The Policies page lets Org Admins configure the behavioral rules that Agent Charley enforces on enrolled devices. Policies use a three-level scope hierarchy — org-wide defaults, group overrides, and per-device pins.
Scope Hierarchy
global (org-wide default)
└── group (subset of devices)
└── device (individual device override)
Policies merge from broadest to most specific. A value set at the group level overrides the same value at global; a value set at the device level overrides both. Only the fields you explicitly set are overridden — unset fields fall through to the broader scope.
Policy Types
| Type | Controls |
|---|
| App Config | UI visibility, email analysis, stealth mode, telemetry, flow logs |
| Flow Config | Which URL categories are tracked and reported |
| DLP Config | Data loss prevention — pattern detection, block/warn mode, clipboard control |
Editing the Org-Wide Policy
The Org (global) scope is the default scope shown when you open the Policies page. Changes here apply to all enrolled devices that do not have a group or device override for the same field.
- Select a policy type from the tab bar (App Config, Flow Config, DLP Config).
- Click the scope selector and choose Org.
- Edit the fields in the editor panel.
- Click Save.
Enabling Locked on a policy prevents individual devices from overriding it locally, even if the device has its own override configured. Use this for compliance-critical settings.
Group Policies
Apply a policy override to a device group without changing the org-wide baseline.
- Click Group override in the scope selector.
- Choose a group from the dropdown. (Manage groups under Devices → Groups.)
- Edit the policy fields you want to override for this group.
- Click Save.
Devices not in any group continue to use the org-wide policy. Devices in the group receive the merged result: org-wide values plus any field overridden at the group level.
Device Policies
Override a specific device’s policy — useful for exceptions, testing, or pilot rollouts.
- Click Device override in the scope selector.
- Start typing a device name or email to search, then select the device.
- Edit the policy fields for that device only.
- Click Save.
Device policies take the highest precedence in the merge chain.
Policy-Managed Badge
Policies created via the Policy-as-Code CLI or SDK display a Managed by code badge. These policies can still be viewed in the dashboard but are best edited through your version-controlled policy files to keep your git history consistent.
Active Policies Table
The bottom of the Policies page shows all policies currently set for the active type — org-wide, all groups, and device overrides — in a single table. Click Edit on any row to jump directly to that scope’s editor.
App Config Fields
| Field | Default | Description |
|---|
suppress_frontend_ui | false | Hide the browser extension’s UI (coin, panel, badges) |
suppress_email_content_analysis | false | Skip phishing analysis of email content |
stealth_mode | false | Run entirely invisible — no tray icon, no dashboard access |
flow_logs_enabled | true | Stream device activity to Charley for analytics |
telemetry_enabled | true | Report threat telemetry for the Overview dashboard |
suppress_policy_locked | false | Allow device to override even locked policies (use with caution) |
Flow Config Fields
| Field | Default | Description |
|---|
enabled | true | Enable or disable flow tracking entirely |
categories | all | URL categories to classify and report |
Available categories: SECURITY_BLOCK, BANKING, CRYPTO, ECOMMERCE, EMAIL, JOB_SITES, SOCIAL_MEDIA, PRODUCTIVITY, TRUSTED.
DLP Config Fields
| Field | Description |
|---|
enabled | Enable DLP scanning |
targets.apply_to_all_apps | Scan clipboard paste in all apps |
targets.apps_allowlist | Only scan in the listed apps (by name, e.g. Chrome, Slack) |
detections.builtins | Built-in detectors: credit_card, ssn_us, email, phone |
detections.custom_regex | Custom patterns (name + regex) |
actions.mode | block — prevent paste, warn — alert user, allow — log only |
actions.clear_clipboard_on_block | Clear clipboard when blocking |
actions.allow_once_override | Let the user bypass the block once per trigger |
ui.notify_on_block / ui.notify_on_warn | Show a toast notification |
ui.toast_cooldown_sec | Minimum seconds between successive toasts (0 = always) |
Policy Templates
The template bar lets you save and reuse common policy configurations.
- Click Save as template from the editor to name and store the current configuration.
- Click a template in the bar to load it into the editor (you can then adjust and save).
- Templates are shared across your org and stored server-side.
Next Steps
- Groups — create device groups and assign members
- Policy as Code — version-control and automate policy deployment via CLI/SDK