Control access to applications

Use risk tiers and tags to define ACL rules that control access to enterprise applications.

After you configure your tiers and tags, you can use them to define access control (ACL) rules for enterprise applications. You can apply the following types of Device Posture ACL rules:

  • Device Risk Tier type. Configure access control rules (ACLs) to deny access to devices that are:

    • Classified as Unmanaged. In this context, unmanaged means that the Device Posture service does not have any information, visibility, or control over the device. The device may not have an EAA Client or mobile app installed, or, if one is installed, it has not authenticated. Without any signal or information about the device, Device Posture cannot assign the device to any risk tier or risk tag.

    • Assigned to Medium or High tier.

    • Assigned to High tier.

  • Device Risk Tag type. Configure access control rules (ACLs) to deny access to devices that are not part of the selected tag.

The logic applied for tier and tag ACLs differs:

  • With tier ACLs, you block devices that belong to the selected group (high tier, medium or high tier, unmanaged devices).

  • With tag ACLs, you block devices that do not belong to the selected tag.


  • You cannot see device risk tiers and tags as criteria types if you do not have Device Posture enabled.

  • You can add Device Posture risk tiers and tags to new or existing rules.

  • You can deny access to medium or high tier, or unmanaged devices. Access is never denied to low-risk devices.
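The following Python sketch models the tier and tag logic described above so you can see which devices a rule set blocks. It is an added illustration, not EAA code or configuration syntax. The rule keys, device names, the `corp-managed` tag, the treatment of each tier option as blocking only the states listed for it, and the way tier and tag rules are combined are all assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Tier ACL options named on this page, mapped to the device states each blocks.
# Assumptions: None encodes an unmanaged device, and each option blocks only
# the states listed for it on this page.
TIER_RULES = {
    "unmanaged": {None},
    "medium_or_high": {"medium", "high"},
    "high": {"high"},
}

@dataclass(frozen=True)
class Device:
    name: str
    tier: Optional[str] = None          # "low", "medium", "high"; None = unmanaged
    tags: FrozenSet[str] = frozenset()  # risk tags the device belongs to

def tier_acl_denies(device: Device, rule: str) -> bool:
    """Tier ACL: deny when the device IS in the selected group."""
    return device.tier in TIER_RULES[rule]

def tag_acl_denies(device: Device, selected_tag: str) -> bool:
    """Tag ACL: deny when the device is NOT part of the selected tag."""
    return selected_tag not in device.tags

def evaluate(device, tier_rules=(), tag_rules=()):
    """Return ("deny", reason) for the first rule that blocks, else ("allow", None)."""
    for rule in tier_rules:
        if tier_acl_denies(device, rule):
            return "deny", f"tier rule '{rule}'"
    for tag in tag_rules:
        if tag_acl_denies(device, tag):
            return "deny", f"missing tag '{tag}'"
    return "allow", None

# Constructed sample devices, for illustration only.
DEVICES = [
    Device("laptop-a", "low", frozenset({"corp-managed"})),
    Device("laptop-b", "low"),      # low tier, but not in the selected tag
    Device("laptop-c", "medium", frozenset({"corp-managed"})),
    Device("phone-d"),              # unmanaged: no tier, no tags
]

if __name__ == "__main__":
    for d in DEVICES:
        print(d.name, evaluate(d, ["medium_or_high"], ["corp-managed"]))
```

In this model no tier option ever matches a low-tier device, while a tag rule blocks any device without the selected tag, including an unmanaged device that has no tags at all.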

Apart from tier and tag type access rules, you can also configure ACLs for other criteria such as country, client IP, or time when you want to block or restrict user access.

To learn more about EAA ACL types, see Access control rules.