JsonPolicyExamples.h

For the source code for this file, see JsonPolicyExamples.h source.

Example JSON Policy files

Policy Audit

Default policies with the options explicitly set for readability. They grant Read/Write to keyboards, mice, biometric devices, network adapters, audio devices and internal (Fixed) disks, deny Virtual USB (class 36), and for the file-system classes (1, 2, 3, 26) only configure a denial notification, so external removable media receives no access grant in this example. Option 90 is set to 0 (enforcement): switch it to 1 to run the policy in audit mode, where denied access is logged but not blocked.

Replace %NEWGUID% with a GUID string like {82BCE4F6-2E54-43EA-A8AB-9E346549FF5E}.

Replace %TIMESTAMP% with the UTC time of the generation like 2021-04-15T14:26:54.746Z.

{
  "configuration": {
    "source": "%NEWGUID%",
    "version": "1",
    "content": "2021042502",
    "timestamp": "%TIMESTAMP%",
    "devices": {
      "identities": {
        "default": true
      }
    }
  },
  "options": [
    {
      "id": "1",
      "name": "Service settings",
      "what": [
        {
          "comment": "Installation Mode: 0) IDAC, 1) EMSS, 2) API",
          "option": "79",
          "value": "2"
        },
        {
          "comment": "Device Identification Hash Algorithm: 0) SHA-1 case sensitive, 1) SHA-256 case insensitive",
          "option": "88",
          "value": "1"
        },
        {
          "comment": "Centralized Device Logs:  0) events not logged, 1) events logged",
          "option": "49",
          "value": "1"
        },
        {
          "comment": "Key Logger Detection: 0) disabled, 7) exclusive (lock, notify and log event)",
          "option": "55",
          "value": "0"
        },
        {
          "comment": "Truncate Full Shadow: 0) no truncation, x) files above x MB are truncated",
          "option": "94",
          "value": "0"
        }
      ]
    },
    {
      "id": "2",
      "name": "UI settings",
      "what": [
        {
          "comment": "Show Tray Icon: 0) do not show tray icon, 1) show  tray icon",
          "option": "25",
          "value": "1"
        },
        {
          "comment": "Settings Changed Notifications: 0) no notification, 1) notifications for temporary rights only, 2) notifications for any change",
          "option": "26",
          "value": "2"
        },
        {
          "comment": "Device Attachment Notifications: 0) device un/plugged are notified, 1) device un/plugged are silent",
          "option": "95",
          "value": "0"
        }
      ]
    },
    {
      "id": "3",
      "name": "Enforcement settings",
      "what": [
        {
          "comment": "Audit Mode: 0) enforcement, 1) audit, denied access won't be blocked but only logged",
          "option": "90",
          "value": "0"
        },
        {
          "comment": "Hdd Definition: 0) Legacy (BUS and HDD must be configured), 1) Internal/External (External: Windows REMOVABLE flag or connected through an external BUS)",
          "option": "98",
          "value": "1"
        },
        {
          "comment": "Online definition: 0) server availability, 1) wired connection, 2) controlled by API",
          "option": "60",
          "value": "1"
        }
      ]
    },
    {
      "id": "4",
      "name": "Media encryption settings",
      "what": [
        {
          "comment": "Encryption Strength: 0) Legacy(AES256CTR, SHA256), 1) Compliant(AES256CBC, PBKDF2), 2) Strong(AES128XTS, Argon2id)",
          "option": "85",
          "value": "2"
        },
        {
          "comment": "Weaker Encryption Restriction: 0) no restriction, 1) read only, 2) force upgrade, 3) disabled",
          "option": "84",
          "value": "0"
        },
        {
          "comment": "Encrypted Key Password Complexity: 0) requires strong passwords; 1) allow weak passwords",
          "option": "45",
          "value": "0"
        },
        {
          "comment": "Password Minimum Length: x) minimum number of characters (1-99)",
          "option": "68",
          "value": "8"
        },
        {
          "comment": "User Certificate Generation:  0) certificate requested when no valid certificate found, 1) no request",
          "option": "48",
          "value": "0"
        },
        {
