Security baselines define the compliance requirements that terminals must meet before accessing office applications through Zero Trust policies. The SASE client collects terminal attributes in real time and enforces these requirements—only terminals that pass the baseline checks can connect to the intranet.
Prerequisites
Before you begin, make sure that you have:
Access to the SASE console
The SASE client deployed on the terminals you want to manage (supports Windows, macOS, Android, and iOS)
Create a security baseline template
Log on to the SASE console.
In the left-side navigation pane, choose Terminal Management > Security Baselines.
Click Create Policy.
In the Create Security Baseline Template panel, configure the following parameters.
Basic configurations
| Parameter | Description |
| --- | --- |
| Attribute Group Name | A name for the baseline template. Must be 2–100 characters and can contain letters, digits, hyphens (-), and underscores (_). |

Baseline configurations

| Parameter | Description | OS support |
| --- | --- | --- |
| Time Range | The period during which the baseline is active. Configure Policy Effective Time and Policy Expiration Time. If the two times conflict, the expiration time takes effect. | All |
| Terminal Type | The types of terminals allowed to access office applications under Zero Trust policies. Options: Unlimited, Allow Access from PCs, Allow Access from Mobile Terminals. | All |
| Security Wi-Fi | The Wi-Fi network names that terminals must use to access the intranet. Terminals on unlisted networks cannot access protected applications. Add up to 10 names, each 2–50 characters, separated by commas. | Windows, macOS |
| Security Process | The names and file paths of required security processes on the terminal. If the specified process is not found at the given path, the terminal is blocked. Add up to five processes; each name must be 2–50 characters, separated by commas. You can add up to 10 names. | All |
| Firewall | Whether to require terminals to have their built-in firewall enabled. When enabled, terminals with the firewall disabled cannot access protected applications. | All |

Click OK.
The new template appears on the Security Baselines page. SASE immediately starts enforcing the baseline for terminals that match the template settings.
Manage baseline templates
After creating a template, you can:
Edit: Click Details to view or modify the template in the Details panel.
Delete: Click Delete to remove the template.
When a terminal fails to meet a baseline, it is blocked from accessing the office applications specified in the associated Zero Trust policy. Notify users before activating a strict baseline to minimize access disruptions during rollout.
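To see which users to notify before rollout, you can dry-run a planned baseline against a terminal inventory. The following is an added example, not SASE code or a SASE API: it is a local Python model of the checks in the Baseline configurations table, and all field names, the sample inventory, and the handling of the time range and of an empty Wi-Fi list are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Local model of the template fields described above. All field names are
# hypothetical; this is not the SASE client's logic or a SASE API.
@dataclass
class Baseline:
    effective: datetime
    expiration: datetime
    terminal_type: str = "Unlimited"                # "Unlimited", "PC" or "Mobile" (shortened labels)
    wifi_names: list = field(default_factory=list)  # empty list: no Wi-Fi requirement (assumption)
    processes: dict = field(default_factory=dict)   # process name -> required file path
    require_firewall: bool = False

PC_OS = {"Windows", "macOS"}

def failed_checks(b, t, now):
    """List the baseline checks that terminal `t` (a dict) fails at time `now`."""
    # Assumption: nothing is enforced outside [effective, expiration).
    if not (b.effective <= now < b.expiration):
        return []
    failed, is_pc = [], t["os"] in PC_OS
    if (b.terminal_type == "PC" and not is_pc) or (b.terminal_type == "Mobile" and is_pc):
        failed.append("Terminal Type")
    # The table lists Security Wi-Fi for Windows and macOS only.
    if is_pc and b.wifi_names and t.get("wifi") not in b.wifi_names:
        failed.append("Security Wi-Fi")
    for name, path in b.processes.items():
        if t.get("processes", {}).get(name) != path:
            failed.append("Security Process: " + name)
    if b.require_firewall and not t.get("firewall", False):
        failed.append("Firewall")
    return failed

def dry_run(b, inventory, now):
    """Map each terminal that would be blocked to the checks it fails."""
    report = {name: failed_checks(b, t, now) for name, t in inventory.items()}
    return {name: failed for name, failed in report.items() if failed}

# Constructed sample data, not taken from a real deployment.
BASELINE = Baseline(datetime(2025, 1, 1), datetime(2026, 1, 1), "PC", ["Corp-Office"],
                    {"edr-agent": "/opt/edr/edr-agent"}, True)
INVENTORY = {
    "mac-01": {"os": "macOS", "wifi": "Corp-Office", "firewall": True,
               "processes": {"edr-agent": "/opt/edr/edr-agent"}},
    "mac-02": {"os": "macOS", "wifi": "Cafe-Guest", "firewall": False,
               "processes": {"edr-agent": "/tmp/edr-agent"}},
    "ios-03": {"os": "iOS", "wifi": "Corp-Office", "firewall": True, "processes": {}},
}
```

Calling `dry_run(BASELINE, INVENTORY, datetime(2025, 6, 1))` reports `mac-02` and `ios-03` as blocked, with the failed checks for each.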
What's next
Bind the baseline template to a Zero Trust policy so SASE can enforce it. For details, see Configure a Zero Trust policy.