Skip to content

Device-level Settings

Use device-level runtime settings to control access to peripherals (for example printers), virtual devices, or other runtime-managed hardware features. These settings are carried as opaque strings (flags) and enforced by the runtime.

What You'll Learn

  • Where to place device runtime settings at global, app, and launch profile scopes
  • Portable device keys you can rely on across runtimes (for example, printers)
  • How to combine device restrictions with file routing and vendor-specific extensions

Where to configure

  • Global (all launches): configuration.launch.runtime.devices
  • Per-app (when that app launches): apps[].modifications.runtime.devices
  • Per-launch profile (only when that launch profile is selected): apps[].profiles[].runtime.devices

Authoring guidance

  • Prefer portable settings under runtime.devices (e.g., printers: "disabled" | "virtual-only" | "host-allowed").
  • Place sensitive device restrictions at the system-wide (global) policy so user policy cannot re-enable devices.
  • UI-level actions (for example Print verb visibility) are controlled via File Policies and routing; device-level runtime settings govern whether devices exist inside the sandboxed application at all.
  • For vendor-specific values, use runtime.extensions.{vendor} (structured; no raw flags).

Portable device options

The following portable device keys and values are defined by the policy schema and are intended to work across runtimes:

DeviceKeyAllowed valuesNotes
Printersruntime.devices.printers"disabled", "virtual-only", "host-allowed"Controls printer availability inside the sandboxed application.

Example (illustrative; replace values with those supported by your runtime)

json
{
  "configuration": {
    "launch": {
      "runtime": {
        "devices": {
          "printers": "disabled"
        },
        "extensions": {
          "turboVm": { "printerPolicy": "restricted" }
        }
      }
    }
  },
  "apps": [
    {
      "id": "sensitive-editor",
      "displayName": "Sensitive Editor",
      "enabled": true,
      "priority": 300,
      "matchAll": [
        { "type": "targetPath", "pattern": "**\\\\SensitiveEditor.exe", "patternType": "glob" }
      ],
      "action": "allow",
      "modifications": {
        "runtime": {
          "devices": {
            "printers": "disabled"
          }
        }
      }
    }
  ]
}

Tips

  • Use system-wide policy for enterprise enforcement; per-user policy should not be able to bypass device restrictions.
  • Combine device-level restrictions with file routing controls to manage Print/Open behaviors at the UI layer.
  • Avoid raw flags; if a vendor-specific value is required, carry it under runtime.extensions rather than a string flag.

Related topics: Runtime Configuration