Quick Overview

MAC Groups in zAccess allow administrators to group endpoint devices based on their MAC addresses. This facilitates identity-based access control where policies and rulesets can be applied to devices regardless of their current IP address, location, or network. MAC Groups are essential for managing known, trusted devices within a zero-trust framework.

How to Use This Feature in the UI

1. Go to Policy Configuration > MAC Groups.
2. Click ADD GROUP.
3. Enter a Group Name that reflects the purpose or user set (e.g., “Corporate Laptops” or “Contractor Devices”).
4. Input one or more valid MAC addresses in the required format (e.g., 00:1A:2B:3C:4D:5E).
5. Click Save to create the group.

Concepts & Use Cases

• Device-Based Access Control: Identify and enforce policies for specific hardware endpoints regardless of network or user login.
• BYOD & Guest Segmentation: Isolate personal or unmanaged devices by assigning them to a MAC group with limited permissions.
• Zero Trust Enforcement: Require that only devices in approved MAC groups can access sensitive applications.
• Compliance Assurance: Ensure that only registered, compliant machines connect to critical resources.

Troubleshooting & FAQs

• Why isn’t a device being matched to its MAC group?
  Ensure the MAC address is entered correctly and belongs to the interface used for zAccess login. Avoid duplicate or invalid entries.
• Can a device belong to more than one MAC group?
  Yes. Devices can exist in multiple groups and are evaluated in the order defined by ruleset priorities.
• Is MAC spoofing a concern?
  MAC addresses can be spoofed, so MAC Groups should be used in conjunction with other posture or identity checks for high-security environments.
• How can I audit MAC group usage?
  Use the Endpoint Sessions page or Event Logs to view devices’ matched groups during login.