Policy Management

Policies define the security rules and restrictions applied to enrolled devices and work profiles. Create, customize, and assign policies to users or groups.

Policy Overview

A policy contains settings for:

  • Container: Resource limits, runtime settings
  • Network: VPN, firewall, DNS configuration
  • DLP: Clipboard, screenshot, USB controls
  • Applications: Allowed/blocked apps, managed apps
  • Compliance: Required security settings

Creating a Policy

  1. Navigate to Policies → Create Policy
  2. Enter a policy name and description
  3. Configure settings in each category
  4. Save and optionally assign to groups

Policy Types

Container Policy

container:
  memory_limit: 4GB
  cpu_limit: 2
  storage_limit: 50GB
  network_isolation: true
  unprivileged: true

Network Policy

network:
  vpn:
    required: true
    kill_switch: true
  firewall:
    default: deny
    allow:
      - "*.company.com"
      - "slack.com"
      - "github.com"
  dns:
    providers:
      - 1.1.1.1
    filtering: true
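
The firewall block above is a default-deny allow-list, so the only security-relevant question is exactly which hostnames each entry covers. The following is an added example, not Zero's own code: it evaluates a destination hostname against an allow-list shaped like the one above. The matching rules are assumptions made here for illustration: a bare hostname such as `slack.com` matches only itself, and `*.company.com` matches any hostname with at least one label in front of `.company.com`, so neither the apex `company.com` nor look-alikes such as `evilcompany.com` or `company.com.evil.net` are admitted. Patterns with a wildcard anywhere other than a leading `*.` are refused (fail closed) and reported separately.

```python
# Added example (not Zero's own code): evaluate a destination hostname against a
# default-deny firewall allow-list shaped like the Network Policy above.
# Assumed matching rules: a bare hostname matches only itself, and "*.suffix"
# matches any hostname with at least one label in front of ".suffix".

NETWORK_POLICY = {  # constructed from the Network Policy example on this page
    "firewall": {
        "default": "deny",
        "allow": ["*.company.com", "slack.com", "github.com"],
    }
}


def normalize(host: str) -> str:
    """Lowercase and drop a trailing dot so 'API.Company.COM.' equals 'api.company.com'."""
    return host.strip().lower().rstrip(".")


def pattern_matches(pattern: str, host: str) -> bool:
    """Return True when `host` is covered by one allow-list entry."""
    pattern, host = normalize(pattern), normalize(host)
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".company.com"
        # At least one label must precede the suffix: "company.com" itself is not
        # covered, and "company.com.evil.net" fails because the suffix is not at the end.
        return host.endswith(suffix) and len(host) > len(suffix)
    if "*" in pattern:
        # A wildcard anywhere else ("*company.com") would also match
        # "evilcompany.com"; fail closed instead of guessing.
        return False
    return host == pattern


def invalid_patterns(policy: dict) -> list:
    """Report allow-list entries the matcher refuses, so misconfigurations are visible."""
    return [p for p in policy["firewall"].get("allow", [])
            if "*" in p and not p.startswith("*.")]


def is_allowed(host: str, policy: dict = NETWORK_POLICY) -> bool:
    """Apply the allow-list first, then fall back to the policy's default action."""
    fw = policy["firewall"]
    if any(pattern_matches(p, host) for p in fw.get("allow", [])):
        return True
    return fw.get("default", "deny") == "allow"


if __name__ == "__main__":
    for h in ["api.company.com", "company.com", "evilcompany.com", "slack.com", "www.slack.com"]:
        print(f"{h:24} -> {'allow' if is_allowed(h) else 'deny'}")
```

Note that with these rules `www.slack.com` is denied even though `slack.com` is listed; if a deployment expects a bare entry to cover its subdomains, the allow-list needs an explicit `*.slack.com` entry rather than a looser matcher.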

DLP Policy

dlp:
  clipboard:
    block_paste_out: true
    allow_paste_in: true
  screenshot:
    block: true
    watermark: false
  printing:
    allowed: false
  usb:
    block_storage: true
    allow_hid: true

Application Policy

applications:
  install_mode: managed_only
  managed_apps:
    - com.slack.Slack
    - com.microsoft.teams
  blocked_apps:
    - com.dropbox.*
  required_apps:
    - com.company.vpn

Compliance Policy

compliance:
  encryption_required: true
  min_os_version: "10.0"
  passcode_required: true
  passcode_min_length: 8
  jailbreak_detection: true
  update_required_within: 7d
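
Two of the compliance settings above are easy to check incorrectly: `min_os_version` must be compared numerically (a plain string comparison ranks `"9.12"` above `"10.0"`), and `update_required_within: 7d` is a duration that has to be measured from when the update became available. The following is an added example, not Zero's own code: it evaluates a constructed device record against a policy shaped like the Compliance Policy above and returns the list of failed checks. The device record fields and the duration syntax (`d`, `h`, `m` suffixes) are assumptions for illustration.

```python
# Added example (not Zero's own code): check a device record against a compliance
# policy shaped like the Compliance Policy above. The device record fields and the
# duration syntax ("7d" = 7 days, also "h"/"m") are assumptions for illustration.
import re
from datetime import datetime, timedelta, timezone

COMPLIANCE_POLICY = {  # constructed from the Compliance Policy example on this page
    "encryption_required": True,
    "min_os_version": "10.0",
    "passcode_required": True,
    "passcode_min_length": 8,
    "jailbreak_detection": True,
    "update_required_within": "7d",
}

# Constructed device records in the assumed inventory shape.
COMPLIANT_DEVICE = {"os_version": "10.1", "encrypted": True, "passcode_set": True,
                    "passcode_length": 8, "jailbroken": False, "update_available_since": None}
DRIFTED_DEVICE = {"os_version": "9.12", "encrypted": True, "passcode_set": True,
                  "passcode_length": 6, "jailbroken": False,
                  "update_available_since": "2024-05-20T00:00:00+00:00"}


def parse_version(v) -> tuple:
    """Compare versions numerically: "10.0" > "9.12", which a string compare gets wrong."""
    return tuple(int(part) for part in str(v).split("."))


def parse_duration(s: str) -> timedelta:
    """Parse the assumed "<n>d|h|m" syntax used by update_required_within."""
    m = re.fullmatch(r"(\d+)([dhm])", s.strip())
    if not m:
        raise ValueError(f"unsupported duration: {s!r}")
    n, unit = int(m.group(1)), m.group(2)
    return {"d": timedelta(days=n), "h": timedelta(hours=n), "m": timedelta(minutes=n)}[unit]


def violations(device: dict, policy: dict = COMPLIANCE_POLICY, now=None) -> list:
    """Return the failed checks; an empty list means the device is compliant.

    `now` may be a timezone-aware datetime or an ISO 8601 string (for reproducible runs).
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    failed = []
    if policy.get("encryption_required") and not device.get("encrypted"):
        failed.append("encryption")
    if parse_version(device["os_version"]) < parse_version(policy["min_os_version"]):
        failed.append("os_version")
    if policy.get("passcode_required") and not device.get("passcode_set"):
        failed.append("passcode_missing")
    elif device.get("passcode_set") and device.get("passcode_length", 0) < policy.get("passcode_min_length", 0):
        failed.append("passcode_length")
    if policy.get("jailbreak_detection") and device.get("jailbroken"):
        failed.append("jailbroken")
    since = device.get("update_available_since")  # ISO 8601 timestamp or None
    if since and "update_required_within" in policy:
        deadline = datetime.fromisoformat(since) + parse_duration(policy["update_required_within"])
        if now > deadline:
            failed.append("update_overdue")
    return failed


def is_compliant(device: dict, policy: dict = COMPLIANCE_POLICY, now=None) -> bool:
    return not violations(device, policy, now)


if __name__ == "__main__":
    for label, dev in [("compliant", COMPLIANT_DEVICE), ("drifted", DRIFTED_DEVICE)]:
        print(label, violations(dev, now="2024-06-01T00:00:00+00:00"))
```

Returning the full list of failed checks rather than a single boolean lets the enrollment console tell the user what to fix, and lets a detection pipeline alert on the specific control (for instance `jailbroken`) rather than on a generic "non-compliant" state.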

Policy Assignment

Assign policies to:

  • All Devices: Default policy for new enrollments
  • Groups: Department or role-based assignment
  • Individual Users: User-specific overrides

Policy Precedence: User policies override group policies, which override the default policy.

Policy Inheritance

Policies can inherit from a base policy and override specific settings. This lets you define one base security policy and customize it for different teams.

# Contractor policy inherits from base
name: "Contractor Policy"
extends: "Base Security Policy"
overrides:
  dlp:
    clipboard:
      block_paste_out: true
  network:
    firewall:          # same path as in the Network Policy above
      allow:
        - "contractor-portal.company.com"
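
The `extends` / `overrides` mechanism above, combined with the precedence rule under Policy Assignment, determines the effective policy a device actually receives. The following is an added example, not Zero's own code: it resolves an `extends` chain into a single settings mapping and then layers default, group and user policies in precedence order. The catalog is constructed in the page's YAML shape, with the base policy's `block_paste_out` set to `false` so that the contractor override visibly tightens it. Merge semantics are assumptions: mappings merge key by key, lists and scalars in an override replace the inherited value wholesale (so the contractor's allow-list is narrowed to just the portal, not appended to), multiple group policies apply in the order given, and the allow-list sits under `network.firewall` as in the Network Policy above.

```python
# Added example (not Zero's own code): resolve a policy that "extends" a base policy
# and compute the effective policy for a device using the precedence stated on this
# page (user overrides group, group overrides default). Assumptions: mappings merge
# key by key, lists and scalars in an override replace the inherited value wholesale,
# and multiple group policies apply in the order given.
import copy

# Constructed catalog in the page's YAML shape (each entry is one policy document).
CATALOG = {
    "Base Security Policy": {
        "name": "Base Security Policy",
        "container": {"memory_limit": "4GB", "cpu_limit": 2},
        "network": {"firewall": {"default": "deny",
                                 "allow": ["*.company.com", "slack.com", "github.com"]}},
        "dlp": {"clipboard": {"block_paste_out": False, "allow_paste_in": True},
                "screenshot": {"block": True, "watermark": False}},
        "compliance": {"passcode_required": True, "passcode_min_length": 8},
    },
    "Contractor Policy": {
        "name": "Contractor Policy",
        "extends": "Base Security Policy",
        "overrides": {
            "dlp": {"clipboard": {"block_paste_out": True}},
            "network": {"firewall": {"allow": ["contractor-portal.company.com"]}},
        },
    },
    "Engineering": {  # constructed group policy
        "name": "Engineering",
        "extends": "Base Security Policy",
        "overrides": {"container": {"cpu_limit": 4}},
    },
    "alice-override": {  # constructed user-specific policy
        "name": "alice-override",
        "overrides": {"compliance": {"passcode_min_length": 12}},
    },
}

RESERVED = {"name", "extends", "overrides"}  # metadata keys, not settings


def deep_merge(base: dict, override: dict) -> dict:
    """Merge `override` into a copy of `base`; nested mappings merge, everything else replaces."""
    merged = copy.deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)  # lists and scalars replace wholesale
    return merged


def resolve(name: str, catalog: dict = CATALOG, _chain: tuple = ()) -> dict:
    """Flatten an `extends` chain into one settings mapping, refusing cycles."""
    if name in _chain:
        raise ValueError("inheritance cycle: " + " -> ".join(_chain + (name,)))
    entry = catalog[name]
    inherited = resolve(entry["extends"], catalog, _chain + (name,)) if entry.get("extends") else {}
    own = {k: v for k, v in entry.items() if k not in RESERVED}
    return deep_merge(deep_merge(inherited, own), entry.get("overrides", {}))


def effective_policy(default: str, groups=(), user=None, catalog: dict = CATALOG) -> dict:
    """Default policy first, then each group policy in order, then the user policy on top."""
    effective = resolve(default, catalog)
    for group in groups:
        effective = deep_merge(effective, resolve(group, catalog))
    if user:
        effective = deep_merge(effective, resolve(user, catalog))
    return effective


if __name__ == "__main__":
    print(resolve("Contractor Policy")["network"]["firewall"])
    print(effective_policy("Base Security Policy", groups=["Engineering"], user="alice-override"))
```

Because the user layer wins unconditionally, a user-specific override can also loosen a control the group policy tightened; if that is not intended, the resolver is the place to enforce that user overrides may only raise a value such as `passcode_min_length`, never lower it.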

Policy Versioning

Zero tracks policy changes with version history. Roll back to previous versions if needed.

Testing Policies

# Test policy on a single device
zero policy test --policy "New Policy" --device dev_123

# Simulate policy application
zero policy simulate --policy "New Policy" --group "Engineering"

Next Steps