
End User Accounts and Device Policy

Purpose

This policy defines RunWhen’s requirements for end user accounts and device protections.


Scope

This policy applies to:

  • All employees, contractors, and third parties using Google Workspace and GitHub accounts.

  • All authentication methods, including passwords, OAuth tokens, and API keys.


Google Workspace Accounts

Token Expiry

  • OAuth tokens and session tokens are configured to expire after 24 hours.

  • Users must re-authenticate after token expiration.

Password Complexity

  • Minimum length: 12 characters.

  • Must include at least one uppercase letter, one lowercase letter, one number, and one special character.

  • Must not match any of the previous 10 passwords.

Password Change Frequency

  • Passwords must be changed at least every 90 days.

  • Accounts are configured to enforce automatic prompts when passwords expire.

Password Configuration

  • Passwords are managed via Google Workspace Admin Console with enforced complexity and rotation rules.

  • 2-factor authentication (2FA) is mandatory for all accounts.


GitHub Accounts

  • GitHub access must be via SSO (Google Workspace) where supported.

  • If direct GitHub authentication is required:

    • The same password complexity and rotation rules apply as in Section 3 (Google Workspace Accounts).

    • 2FA is mandatory (preferably via hardware security keys).

  • Personal access tokens (PATs) must:

    • Be configured with the minimum required scope.

    • Expire after a maximum of 90 days.

    • Be stored only in approved secret managers (not in code or plaintext).


Devices

  • When the company macOS MDM vendor is selected, all employees must ensure that it is installed and admin-configured on any laptop that may carry okteto/gcloud/kubeconfig credentials to access our dev environments

  • Screen lock after 10 minutes

  • FileVault (full disk encryption) must be on

  • Automatic security updates must be on

  • Gatekeeper application verification protection must be on

  • XProtect malware protection must be on

  • System Integrity Protection must be on

Governance

This policy is jointly owned by the Head of Engineering and Head of Security/Compliance, and it is reviewed at least annually or whenever practices evolve significantly.

For any questions or clarifications regarding this policy, please contact the Security or Engineering leadership team.