Policies
A policy set is where ACP earns its name. It defines the envelope every session runs inside — what users may do with files, printing, the clipboard, the network and child processes, plus session lifecycle, recording, isolation, drive mappings and compute caps. This section documents the policy JSON node by node, following the order of the Admin policy editor.
What a policy set is
In the IAM model the stored entity is a policy set. Its content is three JSON documents plus a metadata block, stored in separate columns and merged into a single policy document when a session starts:
| Root node | Stored as | Controls |
|---|---|---|
security | securityPolicyJson | Clipboard, file system, data transfer, printing, network, child processes, file dialogs. |
session | sessionPolicyJson | Lifecycle and timeouts, remote desktop, audio, recording, drive mappings, session isolation. |
resources | resourcePolicyJson | CPU/RAM caps, desktop resolution, frame rate, streamer mode, disk quota, capture offsets. |
metadata | metadataJson | Template bookkeeping only — not applied to sessions. |
The top-level template also carries name, description and revision. The authoritative shape — every key, type, enum, default and min/max in this section — comes from the policy JSON schema shipped with the product and downloadable from the policy list page.
Anatomy of the editor
The Admin console edits a policy set through a single form. Most sections are accordions with visual controls; everything else is reachable through the Policy Configuration (Advanced) area, which exposes the four JSON blobs directly. Visual editors and the Advanced JSON tabs write the same underlying nodes — the accordions are a friendly front end over the JSON documented here.
Editor sections at a glance
The pages in this section follow the editor order. Each one documents its JSON node in full, with a property table, a sample, and any global override behaviour.
| Editor section | JSON node | Reference |
|---|---|---|
| Basic Information | name, description, revision | Policy Sets & the Editor |
| Resources | resources | Resources |
| Printing | security.printing | Printing |
| Client Data Transfer | security.dataTransfer | Client Data Transfer |
| File System | security.fileSystem | File System |
| Network Isolation | security.network | Network Isolation |
| Session Isolation | session.sessionIsolation | Session Isolation |
| Drive Mappings | session.driveMappings | Drive Mappings |
| Advanced — Security | security.clipboard | Clipboard |
| Advanced — Security | security.childProcessPolicy | Child Process Control |
| Advanced — Security | security.dialogs | File Dialogs |
| Advanced — Session | session lifecycle | Session Lifecycle |
| Advanced — Session | session.remoteDesktop, session.audio | Remote Desktop & Audio |
| Advanced — Session | session.recording | Recording |
| Advanced — Metadata | metadata | Metadata |
Two layers: policy set vs app.config.xml
There are two configuration layers. The policy set JSON is the per-workspace / per-user layer authored in the Admin console. The global app.config.xml is an operator-controlled file read by the Gateway service; effective enforcement then happens on the backend Session Manager (which writes policy.json and applies NTFS and firewall rules) and inside the session Streamer.
As a rule, policy wins per session — it overrides app.config defaults for any key it sets. But several global settings are deliberately non-negotiable. They behave as one of:
- Ceiling — policy may lower but never raise (audio enablement).
- Floor / baseline — the global value is always included; policy can only add to it (default blocked paths).
- Gate — a master switch that disables a whole subsystem regardless of policy (filesystem restrictions, headless dialogs).
- Forced — a fixed value policy cannot change (loopback networking).
- Injection — the Gateway writes a global default into the policy JSON before the backend sees it (recording defaults).
Audio enable is a ceiling; network.allowLoopback is forced true; fileSystem.blockedPaths is unioned with the global default-blocked and protected paths; the filesystem-restrictions master switch is a gate; security.dialogs.* is applied from app.config <headlessDialogs> (policy values are logged only); recording follows the precedence User > Workspace policy > Org > app.config global. Each page below calls out its specific behaviour.
Built-in policy sets
Four policy sets ship with every deployment, aligned to the file-system trust levels: notrust, lowtrust, fulltrust and disposable. Built-ins are read-only — clone one and tailor the copy rather than editing the template. See Trust Levels for the security rationale behind each.