Stage 2 — Tighten the Policy

With the app proven on fulltrust (Stage 1), the goal now is to remove trust until the session is isolated to the level your data sensitivity requires — without breaking the app. The technique is incremental: clone the working policy, change one thing, test, and only keep the change if the app still works. Because compatibility was already established in Stage 1, any regression you see is caused by the last setting you touched.

Set up an editable policy

  1. Clone fulltrust in the Policies editor and give the copy a working name (for example myapp_tuning). Never edit the built-in templates. See Policy Sets & the Editor.
  2. Assign the clone to your Stage 1 Virtual Desktop workspace so you keep testing in the same known-good delivery mode.
  3. Change one setting, save, relaunch, and re-run your core workflow. Keep the change if the app still works; revert it if it does not, and note why.
Aim for a target, not zero

You are moving from fulltrust toward lowtrust (or notrust/disposable for the most sensitive workloads). The right stopping point is the loosest policy that still meets your isolation requirement — over-tightening only creates support tickets.

Isolation checklist

Work down this list. Each row maps an isolation goal to the policy node that controls it and the reference page with the exact properties, units, and any app.config.xml overrides. Change one row at a time.

Isolation goalPolicy nodeReference
Restrict which files and paths the app can reachsecurity.fileSystem (trustLevel, allowed/blocked paths, virtual shares)File System
Stop data leaving through copy/pastesecurity.clipboard (enabled, direction, max size)Clipboard
Control upload/download across the browser boundarysecurity.dataTransfer (upload/download toggles, max file size)Client Data Transfer
Confine or block network accesssecurity.network (isolation, allowed/blocked domains, loopback)Network Isolation
Prevent the app from spawning other processessecurity.childProcessPolicy (allow child processes, allow/block lists)Child Process Control
Govern file picker behavioursecurity.dialogs (headless dialogs, native fallback)File Dialogs
Control printing / document egresssecurity.printing (enabled, physical printers, max output size)Printing
Discard or persist user state between sessionssession.sessionIsolation (profile cleanup, registry/filesystem persistence)Session Isolation
Cap CPU, memory, resolution, and frame rateresources (CPU/RAM limits, resolution, FPS, disk quota)Resources
Watch for what breaks

Common regressions while tightening: the app can no longer open or save where it expects (file system), an updater or helper fails to start (child process control), activation or a backend call fails (network isolation), or settings no longer persist between sessions (session isolation). Each maps directly to a checklist row, so revert that one node and reconsider the requirement.

Remember the global layer

Some policy values are capped, gated, or forced by the Gateway's app.config.xml. If a setting does not take effect as expected, check the override notes on the relevant reference page and see Policies for how the two layers combine.

Once the app runs correctly at your target isolation level, you have a policy you trust. Continue to Stage 3 — App Collection Delivery to project just the single app.