# Device and platform restrictions

### I am new. Where should I start? <a href="#i-am-new.-where-should-i-start" id="i-am-new.-where-should-i-start"></a>

#### Purpose <a href="#purpose" id="purpose"></a>

The **Device OS** access control allows organizations to:

* **Restrict access** to specific device platforms
* **Allow access** only from approved operating systems
* **Block insecure** or **unsupported** device types
* **Enforce security** policies based on device compliance

This helps improve overall security by ensuring users only access systems from trusted platforms.

***

#### Prerequisites <a href="#prerequisites" id="prerequisites"></a>

Before configuring device-based access control, make sure:

* You have **Admin** or **Security Management** permissions
* An **Access Security** policy can be created or edited
* You know which device OS platforms should be allowed or denied (for example: **Windows, macOS, iOS, Android**)

***

### I already understand. How do I proceed step by step? <a href="#i-already-understand.-how-do-i-proceed-step-by-step" id="i-already-understand.-how-do-i-proceed-step-by-step"></a>

#### Step 1: Create a New Access Security Policy <a href="#step-1-create-a-new-access-security-policy" id="step-1-create-a-new-access-security-policy"></a>

* Sign in as an administrator: [Oten Admin | Security Policy & User management](https://admin.oten.live/)
* Profile Account → **Admin**
* Welcome page **Admin**
* Click the **Security Policy** menu → **Access Security**
* Click the **Create access security** button

***

#### Step 2: Add an Access Security Rule <a href="#step-2-add-an-access-security-rule" id="step-2-add-an-access-security-rule"></a>

1. In the **Access Security Rules** section, select **Add rule**
2. A new rule (for example, *Rule 1*) will be created

***

#### Step 3: Configure Device OS Condition <a href="#step-3-configure-device-os-condition" id="step-3-configure-device-os-condition"></a>

1. Under the rule, select **Add condition**
2. Choose **Device OS**

***

#### Step 4: Select Policy Mode <a href="#step-4-select-policy-mode" id="step-4-select-policy-mode"></a>

Choose how the selected device OS should be treated:

**Whitelist / Allow**

* Users with the selected device OS **will have access**
* Recommended when you want to explicitly allow only trusted platforms

**Example**:

* Allow access only from **Windows** and **macOS**

**Blacklist / Deny**

* Users with the selected device OS **will not have access**
* Recommended when you want to block specific platforms

**Example**:

* Deny access from **Android** devices

***

#### Step 5: Select Device Operating System <a href="#step-5-select-device-operating-system" id="step-5-select-device-operating-system"></a>

1. In the **Device OS** field, select one or more platforms
2. Multiple OS types can be added depending on policy requirements

***

#### Step 6: (Optional) Add More Conditions <a href="#step-6-optional-add-more-conditions" id="step-6-optional-add-more-conditions"></a>

* Select **Add condition** to combine Device OS with other controls such as:
  * IP address or IP range
  * Location
  * Device compliance
* Conditions within the same rule are evaluated together

***

#### Step 7: Create Access Security Policy <a href="#step-7-create-access-security-policy" id="step-7-create-access-security-policy"></a>

1. Review all configured rules and conditions
2. Select **Create access security** to save and activate the policy

***

### Result <a href="#result" id="result"></a>

* User access is evaluated based on their device operating system
* Access is **granted or denied** according to the configured policy mode
* Policies are enforced during sign-in and access attempts

***

### Additional Notes <a href="#additional-notes" id="additional-notes"></a>

* If **Whitelist / Allow** is used and no OS is matched, access will be denied by default
* If **Blacklist / Deny** is used, only the selected OS platforms are blocked
* Device OS detection depends on client and browser capabilities
* For higher security, combine Device OS rules with MFA or IP-based controls
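
The difference between the two modes matters most for platforms nobody listed and for sign-ins where the OS cannot be detected. The following is an added illustration, not Oten's implementation: `decide`, `gap` and the sample platform list are hypothetical names and constructed data that model only the two default behaviours stated in the notes above.

```python
from typing import Iterable, List, Optional

ALLOW, DENY = "allow", "deny"  # the Whitelist / Blacklist modes from Step 4


def decide(mode: str, selected: Iterable[str], detected_os: Optional[str]) -> bool:
    """Return True when a sign-in passes a single Device OS condition.

    detected_os is None when the platform could not be determined,
    since detection depends on client and browser capabilities.
    """
    chosen = {name.casefold() for name in selected}
    matched = detected_os is not None and detected_os.casefold() in chosen
    if mode == ALLOW:
        return matched        # no OS matched: denied by default
    if mode == DENY:
        return not matched    # only the selected platforms are blocked
    raise ValueError(f"unknown mode: {mode!r}")


def gap(allow_set: Iterable[str], deny_set: Iterable[str],
        observed: Iterable[Optional[str]]) -> List[Optional[str]]:
    """Platforms the denylist lets through that the allowlist would refuse."""
    allow_set, deny_set = list(allow_set), list(deny_set)
    return [os_name for os_name in observed
            if decide(DENY, deny_set, os_name)
            and not decide(ALLOW, allow_set, os_name)]


# Constructed sample of platforms seen at sign-in; None = OS not detected.
OBSERVED = ["Windows", "macOS", "iOS", "Android", "Linux", None]

if __name__ == "__main__":
    # The two example policies from Step 4.
    allow_policy = ["Windows", "macOS"]
    deny_policy = ["Android"]
    print(f"{'detected OS':<12} {'allowlist':<10} denylist")
    for os_name in OBSERVED:
        a = "grant" if decide(ALLOW, allow_policy, os_name) else "deny"
        d = "grant" if decide(DENY, deny_policy, os_name) else "deny"
        print(f"{str(os_name):<12} {a:<10} {d}")
    print("Passes denylist only:", gap(allow_policy, deny_policy, OBSERVED))
```

Running the same comparison against the platforms seen in your own sign-in logs shows which ones a **Blacklist / Deny** rule leaves open before the policy is activated.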

***

### Summary <a href="#summary" id="summary"></a>

* Device OS access control helps secure systems by platform
* Supports both **allowlist** and **denylist** models
* Can be combined with other access security rules
* Suitable for both enterprise and high-security environments