          "comment": "Microsoft Certificate Authority Template: name used by User Certificate Generation when an enrolment is performed",
          "option": "65",
          "value": "User"
        },
        {
          "comment": "Microsoft Certificate Authority: 0) disabled, 1) enabled only for decentralized encryption, 2) enabled",
          "option": "76",
          "value": "1"
        },
        {
          "comment": "Wipe Free Space: 0) disabled, 1) enabled",
          "option": "70",
          "value": "0"
        },
        {
          "comment": "Retain Data: 0) Unselected, 1) Forced UnSelected, 2) Selected, 3) Forced Selected",
          "option": "74",
          "value": "1"
        },
        {
          "comment": "Portable Encryption Size Limit: x) maximum size in GB for which portable encryption will be offered (SubVolBro/EDisk.dat, max is 2048)",
          "option": "78",
          "value": "128"
        },
        {
          "comment": "Encryption Prompt: text displayed to the user when it can only encrypt",
          "option": "75",
          "value": "Corporate policy restricts access to encrypted devices"
        }
      ]
    }
  ],
  "policies": [
    {
      "id": "101",
      "name": "Full access to login, network and audio: Keyboards & Mice (35) / Biometric Devices (25) / Secondary Network (9) / Wifi (21) / Audio (37)",
      "who": {
        "sids": [
          "S-1-1-0"
        ]
      },
      "devices": {
        "types": [
          {
            "class": "35"
          },
          {
            "class": "25"
          },
          {
            "class": "9"
          },
          {
            "class": "21"
          },
          {
            "class": "37"
          }
        ]
      },
      "how": {
        "priority": "0"
      },
      "what": {
        "access": {
          "granted": [
            "Read",
            "Write"
          ]
        }
      },
      "when": {
        "permanent": "Always"
      }
    },
    {
      "id": "102",
      "name": "Prevent access to Virtual USB (36), prevent VM Ware and Citrix mapping",
      "who": {
        "sids": [
          "S-1-1-0"
        ]
      },
      "devices": {
        "types": [
          {
            "class": "36"
          }
        ]
      },
      "how": {
        "priority": "0"
      },
      "what": {
        "access": {
          "granted": [
            "None"
          ]
        },
        "messages": {
          "notify": true,
          "denied": "Access is denied, please contact your administrator"
        }
      },
      "when": {
        "permanent": "Always"
      }
    },
    {
      "id": "103",
      "name": "Enable notification when access is denied for classes with a file system",
      "who": {
        "sids": [
          "S-1-1-0"
        ]
      },
      "devices": {
        "types": [
          {
            "class": "1"
          },
          {
            "class": "2"
          },
          {
            "class": "3"
          },
          {
            "class": "26"
          }
        ]
      },
      "how": {
        "priority": "0"
      },
      "what": {
        "messages": {
          "notify": true,
          "denied": "Access is denied, please contact your administrator"
        }
      },
      "when": {
        "permanent": "Always"
      }
    },
    {
      "id": "104",
      "name": "Allow access to additional internal disk (SSD/HDD)",
      "who": {
        "sids": [
          "S-1-1-0"
        ]
      },
      "devices": {
        "types": [
          {
            "class": "3"
          }
        ]
      },
      "how": {
        "priority": "0"
      },
      "what": {
        "access": {
          "disk": [
            "Fixed"
          ],
          "granted": [
            "Read",
            "Write"
          ]
        }
      },
      "when": {
        "permanent": "Always"
      }
    }
  ]
}

Offers Encryption

Enhance the default policies by offering the user to encrypt removable media when they are plugged in. Policy 105 grants only Encrypt and Export(Medium) on unencrypted external disks, and policy 106 grants Read/Write/Decrypt/Import/Export(Medium) on encrypted external disks, so plain Read/Write to an unencrypted removable device is never granted; the Encryption Prompt text (option 75) is what the user sees in that case.

