
KB004: Configure OS-Based Login Policies

Article ID: KB004

Last Updated: June 21, 2025

Applies To: HySecure Gateway 7.1 and above

Category: Endpoint Security & Compliance

Overview

This guide explains how to configure OS-based login support to control user access based on the operating system detected on their device or browser. This feature enables administrators to enforce organizational IT policies by restricting access from unknown, outdated, or non-compliant operating systems.

Prerequisites

  • HySecure Gateway 7.1 or higher
  • Security Officer or Administrator access to the HySecure Management Console

Benefits

  • Policy Enforcement: Restrict access from outdated or end-of-life operating systems.
  • Security Compliance: Ensure only approved OS versions can access resources.
  • Detailed Logging: Track login attempts with OS information in Endpoint Security logs.
  • Flexible Control: Separate policies for different access methods.

Procedure

Step 1: Create Host Scan Policy

  1. Access Management Console

    • Log in to the HySecure Management Console as a Security Officer or Administrator.
  2. Navigate to Host Scan Policies

    • Go to Policies > Endpoint Security Policies > Host Scan Policies.

    • Click Add.

  3. Configure Basic Policy Settings

    • Enter an appropriate Policy Name.

    • Provide a Description.

    • Select Policy Type as Operating System.

Step 2: Create Operating System Sub-Policy

  1. Add OS Policy

    • Click Add Operating System Policy to create a sub-policy.
  2. Configure Sub-Policy Details

    • Enter Policy Name for the sub-policy.

    • Select Sub-Policy Type:

      • Allow: Permit access for specified operating systems.

      • Block: Restrict access for specified operating systems.

  3. Configure Policy Scope

    Select Policy Applicable For:

    Option A: Client OR HyLite with Plugin

    • Enforces policy for users logging via HySecure/Workspace client.

    • Applies to HyLite portal WITH plugin.

    • Does NOT apply to browser-based logins without plugin.

    • Can be applied at OS version level, e.g. allowing login from all Windows 10 23H2 devices.

    Option B: Clientless (HyLite without Plugin)

    • Enforces policy for browser-based HyLite portal access.

    • Applies to logins WITHOUT plugin.

    • Does NOT apply to HySecure/Workspace client logins.

    • Can be applied at OS level, e.g. allowing login from all Windows devices.

  1. Navigate to Device Profiles

    • Go to Policies > Endpoint Security Policies > Device Profiles.

    • Create a new device profile or edit an existing one.

  2. Link Host Scan Policy

    • Select the created Host Scan Policy.

    • Associate with device profile.

    • Save configuration.

  3. Apply Device Profile

    • Assign device profile to users or groups (Optional).

    • Ensure policy validation occurs during Endpoint Security check.

Policy Configuration Examples

Example 1: Block Outdated Windows Versions

Policy Type: Operating System

Sub-Policy Type: Block

Target OS: Windows 7, Windows 8

Applicable For: Client OR HyLite with Plugin

Example 2: Allow Only Corporate-Approved OS

Policy Type: Operating System

Sub-Policy Type: Allow

Target OS: Windows 10, Windows 11, macOS 12+

Applicable For: Clientless (HyLite without Plugin)

Example 3: Block Mobile Devices

Policy Type: Operating System

Sub-Policy Type: Block

Target OS: iOS, Android

Applicable For: Both Client and Clientless

Logging and Monitoring

Log Information Included

Every login attempt (successful or failed) is logged with:

  • Host Scan Policy ID: Which policy was matched
  • OS Name: Operating system detected
  • OS Version: Version information
  • Login Result: Success or failure
  • User Information: Username and timestamp

Accessing Logs

  1. Navigate to Reports

    • Go to Logs > Endpoint Security Logs.
  2. Filter by Policy

    • Filter by Host Scan Policy ID.

    • Search by OS name or version.

    • Review login success/failure patterns.
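
The review described above can be scripted once the Endpoint Security log has been exported. The following is an added example, not HySecure code: it assumes a CSV export with hypothetical column names (timestamp, username, policy_id, os_name, os_version, result) built from the fields listed under Log Information Included, and a 15-minute review window chosen for illustration.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample export; the column names are assumptions, not the product's format.
SAMPLE_LOG = """timestamp,username,policy_id,os_name,os_version,result
2025-06-21T09:00:05,alice,12,Windows,7,Failure
2025-06-21T09:03:40,alice,14,Windows,10,Success
2025-06-21T09:10:00,bob,12,Windows,8,Failure
2025-06-21T09:11:30,bob,12,Windows,8,Failure
2025-06-21T10:00:00,carol,14,macOS,13,Success
2025-06-21T13:00:00,bob,14,Windows,11,Success
"""

def load_events(text):
    """Parse the CSV export into dicts with a real datetime, sorted by time."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        row["failed"] = row["result"].strip().lower() == "failure"
        events.append(row)
    return sorted(events, key=lambda e: e["timestamp"])

def failures_by_policy_and_os(events):
    """Count failed logins per (Host Scan Policy ID, OS name, OS version)."""
    return Counter((e["policy_id"], e["os_name"], e["os_version"])
                   for e in events if e["failed"])

def os_change_after_failure(events, window=timedelta(minutes=15)):
    """List users who failed on one OS and then succeeded with a different
    OS name/version within `window`; these logins merit manual review."""
    last_failure = {}  # username -> most recent failed event
    findings = []
    for e in events:
        prev = last_failure.get(e["username"])
        if e["failed"]:
            last_failure[e["username"]] = e
        elif prev and e["timestamp"] - prev["timestamp"] <= window:
            before = (prev["os_name"], prev["os_version"])
            after = (e["os_name"], e["os_version"])
            if before != after:
                findings.append((e["username"], before, after))
    return findings

if __name__ == "__main__":
    evts = load_events(SAMPLE_LOG)
    print(failures_by_policy_and_os(evts).most_common(), os_change_after_failure(evts))
```

A finding from the second function is not proof of policy evasion (the user may simply have switched to a compliant device), so treat it as a prompt to check the matching log entries.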

Important Notes

OS Detection Limitations

Supported Detection:

  • Major OS versions (Windows, macOS, Linux).

  • Browser-based OS detection for clientless access.

  • Client-based detailed OS information.

Current Limitations:

  • No minor version support for Ubuntu, macOS, iOS, iPadOS.

  • Browser detection may be less precise than client detection.

Policy Scope Considerations

Client vs. Clientless:

  • Policies are specific to access method.

  • Users may need different policies for different access types.

  • Consider organizational access patterns when configuring.

Troubleshooting

Common Issues:

Policy Not Enforcing:

  • Verify device profile assignment.

  • Check if policy is linked to correct device profile.

  • If different user groups are to be linked with different device profiles, confirm that the user/group has a device profile assigned.

Incorrect OS Detection:

  • Review client vs. clientless policy configuration.

  • Check OS detection logs for accuracy.

Users Cannot Access:

  • Review policy allow/block configuration.

  • Check if user's OS matches policy criteria.

  • Verify no conflicting policies exist.