Workstation Policies
Workstation policies enable users to implement foundational policies in a Delinea Policy Framework for rapid deployment. For convenience, the following most commonly used policies are available.
Windows Workstation Policies
- Software Development Tools
  This high-priority policy targets common software development processes that may run frequently. Targeting them in an early-out policy speeds up policy processing and minimizes delays an end user could see. This policy also causes policy evaluation for child processes to be skipped.
- Visual Studio Installers
  Silently elevates various Microsoft Visual Studio installers and upgrades, including Visual Studio Enterprise, Community, and Professional.
- Malware Attack Protection
  This policy prevents Living Off The Land Binaries (LOLBAS) from being executed by commonly exploited parent applications, such as cmd.exe, bash, and PowerShell, among others. Living off the land is a cyber attack method that misuses existing legitimate tools or programs on a computer for malicious functions.
- Capture Application Elevation Attempts
  This policy targets non-Microsoft applications that trigger a UAC prompt and sends policy feedback to the server. It can be used to learn which applications users attempt to elevate before a silent elevation policy or justification/approval workflow is put into place.
- Allow Microsoft Signed Security Catalog
  This policy allows Microsoft Signed Security Catalog files (operating system applications) to run and can be used in combination with blocklist policies to prevent legitimate operating system applications from being blocked.
macOS Workstation Policies
- Elevate Common Preference Panes
  Silently elevates commonly used preference panes such as Date and Time, Energy Preferences, and Network Settings.
- Elevate Xcode
  Silently elevates Xcode by granting the system.install.apple-software and com.apple.dt.Xcode.LicenseAgreementXPCServiceRights Authorization rights.
- Elevate Console
  Silently elevates the Console application using a just-in-time elevation action limited to 5 minutes. This policy allows a user unfettered Admin access for 5 minutes.
- Elevate Jamf Commands
  Elevates the policy and recon Jamf commands after a justification.
- Elevate Package Installers
  Silently elevates package (pkg) installers and sends feedback to the server about when this policy is triggered.
- Elevate sudo pmagentctl updateclientitems
  Allows all users to run sudo pmagentctl updateclientitems without having to input credentials.
- Block sudo commands for non-admin group users
  All sudo commands will be blocked unless requested by members of the Admin group. If requested by a member of the Admin group, sudo will resume normal operation.
- Monitor sudo Usage
  Monitors the usage of the sudo command and sends feedback to the server.
- Monitor Admin Applications
  Monitors for launched applications that require Admin rights, excluding Apple System applications. This policy can be useful before removing Admin rights from end users.
Creating Workstation Policies
- Under your Computer Group, navigate to Application Policies. Click Create Policy.
- On the What type of policy? page, select Workstation Policies and click Next Step.
- On the What policies would you like to create? page, select the check box next to the name of the workstation policies to deploy. Note that multiple policies can be selected. Click Next Step.
- Confirm your selections and click Next Step. The Application Policies page is redisplayed with the newly added workstation policy.