Configuring block login policy

You can block user logins to applications entirely from risky locations, or block them on a time basis, for example by not allowing contractors access outside of work hours.

Follow the steps below to configure a block login policy:

Steps

  1. Navigate to the Protect > Policies page.
  2. On the Login Policy tile, click the Add Action drop-down and then select the Block Login action.

    A default Block Login policy is created.

    You can either save the policy as is or edit the default policy variables.

  3. To specify which Groups the action applies to:
    Groups can be locally defined groups, or security groups and OUs pulled from Active Directory.
    Note: By default, Any is selected, which means the policy applies to all groups.

    Available options are:

    • Any
    • Selected
    1. Click the Any value to open the Select Groups dialog box.
    2. To limit the policy to selected groups, click the Selected option.
    3. To add a group, click the green plus icon and then select the group you wish the action to apply to from the drop-down.
      You can add as many groups as needed for the policy.
    4. Select the Negate checkbox to apply the policy line to every group except the group(s) you selected.
    5. To save the selected group(s), click Ok.
  4. To specify which Device the action applies to:
    Note: By default, Any is selected, which means the policy applies to all devices, including unmanaged devices.

    Available options are:

    • Any
    • OS & User-Agent
    • Device Profile
    If you want to select common operating systems and/or User-Agent strings:
    1. Click the Any value to open the Device dialog box.
    2. Select the OS & User-Agent option.
    3. Select the applicable operating systems.
      Available options are Apple iOS, Apple Mac OS X, Google Android, Google Chrome OS, Microsoft Windows Phone, Microsoft Windows PC and Other OS.
    4. To limit the policy to matches of the selected operating systems combined with particular user-agent strings, click the green plus icon and then enter the string(s).
      You can add as many user-agent strings as needed for the policy.
    5. Select the Negate checkbox to apply the policy line to every device except the device(s) you selected.
    6. To save the selected device(s), click Ok.
    If you want to select a device profile:
    1. Click the Any value to open the Device dialog box.
    2. To limit the policy to selected device profiles, click the Device Profile option.
    3. To add a device profile, click the green plus icon and then select the device profile you wish the action to apply to from the drop-down.
      You can add as many device profiles as needed for the policy.
    4. Select the Negate checkbox to apply the policy line to every device profile except the device profile(s) you selected.
    5. To save the selected device profile(s), click Ok.
  5. Apply specific actions when a user is accessing from a certain Location:
    Available options are:
    • Any
    • Selected
    1. Click the Any value to open the Select Locations dialog box.
    2. To apply specific actions when a user is accessing from certain locations, click the Selected option.

      You can block users entirely from unsafe or untrusted locations, and restrict or control where a user accesses the cloud application from (by geographic location or IP address).

    3. To select a location, click the green plus icon and then select the location you wish the action to apply to from the drop-down.

      You can add as many locations as needed for the policy.

      Attention: When installing the SmartEdge agent at an explicit proxy site with Agent Override set to Chain to Explicit Proxy, ensure that the IaaS Provider IPs location is not blocked in the login policy. Otherwise, the end user will not be able to log in to the SmartEdge agent.
    4. Select the Negate checkbox to apply the policy line to every location except the location(s) you selected.
    5. To save the selected location(s), click Ok.
  6. Select a unique Behavior at login that will trigger the policy action.
    Available options are:
    • Any
    • Selected
    1. Click the default behavior to open the Behavior dialog box.
    2. To trigger the policy action based on specific behavior, click the Selected option.
    3. To trigger the policy action when a user logs in from a new device that they have not used before, select the New Device Detected checkbox.
    4. To trigger the policy action when a user logs in to protected applications from distant locations within a short amount of time, select the Suspicious User Locations checkbox.
      For example, if the user logs in to M365 from California and then 5 minutes later logs in to Salesforce from New York.
    5. To save the selected details, click OK.
  7. Select a specific Time Range (days of the week or workday hours) for when the action will apply.
    Available options are:
    • Any
    • Selected
    1. Click the default time range to open the Time Range dialog box.

      You can select Any to apply the action at any time on any day, or select Selected to prevent users (especially contractors) from having access beyond work hours and days.

      Note: When you select Selected, the approved start time, end time, and days are shown for the region.
    2. Select the Start time.
    3. Select the End time.
    4. Select the applicable Day(s).
      Available options are Sun, Mon, Tue, Wed, Thu, Fri and Sat.
    5. To save the selected details, click OK.
  8. Click the default action to open the Action dialog box.
    1. To notify the user about the blocked login, select the appropriate User Email.
    2. To notify a group about the blocked login, select the appropriate Group Email.
    3. To generate a Forcepoint alert, select the Generate Alert checkbox.
      Admins can view Forcepoint alerts on the Analyze > Alerts page.
    4. To save the selected details, click OK.
  9. To save the updated policy, click Save.
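As an added illustration (not the product's own evaluation code), the following Python models how a Block Login policy line from steps 3 to 6 is matched against a login: an Any/Selected condition with Negate for groups and locations, and the Suspicious User Locations behavior approximated as an implied travel-speed check between two consecutive logins. The speed threshold, coordinates, location and group names, and sample logins are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Hypothetical model of a Block Login policy line; not the product's own code.
# Names, the speed threshold and the sample logins are constructed for illustration.

@dataclass(frozen=True)
class Condition:
    """Any when `selected` is empty; Negate matches everything except the selection."""
    selected: frozenset = frozenset()
    negate: bool = False

    def matches(self, value: str) -> bool:
        if not self.selected:          # "Any" applies to every value
            return True
        return (value in self.selected) != self.negate

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def suspicious_user_locations(prev, curr, max_kmh=900.0) -> bool:
    """Flag a login whose implied travel speed since the previous login is unrealistic."""
    km = km_between(prev["geo"], curr["geo"])
    hours = (curr["when"] - prev["when"]).total_seconds() / 3600
    return km > 0 if hours <= 0 else km / hours > max_kmh

def block_login(policy, prev, curr) -> bool:
    """Block when every configured condition of the policy line matches this login."""
    return (policy["groups"].matches(curr["group"])
            and policy["locations"].matches(curr["location"])
            and (not policy["suspicious_locations"] or suspicious_user_locations(prev, curr)))

# Constructed sample: the page's M365-in-California, then Salesforce-from-New-York 5 minutes later.
CA_LOGIN = {"when": datetime(2024, 1, 8, 9, 0), "geo": (37.77, -122.42),
            "location": "US", "group": "Contractors", "app": "M365"}
NY_LOGIN = {"when": datetime(2024, 1, 8, 9, 5), "geo": (40.71, -74.01),
            "location": "US", "group": "Contractors", "app": "Salesforce"}

POLICY = {
    "groups": Condition(frozenset({"Contractors"})),
    "locations": Condition(frozenset({"Office-IP"}), negate=True),  # every location except the office
    "suspicious_locations": True,
}

if __name__ == "__main__":
    print("blocked" if block_login(POLICY, CA_LOGIN, NY_LOGIN) else "allowed")
```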