Rublon

Secure Remote Access

By

Last updated on June 27, 2024

Group Policies is a Policy-Based Access Control (PBAC) feature within the Rublon Admin Console that allows assigning custom policies to user groups. Administrators can assign group policies on a per-application basis by specifying the policy to be used (as a set of rules) and the scope (one or more groups). This means you can assign one custom policy to more than one group in the context of a specific application. 

Global Policy vs. Application Policy vs. Group Policy

  • Global Policy – policy applies to all users in the organization. It can be overridden by the Application Policy or Group Policy.
  • Application Policy – policy set per application applicable to all users who log in to a specific application. There can be only one Application Policy per application. The Application Policy can be overridden by the Group Policy.
  • Group Policies – policies set per application applicable to all users belonging to the groups. There can be many Group Policies per application.

Effective Policy Order

The order in which policies are applied in the application context:

  1. Group Policy – Overrides the settings of Application Policy and Global Policy
  2. Application Policy – Overrides the settings of Global Policy
  3. Global Policy – These settings are applicable only if not overridden by Group Policy or Application Policy

If several group policies refer to the group to which a user belongs, the order of these group policies is the deciding factor. Using the Move To Top option, you can change the order of policies when editing an application.

Policy Order Example

1. Users who are members of the Demo group:

  • Authentication Methods Policy: from the All Auth Methods Policy Group Policy.
  • Authorized Networks Policy: from Global Policy
  • Remembered Devices Policy: from the Remembered Devices For 7 Days Policy Group Policy

2. Users who are members of the group Test:

  • Authentication Methods Policy: from the Auto Push Policy Group Policy
  • Authorized Networks Policy: from Global Policy
  • Remembered Devices Policy: from the Remembered Devices For 7 Days Policy Group Policy

3. Users outside the Demo and Test groups:

  • Authentication Methods Policy: from the All Auth Methods Policy Application Policy
  • Authorized Networks Policy: from Global Policy
  • Remembered Devices Policy: from Global Policy

Common Group Policy Use Cases

The following examples show how you can use group policies in everyday use cases.

Disable Remembered Devices for IT Admins

1. Sign in to the Rublon Admin Console.

2. In the Groups tab, create an IT Admins user group. (See: How to add group)

Image showing adding a new IT Admins group

3. In the Users tab, add the IT Admins in your organization to the IT Admins group. (See: How to add users to group)

Image showing adding users to an IT Admins group

4. In the Policies tab, create a Disable Remembered Devices policy where you check Do not remember devices in the Remembered Devices section. (See: How to create new policy and Remembered Devices)

Image showing the creation of the Disable Remembered Devices policy

5. In the Applications tab, assign the Disable Remembered Devices policy to the IT Admins group in one or more applications. (See: How to assign Group Policies to groups within application)

Image showing how to assign a policy to one or more user groups in the context of an application

Require IT Admins to use hardware keys

1. Sign in to the Rublon Admin Console.

2. In the Groups tab, create an IT Admins user group. (See: How to add group)

Image portraying adding a new group

3. In the Users tab, add the IT Admins in your organization to the IT Admins group. (See: How to add users to group)

Image showing how to add users to a group

4. In the Policies tab, create a Security Key Only policy where you check WebAuthn/U2F and YubiKey OTP and uncheck everything else in the Authentication Methods section. (See: How to create new policy and Authentication Methods)

5. In the Applications tab, assign the Security Key Only policy to the IT Admins group in one or more applications. (See: How to assign Group Policies to groups within application)

Image showing assigning the Security Key Only policy to the IT Admins group

Disable the SMS Passcode authentication method for external users

1. Sign in to the Rublon Admin Console.

2. In the Groups tab, create an External Users user group. (See: How to add group)

Image showing the creation of the External Users group

3. In the Users tab, add the external users in your organization to the External Users group. (See: How to add users to group)

Image showing adding external users to a group

4. In the Policies tab, create an SMS Passcode Disabled policy where you uncheck SMS Passcode in the Authentication Methods section. (See: How to create new policy and Authentication Methods)

5. In the Applications tab, assign the SMS Passcode Disabled policy to the External Users group in one or more applications. (See: How to assign Group Policies to groups within application)

Image showing assigning the SMS Passcode Disabled policy to the External Users group

Bypass MFA for local network access for regular users but not IT Admins

This example shows how settings in the Group Policy can override settings in the Application Policy.

Assumptions

  1. Regular users are users who do not belong to any group, and IT Admins are users who belong to the IT Admins group.
  2. An Application Policy defines a local network IP range that should bypass MFA and applies to regular users, and a Group Policy does not define any IP range, overrides the Application Policy, and applies to IT Admins.

Steps

1. Sign in to the Rublon Admin Console.

2. In the Groups tab, create an IT Admins user group. (See: How to add group)

Image showing how to add a new group

3. In the Users tab, add the IT Admins in your organization to the IT Admins group. (See: How to add users to group)

Image showing how to add users to a group

3. In the Policies tab, create a Bypass MFA for Local Network Access policy where you enter your local network’s IP range in the Authorized Networks section. (See: How to create new policy and Authorized Networks)

Image showing the creation of the Bypass MFA for Local Network Access policy

4. Create a Do Not Bypass MFA for Local Network Access policy where you add the Authorized Networks section but leave it empty. (See: How to create new policy and Authorized Networks)

Image showing the creation of the Do Not Bypass MFA for Local Network Access policy

5. In the Applications tab, assign the Bypass MFA for Local Network Access policy as an Application Policy to one or more applications. (See: How to assign Application Policy to application)

Image showing assigning the Bypass MFA for Local Network Access policy as an Application Policy

6. Assign the Do Not Bypass MFA for Local Network Access policy as a Group Policy to the IT Admins group in one or more applications. (See: How to assign Group Policies to groups within application)

Image showing assigning the Do Not Bypass MFA for Local Network Access policy as a Group Policy to the IT Admins group

Result

Image showing the result of assigning both an Application Policy and a Group Policy to an application

The Bypass MFA for Local Network Access application policy applies to regular users and defines a local network IP range that bypasses MFA.

The Do Not Bypass MFA for Local Network Access policy applies to IT Admins and does not define any IP range, meaning it will override the Application Policy for the IT Admins group and, therefore, IT Admins will not bypass MFA for local network access.

The good thing about this approach is that you can now create more groups for regular users, such as VPN Users, Windows Users, or High-Risk Users , and assign specific Group Policies to them, too, all while the Bypass MFA for Local Network Access application policy is still in effect (as long as it is not overridden by another group policy, naturally).

Related Posts

Rublon Admin Console – Documentation

Rublon Admin Console – FAQ