policy rules are enforced at the device group level, the attributes provide granular security that ensures the devices that Prisma Access Browser allows to access your apps are adequately maintained and adhere to your security standards before they are allowed access to your network resources. For example, before allowing access to your most sensitive apps, you might want to ensure that the mobile devices accessing your apps are not rooted or jailbroken. In this case, you would create a device group with an attribute that only allows mobile devices that are not rooted or jailbroken. The following sections detail the attributes you can use to determine device group membership for mobile devices. To learn about attributes for managing device group membership on Windows and macOS devices, see Configure Prisma Access Browser Device Posture Attributes.
Root/Jailbreak Status
Enable this attribute to create a device group that only allows mobile devices
that have not been rooted or jailbroken.
Active Screen Lock
Active screen lock mechanisms limit device access to authorized users only, preventing malicious actors from gaining access to confidential information on a mobile device. When you enable the Active screen lock attribute in a device group, Prisma Access Browser verifies that the device has an automatic screen lock, password, PIN, biometric, or similar lock feature enabled before allowing access to the group.
iOS and Android OS Versions
Creating a device group that uses the device's operating system as a posture attribute is a good way to make sure that users have specific versions of the OS. If you add an OS version attribute as match criteria for a device group, Prisma Access Browser checks that the device OS version matches the attribute you defined before allowing membership in the device group.
Define the list of acceptable operating system versions for the
Select the iOS or Android versions, minimal minor versions, and minimal security patch level to allow into the device group and then click Save.
Device Type
Enable the Device type attribute to ensure that the device group only contains specific types of devices, such as smartphones or tablets. This can be especially useful when you need to create specialized rules for the different devices.
Device Manufacturer
Enable the Device manufacturer attribute to restrict device group membership to Android devices from selected manufacturers. This attribute is supported for Android devices only; it does not support iOS devices.
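
The membership checks described in the sections above, modeled as an added Python example (this is not Prisma Access Browser code or its API). The class and field names, the sample group and devices, the rule that every enabled attribute must pass, and the way iOS devices are treated under the manufacturer attribute are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Device:  # constructed posture report; field names are hypothetical
    os: str                      # "ios" or "android"
    version: tuple               # (major, minor)
    rooted: bool                 # rooted or jailbroken
    screen_lock: bool            # PIN, password, biometric or similar is active
    device_type: str             # "smartphone" or "tablet"
    manufacturer: str = ""
    patch_level: "date | None" = None   # security patch level, if reported

@dataclass
class DeviceGroup:  # hypothetical model of a group's enabled attributes
    require_unrooted: bool = True
    require_screen_lock: bool = True
    allowed_os: dict = field(default_factory=dict)  # {(os, major): (min minor, min patch or None)}
    device_types: set = field(default_factory=set)            # empty set = attribute off
    android_manufacturers: set = field(default_factory=set)   # empty set = attribute off

def failed_attributes(dev, grp):
    """Return the attributes that block membership; an empty list means admit."""
    failed = []
    if grp.require_unrooted and dev.rooted:
        failed.append("root/jailbreak status")
    if grp.require_screen_lock and not dev.screen_lock:
        failed.append("active screen lock")
    if grp.allowed_os:
        major, minor = dev.version
        rule = grp.allowed_os.get((dev.os, major))
        if rule is None or minor < rule[0]:
            failed.append("os version")
        elif rule[1] and (dev.patch_level is None or dev.patch_level < rule[1]):
            failed.append("security patch level")  # a missing patch level fails closed
    if grp.device_types and dev.device_type not in grp.device_types:
        failed.append("device type")
    # The manufacturer attribute is Android-only. Assumption: iOS devices skip this check.
    if (grp.android_manufacturers and dev.os == "android"
            and dev.manufacturer.lower() not in grp.android_manufacturers):
        failed.append("device manufacturer")
    return failed

# Constructed sample group and devices (not real policy data)
GROUP = DeviceGroup(allowed_os={("android", 14): (0, date(2024, 6, 1)), ("ios", 17): (4, None)},
                    device_types={"smartphone", "tablet"}, android_manufacturers={"google", "samsung"})
OK_PHONE = Device("android", (14, 0), False, True, "smartphone", "Google", date(2024, 7, 1))
STALE = Device("android", (14, 0), False, True, "smartphone", "Google", date(2024, 1, 1))
JAILBROKEN = Device("ios", (17, 2), True, True, "tablet")
```

Returning the list of failed attributes instead of a single boolean makes it clear which posture requirement a device must fix before it can join the group.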