4.11 Managing User Logins with Universal Policies

Using universal policies, you can control which users and groups are allowed or denied to log in on Linux Agent computers in your Active Directory domain. This is accomplished by creating or modifying one or more Universal Policies and setting the login privileges for specified users or groups.

NOTE: For cloud AD logins, users or groups must be part of the MFPolicy-Users group.

To configure and apply Universal Policy login settings on Linux agents:

  1. Click + to add policies from the Web Console and expand the Linux folder.

  2. Expand the Linux and then the AD Login folders.

  3. Select the On-Premise or Cloud folder, then AD login provider mode, and then select a mode from the pull-down menu.

    For example, select Simple allow/deny list.

  4. Click Add again, and select the desired rule.

    IMPORTANT: When you configure a Universal Policy to prevent users or groups from logging in, the policy is in effect an exclusionary list of Active Directory objects. However, when you configure it to “Allow AD users or groups”, those objects are the only AD users or groups that can log in on the Linux agents that have the Universal Policy applied. You cannot have both Allow and Deny logins in the policy at the same time.

  5. Click the browse button, and use the Select Users dialog box to (a) define whether the rule is for users or groups, (b) choose the applicable domain, and (c) locate the users and/or groups that the policy applies to.

  6. Save the changes to apply the policy to applicable Linux agents.

NOTE: For the policy to be applied to Linux Agent computers, the Linux Agent Service must be running on those devices. If the service is not running, use one of the commands below, applicable to the platform, to start the service:

  • systemctl start adb-agent.service

  • service adb-agent start
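
The following is an added example, not part of the product documentation: a shell helper that checks whether the Linux Agent Service is running and starts it with whichever of the two commands above fits the platform, so a login policy is not silently left unapplied. The function names are hypothetical, and it assumes that `service adb-agent status` exits non-zero when the service is stopped.

```shell
#!/bin/sh
# Added example: confirm the agent is up before relying on a Universal Policy.
# The service name "adb-agent" comes from the commands listed above.
AGENT_UNIT="adb-agent"

# Print "systemd" when systemd is the running init, otherwise "sysv".
# /run/systemd/system exists only on hosts booted with systemd; the optional
# argument overrides the probed path.
init_system() {
    if [ -d "${1:-/run/systemd/system}" ]; then
        echo systemd
    else
        echo sysv
    fi
}

# Exit status 0 when the agent service is currently running.
agent_running() {
    case "$1" in
        systemd) systemctl is-active --quiet "${AGENT_UNIT}.service" ;;
        # Assumption: the init script's status action exits non-zero when stopped.
        *)       service "$AGENT_UNIT" status >/dev/null 2>&1 ;;
    esac
}

# Start the agent with the command that matches the init system.
agent_start() {
    case "$1" in
        systemd) systemctl start "${AGENT_UNIT}.service" ;;
        *)       service "$AGENT_UNIT" start ;;
    esac
}

# Print "running" (already up), "started" (was down, now up) or "failed".
# A "failed" host will not receive the login policy and needs follow-up.
ensure_agent() {
    init="${1:-$(init_system)}"
    if agent_running "$init"; then echo running; return 0; fi
    agent_start "$init" >/dev/null 2>&1 || true
    # Re-check instead of trusting the start command's exit status.
    if agent_running "$init"; then echo started; return 0; fi
    echo failed
    return 1
}

# Run as root with "--run" to act on the local host.
if [ "${1:-}" = "--run" ]; then ensure_agent; fi
```

Hosts that report `failed` have not received the policy, so their login restrictions should be treated as not enforced until the agent is running.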
