Custom Policy Setup and Best Practices Guide

In this guide, we will be showing you how to set up a custom policy and some best practices to follow when creating one.

 ***Be sure to click Save Policy after making changes in each part of the Policies section.***

 

We recommend that you do the following by default for all created policies:

- Under the Category Access Section of Policies:

• Set the Security supercategory to "Block".
  • We recommend blocklisting this entire category because it protects users from things such as spam, phishing sites, malware, infected sites, botnets, and more. 

• Next, set Drugs & Alcohol as well as Adult Content to "Block".

 

• • Keep the Risk Level Access setting Unchecked.
    • This is only recommended for use in very locked-down environments, zero-trust policies, medical labs, or kiosks.
    • Enabling this can cause blocks to screen sharing/remote desktop tools as well as your DNS resolvers. Enable this only after safelisting dns.google.com and cloudflare-dns.com (or any other resolver you use) in the "Websites" tab as the Risk Level Access reputation filter can block those addresses and prevent DNS from resolving on the endpoint.

You also have the option to enforce the Safe Search feature which will filter explicit search results from Google, Bing, DuckDuckGo, and YouTube. Enforcing this feature is optional depending on the use case and customer preferences.

 

After applying the recommended settings, you can customize your policy based on your specific needs and what you want users to be able to access.

 

The next section of this article contains details on the different parts of the Policies section, including examples of how and why you'd use particular settings.

Categories

This section of the Policies tab gives you control over which content categories you want users to have access to. Here you can choose to Allow or Block either the entire Supercategory or any of the Subcategories located within.

Websites

The Websites section of the Policies tab allows you to add domains to be allowed and blocked. The domains in your allowlist and blocklist will override any content categories (with the exception of the Web Apps super/subcategories) that you have set to be allowed/blocked in the Categories section. This allows you to further specify what sites you want to allow users access to without having to compromise by blocking them from entire domains.

 

Additionally, you can also upload a .csv file to your safe/blocklist. To do this, click the "CSV" button next to "Add URL" and then click "Add URLs w/CSV". This will then allow you to choose the file you want to upload.

Here's an example of how to format your .csv files:

Mode refers to including or excluding subdomains. True = include, False = exclude subdomains.

 

Here's what it should look like if you were to upload the above .csv file:

 

Location Blocking:

This feature of the Policies section allows you to allow or block access to websites based on the IP they geolocate to. For example, if you don't want your users to be able to access websites from Russia, you could choose the "Block" setting and add the "Russian Federation" to your Blocked Countries list. If they try accessing a site like "goverment.ru" for example, they will receive a block page instead.

 

Blocked Countries Best Practices:

• Russia
• China
• Iran
• Nigeria
• North Korea (Democratic People's Republic of)
• Belarus

 

Allowed Countries Best Practices:

• United States
• Canada
• United Kingdom
• Ireland
• France
• Germany 
• Australia