Skip to content

Security, Networking, and DLP

This section covers networking policy, device controls, data motion & DLP, external processors, proxy configuration, and security best practices.

What You'll Learn

  • How to configure networking policy and proxy routing
  • How to enforce device controls and data motion/DLP settings
  • How to integrate external processors and secure proxy secrets
  • How to align runtime security posture to regulated requirements

1. Networking

Networking policy controls outbound access, proxy routing, and secure DNS/DoH.

Use networking configuration to:

  • Define network capabilities and categories.
  • Configure ZTNA-style egress rules via proxyRouting.
  • Override browser and proxy behavior on a per-app or per-profile basis.

See: Networking


2. Device controls

runtime.devices governs printers, removable media, bluetooth, and NFC.

Example (restrict removable media and disable bluetooth/NFC):

json
{
  "configuration": {
    "launch": {
      "runtime": {
        "devices": {
          "printers": "virtual-only",
          "removableMedia": {
            "mode": "restricted",
            "encryptionRequired": true,
            "allowedDevices": [
              {
                "matchType": "hardwareId",
                "pattern": "USB\\VID_XXXX&PID_YYYY\\SERIAL",
                "patternType": "exact"
              }
            ]
          },
          "bluetooth": "disabled",
          "nfc": "disabled"
        }
      }
    }
  }
}

Recommendations:

  • Enforce device controls at global scope for consistent posture.
  • Use hardwareId / vendorId / certificateThumbprint matchAll rules for removable media allowlists.

See: Devices


3. Data motion and DLP

runtime.dataMotion defines controls for:

  • Clipboard
  • Drag-and-drop
  • Screen capture and sharing

Combined with classification metadata, dataMotion rules enable classification-aware DLP policies.

Example (deny clipboard out for CUI/ITAR and watermark screen capture):

json
{
  "configuration": {
    "launch": {
      "runtime": {
        "dataMotion": {
          "settings": {
            "clipboard": { "enabled": true, "defaultAction": "deny" },
            "screenCapture": {
              "enabled": true,
              "watermark": {
                "text": "CUI // SP-CTI\n{User.UPN} @ {Timestamp.UTC}",
                "opacity": 0.3,
                "persistent": true,
                "style": "diagonalRepeating"
              }
            }
          },
          "rules": [
            {
              "id": "clip-deny-cui-itar-out",
              "channel": "clipboard",
              "direction": "out",
              "match": {
                "classifications": {
                  "normalized": ["CUI", "ITAR"]
                }
              },
              "action": { "type": "deny" }
            }
          ]
        }
      }
    }
  }
}

Best practices:

  • Use a deny-by-default posture for sensitive channels and allow specific flows via rules.
  • Pair screen capture watermarking with audit trails for regulated environments.

See: Data Motion


4. External processors and connectors

External processors integrate third-party engines (DLP, OCR, CASB, etc.) into data motion pipelines.

Key concepts:

  • Define processors under configuration.integrations.
  • Reference them from dataMotion rules using action.type = "process".
  • Chain processors for multi-step inspection (for example, OCR → DLP → redaction).

Use cases:

  • Content-aware clipboard filtering.
  • OCR scanning of captured images before allowing export.
  • Policy-driven routing to external CASB or inspection services.

See:


5. Proxy configuration and secrets

In addition to the user-visible Proxy Settings dialog, you can enforce proxy usage at policy level:

  • Add --proxy-server=... flags via configuration.launch.flags or apps[].modifications.flags.
  • Use variable substitution with CRED lookups to avoid embedding credentials in policy files.

Example (global proxy flag with CRED variables):

json
{
  "configuration": {
    "launch": {
      "flags": [
        "--proxy-server=socks5://{{CRED:PolicyProxy001:username}}:{{CRED:PolicyProxy001:password}}@proxy.corporate.local:1081"
      ]
    }
  }
}

See:


6. Security best practices

For ITAR/CMMC-aligned security posture, combine:

  • Strong matchAll rules (publisherCertificate, fileHash) and allowlist policies.
  • ABAC requirements on sensitive apps and mounts.
  • DataMotion rules with DLP-aware classification.
  • Hardened Secure Sandbox storage (encrypted, posture-validated sources).
  • Integrity-protected audit trails with fail-closed behavior.

See: Security Best Practices