Examples

From the example policy above, let’s take a look at a few users and how they are accessing the cloud application. For the sake of this example let’s assume that you are using an external IdP such as Okta or Ping for authentication.

User     Device                        Application
User A   Work issued laptop            Outlook
User B   Home computer                 Outlook
User C   Work issued laptop            Office 365 web portal (OWA)
User D   Computer at the Apple store   Office 365 web portal (OWA)
User E   Android cell phone            Mail application

  • User A launches Outlook for the first time after the Forcepoint ONE SSE deployment on their work laptop. According to the policy, direct app access is allowed for Client Apps (locally installed applications) and thus Outlook connects directly to Office 365. User A experiences no issues and is satisfied.
  • User B launches Outlook for the first time after the Forcepoint ONE SSE deployment on a home computer that they use occasionally. In this situation Outlook again connects directly to Office 365, because the policy allows all Client Apps (locally installed applications) regardless of device or location.
    • In the future, a granular policy can be set to distinguish managed from unmanaged devices and restrict client apps to managed devices only.
  • User C uses their work laptop at the airport to log in to the web portal and check their email. Based on the policy they are allowed secure app access. They are passed through the Forcepoint ONE SSE proxy, which directs them to the configured external IdP (Okta or Ping) for authentication. They enter their credentials and are passed back to the secure proxied version of Office 365.
  • User D is shopping at the mall, stops into an Apple store, and wishes to check their work email quickly. As with User C, the policy is set up so that they can access the web application from anywhere and on any device through secure app access. User D types in the Office 365 URL and enters their username. They are then passed securely to Forcepoint ONE SSE, which directs them to their external IdP for authentication. After entering their credentials they are passed back to the secure proxied version of Office 365. If User D forgets to log out before leaving, the system logs them out after 15 minutes of inactivity, as set in the policy.
  • User E is setting up their Android phone for the first time and attempts to add their work account. ActiveSync is allowed through secure app access, so once they enter their credentials, ActiveSync configures the device settings to point to the secure Forcepoint ONE SSE proxy server. This process is seamless to the user, and they are immediately able to use the mail application on their device.
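The following Python is an added example, not Forcepoint code: it models the example policy's decision for each of the five users above (direct access for client apps, proxied access with IdP hand-off for the web portal and ActiveSync), the 15-minute inactivity logout, and the future managed-device restriction mentioned for client apps. All names (`AppType`, `Decision`, `Request`, `evaluate`, `managed_device`) are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum

class AppType(Enum):
    CLIENT = "client"          # locally installed app, e.g. Outlook
    WEB = "web"                # Office 365 web portal (OWA) in a browser
    ACTIVESYNC = "activesync"  # mobile mail app via ActiveSync

class Decision(Enum):
    DIRECT = "direct app access"
    PROXIED = "secure app access via Forcepoint ONE SSE proxy"
    DENIED = "denied"

@dataclass(frozen=True)
class Request:
    user: str
    device: str
    app: AppType
    managed_device: bool  # assumption: device posture is known to the policy engine

IDLE_TIMEOUT = timedelta(minutes=15)  # inactivity logout set in the example policy

def evaluate(req: Request, restrict_clients_to_managed: bool = False) -> Decision:
    """Apply the example policy: client apps get direct access regardless of
    device or location (the optional flag models the future managed-device
    restriction); web portal and ActiveSync always go through the proxy."""
    if req.app is AppType.CLIENT:
        if restrict_clients_to_managed and not req.managed_device:
            return Decision.DENIED
        return Decision.DIRECT
    return Decision.PROXIED  # proxy then hands the user to the external IdP (Okta/Ping)

def session_expired(last_activity: datetime, now: datetime) -> bool:
    """True when a proxied web session has been idle for the policy's 15 minutes."""
    return now - last_activity >= IDLE_TIMEOUT

# Constructed sample requests matching the five users in the table above.
REQUESTS = [
    Request("User A", "work issued laptop", AppType.CLIENT, True),
    Request("User B", "home computer", AppType.CLIENT, False),
    Request("User C", "work issued laptop", AppType.WEB, True),
    Request("User D", "computer at the Apple store", AppType.WEB, False),
    Request("User E", "Android cell phone", AppType.ACTIVESYNC, False),
]

def decide_all(restrict_clients_to_managed: bool = False) -> dict:
    """Evaluate every sample request and return {user: Decision}."""
    return {r.user: evaluate(r, restrict_clients_to_managed) for r in REQUESTS}
```

Running `decide_all()` reproduces the outcomes in the bullets; `decide_all(restrict_clients_to_managed=True)` shows User B on the unmanaged home computer being denied once the tighter client-app rule is turned on.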

After the initial deployment, assess your logs and alert notifications to reevaluate your policies. Please see the admin guide page on the different and how to use them to review and assess your log reports. Once you have a better understanding of how your employees access company data (what data, from where, and on what devices), you can apply greater restrictions to the policy to strengthen your data's security. Each company is different, and there is no exact template to follow when granularly adjusting policies. However, below is a general guideline for the steps to take, with links to articles that provide more detail on the different types of policies that can be created.

  1. Manage your users and create groups to apply new policy rules.
  2. Create your own DLP patterns and then create or adjust policies to be more restrictive.
  3. Granularly adjust policies.