
End User Accounts and Device Policy

Purpose

This policy defines RunWhen’s policies around end user accounts and device protections.


Scope

This policy applies to:

  • All employees, contractors, and third parties using Google Workspace and GitHub accounts.

  • All authentication methods, including passwords, OAuth tokens, and API keys.


Google Workspace Accounts

Token Expiry

  • OAuth tokens and session tokens are configured to expire after 24 hours.

  • Users must re-authenticate after token expiration.

Password Complexity

  • Minimum length: 12 characters.

  • Must include at least one uppercase letter, one lowercase letter, one number, and one special character.

  • Must not match any of the previous 10 passwords.

Password Change Frequency

  • Passwords must be changed at least every 90 days.

  • Accounts are configured to enforce automatic prompts when passwords expire.

Password Configuration

  • Passwords are managed via Google Workspace Admin Console with enforced complexity and rotation rules.

  • 2-factor authentication (2FA) is mandatory for all accounts.


GitHub Accounts

  • GitHub access must be via SSO (Google Workspace) where supported.

  • If direct GitHub authentication is required:

    • Same password complexity and rotation rules apply as in Section 3.

    • 2FA is mandatory (preferably via hardware security keys).

  • Personal access tokens (PATs) must:

    • Be configured with the minimum required scope.

    • Expire after a maximum of 90 days.

    • Be stored only in approved secret managers (not in code or plaintext).


Devices

  • When the company macOS MDM vendor is selected, all employees must ensure that it is installed and admin-configured on any laptop that may carry okteto/gcloud/kubeconfig credentials to access our dev environments.

  • Screen lock after 10 minutes.

  • FileVault (full disk encryption) must be on.

  • Automatic security updates must be on.

  • Gatekeeper application verification protection must be on.

  • XProtect malware protection must be on.

  • System Integrity Protection must be on.

Governance

This policy is jointly owned by the Head of Engineering and Head of Security/Compliance, and it is reviewed at least annually or whenever practices evolve significantly.

For any questions or clarifications regarding this policy, please contact the Security or Engineering leadership team.
