Manage Prisma Access Browser Sign-in Rules
Learn how to create browser sign-in rules as a first level of securing your Prisma Access Browser deployment.
Where Can I Use This?
  • Strata Cloud Manager
What Do I Need?
  • Prisma Access Browser standalone
  • Prisma Access with Prisma Access Browser bundle license
  • Superuser or Prisma Access Browser role
Use sign-in rules to determine which users and devices have access to Prisma Access Browser. The Sign-in Rules page displays information about existing sign-in rules:
  • Priority—The priority order for rule enforcement.
  • Mode—Indicates whether the rule is active or disabled.
  • Name—Identifies and describes the rule.
  • Users—The users and user groups associated with each rule.
  • Device groups—The device group associated with each rule.
  • Network & Location—The specific networks and geolocations associated with the rule.
  • Action—The action Prisma Access Browser takes for users and devices matching the rule: Allow, Block, or Prompt the user.
  • Updated—Last updated date for the rule; hover to see the full timestamp.
When you create a sign-in rule, you define the scope of the rule. When a user attempts to access Prisma Access Browser, the browser compares the scope of the rules in order until it finds a rule that matches the user and device, and then enforces the corresponding access rule. In some cases, you may want a sign-in rule to block Prisma Access Browser for users and devices that match its scope. For example, suppose the scope of the rule matches a device group for devices with a specific OS and you do not want to allow access to devices that are still running that OS. In that case, you would set the sign-in rule to block access for users that match it. In other cases, you might want to allow users that match the sign-in rule access to Prisma Access Browser. For example, suppose the scope of the rule covers users in a specific user group and in a device group that only admits devices running a specific OS version, presenting a specific client certificate, and having active endpoint protection. In this case you might want the matching sign-in rule to allow access to Prisma Access Browser. The way you create your user groups and device groups (including the corresponding device posture rules you enforce at the device group level) informs how you will want to create your sign-in rules.
When a user attempts to access the browser, Prisma Access Browser evaluates the sign-in rules in top-down order until it finds a match for the user and device, and then enforces the corresponding sign-in rule. If the user and device do not match any of the defined sign-in rules, Prisma Access Browser enforces the Default sign-in rule, which is an allow rule.
There are two ways to create sign-in rules: one for managed devices and one for unmanaged devices, as described in the following sections.

Create a Sign-in Rule for Managed Users

To create a sign-in rule for managed users:
  1. Select Manage > Prisma Access Browser > Policy > Sign-in Rules and click Add rule.
  2. Enter a Name for the rule.
  3. Set an Action, which can be Active or Disabled.
    You can change the Action at any time. You may want to keep the rule disabled until you are ready to launch the new rulebase.
  4. Click Next: Scope and then define the match criteria for the rule.
    Select one or more values to define the scope of the sign-in rule. You can select one or more of the following options:
    • Users/User groups—Select the users and user groups that you want this sign-in rule to match for access to Prisma Access Browser.
    • Device groups—Select the device groups that you want this sign-in rule to match for access to Prisma Access Browser.
    • Networks—Select the public networks the device must be attached to in order to access Prisma Access Browser. Use one of the following formats to specify the network: 94.45.21.1 or 129.144.9.8/29
    • Location—Select the geolocation from which to allow sign-in to Prisma Access Browser. If location services are not enabled on the device, Prisma Access Browser uses the GeoIP.
  5. Click Next: Action.
  6. Set the action for the sign-in rule:
    • Allow—Allow access to Prisma Access Browser for users and devices that match the defined rule scope.
    • Block—Block access to Prisma Access Browser for users and devices that match the defined rule scope.
    • Prompt—Notify users that match the sign-in rule scope that their Prisma Access Browser is blocked by default, but allow them to bypass the block and continue to the browser.
  7. Save the rule.
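The evaluation semantics described above (top-down, first match wins, disabled rules skipped, every scope criterion that is set must match, GeoIP used when device location is unavailable, and a Default allow rule when nothing matches) can be modelled to dry-run a rulebase before enabling it. The following is an added example and is not Palo Alto Networks code; the rule and attempt structures, the `evaluate` and `falls_to_default` helpers, and all sample users, groups, addresses and locations are constructed for illustration. Its practical use is the final check: any attempt that falls through to the Default rule is allowed, so a rulebase meant to fence off unmanaged or non-compliant devices should leave that list empty.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class SignInRule:
    """One row of the Sign-in Rules table; list position is the priority order."""
    name: str
    action: str                                    # "Allow", "Block" or "Prompt"
    enabled: bool = True                           # Mode: active (True) or disabled
    users: set = field(default_factory=set)        # user names or user-group names
    device_groups: set = field(default_factory=set)
    networks: list = field(default_factory=list)   # "94.45.21.1" or "129.144.9.8/29"
    locations: set = field(default_factory=set)    # geolocation codes, e.g. "US"

@dataclass
class SignInAttempt:
    """Hypothetical view of what the browser knows about a sign-in attempt."""
    user: str
    user_groups: set
    device_groups: set
    source_ip: str
    device_location: Optional[str]   # None when location services are disabled
    geoip_location: str              # fallback used in that case

def network_matches(networks, source_ip):
    """A bare address such as 94.45.21.1 is treated as a /32 network."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)

def rule_matches(rule, attempt):
    """Every criterion that is set must match; an unset criterion matches anything."""
    if rule.users and not (rule.users & ({attempt.user} | attempt.user_groups)):
        return False
    if rule.device_groups and not (rule.device_groups & attempt.device_groups):
        return False
    if rule.networks and not network_matches(rule.networks, attempt.source_ip):
        return False
    location = attempt.device_location or attempt.geoip_location
    if rule.locations and location not in rule.locations:
        return False
    return True

DEFAULT_RULE = ("Default", "Allow")

def evaluate(rules, attempt):
    """Top-down, first-match evaluation that falls through to the Default allow rule."""
    for rule in rules:
        if rule.enabled and rule_matches(rule, attempt):
            return (rule.name, rule.action)
    return DEFAULT_RULE

def falls_to_default(rules, attempts):
    """Attempts no active rule covers: these are allowed by the Default rule."""
    return [a.user for a in attempts if evaluate(rules, a) == DEFAULT_RULE]

# Constructed sample rulebase, listed in priority order.
RULES = [
    SignInRule("block-legacy-os", "Block", device_groups={"legacy-os"}),
    SignInRule("unmanaged-prompt", "Prompt", device_groups={"unmanaged"}),
    SignInRule("corp-allow", "Allow", users={"engineering"},
               device_groups={"corp-managed"}, networks=["129.144.9.8/29"],
               locations={"US"}),
    SignInRule("staged-block", "Block", enabled=False, users={"engineering"}),
]

# Constructed sample sign-in attempts.
ALICE = SignInAttempt("alice", {"engineering"}, {"corp-managed"}, "129.144.9.10", None, "US")
BOB = SignInAttempt("bob", {"contractors"}, {"unmanaged"}, "94.45.21.1", "DE", "DE")
CAROL = SignInAttempt("carol", {"engineering"}, {"corp-managed"}, "203.0.113.5", None, "US")
DAVE = SignInAttempt("dave", {"engineering"}, {"legacy-os", "corp-managed"}, "129.144.9.12", "US", "US")

if __name__ == "__main__":
    for attempt in (ALICE, BOB, CAROL, DAVE):
        print(attempt.user, "->", evaluate(RULES, attempt))
    print("allowed only by the Default rule:", falls_to_default(RULES, [ALICE, BOB, CAROL, DAVE]))
```

Carol is the case worth noticing: she is an engineering user on a managed device, but from an address outside the rule's network, so no rule matches and the Default allow applies. Whether that is acceptable depends on the rulebase's intent; if it is not, a final catch-all Block or Prompt rule closes the gap.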

Create a Sign-in Rule for Unmanaged Users

Unmanaged device users are responsible for their own devices. Whenever they face a posture compliance issue, the user must resolve it on their own because they do not have access to the corporate IT department. To help unmanaged users better navigate access issues, you can create a special type of sign-in rule that provides information about the compliance issue that is preventing access to Prisma Access Browser.
The following limitations apply to this feature: the default rule action is either Block or Prompt, and each user has only one allow rule in one device group.
  1. Create a device group for the unmanaged users.
    This device group must match the device posture you require for unmanaged users.
  2. Create a sign-in rule to match your unmanaged users.
    • Define the scope to match the device group you created for your unmanaged users.
    • Set the action to either Block or Prompt.
  3. (Optional) Create a browser customization rule for the device group.
    Provide text in the customization rule (on the Security checks tab) to help the user understand the posture errors.