows Server 2016 Technical Preview and beyond.

Computer Filters

A computer filter can be used to target specific computers. You can specify a computer by either its host name or its IP address.

To restrict the Workstyle to specific computers by IP address:

  1. Select the Filters tab, and then click Add a new filter.
  2. Click Add a Computer Filter > Add a new IP rule. The Add IP rule dialog box appears.
  3. Enter the IP address manually, in the format 123.123.123.123.
  4. Click Add.

You can also use the asterisk wildcard (*) in any octet to include all addresses in that octet range, for example, 192.168.*.*. Alternatively, you can specify a particular range for any octet, for example, 192.168.0.0-254. Wildcards and ranges can be used in the same IP Address, but not in the same octet.
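
A parser and matcher for the IP rule syntax described above, added here as an example and not taken from the product. The function names are hypothetical and ranges are assumed to be inclusive; rule_size reports how many addresses a rule covers, so overly broad filters stand out in review.

```python
import re

# One octet: "*", a single number, or "low-high"; never a wildcard and a range together
OCTET = re.compile(r"(\*)|([0-9]{1,3})(?:-([0-9]{1,3}))?")

def parse_ip_rule(rule):
    """Return four (low, high) inclusive bounds for an IP rule, or raise ValueError."""
    parts = rule.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"{rule!r}: expected four octets")
    bounds = []
    for part in parts:
        m = OCTET.fullmatch(part)
        if not m:
            # Also rejects a wildcard mixed with a range in one octet, e.g. "*-5"
            raise ValueError(f"{rule!r}: bad octet {part!r}")
        if m.group(1):
            low, high = 0, 255
        else:
            low = int(m.group(2))
            high = int(m.group(3)) if m.group(3) else low
        if not 0 <= low <= high <= 255:
            raise ValueError(f"{rule!r}: octet {part!r} is out of range or reversed")
        bounds.append((low, high))
    return bounds

def ip_matches(rule, address):
    """True if the dotted IPv4 address falls inside the rule."""
    bounds = parse_ip_rule(rule)
    octets = [int(o) for o in address.split(".")]
    return len(octets) == 4 and all(lo <= o <= hi for (lo, hi), o in zip(bounds, octets))

def rule_size(rule):
    """Number of addresses the rule covers."""
    size = 1
    for low, high in parse_ip_rule(rule):
        size *= high - low + 1
    return size
```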

To restrict the Workstyle to specific computers by hostname:

  1. Select the Filters tab, and then click Add a Filter.
  2. Click Add a Computer Filter > Add a new hostname rule. The Add hostname rule dialog box appears.
  3. Enter a hostname, or alternatively browse for a computer. You can use the * and ? wildcard characters in hostnames.
  4. Click Add.

By default, a computer filter is applied if any of the computers or IP Addresses in the list match the computer or client. If you specified multiple entries, and want to apply the Workstyle only if all entries in the computer filter match, then check the option All items below should match.

If a computer filter is added, but no host names or IP addresses are specified, a warning is displayed advising No rules added, and the computer filter is ignored.