{
  "configuration": {
    "source": "%NEWGUID%",
    "version": "1",
    "content": "2021042502",
    "timestamp": "%TIMESTAMP%",
    "devices": {
      "identities": {
        "default": true
      }
    }
  },
  "options": [
    {
      "id": "1",
      "name": "Service settings",
      "what": [
        {
          "comment": "Installation Mode: 0) IDAC, 1) EMSS, 2) API",
          "option": "79",
          "value": "2"
        },
        {
          "comment": "Device Identification Hash Algorithm: 0) SHA-1 case sensitive, 1) SHA-256 case insensitive",
          "option": "88",
          "value": "1"
        },
        {
          "comment": "Centralized Device Logs:  0) events not logged, 1) events logged",
          "option": "49",
          "value": "1"
        },
        {
          "comment": "Key Logger Detection: 0) disabled, 7) exclusive (lock, notify and log event)",
          "option": "55",
          "value": "0"
        },
        {
          "comment": "Truncate Full Shadow: 0) no truncation, x) files above x MB are truncated",
          "option": "94",
          "value": "0"
        }
      ]
    },
    {
      "id": "2",
      "name": "UI settings",
      "what": [
        {
          "comment": "Show Tray Icon: 0) do not show tray icon, 1) show  tray icon",
          "option": "25",
          "value": "1"
        },
        {
          "comment": "Settings Changed Notifications: 0) no notification, 1) notifications for temporary rights only, 2) notifications for any change",
          "option": "26",
          "value": "2"
        },
        {
          "comment": "Device Attachment Notifications: 0) device un/plugged are notified, 1) device un/plugged are silent",
          "option": "95",
          "value": "0"
        }
      ]
    },
    {
      "id": "3",
      "name": "Enforcement settings",
      "what": [
        {
          "comment": "Audit Mode: 0) enforcement, 1) audit, denied access won't be blocked but only logged",
          "option": "90",
          "value": "0"
        },
        {
          "comment": "Hdd Definition: 0) Legacy (BUS and HDD must be configured), 1) Internal/External (External: Windows REMOVABLE flag or connected through an external BUS)",
          "option": "98",
          "value": "1"
        },
        {
          "comment": "Online definition: 0) server availability, 1) wired connection, 2) controlled by API",
          "option": "60",
          "value": "1"
        }
      ]
    },
    {
      "id": "4",
      "name": "Media encryption settings",
      "what": [
        {
          "comment": "Encryption Strength: 0) Legacy(AES256CTR, SHA256), 1) Compliant(AES256CBC, PBKDF2), 2) Strong(AES128XTS, Argon2id)",
          "option": "85",
          "value": "2"
        },
        {
          "comment": "Weaker Encryption Restriction: 0) no restriction, 1) read only, 2) force upgrade, 3) disabled",
          "option": "84",
          "value": "0"
        },
        {
          "comment": "Encrypted Key Password Complexity: 0) requires strong passwords; 1) allow weak passwords",
          "option": "45",
          "value": "0"
        },
        {
          "comment": "Password Minimum Length: x) minimum number of characters (1-99)",
          "option": "68",
          "value": "8"
        },
        {
          "comment": "User Certificate Generation:  0) certificate requested when no valid certificate found, 1) no request",
          "option": "48",
          "value": "0"
        },
        {
          "comment": "Microsoft Certificate Authority Template: name used by User Certificate Generation when an enrolment is performed",
          "option": "65",
          "value": "User"
        },
        {
          "comment": "Microsoft Certificate Authority: 0) disabled, 1) enabled only for decentralized encryption, 2) enabled",
          "option": "76",
          "value": "1"
        },
        {
          "comment": "Wipe Free Space: 0) disabled, 1) enabled",
          "option": "70",
          "value": "0"
        },
        {
          "comment": "Retain Data: 0) Unselected, 1) Forced UnSelected, 2) Selected, 3) Forced Selected",
          "option": "74",
          "value": "1"
        },
        {
          "comment": "Portable Encryption Size Limit: x) maximum size in GB for which portable encryption will be offered (SubVolBro/EDisk.dat, max is 2048)",
