> ## Documentation Index
> Fetch the complete documentation index at: https://docs.charlemagnelabs.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Policies

> Define and apply security policies across your org, groups, and individual devices

The **Policies** page lets Org Admins configure the behavioral rules that Agent Charley enforces on enrolled devices. Policies use a three-level scope hierarchy — org-wide defaults, group overrides, and per-device pins.

## Scope Hierarchy

```
global (org-wide default)
  └── group (subset of devices)
        └── device (individual device override)
```

Policies merge from broadest to most specific. A value set at the group level overrides the same value at global; a value set at the device level overrides both. Only the fields you explicitly set are overridden — unset fields fall through to the broader scope.

## Policy Types

| Type            | Controls                                                                     |
| --------------- | ---------------------------------------------------------------------------- |
| **App Config**  | UI visibility, email analysis, stealth mode, telemetry, flow logs            |
| **Flow Config** | Which URL categories are tracked and reported                                |
| **DLP Config**  | Data loss prevention — pattern detection, block/warn mode, clipboard control |

## Editing the Org-Wide Policy

The **Org (global)** scope is the default scope shown when you open the Policies page. Changes here apply to all enrolled devices that do not have a group or device override for the same field.

1. Select a **policy type** from the tab bar (App Config, Flow Config, DLP Config).
2. Click the scope selector and choose **Org**.
3. Edit the fields in the editor panel.
4. Click **Save**.

<Warning>
  Enabling **Locked** on a policy prevents individual devices from overriding it locally, even if the device has its own override configured. Use this for compliance-critical settings.
</Warning>

## Group Policies

Apply a policy override to a device group without changing the org-wide baseline.

1. Click **Group override** in the scope selector.
2. Choose a group from the dropdown. (Manage groups under **Devices → Groups**.)
3. Edit the policy fields you want to override for this group.
4. Click **Save**.

Devices not in any group continue to use the org-wide policy. Devices in the group receive the merged result: org-wide values plus any field overridden at the group level.

## Device Policies

Override a specific device's policy — useful for exceptions, testing, or pilot rollouts.

1. Click **Device override** in the scope selector.
2. Start typing a device name or email to search, then select the device.
3. Edit the policy fields for that device only.
4. Click **Save**.

Device policies take the highest precedence in the merge chain.

## Policy-Managed Badge

Policies created via the [Policy-as-Code CLI or SDK](/policy-as-code/overview) display a **Managed by code** badge. These policies can still be viewed in the dashboard but are best edited through your version-controlled policy files to keep your git history consistent.

## Active Policies Table

The bottom of the Policies page shows all policies currently set for the active type — org-wide, all groups, and device overrides — in a single table. Click **Edit** on any row to jump directly to that scope's editor.

## App Config Fields

| Field                             | Default | Description                                                      |
| --------------------------------- | ------- | ---------------------------------------------------------------- |
| `suppress_frontend_ui`            | `false` | Hide the browser extension's UI (coin, panel, badges)            |
| `suppress_email_content_analysis` | `false` | Skip phishing analysis of email content                          |
| `stealth_mode`                    | `false` | Run entirely invisible — no tray icon, no dashboard access       |
| `flow_logs_enabled`               | `true`  | Stream device activity to Charley for analytics                  |
| `telemetry_enabled`               | `true`  | Report threat telemetry for the Overview dashboard               |
| `suppress_policy_locked`          | `false` | Allow device to override even locked policies (use with caution) |

## Flow Config Fields

| Field        | Default | Description                              |
| ------------ | ------- | ---------------------------------------- |
| `enabled`    | `true`  | Enable or disable flow tracking entirely |
| `categories` | all     | URL categories to classify and report    |

Available categories: `SECURITY_BLOCK`, `BANKING`, `CRYPTO`, `ECOMMERCE`, `EMAIL`, `JOB_SITES`, `SOCIAL_MEDIA`, `PRODUCTIVITY`, `TRUSTED`.

## DLP Config Fields

| Field                                      | Description                                                      |
| ------------------------------------------ | ---------------------------------------------------------------- |
| `enabled`                                  | Enable DLP scanning                                              |
| `targets.apply_to_all_apps`                | Scan clipboard paste in all apps                                 |
| `targets.apps_allowlist`                   | Only scan in the listed apps (by name, e.g. `Chrome`, `Slack`)   |
| `detections.builtins`                      | Built-in detectors: `credit_card`, `ssn_us`, `email`, `phone`    |
| `detections.custom_regex`                  | Custom patterns (name + regex)                                   |
| `actions.mode`                             | `block` — prevent paste, `warn` — alert user, `allow` — log only |
| `actions.clear_clipboard_on_block`         | Clear clipboard when blocking                                    |
| `actions.allow_once_override`              | Let the user bypass the block once per trigger                   |
| `ui.notify_on_block` / `ui.notify_on_warn` | Show a toast notification                                        |
| `ui.toast_cooldown_sec`                    | Minimum seconds between successive toasts (0 = always)           |

## Policy Templates

The template bar lets you save and reuse common policy configurations.

* Click **Save as template** from the editor to name and store the current configuration.
* Click a template in the bar to load it into the editor (you can then adjust and save).
* Templates are shared across your org and stored server-side.

## Next Steps

* [Groups](/dashboard/groups) — create device groups and assign members
* [Policy as Code](/policy-as-code/overview) — version-control and automate policy deployment via CLI/SDK
