> ## Documentation Index
> Fetch the complete documentation index at: https://docs.osto.one/llms.txt
> Use this file to discover all available pages before exploring further.

# User Protection Policy

> Control what people on your team can do from their managed devices — apps, peripherals, websites, and data.

User Protection policies control what people on your team can do from their managed devices — what apps they can run, what peripherals they can use, what websites they can reach, and what data they can move. Each sub-policy targets one slice of that behavior.

> **Path:** Policies → Endpoint Users

Every sub-policy page shares the same target-list shape: rows of your **Usergroups** (expandable to individual users) with a **Policy Type** column showing what's currently assigned. The button at the top reads **Edit \[Policy Type] +** and is disabled until you tick a row. Selecting a Usergroup applies the change to everyone in it.

| Column             | What it shows                                                                                                               |
| ------------------ | --------------------------------------------------------------------------------------------------------------------------- |
| **Usergroup/Name** | Groups expand to reveal users. Defined in [Managing Users & Groups](/how-to-guides/asset-management/managing-users-groups). |
| **Email**          | The user's email.                                                                                                           |
| **Policy Type**    | *User Group Policy* (inherited from the group), *No Policy*, or a specific override.                                        |

***

## Device Control

> **Sub-path:** Policies → Endpoint Users → Device Control

Controls which physical peripherals managed devices may use.

**Edit Device Policy dialog:**

* **Schedule Class** — dropdown. Default *Forever*. Use to restrict the policy to specific time windows defined in **Objects → Schedule**.
* **Devices** — seven toggles, each defaulting to *Allow* unless noted:

| Device              | Default | Notes                                                                 |
| ------------------- | ------- | --------------------------------------------------------------------- |
| USB Storage Devices | Allow   | Has a **Read Only** checkbox sub-option to permit mount-as-read-only. |
| Portable Devices    | Allow   | Phones, cameras, media players.                                       |
| Wifi                | Allow   | The device's own Wi-Fi adapter.                                       |
| Webcam              | Allow   |                                                                       |
| Local Printers      | Allow   |                                                                       |
| Network Sharing     | **Off** | File / network sharing protocols.                                     |
| Bluetooth           | Allow   |                                                                       |

***

## App Control

> **Sub-path:** Policies → Endpoint Users → App Control

Controls which applications (or app categories) managed devices may run.

**Edit App Policy dialog:**

* **Schedule Class** — dropdown. Default *Forever*.
* **App Categories** — table of category-level rules:

| App Name          | Priority Level      | Action       |
| ----------------- | ------------------- | ------------ |
| All Apps          | Very Low (Default)  | Allow toggle |
| Instant Messaging | Low / Medium / High | Allow toggle |
| VPN               | Low / Medium / High | Allow toggle |
| Web Browser       | Low / Medium / High | Allow toggle |
| P2P               | Low / Medium / High | Allow toggle |

Priority Level determines which rule takes effect if an app matches more than one category — *High* outranks *Medium* outranks *Low*. *All Apps* is the catch-all baseline.

***

## Domain Filtering

> **Sub-path:** Policies → Endpoint Users → Domain Filtering

Controls which categories of websites managed devices can resolve and visit.

**Edit Policy dialog:**

* **Schedule Class** — dropdown. Default *Forever*.
* **Domain Categories** — long list of categories, each with an **Allow** toggle. Categories include *Abortion, Academic Fraud, Activism, Adult & Pornography* (off by default), *Advertising, Armed Forces, Artificial Intelligence Technology, Arts & Fashion*, and many more. *Adult & Pornography* is the only category that defaults to denied.

***

## Data Leakage Prevention → App File Access

> **Sub-path:** Policies → Endpoint Users → Data Leakage Prevention → App File Access

DLP rules for which applications can read which classes of sensitive data on a managed device.

**Edit DLP Policy dialog:**

* **Schedule Class** — dropdown. Default *Forever*.
* **Rules** — ordered list. *Rules at the top have higher priority. Drag to reorder.*
* Each rule is a row with:
  * **PRIORITY \[N]** badge.
  * **If source is** — multi-select dropdown over data classifications (e.g. *PII*, *FINANCE*, …).
  * **apply to** — dropdown to pick the application(s) the rule applies to.
  * **ALLOW** / **BLOCK** toggle.
  * Delete (trash) icon.
* **Add execution rule** button to append a new rule at the bottom.

***

## Global Policy

> **Sub-path:** Policies → Endpoint Users → Global Policy

The baseline posture policy that applies to every managed device in a group.

**Edit Global Policy dialog:**

* **Screen lock**
  * Checkbox: *"Require screen lock when idle"* (default off). Locks the session after inactivity for users in this group.
* **Disk encryption**
  * Checkbox: *"Require full-disk encryption"* (default off). Devices for this group must report encryption as compliant.

***

## A typical configuration order

1. Set Global Policy on the **Common** group first as your baseline (screen lock + disk encryption).
2. Tune Device Control if your environment requires restricting USB storage, Bluetooth, or other peripherals.
3. Configure App Control based on what your team uses (and prohibits).
4. Set Domain Filtering categories.
5. Add DLP rules under App File Access for any sensitive-data flows you care about.
6. Repeat per group if different teams need different policies.

## Related

* [Managing Users & Groups](/how-to-guides/asset-management/managing-users-groups) — define the Usergroups these policies target.
* [Core Concepts](/getting-started/core-concepts) — how Osto thinks about Assets, Objects, and Policies.