          "option": "78",
          "value": "128"
        },
        {
          "comment": "Encryption Prompt: text displayed to the user when it can only encrypt",
          "option": "75",
          "value": "Corporate policy restricts access to encrypted devices"
        }
      ]
    }
  ],
  "policies": [
    {
      "id": "101",
      "name": "Full access to login, network and audio: Keyboards & Mice (35) / Biometric Devices (25) / Secondary Network (9) / Wifi (21) / Audio (37)",
      "who": {
        "sids": [
          "S-1-1-0"
        ]
      },
      "devices": {
        "types": [
          {
            "class": "35"
          },
          {
            "class": "25"
          },
          {
            "class": "9"
          },
          {
            "class": "21"
          },
          {
            "class": "37"
          }
        ]
      },
      "how": {
        "priority": "0"
      },
      "what": {
        "access": {
          "granted": [
            "Read",
            "Write"
          ]
        }
      },
      "when": {
        "permanent": "Always"
      }
    },
    {
      "id": "102",
      "name": "Prevent access to Virtual USB (36), prevent VM Ware and Citrix mapping",
      "who": {
        "sids": [
          "S-1-1-0"
        ]
      },
      "devices": {
        "types": [
          {
            "class": "36"
          }
        ]
      },
      "how": {
        "priority": "0"
      },
      "what": {
        "access": {
          "granted": [
            "None"
          ]
        },
        "messages": {
          "notify": true,
          "denied": "Access is denied, please contact your administrator"
        }
      },
      "when": {
        "permanent": "Always"
      }
    },
    {
      "id": "103",
      "name": "Enable notification when access is denied for classes with a file system",
      "who": {
        "sids": [
          "S-1-1-0"
        ]
      },
      "devices": {
        "types": [
          {
            "class": "1"
          },
          {
            "class": "2"
          },
          {
            "class": "3"
          },
          {
            "class": "26"
          }
        ]
      },
      "how": {
        "priority": "0"
      },
      "what": {
        "messages": {
          "notify": true,
          "denied": "Access is denied, please contact your administrator"
        }
      },
      "when": {
        "permanent": "Always"
      }
    },
    {
      "id": "104",
      "name": "Allow access to additional internal disk (SSD/HDD)",
      "who": {
        "sids": [
          "S-1-1-0"
        ]
      },
      "devices": {
        "types": [
          {
            "class": "3"
          }
        ]
      },
      "how": {
        "priority": "0"
      },
      "what": {
        "access": {
          "disk": [
            "Fixed"
          ],
          "granted": [
            "Read",
            "Write"
          ]
        }
      },
      "when": {
        "permanent": "Always"
      }
    },
    {
      "id": "105",
      "name": "Allow encrypt/export for external removable",
      "who": {
        "sids": [
          "S-1-1-0"
        ]
      },
      "devices": {
        "types": [
          {
            "class": "3"
          }
        ]
      },
      "how": {
        "priority": "0"
      },
      "what": {
        "access": {
          "disk": [
            "External"
          ],
          "encryption": [
            "Unencrypted"
          ],
          "granted": [
            "Encrypt",
            "Export(Medium)"
          ]
        }
      },
      "when": {
        "permanent": "Always"
      }
    },
    {
      "id": "106",
      "name": "Allow access for encrypted removable",
      "who": {
        "sids": [
          "S-1-1-0"
        ]
      },
      "devices": {
        "types": [
          {
            "class": "3"
          }
        ]
      },
      "how": {
        "priority": "0"
      },
      "what": {
        "access": {
          "disk": [
            "External"
          ],
          "encryption": [
            "Encrypted"
          ],
          "granted": [
            "Read",
            "Write",
            "Decrypt",
            "Import",
            "Export(Medium)"
          ]
        }
      },
      "when": {
        "permanent": "Always"
      }
    }
  ]
}

