Skip to main content

Policies

You can create and manage device security policies to enforce specific security rules for your organization's devices.

You have the flexibility to customize these rules and add Enforcement integrations to ensure that devices comply with your organization's security standards.

Compliance Goals

Each security check in a policy can be configured with a three-tier compliance system:

  1. Set your compliance goal — Define the time period in which devices should become compliant (e.g., 30, 60, or 90 days). This goal is only visible to administrators and serves as the baseline for warning and blocking timelines.

  2. Warn users — Configure when users are informed about a security risk on their device. For version-based checks (such as OS or browser versions), you can choose:

    • Before compliance goal — Warn users a set number of days before the compliance goal is reached.
    • On the compliance due date — Warn users when the compliance goal is reached.

  3. Block a device — Determine when a non-compliant device will be blocked from access. The same timing options are available:

    • Before compliance goal — Block the device a set number of days before the compliance goal.
    • On the compliance due date — Block the device when the compliance goal is reached.

For binary checks (such as disk encryption or screen lock), enabling warn or block will take effect immediately when the device is non-compliant.

✅ Available Security Checks

A policy can include the following checks:

  1. Add devices to organization

    • When enabled, devices will be added and reported to the organization.

  2. Allow users to skip the device verification

    • Users will be able to skip the device verification process and gain access to the application.

  3. Allow unsupported devices to access the application

    • Devices that aren't supported by XFA can still access the application.

  4. Validate Operating System version

    • XFA will verify the OS version of each device. Set a compliance goal to define how long the OS version can be out of date, and configure when to warn or block users.
    • Additional options:
      • Allow or restrict specific beta versions.
      • Allow or restrict older major versions that are still supported.

  5. Validate Operating System autoupdate setting

    • XFA checks if devices have auto-updates enabled. You can warn or block users who have autoupdates disabled.

  6. Validate browser version

    • XFA verifies the browser version of each device. Set a compliance goal to define how long the browser version can be out of date, and configure when to warn or block users.
    • Additional options:
      • Allow or restrict specific beta versions.
      • Allow or restrict older major versions that are still supported.

  7. Validate disk encryption

    • Devices without disk encryption will trigger warnings or can be blocked based on your settings.

  8. Validate screen lock

    • XFA checks whether devices have screen lock enabled and allows for warnings or blocking users without it.

  9. Validate antivirus

    • The system verifies whether antivirus software is active on the device, with options to warn or block users without it.

  10. Validate password manager

    • Ensures users have a password manager enabled. You can decide whether to warn or block users who don't comply.

  11. Validate biometric authentication

    • Enforce users to use biometric authentication on their device. You can decide whether to warn or block users who don't comply.

  12. Validate device reboot

    • Enforce users to regularly reboot their devices. Set a compliance goal to define how many days can pass since the last reboot, and configure when to warn or block users.

  13. Validate Windows Recall

    • XFA checks whether Windows Recall is disabled on Windows devices to protect sensitive data from being captured and stored. You can decide whether to warn or block users who have Windows Recall enabled.

  14. Require the native application to be installed

    • Require the native application to be installed (desktop-only for enhanced security insights). You can decide whether to warn or block users who don't comply.

  15. Allow users to skip the token flow on mobile devices

    • Users will be able to skip the token flow on mobile devices and gain access to the application.

  16. Allow users to skip the token flow on desktop devices

    • Users will be able to skip the token flow on desktop devices and gain access to the application.

  17. Allow agentless sign-in

    • Allow agentless sign-in (users can verify without installing the XFA agent when enough information is available). You can decide whether to warn or block users who don't comply.

  18. Validate firewall status

    • Ensure a firewall is enabled to block unauthorized network access. You can decide whether to warn or block users who don't comply.

  19. Validate DNS

    • Ensure secure DNS resolution by requiring compliant DNS servers to prevent DNS hijacking. You can decide whether to warn or block users who don't comply.

  20. Validate screen sharing

    • Ensure screen sharing is disabled to prevent unauthorized remote access. You can decide whether to warn or block users who have screen sharing enabled.

  21. Validate remote scripting

    • Ensure remote scripting is disabled to prevent execution of potentially harmful scripts. You can decide whether to warn or block users who have remote scripting enabled.

  22. Validate remote management

    • Ensure remote management is disabled to prevent unauthorized device control. You can decide whether to warn or block users who have remote management enabled.

  23. Validate remote login

    • Ensure remote login is disabled to reduce the risk of unauthorized access. You can decide whether to warn or block users who have remote login enabled.

  24. Validate jailbroken

    • Prevent security vulnerabilities by restricting jailbroken devices that bypass built-in protections. You can decide whether to warn or block users with jailbroken devices.

  25. Validate rooted devices

    • Prevent security vulnerabilities from rooted Android devices. You can decide whether to warn or block users with rooted devices.

  26. Validate developer mode

    • Enhance device security by preventing access from devices with developer mode enabled. You can decide whether to warn or block users who have developer mode enabled.

  27. Validate Secure Boot

    • Require Secure Boot to be enabled for enhanced security. You can decide whether to warn or block users who don't comply.

  28. Validate Integrity Protection

    • Require Integrity Protection to be enabled for enhanced security. You can decide whether to warn or block users who don't comply.

  29. Validate secrets in environment

    • Detect and prevent exposed secrets in environment variables or runtime context to reduce credential leakage risk. You can decide whether to warn or block users who have secrets detected.

  30. Validate autonomous agents

    • Detect autonomous agents and require approved controls before allowing access. You can decide whether to warn or block users who have autonomous agents present.

  31. Validate unguarded elevation

    • Detect and prevent unguarded privilege elevation that can lead to unauthorized high-privilege actions. You can decide whether to warn or block users who have unguarded elevation detected.

Enforcement Integrations

You can integrate this policy with various enforcement tools (e.g., Microsoft, Google, Okta) to ensure that only compliant devices have access to your business platforms. This helps automate device security across your organization and guarantees that users meet the required security standards.

To modify or enforce these rules, visit your dashboard and configure the enforcement settings to fit your organization's needs.

For more details on enforcement, refer to our enforcement documentation.