Select Policies

SECURITY  Administrator or Super Administrator privileges in Workplace

NAVIGATION  Workplace Online > Configuration > Team Settings > Policy Profiles > click a policy profile > + Add Policies

This page allows you to find and select policies to add to a policy profile.

Individual Policy Definitions and Instructions

The areas below describe how adding or modifying specific policies within your policy profiles will affect users. If a policy has already been added to the profile, the words already selected will display at the right of the policy. You may add any other policy to the policy profile.

NOTE   Data entry and/or additional selection fields for policies are only available when the check box corresponding to the policy is selected.

Policy What it does How to use it
IP Address Whitelist Restricts log in via a web browser, Workplace Mobile or Workplace Desktop to specified IP addresses.

Select check box, then click Save. This will return you to the Policy Profile Detail page.

Then click the Manage link to add or remove whitelisted IP addresses:

Only logins from IP addresses on this list will be successful. If there are no records on this list, all IP addresses will be allowed to log in.

By default, users will be able to log in to any component of Workplace from an IP address on this list. To exclude login to some Workplace components, you may clear the Workplace Online, Workplace Mobile and/or Workplace Desktop check boxes for any IP address.

You can use wildcard symbol * to include a range of IP addresses.

NOTE  Wildcards are implemented in a very simple way. Just use one or more asterisks in the pattern. An asterisk will replace 0 or more characters

For example, for the IP address 123.456.789.111 all the following patterns will match:
123.*.789.111
123*
123.*.789.*
Public Sharing Allow users with the correct permissions to create Public Shares to content stored in the service.

Select check box. When this policy is added to the policy profile, you can choose to enable any or all of the following additional settings:

Enforce Email Validation

Public share recipients will be prompted to enter their name (optional) and email address (required) when they access the share.

Enforce Password

Requires that public share recipients enter a password before accessing the file.

Maximum Expiration Length

Determines the maximum amount of time that the share is available. You may select a duration. Users to whom this policy profile applies will be able to adjust the duration downward, but they will not be able to increase it.
Watermark Previews

Places a watermark on files are viewed with View Only permissions.

The watermark consists of the user's full name and email address. This only applies to converted files, not images or videos. Refer to File conversion limits for more information on which file types are converted.

 Select check box.
Require Device Approval Devices require approval by a team administrator before the user may connect to the service. Select check box, then select the type of device that requires approval (mobile or desktop), or select all to require approval for all devices.
Wipe Data when Account Disabled

Remotely erase all data synced via the Workplace service from the user's devices when their account is disabled.

If this policy is enabled, the Disable and Wipe Devices option is selected by default when you disable a user.

When a device is wiped, it is also purged.

NOTE  If Active Directory integration is enabled and a user is disabled via Active Directory, the synced data in the Workplace Folder will be automatically wiped from all their devices.

 Select check box.
Wipe Data when Account Deleted

Remotely erase all data synced via the Workplace service from the user's devices when their account is deleted.

When this policy is enabled and a user account is deleted, the default Don’t Wipe option next to each device is changed to Wipe.

When a device is wiped, it is also purged.

NOTE  If Active Directory integration is enabled and a user is deleted via Active Directory, the synced data in the Workplace Folder will be automatically wiped from all their devices.

 Select check box.
Session Timeout Number of minutes after which a web session will expire. Select check box, enter the number of minutes.
The default value for this field is 60.
Allow "Remember Me" Users are allowed to select the "Remember Me" option on the Log In page. Select check box.
Display IP Address in Web UI IP address of user currently logged in is shown in UI. Select check box.
Automatically Disable and Recycle Devices Automatically disables devices that have not connected to Workplace for a specified number of months, and recycles devices the have been disabled for a specified number of months.

This policy is enabled by default, with a setting of 3 months since last connection before a device is disabled, and 12 months in a disabled state before the device is recycled. If no action is taken, recycled devices will be purged after 90 days.

An email notification will be sent to team administrators and the device owner whenever a device status changes due to this policy.

Policy What it does How to use it
Password Strength Minimum strength required when users create their passwords. Select the check box, then select a minimum password strength.
Password Expiration Number of days after which the password will expire.

Optionally allows prevention of password expiration for password with a strength of 5, even when password expiration is enabled.
 Select the check box, then enter the number of days.

Optionally select the Strength score 5 passwords do not expire check box.
Recent Password Cycle Number of times that a password must be changed until it can be reused. Select the check box, then enter the number of cycles.
Recent Password Interval Number of days for which recent password cannot be reused. Select the check box, then enter the number of days.
Password Length Requirements Minimum and maximum length of passwords. Select the check box, then enter a minimum number and/or a maximum number.

