Workstation Policies

Workstation policies let users deploy a set of foundational policies in an IBM Security Policy Framework quickly. For convenience, the most commonly used policies are listed below.

Windows Workstation Policies

  • Software Development Tools

    This high-priority policy targets common software development processes that may run frequently. Handling them in an early-out policy speeds up policy processing and minimizes the delays an end user could see. This policy also causes policy evaluation for child processes to be skipped.

  • Visual Studio Installers

    Silently elevates various Microsoft Visual Studio installers and upgrades, including Visual Studio Enterprise, Community, and Professional.

  • Malware Attack Protection

    This policy prevents Living Off The Land Binaries (LOLBAS), legitimate tools and programs already present on a computer that an attacker misuses for malicious functions, from being executed by commonly exploited parent applications such as cmd.exe, bash and PowerShell, among others.

  • Capture Application Elevation Attempts

    This policy targets non-Microsoft applications that trigger a UAC prompt and sends policy feedback to the server. This policy can be used to learn about applications users attempt to elevate before a silent elevation policy or justification/approval workflow is put into place.

  • Allow Microsoft Signed Security Catalog

    This policy allows Microsoft Signed Security Catalog files (Operating System applications) to run and can be used in combination with blocklist policies to prevent legitimate Operating System Applications from being blocked.
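
The parent-process rule behind the Malware Attack Protection policy, shown as an added example that is not the product's own policy engine or policy format. The binary list, the parent list and the process-creation events are constructed for the demonstration; a real policy carries a far longer list of LOLBAS binaries, and the allow decision would normally be combined with the Allow Microsoft Signed Security Catalog policy so legitimate Operating System applications are not blocked.

```python
"""Illustrative model of a parent-process-based LOLBAS block rule.

Added example, not the product's own policy engine. The binary list,
parent list and event records below are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed, deliberately short list of binaries documented by the LOLBAS
# project as abusable; a real policy carries a much longer list.
LOLBAS_BINARIES = {
    "certutil.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "bitsadmin.exe",
}

# Parent applications the policy description names as commonly exploited
# launch points (bash on Windows appears as bash.exe).
EXPLOITED_PARENTS = {"cmd.exe", "bash.exe", "powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str   # full path of the parent process
    child_image: str    # full path of the process being started
    user: str


def basename(path: str) -> str:
    """Return the lower-cased final path component, accepting either separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: ProcessEvent) -> str:
    """Return 'block' when a LOLBAS binary is started by an exploited parent,
    otherwise 'allow'. Matching is case-insensitive on the file name only;
    the same binary launched from another parent (e.g. Explorer) is allowed."""
    if (basename(event.child_image) in LOLBAS_BINARIES
            and basename(event.parent_image) in EXPLOITED_PARENTS):
        return "block"
    return "allow"


def evaluate_all(events: Iterable[ProcessEvent]) -> List[Tuple[str, str]]:
    """Evaluate a batch of events and pair each child image with its decision."""
    return [(e.child_image, evaluate(e)) for e in events]


# Constructed sample process-creation events.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\certutil.exe", "alice"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\certutil.exe", "alice"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\MSHTA.EXE", "bob"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\notepad.exe", "bob"),
]

if __name__ == "__main__":
    for child, decision in evaluate_all(SAMPLE_EVENTS):
        print(f"{decision:5} {child}")
```

Only the first and third events are blocked: the same certutil.exe started from Explorer passes, as does an ordinary program started from cmd.exe, which is what makes the parent-process condition less disruptive than a flat binary blocklist.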

macOS Workstation Policies

  • Elevate Common Preference Panes

    Silently elevates commonly used preference panes such as the Date and Time, Energy Preferences, and Network Settings.

  • Elevate Xcode

    Silently elevates Xcode by granting the system.install.apple-software and com.apple.dt.Xcode.LicenseAgreementXPCServiceRights Authorization rights.

  • Elevate Console

    Silently elevates the Console application using a just-in-time elevation action limited to 5 minutes. This policy allows a user unfettered Admin access for 5 minutes.

  • Elevate Jamf Commands

    Elevates the policy and recon Jamf commands after a justification.

  • Elevate Package Installers

    Silently elevates package (pkg) installers and sends feedback to the server about when this policy is triggered.

  • Elevate sudo pmagentctl updateclientitems

    Allows all users to run sudo pmagentctl updateclientitems without having to input credentials.

  • Block sudo commands for non-admin group users

    All sudo commands are blocked unless requested by a member of the Admin group; for Admin group members, sudo operates normally.

  • Monitor sudo Usage

    Monitors the usage of the sudo command and sends feedback to the server.

  • Monitor Admin Applications

    Monitors for applications launched requiring Admin rights, excluding Apple System applications. This policy can be useful before removing Admin rights from end users.

Creating Workstation Policies

  1. Under your Computer Group, navigate to Application Policies. Click Create Policy.

  2. On the What type of policy? page, select Workstation Policies and click Next Step.


  3. On the What policies would you like to create? page, select the check box next to the name of the workstation policies to deploy. Note that multiple policies can be selected. Click Next Step.


  4. Confirm your selections and click Next Step. The Application Policies page is redisplayed with the newly added workstation policy.