Launcher Policy System

The Launcher Policy System allows administrators to control which applications users can launch through the Turbo Launcher. Using JSON-based configuration files, you can specify which shortcuts from the Start Menu and Desktop are available to users, and customize how those applications are launched with additional security settings.

What you'll learn

• How the policy system works
• JSON configuration format
• Launch profiles for multiple variants
• Common policy scenarios
• Deployment methods for enterprises

How It Works

Security Model

The policy system uses a whitelist approach - only applications you explicitly allow will be available to users. This provides maximum security by ensuring only approved applications can be launched.

No Policy File Error

If no policy file is found at any configured location, or if the policy file contains errors, the Launcher will display an error message: "Policy file is not configured". Both the Applications and Files tabs will show this error with a Retry button to reload the policy.

Policy Evaluation

The system continuously monitors and evaluates policies:

1. Scans Start Menu and Desktop shortcuts
2. Checks each shortcut against your policy rules
3. Only displays shortcuts that match an "allow" policy
4. Applies any modifications (security flags, arguments) you've configured
5. Collects launch profiles from matching rules for additional launch variants

Policy File Format

Policies are defined in JSON format. The system supports two versions:

Version 1.0

Basic application policies with matchers and modifications.

Version 1.1

Adds:

• configuration section for global launch settings
• files section for file operation policies
• File associations embedded in app policies
• apps as an alias for policies (both work interchangeably)

Basic Structure (v1.1)

{
  "version": "1.1",
  "configuration": {
    "launch": {
      "flags": ["--remote-sandbox"]
    }
  },
  "apps": [
    {
      "name": "Policy Description",
      "enabled": true,
      "priority": 100,
      "matchers": [
        {
          "type": "targetPath",
          "pattern": ".*\\\\myapp\\.exe$",
          "patternType": "regex"
        }
      ],
      "action": "allow"
    }
  ],
  "files": [
    {
      "name": "Block importing executables",
      "enabled": true,
      "priority": 100,
      "operation": "import",
      "matchers": [
        {
          "type": "fileExtension",
          "pattern": "(exe|dll|msi)$",
          "patternType": "regex"
        }
      ],
      "action": "deny"
    }
  ]
}

Policy Fields

Field	Required	Description
name	Yes	Human-readable description of the policy
enabled	Yes	Whether this policy is active (true/false)
priority	Yes	Priority number (higher numbers evaluated first)
matchers	Yes	Array of conditions that must all match
action	Yes	Either "allow" or "modify"
modifications	No	Changes to apply when launching the application
profiles	No	Array of launch profiles for additional launch variants

Matcher Types

Type	Description	Example
shortcutName	Matches the display name of the shortcut	"Google Chrome"
targetPath	Matches the executable file path	"C:\Program Files\Google\Chrome\Application\chrome.exe"
arguments	Matches command-line arguments	"--incognito"

Pattern Types

Type	Description
exact	Exact text match (case-insensitive)
regex	Regular expression pattern matching

Common Policy Examples

Allow Specific Applications

{
  "name": "Allow Office Applications",
  "enabled": true,
  "priority": 100,
  "matchers": [
    {
      "type": "shortcutName",
      "pattern": "(Microsoft Word|Microsoft Excel|Microsoft PowerPoint)",
      "patternType": "regex"
    }
  ],
  "action": "allow"
}

Allow Applications from Trusted Locations

{
  "name": "Allow Program Files Applications",
  "enabled": true,
  "priority": 50,
  "matchers": [
    {
      "type": "targetPath",
      "pattern": "^C:\\\\Program Files\\\\.*",
      "patternType": "regex"
    }
  ],
  "action": "allow"
}

Add Security Settings to Browsers

{
  "name": "Secure Browser Launches",
  "enabled": true,
  "priority": 75,
  "matchers": [
    {
      "type": "shortcutName",
      "pattern": "(Chrome|Firefox|Edge)",
      "patternType": "regex"
    }
  ],
  "action": "allow",
  "modifications": {
    "turboFlags": [
      "--skin-border-color=#80008200",
      "--using=myorg/custom-layer",
      "--remote-sandbox",
      "--clipboard-size=1000"
    ],
    "arguments": {
      "append": "--incognito"
    }
  }
}

Block Specific Applications

To block applications, simply don't include an "allow" policy for them. The whitelist model means anything not explicitly allowed will be hidden.

