Launcher Policy System

The Launcher Policy System allows administrators to control which applications users can launch through the Turbo Launcher. Using JSON-based configuration files, you can specify which shortcuts from the Start Menu and Desktop are available to users, and customize how those applications are launched with additional security settings.

What you'll learn

• How the policy system works
• JSON configuration format
• Common policy scenarios
• Deployment methods for enterprises

How It Works

Security Model

The policy system uses a whitelist approach - only applications you explicitly allow will be available to users. This provides maximum security by ensuring only approved applications can be launched.

Fail-Safe Behavior

If the policy file cannot be loaded or contains errors, all shortcuts will be available to prevent users from being locked out of their applications. This ensures the system remains functional even with configuration issues.

Policy Evaluation

The system continuously monitors and evaluates policies:

1. Scans Start Menu and Desktop shortcuts
2. Checks each shortcut against your policy rules
3. Only displays shortcuts that match an "allow" policy
4. Applies any modifications (security flags, arguments) you've configured

Policy File Format

Policies are defined in JSON format with the following structure:

Basic Structure

{
  "version": "1.0",
  "policies": [
    {
      "name": "Policy Description",
      "enabled": true,
      "priority": 100,
      "matchers": [
        {
          "type": "targetPath",
          "pattern": ".*\\\\myapp\\.exe$",
          "patternType": "regex"
        }
      ],
      "action": "allow"
    }
  ]
}

Policy Fields

Field	Required	Description
name	Yes	Human-readable description of the policy
enabled	Yes	Whether this policy is active (true/false)
priority	Yes	Priority number (higher numbers evaluated first)
matchers	Yes	Array of conditions that must all match
action	Yes	Either "allow" or "modify"
modifications	No	Changes to apply when launching the application

Matcher Types

Type	Description	Example
shortcutName	Matches the display name of the shortcut	"Google Chrome"
targetPath	Matches the executable file path	"C:\Program Files\Google\Chrome\Application\chrome.exe"
arguments	Matches command-line arguments	"--incognito"

Pattern Types

Type	Description
exact	Exact text match (case-insensitive)
regex	Regular expression pattern matching

Common Policy Examples

Allow Specific Applications

{
  "name": "Allow Office Applications",
  "enabled": true,
  "priority": 100,
  "matchers": [
    {
      "type": "shortcutName",
      "pattern": "(Microsoft Word|Microsoft Excel|Microsoft PowerPoint)",
      "patternType": "regex"
    }
  ],
  "action": "allow"
}

Allow Applications from Trusted Locations

{
  "name": "Allow Program Files Applications",
  "enabled": true,
  "priority": 50,
  "matchers": [
    {
      "type": "targetPath",
      "pattern": "^C:\\\\Program Files\\\\.*",
      "patternType": "regex"
    }
  ],
  "action": "allow"
}

Add Security Settings to Browsers

{
  "name": "Secure Browser Launches",
  "enabled": true,
  "priority": 75,
  "matchers": [
    {
      "type": "shortcutName",
      "pattern": "(Chrome|Firefox|Edge)",
      "patternType": "regex"
    }
  ],
  "action": "allow",
  "modifications": {
    "turboFlags": [
      "--skin-border-color=#80008200",
      "--using=myorg/custom-layer",
      "--remote-sandbox",
      "--clipboard-size=1000"
    ],
    "arguments": {
      "append": "--incognito"
    }
  }
}

Block Specific Applications

To block applications, simply don't include an "allow" policy for them. The whitelist model means anything not explicitly allowed will be hidden.

Modifications

You can customize how applications are launched by adding modifications to your policies:

Turbo Flags

Add Turbo-specific security and isolation settings:

"modifications": {
  "turboFlags": [
    "--skin-border-color=#80008200",
    "--using=myorg/custom-layer",
    "--remote-sandbox",
    "--clipboard-size=1000"
  ]
}

Application Arguments

Modify the command-line arguments passed to applications:

"modifications": {
  "arguments": {
    "prepend": "--safe-mode",
    "append": "--no-plugins",
    "replace": "--kiosk-mode"
  }
}

Policy File Locations

The Launcher looks for policy files in the following locations (in order):

1. System-wide: %PROGRAMDATA%\Turbo\Launcher\policy.json
2. User-specific: %LOCALAPPDATA%\Turbo\Launcher\policy.json
3. Built-in: Default embedded policy (if no custom policy found)

For enterprise deployments, use the system-wide location to apply policies to all users on a machine.

Enterprise Deployment

Manual Deployment

Copy your policy file to the target location:

copy "policy.json" "%PROGRAMDATA%\Turbo\Launcher\policy.json"

SCCM/Configuration Manager

1. Create an Application or Package that includes your policy.json file
2. Create a PowerShell deployment script that:
   • Creates the Launcher policy directory
   • Copies the policy file from the package contents
3. Deploy to your target device collections

PowerShell Script Example:

# Create the Launcher policy directory
$policyPath = "$env:PROGRAMDATA\Turbo\Launcher"
if (!(Test-Path $policyPath)) {
    New-Item -Path $policyPath -ItemType Directory -Force
}

# Copy policy file from SCCM package contents
# $PSScriptRoot refers to the directory containing this script
Copy-Item "$PSScriptRoot\policy.json" "$policyPath\policy.json" -Force

Testing and Validation

JSON Validation

Ensure your policy file is valid JSON before deployment. Use online JSON validators or tools like jq to verify syntax.

Testing Approach

1. Test policies on a small group of users first
2. Monitor the Launcher logs for policy-related errors
3. Verify that expected applications appear and blocked applications are hidden
4. Test any modifications to ensure they work as expected