Conditional access policies

Conditional Access Policies generally consider various factors to assess whether to allow or deny access to a specific resource or service. By implementing them, organizations can effectively enforce security measures that align with their unique needs and requirements.

  1. To view Devolutions Server's Conditional Access Policies in the web interface, go to Administration – Configuration– Server Settings.

Administration – Configuration – Server Settings
Administration – Configuration – Server Settings

  1. Click on Conditional Access Policies under Security.

Security – Conditional Access Policies
Security – Conditional Access Policies

Configure Login from the web interface

  1. Select Login in the Target drop-down menu and click on the plus button (Add).

Target drop-down menu and plus button
Target drop-down menu and plus button

  1. Choose a policy name and action from the Action when matched and Action when not matched menus.
    • Continue: Go to the next policy. Default action is applied if it is the last policy.
    • Access Denied: The user access will be denied. Users will receive an error and will not be abled to log in.
    • Access Allowed: The user access will be allowed. A 2FA could be needed, depending on the configuration.

Action when matched and Action when not matched menus
Action when matched and Action when not matched menus

  1. Click on the plus button (Add) in the Rules section.

Rules section
Rules section

  1. Choose from the drop-down menu whether the rule applies to:
    • Authentication type
    • Time
    • IP Addresses
    • Geo IP
    • Users
    • Users Groups
    • Administrator

Rules section
Rules section

  1. Click Add to close the window.

  2. Select All or Any under Rules – Rule validation.

Rules – Rule validation
Rules – Rule validation

All: All rules must be followed to continue. Any: The user can log in once a rule has been followed.

  1. Click Is Active to enable or disable the policy.

Is Active
Is Active

  1. Click Add to save the policy.

Configure Multi-Factor Authentication from the web interface

Select MFA in the Target drop-down menu.

  1. Choose a Default action when no policy matches between the following:
    • MFA Required: MFA is enforced for all users. A default MFA type is set for all users.
    • MFA Skipped: MFA is not enforced.
    • MFA Optional per User: MFA is enforced on an individual basis. The administrator chooses who uses MFA and what product or technology they use. Choose this option if not all users are set up for multi-factor authentication.

When MFA usage is set to MFA Optional per User, the MFA method must be configured in Administration – Users for each user. Edit or add a user, then go to the Multi-factor section to configure it. You can also set an MFA type on the user if they are using a product different than the default method. See Multi-factor (Edit User).

Default action when no policy matches
Default action when no policy matches

  1. Back to the Multi-factor section, choose who to send the reset email to between Administrator(s) or a Specific email (in which case you must specify the email in the Specific email field).
    Send reset email to & Specific email
    Send reset email to & Specific email
  2. Check the boxes next to the supported authenticators that you want to enable. You can choose as many as necessary.

The currently supported multi-factor authenticators are Authenticator (TOTP), Yubikey, Email, SMS, Duo, and Radius. You must configure them separately using the instructions next to them. Emails need to be configured beforehand in Devolutions Server for the Email and SMS (without Twilio) MFAs.

Supported MFA
Supported MFA

  1. Select the Default MFA between the ones you enabled in the previous step.

  2. Select alternate ways to log in between Email and Backup codes. These options will be offered when users do not have access to their usual method.

    Default and Alternate MFA
    Default and Alternate MFA

  3. Click Save.

  4. To add a rule to the Conditional Access Policies, go back to Administration – Configuration– Server Settings – Security – Conditional Access Policies.

  5. Select MFA in the Target drop-down menu and click on the plus button (Add).

Target drop-down menu and plus button
Target drop-down menu and plus button

  1. Choose a policy name and action from the Action when matched and Action when not matched menus.
    • Continue: Go to the next policy. Default action is applied if it is the last policy.
    • MFA Required: MFA is enforced for all users. A default MFA type is set for all users.
    • MFA Skipped: MFA is not enforced.
    • MFA Optional per User: MFA is enforced on an individual basis. The administrator chooses who uses MFA and what product or technology they use. Choose this option if not all users are set up for multi-factor authentication.

Action when matched and Action when not matched menus
Action when matched and Action when not matched menus

  1. Click on the plus button (Add) in the Rules section.

Rules section
Rules section

  1. Choose from the drop-down menu whether the rule applies to:
    • Authentication type
    • Time
    • IP Addresses
    • Geo IP
    • Users
    • Users Groups
    • Administrator

Rules section
Rules section

  1. Click Add to close the window.

  2. Select All or Any under Rules – Rule validation.

Rules – Rule validation
Rules – Rule validation

All: All rules must be followed to continue. Any: The user can log in once a rule has been followed.

  1. Click Is Active to enable or disable the policy.

Is Active
Is Active

  1. Click Add to save the policy.