I'm sure this has been addressed but my searches haven't turned up anything. Basically I want to check whether a device is managed or not and assign a different role mapping.
For example - Check the machine for the file corp.txt, then assign role A; if the file corp.txt does not exist, then assign role B.
I've found where you can create custom expressions to assign role mappings but still can't figure out how to assign a different role if the file isn't present.
In a nutshell - One user has multiple devices: corporate laptop, home machine, tablet, phone. I want to assign a different role based on what device they're logging in from.
You can achieve this in different ways
>Create a sign-in URL mapped to 4 different REALMS, for example Corp Users, Home Users, Mobile Users and Tablet Users
Evaluate and enforce HC on all 4 REALMS accordingly; for example, for the Corp Users REALM you can evaluate and enforce HC to check for the presence of a text file corp.txt. For Home Users, you can check for Home.txt, etc.
So when the user signs in to the sign-in URL, he/she will see only the REALMS for which HC passes; a Corp user will see the Corp Users, Mobile Users and Tablet Users REALMS
You can also evaluate the host check policies at REALM level and enforce it at the role
Note: when defining the HC policy, please uncheck the option "send reason strings".
If you want a single REALM and 4 different roles, the custom host checker expression policy needs to be configured so that under role mapping you specify: if HC policy=corp, assign Corp role and then stop processing when the rule matches. Below that role mapping rule, configure another custom expression HC policy: if HC policy=home, assign Home Users role and stop processing when the rule matches. Then below that, have another role mapping rule, this time a normal rule like users=*, assign Mobile Users and Tablet roles.
Please mark this as an accepted solution if this answers your query
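The single-realm variant above depends on two things: the order of the role mapping rules and the "stop processing when rule matches" flag. The following is an added example that is not part of this thread and not the product's own code; it models that evaluation as a small Python simulation, using the file names from the thread (corp.txt, Home.txt) and constructed sample devices, so you can see why a corp laptop ends up with only the Corp role while a phone falls through to the catch-all rule, and what happens if the stop flag is left off.

```python
# Added example: simulate ordered role-mapping rules with
# "stop processing when rule matches" semantics. The Device/Rule
# structures and the sample endpoints below are constructed for
# illustration; they are not the appliance's real data model.
from dataclasses import dataclass
from typing import Callable, List, Set


@dataclass
class Device:
    files: Set[str]   # files present on the endpoint (constructed sample data)
    os: str           # operating system reported by the client


@dataclass
class Rule:
    name: str
    matches: Callable[[Device], bool]   # stands in for the HC / custom expression
    roles: List[str]
    stop: bool = False                  # "stop processing when rule matches"


# Host-checker style predicates, modelled as file-presence checks.
def hc_corp(device: Device) -> bool:
    return "corp.txt" in device.files


def hc_home(device: Device) -> bool:
    return "Home.txt" in device.files


# Rule order matters: most specific (corporate) first, catch-all last.
RULES = [
    Rule("HC policy=corp", hc_corp, ["Corp Users"], stop=True),
    Rule("HC policy=home", hc_home, ["Home Users"], stop=True),
    Rule("users=*", lambda d: True, ["Mobile Users", "Tablet Users"]),
]


def map_roles(device: Device, rules: List[Rule] = RULES) -> List[str]:
    """Walk the rules top to bottom, collecting roles; honour the stop flag."""
    assigned: List[str] = []
    for rule in rules:
        if rule.matches(device):
            assigned.extend(rule.roles)
            if rule.stop:
                break
    return assigned


def without_stop(rules: List[Rule] = RULES) -> List[Rule]:
    """Same rules with the stop flag cleared, to show why it is needed."""
    return [Rule(r.name, r.matches, r.roles, stop=False) for r in rules]


# Constructed sample endpoints.
CORP_LAPTOP = Device(files={"corp.txt"}, os="Windows")
HOME_PC = Device(files={"Home.txt"}, os="Windows")
PHONE = Device(files=set(), os="iOS")


if __name__ == "__main__":
    for label, dev in [("corp", CORP_LAPTOP), ("home", HOME_PC), ("phone", PHONE)]:
        print(label, "->", map_roles(dev))
    print("corp without stop ->", map_roles(CORP_LAPTOP, without_stop()))
```

Running it shows the corp laptop receiving only Corp Users, the home PC only Home Users and the phone the two catch-all roles; with the stop flag cleared the corp laptop also collects Mobile Users and Tablet Users from the users=* rule, which is the over-entitlement the ordering and stop flag are there to prevent.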
To accomplish your intent -
Hope this is helpful.
You can be as complex or simple as you want, unfortunately, with something like this.
Do you want to do a single realm and role map based on that? Or do you want multiple realms? Do you want a single sign-in policy or multiple?
Each has benefits & negatives that you need to weigh for your environment.
Thanks so much for the responses. I ended up using a single user realm with "everyone*", and tying HC policies to role mappings. I'm checking for a local file named corp.txt or not, and then for mobile devices checking against the OS and mapping a different role that way.
Once I got the hang of what I needed to do it wasn't too bad. Again, it ended up being a single user realm, two HC policies and three role mappings.
I'll probably tweak it some more as I move closer to production.
Thanks again for the help and insight.