No problem! HIP-based security policies really shouldn't be used to prevent unwanted people/devices from connecting, because HIP data isn't sent until AFTER they connect and the tunnel is up. It's really more for like "if a PC doesn't have X or X updates, or if it's a type of device that only vendors use, restrict them to these limited areas". I.e., you're okay with them connecting, but you don't want them to have as much access.
If it's an unwanted device, you don't want it to even be able to connect. In this case you can just create portal configs with Windows or macOS as a match criterion. Or you could require both SAML and machine certs, so only your corporate devices that have their assigned certs installed on them can connect.
Quite often I work for regional government facilities where we can't actually restrict what they connect with, just what they have access to. I haven't ever had a use case to prevent macOS or Linux from even connecting. This is usually because there are a LOT of contractors, like me, and elected officials all over the place.
10
u/RagingNoper 14d ago
You can actually restrict portal/gateway access based on OS in the portal client auth section.