The range is 6-30. The default value for the Minimum field is 6. The default value for the Maximum field is 30
Must Contain Letters Password must contain at least one letter. Select the check box, then select the type of letter requirement you want to enforce: any, upper case, lower case, both.
Must Contain Digits Passwords must contain at least one digit. Select the check box.
Disallow Characters Characters that passwords cannot contain. Select the check box, then enter the characters you do not want to allow users to include in passwords.

'|' cannot be a rejected character.
Restrict Number of Failed Login Attempts Number of failed login attempts required to deactivate the account. Select the check box, then enter a number.

The default value for this field is 5.
Two-Factor Authentication Use two-factor authentication in the login process. Select the check box.

For more information, refer to Manage Two-Factor Authenticationand Log In.
Enforce (only available when 2FA is selected) 2FA is mandatory unless explicitly disabled for that user. Refer to Manage Two-Factor Authentication. There will be no grace period during which users may skip 2FA. New users added to the team will also have 2FA enforced. Select the check box.

All users on your team will be forced to use two-factor authentication the next time they log on.
IP Address Whitelist
(2FA)		 Allow IP addresses that can log in without two-factor authentication.
*Workplace Desktop installations will always ask for 2FA even when coming from a whitelisted IP.

Select the check box.
Once you have added this policy, you will manage the IP Whitelist on the Policy Profile Detail page, where you can click the 2FA IP Address White List link, which will open this popup:

For each IP address, enter the IP Address Pattern, enter a description, then click Add. You can use wildcard symbol * to include a range of IP addresses.

NOTE  Wildcards are implemented in a very simple way. Just use one or more asterisks in the pattern. An asterisk will replace 0 or more characters

For example, for the IP address 123.456.789.111 all the following patterns will match:
123.*.789.111
123*
123.*.789.*

When you have added all the addresses you want, click Update.

IP addresses on the list can successfully log in without two-factor authentication, even if 2FA is enabled for the account.

Policy What it does How to use it
Exclude Groups from Sharing Specify the groups to be hidden when users share projects or folders. Select check box. Once you have enabled this selection, you may manage restricted groups on the Policy Profile Detail page.
Restrict Unlock Override to Project Owner Prevent all users except the project owner from unlocking a locked file.
Select check box. Once you have enabled this selection, you may manage restricted groups on the Policy Profile Detail page.
Prevent Project Creation Users or groups or users to whom this policy is applied will not be able to create new projects. Select the check box.

 

NOTE  To prevent users from making changes to Workplace Desktop preferences, including backup folders, local Workplace location, and projects to sync, please refer to Select Policies, below.

Policy What it does How to use it
Lock Settings Prevents users from being able to make changes to settings and quitting. Users with this policy applied will not be able to control their sync preferences, backups, and networks settings via Workplace Desktop. Select the check box.
Local Storage Defaults Set the volume name, drive letter, and file path where users will access Workplace files on their device.

Select the check box, then click Save. This will return you to the Policy Profile Detail page. Then click the Manage link for this policy to set the default location for the Workplace folder on the Manage Workplace Location page.
Workplace v10 Storage Settings

Specifies the location in which v10 stores files, and the maximum amount of storage that can be used by the automatic sync process when a user opens a file.

Files that are opened on the device will automatically be retained in this cache and will be available while offline until the cache is full. Files opened the longest time ago will be automatically cleared from the cache.

NOTE  All files are stored in the cache location. Files that have been synced to the device to make them available offline are not included in the cache size.

For cache size, select the check box, then enter a value of 10 GB or greater in the corresponding field.

For cache location, select the check box, then click Save. This will return you to the Policy Profile Detail page. Then click the Manage Location link for this policy to Manage Cache Location.

Enforce Project Sync

Specify projects or folders that will automatically sync to the device. If this policy is enabled, the Project list controlled by administrator check box on the Workplace Desktop Sync tab will be selected by default upon installation, but users may clear the check box to customize the projects they wish to sync. If they select the check box again, only projects designated in this policy will be synced.

 Select the check box, then click Save. This will return you to the Policy Profile Detail page. Click the Manage link for this policy to open the Manage Projects to Sync page and designate which projects and/or folders will sync.
Restrict Offline Access Duration Sets the maximum number of days that files can be accessed without a connection to the Workplace service. Requires Workplace v10.3 or higher. Select the check box, then select a time period from the Deny access after dropdown.
SmartBadge Displays SmartBadge on Microsoft Office documents, allowing for enhanced collaboration. Select the check box.

