Device Access policies in Trio’s Zero Trust framework control which devices are allowed to access corporate resources. These policies ensure that only authorized, compliant, and trusted devices can sign in, based on defined conditions such as network, location, and device posture.
Note: Device Access policies are currently supported on macOS and Windows devices only.
When to Use Device Access
Use Device Access policies to:
Restrict access to corporate resources from untrusted networks
Enforce security checks before device login
Require additional authentication or actions when risk conditions are met
Apply Zero Trust principles to device-level access
Accessing Device Access Policies
In the Trio dashboard, navigate to Security → Zero Trust.
Open the Conditional List tab.
If no policies exist, an empty state is shown with recommended Zero Trust scenarios.
Select Device Trust, Network Trust, or another scenario, then click Create policy.
Step 1: Define Policy Details
Enter a Policy Name
Use a descriptive name (for example: HR Portal Access Control).
(Optional) Add a Description
Explain the purpose of the policy for other administrators.
Choose an Enforcement Mode:
Report-only: Logs violations without enforcing actions.
Enforce: Actively applies actions when conditions are met.
Click Next to continue.
Step 2: Choose Device Login Scope
Select how the policy applies at login:
Device-based login rules determine when the policy is evaluated.
Confirm the scope before proceeding.
Click Next.
Step 3: Set Conditions
Conditions define when the policy applies. You can configure one or more of the following:
Corporate IP / Egress CIDR
Ensures device traffic originates from approved corporate IP ranges.
Select an Operator (for example: In list).
Choose one or more predefined IP Ranges (such as Corporate HQ or Remote Workforce).
Location-Based Login Rules
Allow or deny access based on the device’s geographic location.
Device Compliance
Enforce security posture requirements before access is allowed.
You can choose whether any or all configured conditions must match for the policy to apply.
Click Save Condition after configuring each condition.
Step 4: Choose Actions
Actions determine what happens when policy conditions are met.
Available actions include:
Lock Device
Immediately locks the device.
Requires setting a Lock PIN, which will apply to all assigned devices.
Require MFA at Login
Prompts users for multi-factor authentication.
Offline Restricted Mode
Allows offline login but restricts access to corporate profiles and apps.
After selecting the desired action, click Save and publish.
Lock PIN Configuration (If Applicable)
When selecting Lock Device:
Enter a secure PIN in the Set Lock PIN dialog.
Confirm the PIN.
Save the PIN to apply it to all devices assigned to this policy.
After Publishing
The policy becomes active immediately if Enforce mode is selected.
Devices matching the conditions will be evaluated at login.
Policy status and activity can be monitored from the Conditional List.
Best Practices
Start with Report-only mode to validate conditions before enforcing actions.
Combine Network Trust and Geolocation conditions for stronger Zero Trust enforcement.
Use clear policy names to simplify management at scale.
Regularly review IP ranges and device compliance requirements.