> For the complete documentation index, see [llms.txt](https://oten.gitbook.io/identity-support/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oten.gitbook.io/identity-support/user-guide/organization-admin-app/business-owner-default-authority/security-and-governance/enforced-security-policies/device-and-platform-restrictions.md).

# Device and platform restrictions

### I am new. Where should I start? <a href="#i-am-new.-where-should-i-start" id="i-am-new.-where-should-i-start"></a>

#### Purpose <a href="#purpose" id="purpose"></a>

The **Device OS** access control allows organizations to:

* **Restrict access** to specific device platforms
* **Allow access** only from approved operating systems
* **Block insecure** or **unsupported** device types
* **Enforce security** policies based on device compliance

This helps improve overall security by ensuring users only access systems from trusted platforms.

***

#### Prerequisites <a href="#prerequisites" id="prerequisites"></a>

Before configuring device-based access control, make sure:

* You have **Admin** or **Security Management** permissions
* An **Access Security** policy can be created or edited
* You know which device OS platforms should be allowed or denied (for example: **Windows, macOS, iOS, Android**)

***

### I already understand. How do I proceed step by step? <a href="#i-already-understand.-how-do-i-proceed-step-by-step" id="i-already-understand.-how-do-i-proceed-step-by-step"></a>

#### Step 1: Create a New Access Security Policy <a href="#step-1-create-a-new-access-security-policy" id="step-1-create-a-new-access-security-policy"></a>

* Sign in as an administrator : [Oten Admin | Security Policy & User management](https://admin.oten.live/)
* Profile Account → **Admin**
* Welcome page **Admin**&#x20;
* Click on menu **Security Policy** → **Access Security**&#x20;
* Click button **Create access security**

***

#### Step 2: Add an Access Security Rule <a href="#step-2-add-an-access-security-rule" id="step-2-add-an-access-security-rule"></a>

1. In the **Access Security Rules** section, select **Add rule**
2. A new rule (for example, *Rule 1*) will be created

***

#### Step 3: Configure Device OS Condition <a href="#step-3-configure-device-os-condition" id="step-3-configure-device-os-condition"></a>

1. Under the rule, select **Add condition**
2. Choose **Device OS**

***

#### Step 4: Select Policy Mode <a href="#step-4-select-policy-mode" id="step-4-select-policy-mode"></a>

Choose how the selected device OS should be treated:

**Whitelist / Allow**

* Users with the selected device OS **will have access**
* Recommended when you want to explicitly allow only trusted platforms

**Example**:

* Allow access only from **Windows** and **macOS**

**Blacklist / Deny**

* Users with the selected device OS **will not have access**
* Recommended when you want to block specific platforms

**Example**:

* Deny access from **Android** devices

***

#### Step 5: Select Device Operating System <a href="#step-5-select-device-operating-system" id="step-5-select-device-operating-system"></a>

1. In the **Device OS** field, select one or more platforms&#x20;
2. Multiple OS types can be added depending on policy requirements

***

#### Step 6: (Optional) Add More Conditions <a href="#step-6-optional-add-more-conditions" id="step-6-optional-add-more-conditions"></a>

* Select **Add condition** to combine Device OS with other controls such as:
  * IP address or IP range
  * Location
  * Device compliance
* Conditions within the same rule are evaluated together

***

#### Step 7: Create Access Security Policy <a href="#step-7-create-access-security-policy" id="step-7-create-access-security-policy"></a>

1. Review all configured rules and conditions
2. Select **Create access security** to save and activate the policy

***

### Result <a href="#result" id="result"></a>

* User access is evaluated based on their device operating system
* Access is **granted or denied** according to the configured policy mode
* Policies are enforced during sign-in and access attempts

***

### Additional Notes <a href="#additional-notes" id="additional-notes"></a>

* If **Whitelist / Allow** is used and no OS is matched, access will be denied by default
* If **Blacklist / Deny** is used, only the selected OS platforms are blocked
* Device OS detection depends on client and browser capabilities
* For higher security, combine Device OS rules with MFA or IP-based controls

***

### Summary <a href="#summary" id="summary"></a>

* Device OS access control helps secure systems by platform
* Supports both **allowlist** and **denylist** models
* Can be combined with other access security rules
* Suitable for both enterprise and high-security environments