The Auto-lock Microsoft Office Files check box enables automatic locking of Microsoft Office files when edited and automatic unlocking when closed. This check box is selected by default, but you may clear it if you wish.
Outlook Plugin Determines whether the Workplace Outlook plugin is enabled by default upon installation.
 Select the check box.
Disallow Remote Access Disable remote access to devices running Workplace. Select the check box.
Throttle Control Enable to set the maximum speeds at which Workplace devices can upload to and download from the Workplace service. Leave a field blank to use the maximum speed.

Users can, via the Workplace app Network tab, reduce transfer speed, but they cannot increase it beyond the limit you've set here if this policy is enabled.

NOTE  Throttle control settings apply to Workplace Desktop 7.2 and later only. These settings do not affect Workplace Server.

 Select the check box, then enter the maximum Download and Upload speeds in the fields provided.
File Backup
(metered plans only)		 Allows backup of files using Workplace Desktop v8 or earlier.

Select the check box.
Default Backup Folders
(metered plans only)		 Allows you to specify the folder paths to back up using Workplace Desktop v8 or earlier. If this policy is enabled, the Backup paths controlled by administrator check box on the Workplace Desktop Backup tab in Workplace Desktopwill be selected by default upon installation, but users may clear the check box to customize the folders they wish to back up. If they select the check box again, only paths designated in this policy will be backed up.
Select the check box, then click Save. This will return you to the Policy Profile Detail page. Click the Manage link for this policy to open the Manage Backup Folders page and designate which folders will be backed up.
Restrict Update Automation

All updates will require manual installation or remote deployment.

For Workplace for Windows and Mac v10 or later, the auto-update mechanism will be disabled.

For Workplace v8.x or earlier, update notifications will be disabled.

If the device's Version Status is Update required it will still be updated automatically. This safeguard is in place to ensure that users always enjoy a functional Workplace experience.

IMPORTANT  While we encourage you to use Silent installation, we recommend that you allow Datto to maintain user versions through the auto-update mechanism. This will ensure that users always have an up-to-date version of our Workplace app. Please do not enable this policy unless you have an exceptionally good reason.

Select the check box.
Disable Remote Access Disable remote access to devices running Workplace. Select the check box.

Policy What it does How to use it
Prevent Mobile Editing Prevents existing Workplace content from being modified via Workplace Mobile and the Microsoft Office integration. Select the check box.
Prevent Mobile Exporting Prevents files from being exported to other apps, attached to emails, printed, etc. from Workplace Mobile. Select the check box.
Prevent Mobile Adding and Creating Prevents creation of new Workplace files, folders, and projects via Workplace Mobile. Select the check box.
Enforce Authentication* Require authentication to access Workplace Mobile.

Select check box, then select the type of authentication required, and the timeout period. Passcode is a user-created 4 digit code. Password is the user's Workplace account password. Password is more secure.

If passcode is selected, the users will have to use authentication, but can select between passcode, password or (Workplace Mobile for iOS only) TouchID. If password is selected, the users must enter their password to access their account via Workplace Mobile.

Select the number of failed authentication attempts allowed before all Workplace data on the device is wiped.

If this field is set to None, after 10 attempts, access to the account will be disabled for 10 minutes.

Allow Local Storage on Mobile Devices Users may sync projects and folders to mobile devices. Select the check box.
Restrict Offline Access Duration Set maximum number of days offline before online account validation is required for continued access to files. Select check box, then enter the number of days.

Policy What it does How to use it
Send Storage Alert Emails to Admins Only
(metered plans only)		 Emails about user quotas will be sent only to team administrators. For more information, refer to Manage team storage. Select check box.
Suppress Welcome Emails Welcome emails will not be automatically sent upon user creation. This is especially useful when deploying Workplace remotely.

You may always resend welcome emails from the User details page, or from the right-click menu on the Users page.		 Select check box.

How to...

Clear the Show selected policies check box at the top of the list.

The policies already included in the profile will be hidden. Only the policies that are not already included in the policy will display.

To locate a specific policy, you can:

  • Filter policies by group, using the dropdown menu

  • Begin typing the name of the policy you wish to find in the Search in Policies field

  • Use the filter and search field together, as illustrated below. The policies list will automatically update to match your query, and any search terms will be highlighted in the results:

  1. Select the check box corresponding to the policy.
  2. If necessary, adjust any available policy settings as needed.

NOTE  Some policies can be further managed on the Policy Profile Detail page once they have been added to the policy profile.

  1. Click Save.