Configuration Section (v1.1)

The configuration section contains global settings that apply to all launches, separate from security policies.

Global Launch Flags

{
  "version": "1.1",
  "configuration": {
    "launch": {
      "flags": [
        "--remote-sandbox",
        "--enable=usedllinjection",
        "--mount=Desktop:@DESKTOP@=@DESKTOP@"
      ]
    }
  }
}

These flags are automatically applied to all application launches without requiring any matchers or actions.

File Policies (v1.1)

File policies control file operations in the Files tab. Each operation has a default behavior:

Operation	Default	Description
import	Allow	Import files into sandbox
export	Deny	Export files from sandbox
open	Allow	Open files with configured applications
delete	Allow	Delete files in sandbox

File Policy Structure

{
  "name": "Block executable imports",
  "enabled": true,
  "priority": 1000,
  "operation": "import",
  "matchers": [
    {
      "type": "fileExtension",
      "pattern": "(exe|dll|msi)$",
      "patternType": "regex"
    }
  ],
  "action": "deny"
}

File Matcher Types

Type	Description	Example
fileExtension	Matches file extension (no leading dot)	"pdf", "docx"

File Policy Examples

Block dangerous file imports:

{
  "name": "Block importing executables",
  "enabled": true,
  "priority": 1000,
  "operation": "import",
  "matchers": [
    {
      "type": "fileExtension",
      "pattern": "(exe|dll|msi|bat|cmd|ps1)$",
      "patternType": "regex"
    }
  ],
  "action": "deny"
}

File Associations (v1.1)

File associations define which applications can open specific file types. They are configured in application policy rules.

File Association Structure

{
  "name": "Allow Adobe Acrobat",
  "enabled": true,
  "priority": 100,
  "matchers": [
    {
      "type": "targetPath",
      "pattern": ".*Acrobat\\.exe$",
      "patternType": "regex"
    }
  ],
  "action": "allow",
  "fileAssociations": [
    {
      "extension": "pdf",
      "verb": "open",
      "arguments": "\"%1\""
    }
  ]
}

How It Works

1. When a file is opened, the system searches application rules for matching file associations
2. Uses the application's matcher to find the executable in the Start Menu
3. If no association is configured, the file cannot be opened
4. If multiple applications support the same extension, highest priority wins

File Association Fields

Field	Required	Description
extension	Yes	File extension without leading dot (e.g., "pdf", "txt")
verb	No	Action verb (default: "open"; can be "edit", "print", etc.)
arguments	No	Command arguments with %1 placeholder for file path. The arguments are used as-is with no modifications.
turboFlags	No	Additional Turbo flags for this file type

Examples

Single File Type:

{
  "name": "Allow Adobe Acrobat",
  "matchers": [
    {"type": "targetPath", "pattern": ".*Acrobat\\.exe$"}
  ],
  "action": "allow",
  "fileAssociations": [
    {"extension": "pdf", "verb": "open", "arguments": "\"%1\""}
  ]
}

Multiple File Types:

{
  "name": "Allow Notepad++",
  "matchers": [
    {"type": "targetPath", "pattern": ".*notepad\\+\\+\\.exe$"}
  ],
  "action": "allow",
  "fileAssociations": [
    {"extension": "txt", "verb": "open", "arguments": "\"%1\""},
    {"extension": "log", "verb": "open", "arguments": "\"%1\""},
    {"extension": "xml", "verb": "open", "arguments": "\"%1\""}
  ]
}

Multiple Verbs:

{
  "name": "Allow Microsoft Word",
  "matchers": [
    {"type": "targetPath", "pattern": ".*WINWORD\\.EXE$"}
  ],
  "action": "allow",
  "fileAssociations": [
    {"extension": "docx", "verb": "open", "arguments": "\"%1\""},
    {"extension": "docx", "verb": "edit", "arguments": "/e \"%1\""}
  ]
}

Modifications

You can customize how applications are launched by adding modifications to your policies:

Turbo Flags

Add Turbo-specific security and isolation settings:

"modifications": {
  "turboFlags": [
    "--skin-border-color=#80008200",
    "--using=myorg/custom-layer",
    "--remote-sandbox",
    "--clipboard-size=1000"
  ]
}

Application Arguments

Modify the command-line arguments passed to applications:

"modifications": {
  "arguments": {
    "prepend": "--safe-mode",
    "append": "--no-plugins",
    "replace": "--kiosk-mode"
  }
}

Launch Profiles

Launch profiles allow you to define multiple launch variants for an application that appear as additional context menu items in the Launcher UI. Each profile applies modifications on top of the base policy modifications.

