Appearance
Device-level Settings
Use device-level runtime settings to control access to peripherals (for example printers), virtual devices, or other runtime-managed hardware features. These settings are carried as opaque strings (flags) and enforced by the runtime.
What You'll Learn
- Where to place device runtime settings at global, app, and launch profile scopes
- Portable device keys you can rely on across runtimes (for example, printers)
- How to combine device restrictions with file routing and vendor-specific extensions
Where to configure
- Global (all launches):
configuration.launch.runtime.devices - Per-app (when that app launches):
apps[].modifications.runtime.devices - Per-launch profile (only when that launch profile is selected):
apps[].profiles[].runtime.devices
Authoring guidance
- Prefer portable settings under
runtime.devices(e.g., printers: "disabled" | "virtual-only" | "host-allowed"). - Place sensitive device restrictions at the system-wide (global) policy so user policy cannot re-enable devices.
- UI-level actions (for example Print verb visibility) are controlled via File Policies and routing; device-level runtime settings govern whether devices exist inside the sandboxed application at all.
- For vendor-specific values, use
runtime.extensions.{vendor}(structured; no raw flags).
Portable device options
The following portable device keys and values are defined by the policy schema and are intended to work across runtimes:
| Device | Key | Allowed values | Notes |
|---|---|---|---|
| Printers | runtime.devices.printers | "disabled", "virtual-only", "host-allowed" | Controls printer availability inside the sandboxed application. |
Example (illustrative; replace values with those supported by your runtime)
json
{
"configuration": {
"launch": {
"runtime": {
"devices": {
"printers": "disabled"
},
"extensions": {
"turboVm": { "printerPolicy": "restricted" }
}
}
}
},
"apps": [
{
"id": "sensitive-editor",
"displayName": "Sensitive Editor",
"enabled": true,
"priority": 300,
"matchAll": [
{ "type": "targetPath", "pattern": "**\\\\SensitiveEditor.exe", "patternType": "glob" }
],
"action": "allow",
"modifications": {
"runtime": {
"devices": {
"printers": "disabled"
}
}
}
}
]
}Tips
- Use system-wide policy for enterprise enforcement; per-user policy should not be able to bypass device restrictions.
- Combine device-level restrictions with file routing controls to manage Print/Open behaviors at the UI layer.
- Avoid raw flags; if a vendor-specific value is required, carry it under
runtime.extensionsrather than a string flag.
Related topics: Runtime Configuration
