BetterCloud allows you to create policies to manage third party apps installed on your domain by your users. These policies can keep your domain secure by automatically revoking access to the account or domain associated with the application. Policies can also notify users if they install a potentially risky application.
- Set up notifications triggered when policy violations occur
- Set up auto-revoking of app permissions that will correct violations upon your domain's next sync
You can view all the sharing policies you have created here:
- To whom the policy is applied
- The conditions of the policy
- The actions the policy takes upon violations
- Ability to delete policy
- Whether or not end user's are notified when they install an app that violates a policy
- Create a new policy
Creating a policy
There are several steps involved in setting up an App Policy on your domain.
- Select who on your domain the policy will be applied to:
- Org Unit
- Individual User
- Note: Policies applied directly to a user take priority over those that apply to the user through his Org Unit or the domain that the user is a part of. Policies applied to Org Units take priority over those applied to everyone.
- Define when the policy will apply:
- All newly installed apps will have this action taken on them (not available when creating policy for individual users)
- The policy will apply if any of the criteria are true, or will only apply if all the criteria are true
- Select the conditions that cannot be violated
a.) Which permissions the app must require to be in violation of the policy:
- Drive - read/write
- Directory - read/write
- Email - read/write
- Domain - read/write
- Account - read/write
- Other - read/write
b.) Whether the app has access to the entire domain (app installed by admin) or just the account of the user who installed the app
c.) The permissions score of the app (the higher the permissions score, the more access the application has to your domain)
- Selecting the actions taken by the policy:
- Send Notification: The user will be notified that the app is a violation both in the end user view of BetterCloud, as well as via email
- Blacklist: Revokes the permissions of the app
- Whitelist: Approves and will keep permissions for all subsequent installs
- Leave Unresolved: The app will appear as a violation, but permissions will not be affected - further manual actions will be required at the discretion of the admin
- Save policy or select 'Save and Run' to enact the policy immediately
- These apps remain installed, but users are not able to log in or use the app, as access has been revoked.
- Once access have been revoked, a user could uninstall and reinstall the app - the app would the be required to be blacklisted again.
- This will automatically grant your users access these apps, though they must still be installed by new users.
- All newly installed apps would appear here (before they are Blacklisted or Whitelisted.)
- Users are able to log in and use all apps on this list, so make sure to check in and review these apps.
End User Notification
End Users are notified by email and within BetterCloud:
- Notifying via email can be done by clicking "Send Notification". You can edit the email message by click on "edit":
- Select template
- Send to - who this message is sent to
- Reply to - this email will receive the reply message
- BCC - blind carbon copy any additional people
- Email Body
- Dynamic Fields
- Save as new template
- Within BetterCloud, Users will be able to view their violations on the homepage:
Can a user still install an app if it is blacklisted?
- Yes, but upon the next sync the permissions for the app will be revoked.
Can a user still log into an app that has had its permissions revoked?
- Yes, but the app will not have access to the user's data.
Can I install apps for my users using BetterCloud?
- No, you can only revoke permissions or allow permissions.
Can I uninstall an app for my users using BetterCloud?
- No, the app will remain installed when permissions are revoked.
If I blacklist an app, when do the permissions get revoked?
- Upon the next sync.