User Protection Policy

User Protection policies control what people on your team can do from their managed devices — what apps they can run, what peripherals they can use, what websites they can reach, and what data they can move. Each sub-policy targets one slice of that behavior.

Path: Policies → Endpoint Users

Every sub-policy page shares the same target-list shape: rows of your Usergroups (expandable to individual users) with a Policy Type column showing what’s currently assigned. The button at the top reads Edit [Policy Type] + and is disabled until you tick a row. Selecting a Usergroup applies the change to everyone in it.

---

​

Device Control

Sub-path: Policies → Endpoint Users → Device Control

Controls which physical peripherals managed devices may use. Edit Device Policy dialog:

• Schedule Class — dropdown. Default Forever. Use to restrict the policy to specific time windows defined in Objects → Schedule.
• Devices — seven toggles, each defaulting to Allow unless noted:

---

​

App Control

Sub-path: Policies → Endpoint Users → App Control

Controls which applications (or app categories) managed devices may run. Edit App Policy dialog:

• Schedule Class — dropdown. Default Forever.
• App Categories — table of category-level rules:

Priority Level determines which rule takes effect if an app matches more than one category — High outranks Medium outranks Low. All Apps is the catch-all baseline.

---

​

Domain Filtering

Sub-path: Policies → Endpoint Users → Domain Filtering

Controls which categories of websites managed devices can resolve and visit. Edit Policy dialog:

• Schedule Class — dropdown. Default Forever.
• Domain Categories — long list of categories, each with an Allow toggle. Categories include Abortion, Academic Fraud, Activism, Adult & Pornography (off by default), Advertising, Armed Forces, Artificial Intelligence Technology, Arts & Fashion, and many more. Adult & Pornography is the only category that defaults to denied.

---

​

Data Leakage Prevention → App File Access

Sub-path: Policies → Endpoint Users → Data Leakage Prevention → App File Access

DLP rules for which applications can read which classes of sensitive data on a managed device. Edit DLP Policy dialog:

• Schedule Class — dropdown. Default Forever.
• Rules — ordered list. Rules at the top have higher priority. Drag to reorder.
• Each rule is a row with:
  • PRIORITY [N] badge.
  • If source is — multi-select dropdown over data classifications (e.g. PII, FINANCE, …).
  • apply to — dropdown to pick the application(s) the rule applies to.
  • ALLOW / BLOCK toggle.
  • Delete (trash) icon.
• Add execution rule button to append a new rule at the bottom.

---

​

Global Policy

Sub-path: Policies → Endpoint Users → Global Policy

The baseline posture policy that applies to every managed device in a group. Edit Global Policy dialog:

• Screen lock
  • Checkbox: “Require screen lock when idle” (default off). Locks the session after inactivity for users in this group.
• Disk encryption
  • Checkbox: “Require full-disk encryption” (default off). Devices for this group must report encryption as compliant.

---

​

A typical configuration order

1. Set Global Policy on the Common group first as your baseline (screen lock + disk encryption).
2. Tune Device Control if your environment requires restricting USB storage, Bluetooth, or other peripherals.
3. Configure App Control based on what your team uses (and prohibits).
4. Set Domain Filtering categories.
5. Add DLP rules under App File Access for any sensitive-data flows you care about.
6. Repeat per group if different teams need different policies.

​

Related

• Managing Users & Groups — define the Usergroups these policies target.
• Core Concepts — how Osto thinks about Assets, Objects, and Policies.