Appearance
Policy Recipes: Authorization
Task-oriented authorization recipes you can copy/paste. Each recipe affects application authorization and visibility and includes a quick validation step.
What You'll Learn
- How to allow or hide applications using matchers
- How to combine runtime modifications and arguments with authorization rules
- How to validate authorization behavior in the Applications view
Authorization Recipes (Apps)
These recipes affect application authorization and visibility only.
Allow Office Apps
Allow Word, Excel, PowerPoint by shortcut name.
json
{
"id": "allow-office-apps",
"displayName": "Allow Office Applications",
"enabled": true,
"priority": 100,
"matchAll": [
{ "type": "shortcutName", "pattern": "(Microsoft Word|Microsoft Excel|Microsoft PowerPoint)", "patternType": "regex" }
],
"action": "allow"
}Validate:
- Word, Excel, and PowerPoint appear in Applications.
- Each application launches successfully.
Allow Program Files (Glob)
Allow any .exe under C:\Program Files using a glob path.
json
{
"id": "allow-program-files-glob",
"displayName": "Allow Program Files Applications (glob)",
"enabled": true,
"priority": 50,
"matchAll": [
{ "type": "targetPath", "pattern": "C:\\\\Program Files\\\\**\\\\*.exe", "patternType": "glob" }
],
"action": "allow"
}Validate:
- A representative application installed under
C:\Program Filesappears in Applications. - The application launches successfully.
Secure Browsers (Runtime + Args)
Add isolation and Incognito/Private mode and set a visual border color for common browsers.
json
{
"id": "secure-browsers",
"displayName": "Secure Browser Launches",
"enabled": true,
"priority": 75,
"matchAll": [
{ "type": "shortcutName", "pattern": "(Chrome|Firefox|Edge)", "patternType": "regex" }
],
"action": "allow",
"modifications": {
"runtime": {
"isolation": { "remoteSandbox": true },
"visual": { "borderColor": "#80008200" }
},
"arguments": { "append": "--incognito" }
}
}Validate:
- Chrome, Firefox, and Edge appear in Applications and launch.
- Each browser shows an Incognito/Private indicator.
- A colored border appears around the window matching the configured
borderColor.
Show App but Require Manager Approval Before Launch
Make a sensitive application visible in Applications, but require an approval workflow (for example, manager approval) before it can launch in the Secure Sandbox runtime.
json
{
"configuration": {
"launch": {
"runtime": {
"approval": {
"workflows": [
{
"id": "manager-approval-app-launch",
"type": "accessRequest",
"operations": ["appLaunch"],
"providerRef": "manager-email-approval"
}
],
"defaults": {
"appLaunchWorkflowRef": "manager-approval-app-launch"
}
}
}
}
},
"apps": [
{
"id": "sensitive-engineering-tools",
"displayName": "Sensitive Engineering Tools",
"enabled": true,
"priority": 400,
"matchAll": [
{ "type": "targetPath", "pattern": "C:\\Tools\\Sensitive\\**.exe", "patternType": "glob" }
],
"action": "allow",
"authorization": {
"requirements": {
"userAttributes": [
{ "attribute": "usPersonStatus", "allowedValues": ["verified"] }
]
},
"approval": {
"mode": "required",
"workflowRef": "manager-approval-app-launch",
"reuse": {
"policy": "perUserPerApp",
"ttlSeconds": 86400
}
}
}
}
]
}Validate:
- The sensitive app appears in Applications (matching the configured shortcut/executable).
- When you attempt to launch the app, the client prompts for or initiates an approval workflow instead of launching immediately.
- After approval is granted, the app launches successfully into the Secure Sandbox runtime and an
authzevent withaction: "allow"is recorded. - If approval is rejected or expires, attempts to launch remain blocked and corresponding
authz/workflow.lifecycleaudit events are present.
Ban List: Block Consumer Browsers from Applications
Use an explicit deny policy to prevent certain applications from ever appearing in Applications or launching, even if other allow or approval rules exist. Deny policies act as a ban list and take precedence over allow.
json
{
"apps": [
{
"id": "ban-consumer-browsers",
"displayName": "Ban Consumer Browsers",
"enabled": true,
"priority": 1000,
"matchAny": [
{ "type": "targetPath", "pattern": "**\\Google\\Chrome\\Application\\chrome.exe", "patternType": "glob" },
{ "type": "targetPath", "pattern": "**\\Mozilla Firefox\\firefox.exe", "patternType": "glob" },
{ "type": "targetPath", "pattern": "**\\Microsoft\\Edge\\Application\\msedge.exe", "patternType": "glob" }
],
"action": "deny"
}
]
}Validate:
- On a device where Chrome, Firefox, and Edge are present, these shortcuts are still discovered by the Launcher, but:
- They do not appear in the Applications tab.
- Attempts to route to these executables (for example, via other policies or approval rules) result in
authzdeny events.
- Adding new
action: "allow"orauthorization.approvalrules that match these executables does not make them visible or launchable, because the deny policy takes precedence.
Notes:
- For broad catalog cleanup (for example, stripping out uninstallers or low-value shortcuts), combine deny policies with
configuration.discovery.providers[].filters.excludepatterns so unwanted entries are never discovered in the first place.
Related Topics
See also:
