Policy assignment to non corporate machines

[IT Support1709152897]

Hi,

We have a requirement to restrict copy/paste out of a session/remote app on non corporate machines. Is there a way to apply a policy based on a machine not being a on our domain?

We are on 1909.

 

Thanks

[CarlStalhood]

You can configure SmartAccess - https://www.carlstalhood.com/smartaccess-smartcontrol-netscaler-gateway-12/

[IT Support1709152897]

15 minutes ago, Carl Stalhood1709151912 said:

You can configure SmartAccess - https://www.carlstalhood.com/smartaccess-smartcontrol-netscaler-gateway-12/

Thanks Carl. Do you need to push out the EPA client still for this, or is it now handled by the receiver? I imagine it wouldn't be pre-auth as i do my client checks at my saml IDP so not use EPA for a long time.

 

Thanks

[CarlStalhood]

To detect corporate vs non-corporate, you'd need EPA scan with EPA agent. You can do it in a post-auth policy (Session Policy expression).

[IT Support1709152897]

1 minute ago, Carl Stalhood1709151912 said:

To detect corporate vs non-corporate, you'd need EPA scan with EPA agent. You can do it in a post-auth policy (Session Policy expression).

Ok, thanks Carl, appreciated.

[Andy Vanderbeken]

4 hours ago, IT Support1709152897 said:

Hi,

We have a requirement to restrict copy/paste out of a session/remote app on non corporate machines. Is there a way to apply a policy based on a machine not being a on our domain?

We are on 1909.

 

Thanks

 

Here's something to consider perhaps based on first hand experience:

 

Last year I received this question as well from corporate management. After some research I implemented smart access but soon after that some additional and "exceptional" requests started coming in for a few specific external partner pc's that should be allowed after all.

 

Soon after that the request came to allow to -by default- no longer allow people all people with internal company pc's to be able to do it but rather restrict it to only people that request permission (with a valid reason)

 

After that the request came to allow a specific internal range of a subsidiary where different machines (windows and mac's) are randomly used by different persons. They need to have access.

 

Finally some time later the request came for a few specific user that need to get this functionality regardless of which machine they are using.

 

So eventually I realized I had to come up with a design model that allowed granular control over all of these scenario's and still provide certainty that no 'overlooked' situations could accidentally still have access where they shouldn't, both for internal or external machines, regardless whether through a full vpn or Citrix sessions through Netscaler gateway.

 

To design a fitting solution for all of these possibilities for once and for all I ended up chosing to apply a full deny of this functionality in my Virtual apps default policy (last priority) and then 3 exceptional policies with a higher priority based on respectively "client (machine) name", Client ip (range) and "User or Group" name.  Ever since I never have had to adjust the design again no matter what additional requests came in.

 

[IT Support1709152897]

19 minutes ago, Andy Vanderbeken said:

 

Here's something to consider perhaps based on first hand experience:

 

Last year I received this question as well from corporate management. After some research I implemented smart access but soon after that some additional and "exceptional" requests started coming in for a few specific external partner pc's that should be allowed after all.

 

Soon after that the request came to allow to -by default- no longer allow people all people with internal company pc's to be able to do it but rather restrict it to only people that request permission (with a valid reason)

 

After that the request came to allow a specific internal range of a subsidiary where different machines (windows and mac's) are randomly used by different persons. They need to have access.

 

Finally some time later the request came for a few specific user that need to get this functionality regardless of which machine they are using.

 

So eventually I realized I had to come up with a design model that allowed granular control over all of these scenario's and still provide certainty that no 'overlooked' situations could accidentally still have access where they shouldn't, both for internal or external machines, regardless whether through a full vpn or Citrix sessions through Netscaler gateway.

 

To design a fitting solution for all of these possibilities for once and for all I ended up chosing to apply a full deny of this functionality in my Virtual apps default policy (last priority) and then 3 exceptional policies with a higher priority based on respectively "client (machine) name", Client ip (range) and "User or Group" name.  Ever since I never have had to adjust the design again no matter what additional requests came in.

 

Thanks for your input. I was thinking about this way as well, as least for the short term until Corona is over. I'd be a bit concerned about implemented EPA when all our staff are WFH!

Will need to think about how i can do this when staff are on VPN, but using remote app.

[Andy Vanderbeken]

that's the beauty of this model. As long as you don't provide their software as locally installed onto the local machines but rather force users to have to go through Citrix virtual app or desktop sessions these policies will apply to them always and under all circumstances and scenario's. This way you control and contain all.