Showing results for 
Search instead for 
Did you mean: 

HostChecker Policy

New Contributor

HostChecker Policy

Hi -

I'm sure this has been addresses but my searches haven't turned up anything. Basically I want to check whether a device is is managed or not and assign different role mapping.

For example - Check Machine for file corp.txt then assign role A, if file corp.txt does not exist then assign Role B.

I've found where you can create custome expressions to assing role mappings but still can't figure how to assign a different role if the file isn't presnet.

In a nut shell - One user has multple devices, Corporate Laptop, home machine, tablet, phone. I want assign a differnt role based on what device there logging in from.


Super Contributor

Re: HostChecker Policy


You can achieve this in diferent ways

>Create a sign in URL mapped to 4 different REALMS for example Corp User, Home User, Mobile Users and Tablet Users

Evaluate and enforce HC on all the 4 REALMS accordingly, for example for Corp users REALM, you can evaluate and enforce HC to check for the presence of a text file corp.txt. For Home Users, you can check for Home.txt etc

So when User signs into the sign in URL, he/she will see only the REALMS for which HC passes, a Corp user will see Corp Users, mobile Users,Tablet Users REALM

You can also evaluate the host check policies at REALM level and enforce it at the role

Note : when defining the HC policy, please uncheck the option " send reason strings".

If you want a single REALM and 4 different roles, the custom host checker expression policy needs to be conjfigured so that you mention under role mapping, if Hc policy=corp ,assign corp role and then stop the processing when rule matches.Below that role mapping rule, configure another custom expression HC policy if HC policy=home, assign Home Users role and stop processing when rule matches, then below have another role mapping rule this time a normal rule like users=*, assign mobile Users and tablet role

Please mark this as an accepted solution if this answers your query



Super Contributor

Re: HostChecker Policy

To accomplish your intent -

  • Define a Host Checker Policy called FilePresent. Implement a rule in this policy which checks for the existence of file corp.txt (with a full path, of course)
  • Define a realm AllUsers and under Host Checker Policies for the realm note that you want to evaluate policy FilePresent. Turn off "Send reason string" option.
  • In the role-mapping rules for realm AllUsers, create a rule based on an expression. Define an expression "CorpFile" with value 'hostCheckerPolicy="FilePresent"'. If CorpFile is true, assign the user to role CorpUser
  • and so on....

Hope this is helpful.


Respected Contributor

Re: HostChecker Policy

You can be as complex or simple as you want, unfortunately, with something like this.

Do you want to do a single realm and role map based on that? or do you want  multiple realms? do you want a single sign-in policiy or multiples?

Each has benefits & negatives that you need to weigh for your environment.

New Contributor

Re: HostChecker Policy


Thanks so much for the responses. I ended up using a single user realm with "everyone*", and tying HC policies to role mappings. I'm checking for a local file names corp.txt or not and then for mobile devices checking against OS and mapping a diffrent role that way.

Once I got the hang of what I needed to do it wasn't to bad. Again, it ended up being a single user realm, two HC policies and three role mappings.

I'll probably tweak it some more as I move closer to production.

Thanks again for the help and insight.

Respected Contributor

Re: HostChecker Policy

you are welcome; glad to hear it worked