Forefront UAG inbuilt endpoint policies enable you to create tiers of access by determining whether or not endpoint devices are allowed to access internal sites and applications, or perform certain operations on the application servers, depending on the security settings of the endpoint devices.

An endpoint policy can contain:

• Platform-specific policies—These are enforced according to the operating system of the endpoint device from which the user accesses the Forefront UAG site. The available choices are Windows, Mac OS, Linux, or any other platform.
  
  
• Expressions—These are conditions that are made up of variables, free VBScript text, or a combination of both. An expression encompasses platform-specific expressions, which are enforced according to the platform of the endpoint device from which the user accesses the Forefront UAG site. You should use expressions to define a policy in deployments where you do not need to address platform-specific issues. You can also use expressions, including platform-specific expressions, to define multiple conditions once, and then use them in several policies.
  
  

You can use the policies that are provided with Forefront UAG, edit them, and define additional policies, as required. You can use policies to define multiple conditions once, and apply them to the Forefront UAG site and across several applications.

Note:
It is recommended that you tailor the default policies to your organization's security needs. For example, edit all platform-specific Default Web Application Access policies to check for the antivirus software that your corporate endpoint computers are running.

In addition to Forefront UAG inbuilt policies, you can evaluate endpoint settings as NAP policies downloaded from an NPS server. You specify the NPS server location and settings in the Forefront UAG Management console, and the NAP policies are retrieved from the specified server.