Profile Structure

{
  "name": "profile-id",
  "displayName": "Display Name",
  "arguments": {
    "append": "additional args",
    "prepend": "prefix args",
    "replace": "replacement args"
  },
  "turboFlags": ["--additional-flag"],
  "postLaunchAction": {
    "type": "OpenFolder",
    "path": "%LOCALAPPDATA%\\Turbo\\Containers\\sandboxes\\{ContainerId}\\logs"
  }
}

Profile Fields

Field	Required	Description
name	Yes	Unique identifier for the profile
displayName	Yes	Display name shown in the context menu
arguments	No	Additional argument modifications
turboFlags	No	Additional Turbo flags (additive to base flags)
postLaunchAction	No	Action to execute after application launch

Post-Launch Actions

Currently supports the OpenFolder action type, which opens a folder in Windows Explorer after the application launches.

Supported path variables:

• {ContainerId} - The Turbo container ID
• Environment variables: %USERPROFILE%, %TEMP%, %LOCALAPPDATA%, etc.

Example with Launch Profiles

{
  "name": "Allow Google Chrome with Profiles",
  "enabled": true,
  "priority": 100,
  "matchers": [
    {
      "type": "targetPath",
      "pattern": ".*chrome\\.exe$",
      "patternType": "regex"
    }
  ],
  "action": "allow",
  "modifications": {
    "arguments": {
      "append": "--hide-crash-restore-bubble"
    },
    "turboFlags": [
      "--enable=sandboxnetwork"
    ]
  },
  "profiles": [
    {
      "name": "chrome-incognito",
      "displayName": "Run Chrome (Incognito)",
      "arguments": {
        "append": "--incognito"
      }
    }
  ]
}

Context menu will display:

• Run (base arguments: --hide-crash-restore-bubble)
• Run Chrome (Incognito) (args: --hide-crash-restore-bubble --incognito)
• Run in diagnostic mode
• ─────────────────────────────
• Reset session

Key Concepts

• Additive modifications: Profile modifications are applied on top of all base policy modifications
• Priority-based merging: Profiles from all matching rules are collected; highest priority wins on name conflicts
• Multiple variants: Create unlimited launch profiles for different use cases (testing, debugging, different user modes, etc.)

Policy File Locations

The Launcher looks for policy files in the following locations (in order):

1. System-wide: %PROGRAMDATA%\Turbo\Launcher\policy.json (highest priority)
2. User-specific: %LOCALAPPDATA%\Turbo\Launcher\policy.json (fallback)

For enterprise deployments, use the system-wide location to apply policies to all users on a machine.

Enterprise Deployment

Manual Deployment

Copy your policy file to the target location:

copy "policy.json" "%PROGRAMDATA%\Turbo\Launcher\policy.json"

SCCM/Configuration Manager

1. Create an Application or Package that includes your policy.json file
2. Create a PowerShell deployment script that:
   • Creates the Launcher policy directory
   • Copies the policy file from the package contents
3. Deploy to your target device collections

PowerShell Script Example:

# Create the Launcher policy directory
$policyPath = "$env:PROGRAMDATA\Turbo\Launcher"
if (!(Test-Path $policyPath)) {
    New-Item -Path $policyPath -ItemType Directory -Force
}

# Copy policy file from SCCM package contents
# $PSScriptRoot refers to the directory containing this script
Copy-Item "$PSScriptRoot\policy.json" "$policyPath\policy.json" -Force

Testing and Validation

JSON Validation

Ensure your policy file is valid JSON before deployment. Use online JSON validators or tools like jq to verify syntax.

Testing Approach

1. Test policies on a small group of users first
2. Monitor the Launcher logs for policy-related errors
3. Verify that expected applications appear and blocked applications are hidden
4. Test any modifications to ensure they work as expected
5. Verify launch profiles appear correctly in context menus
6. Test post-launch actions to ensure they execute as expected