Appearance
Security, Networking, and DLP
This section covers networking policy, device controls, data motion & DLP, external processors, proxy configuration, and security best practices.
What You'll Learn
- How to configure networking policy and proxy routing
- How to enforce device controls and data motion/DLP settings
- How to integrate external processors and secure proxy secrets
- How to align runtime security posture to regulated requirements
1. Networking
Networking policy controls outbound access, proxy routing, and secure DNS/DoH.
Use networking configuration to:
- Define network capabilities and categories.
- Configure ZTNA-style egress rules via
proxyRouting. - Override browser and proxy behavior on a per-app or per-profile basis.
See: Networking
2. Device controls
runtime.devices governs printers, removable media, bluetooth, and NFC.
Example (restrict removable media and disable bluetooth/NFC):
json
{
"configuration": {
"launch": {
"runtime": {
"devices": {
"printers": "virtual-only",
"removableMedia": {
"mode": "restricted",
"encryptionRequired": true,
"allowedDevices": [
{
"matchType": "hardwareId",
"pattern": "USB\\VID_XXXX&PID_YYYY\\SERIAL",
"patternType": "exact"
}
]
},
"bluetooth": "disabled",
"nfc": "disabled"
}
}
}
}
}Recommendations:
- Enforce device controls at global scope for consistent posture.
- Use hardwareId / vendorId / certificateThumbprint
matchAllrules for removable media allowlists.
See: Devices
3. Data motion and DLP
runtime.dataMotion defines controls for:
- Clipboard
- Drag-and-drop
- Screen capture and sharing
Combined with classification metadata, dataMotion rules enable classification-aware DLP policies.
Example (deny clipboard out for CUI/ITAR and watermark screen capture):
json
{
"configuration": {
"launch": {
"runtime": {
"dataMotion": {
"settings": {
"clipboard": { "enabled": true, "defaultAction": "deny" },
"screenCapture": {
"enabled": true,
"watermark": {
"text": "CUI // SP-CTI\n{User.UPN} @ {Timestamp.UTC}",
"opacity": 0.3,
"persistent": true,
"style": "diagonalRepeating"
}
}
},
"rules": [
{
"id": "clip-deny-cui-itar-out",
"channel": "clipboard",
"direction": "out",
"match": {
"classifications": {
"normalized": ["CUI", "ITAR"]
}
},
"action": { "type": "deny" }
}
]
}
}
}
}
}Best practices:
- Use a deny-by-default posture for sensitive channels and allow specific flows via rules.
- Pair screen capture watermarking with audit trails for regulated environments.
See: Data Motion
4. External processors and connectors
External processors integrate third-party engines (DLP, OCR, CASB, etc.) into data motion pipelines.
Key concepts:
- Define processors under
configuration.integrations. - Reference them from dataMotion rules using
action.type = "process". - Chain processors for multi-step inspection (for example, OCR → DLP → redaction).
Use cases:
- Content-aware clipboard filtering.
- OCR scanning of captured images before allowing export.
- Policy-driven routing to external CASB or inspection services.
See:
5. Proxy configuration and secrets
In addition to the user-visible Proxy Settings dialog, you can enforce proxy usage at policy level:
- Add
--proxy-server=...flags viaconfiguration.launch.flagsorapps[].modifications.flags. - Use variable substitution with
CREDlookups to avoid embedding credentials in policy files.
Example (global proxy flag with CRED variables):
json
{
"configuration": {
"launch": {
"flags": [
"--proxy-server=socks5://{{CRED:PolicyProxy001:username}}:{{CRED:PolicyProxy001:password}}@proxy.corporate.local:1081"
]
}
}
}See:
6. Security best practices
For ITAR/CMMC-aligned security posture, combine:
- Strong matchAll rules (publisherCertificate, fileHash) and allowlist policies.
- ABAC requirements on sensitive apps and mounts.
- DataMotion rules with DLP-aware classification.
- Hardened Secure Sandbox storage (encrypted, posture-validated sources).
- Integrity-protected audit trails with fail-closed behavior.
