Creating a Private Access Control Rule

Configure a secure access rule to control access to your organization's internal apps by user, device, time, and location.

Define your enterprise applications, then create private access control rules that allow or block access to these apps in line with the security needs and policies of your organization.

Trend Micro Vision One provides a default rule for private access control. The default rule is not editable and always has the lowest priority among all private access control rules. It is applied when no other rule matches, and it is set to not allow any access to any configured internal app.

  1. On the Secure Access Rules screen, click the Private Access Control tab and then click Create Rule.

    The rule configuration screen appears.

  2. Specify a unique name and a description for the rule.

    By default, the rule template name and description are displayed as the rule name and description.

  3. Click the toggle next to Status to enable or disable the rule.

    You can also choose to enable or disable a rule on the Secure Access Rules screen after you create the rule.

  4. Configure the following Apply to rule factors.

    Rule Factor



    Select the internal apps that the rule applies to. Options include:

    • All apps: All the internal apps that have been added on the Internal Applications screen

    • Client access enabled apps: A subset of added internal apps that are enabled with client access.

    • Browser access enabled apps: A subset of added internal apps that are enabled with browser access.

    To add an internal app, click Add Internal Application on the Select Apps screen. For more information, see Adding an Internal Application.


    Select the users that the rule applies to. Options include:

    • All users: All the users from your IAM system

    • Selected users / groups: A subset of users from your IAM system


    Select the devices to which the rule applies based on the devices' security posture profiles.


    This option does not apply to browser access enabled applications. This means that end users can launch their allowed browser access enabled applications from the user portal, regardless of the security posture of the devices they are using.

    To add a device posture profile, click Create device posture profile. For more information, see Adding a Device Posture Profile.


    Select the periods of time that the rule applies to. Options include:

    • Always: The rule takes effect all the time once created and enabled

    • Custom: Customize the time and date when the rule takes effect


    Trend Micro Vision One applies the rule according to the current time zone specified for the Trend Micro Vision One console.


    Select the geographic locations that the rule applies to.

  5. Select an action.
    • Block Internal App Access

    • Monitor Internal App Access

    • Allow Internal App Access

    For more information about actions, see Zero Trust Actions.

  6. Click Save.

    The rule is successfully created and listed on the Private Access Control screen.
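
An added illustration (not Trend Micro code and not an export from any console): a small Python model of the rule factors in step 4 that lists allow rules which require a device posture profile but cover browser access enabled apps, where the posture condition is not applied. The app, rule, group and profile names are constructed, the time and location factors are left out, and first-match evaluation in priority order is an assumption based on the description of the default rule.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed inventory: app name -> access modes enabled for that app.
APPS = {"wiki": {"browser"}, "ssh-bastion": {"client"}, "erp": {"browser", "client"}}

@dataclass
class Rule:
    name: str
    apps: set                # internal apps the rule applies to
    users: set               # users/groups; {"*"} stands for "All users"
    posture: Optional[str]   # required device posture profile, None = any device
    action: str              # "allow" or "block"

# Constructed rules, highest priority first.
RULES = [
    Rule("eng-managed", {"ssh-bastion", "erp"}, {"engineering"}, "managed-compliant", "allow"),
    Rule("all-wiki", {"wiki"}, {"*"}, None, "allow"),
]

def matches(rule, groups, app, mode, device_profiles):
    if app not in rule.apps:
        return False
    if "*" not in rule.users and not (rule.users & groups):
        return False
    # Device posture is not applied to browser access (note in step 4).
    if rule.posture and mode != "browser" and rule.posture not in device_profiles:
        return False
    return True

def decide(rules, groups, app, mode, device_profiles):
    """Assumed first-match evaluation; the default rule is the fallback."""
    for rule in rules:
        if matches(rule, groups, app, mode, device_profiles):
            return rule.name, rule.action
    return "default", "block"   # lowest priority, no access to any app

def posture_gaps(rules):
    """Allow rules whose posture condition is skipped for browser-enabled apps."""
    gaps = []
    for r in rules:
        exposed = sorted(a for a in r.apps if "browser" in APPS.get(a, set()))
        if r.action == "allow" and r.posture and exposed:
            gaps.append((r.name, exposed))
    return gaps

if __name__ == "__main__":
    print(decide(RULES, {"engineering"}, "erp", "browser", set()))
    print(posture_gaps(RULES))
```

Apps reported by `posture_gaps` are candidates for a separate rule that does not rely on device posture, or for review of whether browser access should be enabled for them.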