Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Onboard device restriction with exception

  • 1.  Onboard device restriction with exception

    Posted Aug 29, 2018 03:43 AM

    Hi


    The customer wants to restrict every employee's onboarded device count to a maximum of 3, but they also want to extend this policy for VIP users to, say, 5.


    I configured the Onboard provisioning settings with max devices set to 5. I then created a rule like "Authorization:endpoint_repository unique device count greater than 3 AND Authorization groups not equals vipusers" [deny application access profile] and used this rule in the application service. I tested it, but users can still onboard more than 3 devices.


    How can I create and use exception rules for the Onboard device limit?



  • 2.  RE: Onboard device restriction with exception

    EMPLOYEE
    Posted Aug 29, 2018 07:51 AM
    Exceptions should be done based on users, not devices.


  • 3.  RE: Onboard device restriction with exception
    Best Answer

    EMPLOYEE
    Posted Aug 29, 2018 02:43 PM

    You could also try applying the Max device limit enforcement below for the employees in the OnBoard Authorization (application) service. This would restrict the non-VIP provisioning limit.


    [Attached image: device_limit.jpg]

    E.g.: "Authorization:AD Groups Not Equals VIP" → apply OnBoard Device limit.



  • 4.  RE: Onboard device restriction with exception

    Posted Aug 31, 2018 03:38 AM

    Thank you Saravanan, it worked :)



  • 5.  RE: Onboard device restriction with exception

    Posted Aug 30, 2018 02:56 AM

    We created 2 provisioning profiles, one containing the 3 limit (standard) and one containing the 5 limit (VIP). All other settings were the same.


    In the Onboard pre-auth application service, we created an authorisation check that matched a valid VIP AD group, and that resulted in the VIP provisioning profile being assigned, therefore allowing more devices. All other users got the standard profile.
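The per-user exception pattern from posts 2, 3 and 5 (pick the device limit from the user's group membership, then check the new device against what is already in the endpoint repository), modelled as an added Python example. This is constructed for illustration; it is not ClearPass code and not from any of the thread's authors. The group name `VIP`, the usernames and the in-memory stand-in for the endpoint repository are assumptions. Note that a user whose group lookup returns nothing falls through to the standard limit, so the policy fails closed.

```python
"""Model of the per-user OnBoard device-limit policy discussed in the thread.

Constructed illustration only: not ClearPass code and it does not call the
ClearPass API. It mimics the pattern of the accepted answer and post 5: decide
the user's provisioning limit from group membership (VIP or not), then allow or
deny the new device against the devices already onboarded for that user.
"""
from dataclasses import dataclass, field

STANDARD_LIMIT = 3   # limit for ordinary employees (figure from the thread)
VIP_LIMIT = 5        # limit for the VIP group (figure from the thread)
VIP_GROUP = "VIP"    # assumed AD group name; the real name is site-specific


@dataclass
class User:
    username: str
    ad_groups: frozenset = field(default_factory=frozenset)


# Constructed stand-in for the endpoint repository: username -> onboarded device ids.
ENDPOINT_REPOSITORY = {
    "alice": {"mac-aa-01", "mac-aa-02", "mac-aa-03"},
    "bob":   {"mac-bb-01"},
    "ceo":   {"mac-cc-01", "mac-cc-02", "mac-cc-03", "mac-cc-04"},
}


def device_limit_for(user: User) -> int:
    """Pick the provisioning profile (device limit) from the user's groups.

    The exception is keyed on the user (group membership), as post 2 advises,
    never on the device. Anyone not positively in the VIP group, including a
    user whose group lookup returned nothing, gets the stricter limit.
    """
    if VIP_GROUP in user.ad_groups:
        return VIP_LIMIT
    return STANDARD_LIMIT


def onboard_decision(user: User, new_device_id: str, repo=ENDPOINT_REPOSITORY) -> tuple:
    """Return (allowed, reason) for provisioning one more device for `user`."""
    existing = repo.get(user.username, set())
    if new_device_id in existing:
        # Re-provisioning a device that is already known must not consume a slot.
        return True, "already onboarded"
    limit = device_limit_for(user)
    if len(existing) >= limit:
        return False, f"device limit {limit} reached ({len(existing)} onboarded)"
    return True, f"{len(existing) + 1} of {limit} devices"


if __name__ == "__main__":
    for user, dev in [
        (User("alice", frozenset({"Employees"})), "mac-aa-04"),
        (User("ceo", frozenset({"Employees", "VIP"})), "mac-cc-05"),
        (User("bob", frozenset()), "mac-bb-02"),
    ]:
        print(user.username, dev, onboard_decision(user, dev))
```

The decision is evaluated per request against the repository as it is at that moment, which is the same ordering the accepted answer relies on: the group check selects the limit first, and only then is the count compared against it.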