Getting Started
- Overview & Company
  - About Identity and Access Management
  - About Evo Security
- Initial Setup & Requirements
  - Evo Prerequisites & Supported Operating Systems
  - Evo Authenticator Mobile App 5.1 (iOS and Android)
  - Evo Supported Authentication Methods
Directory Environments
- Environments
  - What type of Directory do I need?
  - Set up Evo on Active Directory (LDAP)
  - Set up Evo on Azure AD
  - What is Evo Cloud? Evo's Directory as a Service (DaaS) - How to get Started
  - Sync with Google Workspace
  - Unsupported - Microsoft Azure Virtual Desktop
Deployment & Configuration
- Installation & Setup
  - WS-Federation integration for Office 365 login
  - Elevated Access: Extended User Access Control session
  - Integrating Evo with Windows Desktops
  - Evo Secure Login for Windows / Troubleshooting Secure Login
  - LDAP Agent Settings Editor
  - Azure AD - Federating Microsoft 365 domain
  - Azure AD/On-Prem AD Hybrid Environment - Federating Microsoft 365 Domain
  - Sync with On-Prem Active Directory (LDAP)
  - Sync with Azure AD (AAD) using Microsoft Entra admin center
  - (New UI) Evo Cloud: Directory-As-A-Service Setup and Installation
- Advanced Configurations
  - Windows Credential Provider Best Practices
  - Can you install the Credential Provider on Azure AD joined machines?
  - How to protect Remote Desktop using Evo Security (RDP Support)
  - How to Change Windows Credential Provider Settings in Silent Mode after Installation
- Scripts & Automation
  - Deploy & Uninstall Evo Agent via PowerShell
- Branding & Customization
  - How do I update the Logos to match my company brand? (Web Page and Agent)
Product Information
Evo Portal
- Navigation & Managment
  - Welcome to the New Evo Portal!
  - Tenants Page
  - Onboarding Section
  - Policies Page
  - Rules Section (Global)
  - Integrations Page
  - Settings Section
  - Dashboard Page
  - Directories Page
  - Vault Section
  - Users Page
  - Groups Page
  - Help Desk Verification
  - Help Desk Verification with Microsoft Authenticator and Evo Secure Login
  - Elevated Access: End User Elevation
  - Access Tokens Page
  - Keys (Hardware Keys) Page
  - Endpoints Section
  - Applications Page
  - Elevation Section (Tenant)
  - Main Dashboard
  - Role-Based Permissions / List of Roles
  - Setup Elevated Access
  - Elevated Access: End User Elevation
- User & Directory Managment
  - How do I add or delete customers?
  - How do I add, edit or disable a Domain Account? ( Old UI )
  - How do I add, edit, or delete a directory?
  - How do I disable, enable, or delete user devices (Endpoints)?
  - User Groups
  - Custom Aliases ( Old UI )
  - Local Accounts ( Old UI )
  - Web Accounts
  - How do I manage my user licenses? (Billing and Administration)
- Security & SSO Settings
  - How do I add a rule for single sign-on (SSO) expiration?
  - Password Rotation with Evo
  - Identity Provider (IdP) Login
Integrations
- SSO & Identity Providers
  - Connect Web Apps via SAML with Evo: Version 3
  - Integrating Evo with Box.com (SAML/SSO)
  - Integrating Evo with Keeper
  - What SAML integrations are available?
  - Integrating Evo with Dropbox
  - Integrating Evo with Salesforce
- PSA / Documentation Tools
  - Evo Password Integration with ITGlue
  - Integrating Evo with IT Glue
  - Evo Password Integration with Hudu
  - Evo Integration with Autotask
  - Evo Integration with ConnectWise
  - Integrating Evo with Liongard
- Monitoring & Networking
  - Integrating Evo with Auvik
  - Integrating Evo with Domotz
User Onboarding & Guidance
- MFA & Access Behavior
  - How does the "MFA Status" toggle work?
  - Set Evo Secure Login as default option at login screen
  - MFA Grace Period
  - Temporary Authentication Lockout
- Account Management
  - How do I reset my Evo password?
  - How do I see authentication activity?
  - How do I convert user types?
  - How do I manage my users / users devices?
- End User Documentation
  - How do I create my user account?
  - How do i log in?
  - How do I register my device?
  - Evo Authenticator watch app
  - Using Evo Secure Login (End User)
  - Using Evo Security (End User) - Azure AD
  - Using Evo Security (End User) - Active Directory
  - Installing the macOS Credential Provider
Troubleshooting & FAQs
- Directories Troubleshooting
  - Troubleshooting Evo Authenticator Mobile App Issues
  - Error Fetching AD Groups: How to fix AAD Client Secret expired
  - Troubleshoot issues with the Evo LDAP Agent
  - On-prem AD Virtual Machine hosted on Azure (timeout settings)
- Secure Login Troubleshooting
  - Last User Caching: Evo Login Only & Fast User Switching
  - Error: Login Denied due to Temporary Lockout
  - Error Message: the account is disabled or not found
  - How to Fix Secure Login Always Requests Offline Code
  - How to use Offline code to login to Windows machine without Internet
- Elevated Access Troubleshooting
  - Error: The user has not been granted the requested logon type at this computer
  - How to Troubleshoot Elevated Access / Domain Accounts
- Mobile App Troubleshooting
  - Troubleshooting Evo Authenticator Mobile App Issues
- End User Troubleshooting
  - User cannot login after changing email
- RADIUS Troubleshooting
  - RADIUS - Secure RADIUS Servers with TLS/radsecproxy (CVE-2024-3596)
  - Requesting a RADIUS Server in Evo / RADIUS Troubleshooting
Support & Resources
- Support & Resources
  - Where to go for help / feature requests
  - Adding Evo Users to the Evo Support Portal
  - Setting up Mobile Email to Provide Logs to Evo
  - How do I add, edit, or delete email campaigns?
  - How do I update Evo software?
More

