Policy Structure
Every policy has the same top-level shape in YAML:scope and target
| Scope | Target | Applies to |
|---|---|---|
global | omit (or null) | All devices in the org |
group | group name or group UUID | All devices in that group |
device | device UUID | That specific device only |
apply will fail with a 404.
locked
When locked: true, the device agent cannot override the policy locally — even if a device-level policy would normally take precedence. Use this for compliance-critical settings you never want overridden.
App Config (app_config)
Controls the Agent Charley application’s behavior on the endpoint.
| Field | Type | Default | Description |
|---|---|---|---|
suppress_frontend_ui | bool | false | Hides the browser extension’s visible elements |
suppress_email_content_analysis | bool | false | Disables email content phishing scanning |
stealth_mode | bool | false | No tray icon, no local dashboard, completely silent |
flow_logs_enabled | bool | true | Enables the URL activity stream to the Charley API |
telemetry_enabled | bool | true | Enables threat event reporting for analytics |
suppress_policy_locked | bool | false | If true, device can override even locked policies |
Flow Config (flow_config)
Controls which URL categories Agent Charley classifies and reports.
| Field | Type | Default | Description |
|---|---|---|---|
enabled | bool | true | Enable or disable flow tracking entirely |
categories | list[string] | all | URL categories to classify and report |
Available Categories
| Value | Description |
|---|---|
SECURITY_BLOCK | Known malicious, phishing, and threat domains |
BANKING | Online banking and financial services |
CRYPTO | Cryptocurrency exchanges and wallets |
ECOMMERCE | Shopping and retail sites |
EMAIL | Webmail services (Gmail, Outlook, etc.) |
JOB_SITES | Job boards and recruiting platforms |
SOCIAL_MEDIA | Social networks |
PRODUCTIVITY | Work tools (docs, project management, collaboration) |
TRUSTED | Org-allowlisted domains |
DLP Config (dlp_config)
Controls data loss prevention — scanning clipboard content and blocking or warning on sensitive data patterns.
targets
Either apply_to_all_apps: true or provide apps_allowlist — not both. apps_allowlist entries are matched against the application’s display name on macOS (as reported by NSWorkspace).
detections.builtins
| Value | Detects |
|---|---|
credit_card | Luhn-valid 13–19 digit card numbers (Visa, MC, Amex, Discover) |
ssn_us | US Social Security Numbers in XXX-XX-XXXX or XXXXXXXXX format |
email | Email addresses |
phone | US phone numbers in common formats |
actions.mode
| Value | Behavior |
|---|---|
block | Cancels the paste. Optionally clears the clipboard. |
warn | Allows the paste but shows a warning notification. |
allow | Logs the detection but takes no visible action. |
slack_context
When slack_context.enabled is true, DLP triggers only when the user is pasting into a Slack window that matches the specified channel types. If slack_context is omitted or disabled, DLP applies regardless of the target application.