CA - Block Remote Work for not allowed users
What this policy is for
Some roles are office-only, by design.
This policy makes sure those users can only sign in from your trusted, on-site networks (your customer locations).
Anywhere else? Blocked.
In short: members of the Not Allowed to Work Remote group can work at HQ only, not from cafés, home Wi-Fi, or “mysterious” IPs on the internet.
Combined with
- NLOC - Customer Locations
- Group - Not Allowed to Work Remote Users
Together, they create a clean rule:
If you’re in the group and you’re not at a Customer Location, access is blocked.
Configuration Overview
How it works:
- Users in the group can authenticate only when the sign-in originates from a defined Customer Location (your trusted IP ranges).
- From any other location, sign-in is blocked across all apps.
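As an added example (not code from the original page), the rule above expressed as a Conditional Access policy created through the Microsoft Graph PowerShell SDK. It assumes the group and named location already exist under the display names used on this page and that the connecting account holds the listed scopes; the policy is created in report-only state so it can be validated before enforcement.

```powershell
# Added example: build the "in group AND not at a Customer Location => block" policy.
# Object IDs are resolved at runtime; nothing here is hard-coded to a tenant.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','Group.Read.All'

$groupName    = 'Group - Not Allowed to Work Remote Users'   # display name from the page
$locationName = 'NLOC - Customer Locations'                  # display name from the page

# Resolve the group and the named location by display name (assumed to already exist)
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group -or @($group).Count -ne 1) { throw "Expected exactly one group named '$groupName'" }

$location = Get-MgIdentityConditionalAccessNamedLocation -Filter "displayName eq '$locationName'"
if (-not $location -or @($location).Count -ne 1) { throw "Expected exactly one named location '$locationName'" }

$policy = @{
    displayName   = 'CA - Block Remote Work for not allowed users'
    state         = 'enabledForReportingButNotEnforced'   # switch to 'enabled' once sign-in logs look right
    conditions    = @{
        clientAppTypes = @('all')
        users          = @{ includeGroups = @($group.Id) }          # only the office-only group is in scope
        applications   = @{ includeApplications = @('All') }       # blocked across all apps
        locations      = @{
            includeLocations = @('All')                            # evaluate every sign-in location...
            excludeLocations = @($location.Id)                     # ...except the trusted Customer Locations
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

While the policy is in report-only state, the sign-in logs show which sign-ins would have been blocked, which is the check to run before flipping the state to enabled.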
Purpose and Impact
This policy enforces predictable access for office-bound roles:
- Reduces risk from unmanaged and unknown networks
- Keeps compliance tight for roles that must remain on-prem
- Cuts down incident noise from “random” remote sign-in attempts
It’s simple, auditable, and easy to reason about: office-only means office-only.
Governance & Security
Before rollout:
- Align with HR/management on which roles are office-only
- Populate Group - Not Allowed to Work Remote Users accordingly
- Validate NLOC - Customer Locations (IPs, VPN egress, branches)
After rollout:
- Review group membership regularly (joiners/movers/leavers)
- Monitor blocked sign-ins; repeated hits can indicate compromised credentials
- Re-verify named location ranges after WAN/VPN changes
“Remote access isn’t a right; it’s a scoped exception.”
Final Note
This is your on-site only guardrail.
Keep the group tight, keep the locations accurate, and you’ll keep risk, and noise, way down.
Set it. Test it.
And let the perimeter do its job.