Shadowing

Enhance the default policies with shadowing: the filename is recorded for read operations and the full content for write operations. Policy 105 applies this to members of BUILTIN\Users (S-1-5-32-545) on removable disks and portable devices (classes 3 and 26). Note that content shadowing stores a copy of every file written to removable media, which has storage and data-sensitivity implications for the shadow repository; option 94 (Truncate Full Shadow) can cap the size of captured files and is left at 0 (no truncation) here.

{
  "configuration": {
    "source": "%NEWGUID%",
    "version": "1",
    "content": "2021042502",
    "timestamp": "%TIMESTAMP%",
    "devices": {
      "identities": {
        "default": true
      }
    }
  },
  "options": [
    {
      "id": "1",
      "name": "Service settings",
      "what": [
        {
          "comment": "Installation Mode: 0) IDAC, 1) EMSS, 2) API",
          "option": "79",
          "value": "2"
        },
        {
          "comment": "Device Identification Hash Algorithm: 0) SHA-1 case sensitive, 1) SHA-256 case insensitive",
          "option": "88",
          "value": "1"
        },
        {
          "comment": "Centralized Device Logs:  0) events not logged, 1) events logged",
          "option": "49",
          "value": "1"
        },
        {
          "comment": "Key Logger Detection: 0) disabled, 7) exclusive (lock, notify and log event)",
          "option": "55",
          "value": "0"
        },
        {
          "comment": "Truncate Full Shadow: 0) no truncation, x) files above x MB are truncated",
          "option": "94",
          "value": "0"
        }
      ]
    },
    {
      "id": "2",
      "name": "UI settings",
      "what": [
        {
          "comment": "Show Tray Icon: 0) do not show tray icon, 1) show  tray icon",
          "option": "25",
          "value": "1"
        },
        {
          "comment": "Settings Changed Notifications: 0) no notification, 1) notifications for temporary rights only, 2) notifications for any change",
          "option": "26",
          "value": "2"
        },
        {
          "comment": "Device Attachment Notifications: 0) device un/plugged are notified, 1) device un/plugged are silent",
          "option": "95",
          "value": "0"
        }
      ]
    },
    {
      "id": "3",
      "name": "Enforcement settings",
      "what": [
        {
          "comment": "Audit Mode: 0) enforcement, 1) audit, denied access won't be blocked but only logged",
          "option": "90",
          "value": "0"
        },
        {
          "comment": "Hdd Definition: 0) Legacy (BUS and HDD must be configured), 1) Internal/External (External: Windows REMOVABLE flag or connected through an external BUS)",
          "option": "98",
          "value": "1"
        },
        {
          "comment": "Online definition: 0) server availability, 1) wired connection, 2) controlled by API",
          "option": "60",
          "value": "1"
        }
      ]
    },
    {
      "id": "4",
      "name": "Media encryption settings",
      "what": [
        {
          "comment": "Encryption Strength: 0) Legacy(AES256CTR, SHA256), 1) Compliant(AES256CBC, PBKDF2), 2) Strong(AES128XTS, Argon2id)",
          "option": "85",
          "value": "2"
        },
        {
          "comment": "Weaker Encryption Restriction: 0) no restriction, 1) read only, 2) force upgrade, 3) disabled",
          "option": "84",
          "value": "0"
        },
        {
          "comment": "Encrypted Key Password Complexity: 0) requires strong passwords; 1) allow weak passwords",
          "option": "45",
          "value": "0"
        },
        {
          "comment": "Password Minimum Length: x) minimum number of characters (1-99)",
          "option": "68",
          "value": "8"
        },
        {
          "comment": "User Certificate Generation:  0) certificate requested when no valid certificate found, 1) no request",
          "option": "48",
          "value": "0"
        },
        {
          "comment": "Microsoft Certificate Authority Template: name used by User Certificate Generation when an enrolment is performed",
          "option": "65",
          "value": "User"
        },
        {
          "comment": "Microsoft Certificate Authority: 0) disabled, 1) enabled only for decentralized encryption, 2) enabled",