Policies Page

Last updated on August 1, 2025

Policies

This menu allows you to set custom policies for SSO Reset Frequencies, IP restrictions & Local account password length for your Evo instance

Policies are a great way to restrict access or define temporary single sign-on requirements. These "Rules" will only apply to your SAML enabled web applications that have been integrated with Evo.

When applying a rule, it is applied globally, and will apply to all clients and users.

There are currently Five categories of rules available.

Blocking IP Addresses allows you to restrict where log in attempts originate from.

By Country allows you to pick from a list of countries and territories to block.

Custom allows you to enter a single public IP address, or a block of public IP addresses you’d like to block.

Single Sign-On (SSO) allows you to control a temporary duration for SSO before the user must re-authenticate. Or enforce multi-factor authentication (MFA) for all logins.

Local Account Password Length allows you to set the password length amongst local accounts.

Session Management lets you control how long before the session timeouts and requires re-authenticates as well as retention of sessions.

Allowed Authentication Methods lets you control per tenant which Authentication methods are allowed

NOTE: Policies apply globally to all users/customers within your Evo Environment and are specific for SAML Web Apps. (Does not apply to Evo Credential Provider)

A policy for single sign-on can help you control a temporary duration for SSO before the user must re-authenticate or enforce multi-factor authentication (MFA) for all logins.

How do I add a rule for single sign-on (SSO) expiration?

NOTE: The SSO rule applies globally to all users/customers within your Evo Environment. SSO rule is specific for SAML Webapps. (Does not apply to Evo Credential Provider). Only 1 SSO rule is allowed per environment.

How to apply the rule globally

From the dashboard, click Policies.

Click the Add New Policy.

Click Single Sign-On (SSO) Reset Frequency.

Use the slider to define the rule.

To Always Require MFA. Move the slider all the way to the left.

To expire SSO after a period. Move the slider based on your organizations’ rules. Anywhere between 1 to 7 days.

How to edit a rule

From the dashboard, click Policies.

In the displayed list of rules, find the one you want to edit and select the pencil icon on the right

Make the edits you want.

Click Save Changes.

How to delete a rule

From the dashboard, click Policies.

In the displayed list of rules, find the one you want to delete and click the checkbox in the first column.

From the Action menu at the bottom, select Delete.

When defining a policy, you can specify a single IP address or a range of IP addresses to apply globally.

When creating a policy to block a large range of IP addresses, it might be advantageous to explore the reason that so many exclusions are being made.

Creating a policy to block a country, rather than a ranges of IP address, might better suit your needs.

*Blocking a country will block the entire country, no exceptions allowed.

NOTE: This policy will apply globally to all users/customers within your Evo Environment. This policy is specific for SAML Webapps.(Does not apply to Evo Credential Provider).

How do I block IP addresses / countries for SAML integrations?

How to apply the rule globally

From the dashboard, click Policies.

Click the Add New Policy button.

Click Block IP Addresses - Custom.

Enter the single public IP Address or the range of public IP Addresses you’d like to block. When entering an IP address range, it must be entered as X.X.X.X - X.X.X.X.

Click Apply. If after applying the IP addresses to the rule, you’ve found one that is incorrect or shouldn’t have been included. You can remove the address in question.

To remove: Click the trash can next to the IP address.

Repeat steps 6 & 7 for each IP address or range to be included in the rule.

Once all IP address have been added and confirmed as correct, click Add Rule.

Country Based Policy

When defining a Country based policy, you can select a single country/territory, or multiple countries/territories to block.

Blocking a country/territory will block the entire region, no exceptions allowed.

NOTE: This policy will apply globally to all users/customers within your Evo Environment. This policy is specific for SAML Webapps.

How to apply the rule by Country

From the dashboard, click Policies.

Click the Add New Policy.

Click Block IP Addresses – By Country.

From the list of countries check the box to the left for each country to be blocked. To locate a specific country, use the search field to narrow down the list. Once all countries have been checked, click Add Rule.

Did this answer your question?

😞

😐

🤩

Onboarding Section Rules Section (Global)