          "option": "76",
          "value": "1"
        },
        {
          "comment": "Wipe Free Space: 0) disabled, 1) enabled",
          "option": "70",
          "value": "0"
        },
        {
          "comment": "Retain Data: 0) Unselected, 1) Forced UnSelected, 2) Selected, 3) Forced Selected",
          "option": "74",
          "value": "1"
        },
        {
          "comment": "Portable Encryption Size Limit: x) maximum size in GB for which portable encryption will be offered (SubVolBro/EDisk.dat, max is 2048)",
          "option": "78",
          "value": "128"
        },
        {
          "comment": "Encryption Prompt: text displayed to the user when it can only encrypt",
          "option": "75",
          "value": "Corporate policy restricts access to encrypted devices"
        }
      ]
    }
  ],
  "policies": [
    {
      "id": "101",
      "name": "Full access to login, network and audio: Keyboards & Mice (35) / Biometric Devices (25) / Secondary Network (9) / Wifi (21) / Audio (37)",
      "who": {
        "sids": [
          "S-1-1-0"
        ]
      },
      "devices": {
        "types": [
          {
            "class": "35"
          },
          {
            "class": "25"
          },
          {
            "class": "9"
          },
          {
            "class": "21"
          },
          {
            "class": "37"
          }
        ]
      },
      "how": {
        "priority": "0"
      },
      "what": {
        "access": {
          "granted": [
            "Read",
            "Write"
          ]
        }
      },
      "when": {
        "permanent": "Always"
      }
    },
    {
      "id": "102",
      "name": "Prevent access to Virtual USB (36), prevent VM Ware and Citrix mapping",
      "who": {
        "sids": [
          "S-1-1-0"
        ]
      },
      "devices": {
        "types": [
          {
            "class": "36"
          }
        ]
      },
      "how": {
        "priority": "0"
      },
      "what": {
        "access": {
          "granted": [
            "None"
          ]
        },
        "messages": {
          "notify": true,
          "denied": "Access is denied, please contact your administrator"
        }
      },
      "when": {
        "permanent": "Always"
      }
    },
    {
      "id": "103",
      "name": "Enable notification when access is denied for classes with a file system",
      "who": {
        "sids": [
          "S-1-1-0"
        ]
      },
      "devices": {
        "types": [
          {
            "class": "1"
          },
          {
            "class": "2"
          },
          {
            "class": "3"
          },
          {
            "class": "26"
          }
        ]
      },
      "how": {
        "priority": "0"
      },
      "what": {
        "messages": {
          "notify": true,
          "denied": "Access is denied, please contact your administrator"
        }
      },
      "when": {
        "permanent": "Always"
      }
    },
    {
      "id": "104",
      "name": "Allow access to additional internal disk (SSD/HDD)",
      "who": {
        "sids": [
          "S-1-1-0"
        ]
      },
      "devices": {
        "types": [
          {
            "class": "3"
          }
        ]
      },
      "how": {
        "priority": "0"
      },
      "what": {
        "access": {
          "disk": [
            "Fixed"
          ],
          "granted": [
            "Read",
            "Write"
          ]
        }
      },
      "when": {
        "permanent": "Always"
      }
    },
    {
      "id": "105",
      "name": "Allow and capture write operations & log read operations for users on external removables & portable devices",
      "who": {
        "sids": [
          "S-1-5-32-545"
        ]
      },
      "devices": {
        "types": [
          {
            "class": "3"
          },
          {
            "class": "26"
          }
        ]
      },
      "how": {
        "priority": "0"
      },
      "what": {
            "access": {
          "disk": [
            "Removable"
          ],
          "granted": [
            "Read",
            "Write"
          ]
        },
        "audit": {
          "shadow": {
            "read": "Filename",
            "write": "Content"
          }
        }
      },
      "when": {
        "permanent": "Always"
      }
    }
  ]
}