SECURITY Full Access or Team Access
NAVIGATION
Policy profiles allow you to control the behavior of Workplace on as broad or as granular a scale as you require. Once you've created your policy profiles, you'll apply them to groups or users in whatever way best supports your company's internal collaboration workflows and processes, as well as your security needs.
The Policy Profile Detail page allows you to edit the name or description of the policy profile, add or remove individual policies, edit individual policies in the policy profile, delete the profile, assign the policy profile to users or groups, and remove users or groups from the policy profile.
NOTE Policies that govern backup functionality are only available to metered plan Workplace teams.
The page is comprised of two views:
The Policies view displays the individual policies associated with the profile:
The Assigned to view displays the users and groups to which the profile is assigned and allows you to remove users or groups from the profile:
Understanding, applying, and configuring individual default policies
The areas below describe how to enable and configure specific policies, and how those policies will affect users who are only associated with the default policy set.
Policies must be added to the policy profile before they can be configured. Additional settings for policies are usually available when policies are enabled, but some setting require that you save the profile before they can be configured. Those policies are noted in the tables below.
Too add policies to a policy profile, please refer to Add policies
Security policies
| Policy | What it does | How to apply it |
| IP Address Whitelist | Restricts log in via a web browser, Workplace Mobile or Workplace Desktop to specified IP addresses. |
Toggle the switch to On. By default, users will be able to log in to any component of Workplace from an IP address on this list. To exclude login to some Workplace components, you may clear the Workplace Online, Workplace Mobile and/or Workplace Desktop check boxes for any IP address. You can use wildcard symbol * to include a range of IP addresses. NOTE Wildcards are implemented in a very simple way. Just use one or more asterisks in the pattern. An asterisk will replace 0 or more characters
|
| Public Sharing | Allow users with the correct permissions to create |
Select check box. When this policy is added to the policy profile, you can choose to enable any or all of the following additional settings: Enforce Email Validation Public share recipients will be prompted to enter their name (optional) and email address (required) when they access the share. Enforce Password Requires that public share recipients enter a password before accessing the file. Maximum Expiration Length Determines the maximum amount of time that the share is available. You may select a duration. Users to whom this policy profile applies will be able to adjust the duration downward, but they will not be able to increase it. |
| Watermark Preview |
Places a watermark on files are viewed with View Only permissions. The watermark consists of the user's full name and email address. This only applies to converted files, not images or videos. Refer to File conversion limits for more information on which file types are converted. |
Toggle the switch to Enable. |
| Require Device Approval | Devices require approval by a team administrator before the user may connect to the service. | Toggle the switch to Enable, then select the type of device that requires approval (mobile or desktop), or select all to require approval for all devices. |
| Wipe Data when Account Disabled |
Remotely erase all data synced via the Workplace service from the user's devices when their account is disabled. If this policy is enabled, the Disable and Wipe Devices option is selected by default when you disable a user. When a device is wiped, it is also purged. NOTE If Active Directory integration is enabled and a user is disabled via Active Directory, the synced data in the Workplace Folderwill be automatically wiped from all their devices. |
Toggle the switch to On. |
| Wipe Data when Account Deleted |
Remotely erase all data synced via the Workplace service from the user's devices when their account is deleted. When this policy is enabled and a user account is deleted, the default Don’t Wipe option next to each device is changed to Wipe. When a device is wiped, it is also purged. NOTE If Active Directory integration is enabled and a user is deleted via Active Directory, the synced data in the Workplace Folder will be automatically wiped from all their devices. |
Toggle the switch to On. |
| Session Timeout | Number of minutes after which a web session will expire. | Toggle the switch to On, then enter the number of minutes. The default value for this field is 60. |
| Allow "Remember Me" | Users are allowed to select the "Remember Me" option on the Log In page. | Toggle the switch to On. |
| Display IP Address in Web UI | IP address of user currently logged in is shown in UI. | Toggle the switch to On. |
| Automatically Disable and Recycle Devices | Automatically disables devices that have not connected to Workplace for a specified number of months, and recycles devices the have been disabled for a specified number of months. |
If this policy has been disabled, toggle the switch to On. An email notification will be sent to team administrators |
Password policies
| Policy | What it does | How to apply it |
| Password Strength | Minimum strength required when users create their passwords. | Toggle the switch to On, then select a minimum password strength. |
| Password Expiration | Number of days after which the password will expire. Optionally allows prevention of password expiration for password with a strength of 5, even when password expiration is enabled. |
Toggle the switch to On, then enter the number of days. Optionally select the Strength score 5 passwords do not expire check box. |
| Recent Password Cycle | Number of times that a password must be changed until it can be reused. | Toggle the switch to On, then enter the number of cycles. |
| Recent Password Interval | Number of days for which recent password cannot be reused. | Toggle the switch to On, then enter the number of days. |
| Password Length Requirements | Sets the minimum and maximum length of passwords. | Toggle the switch to On, then enter a minimum number and/or a maximum number. The range is 6-30. The default value for the Minimum field is 6. The default value for the Maximum field is 30 |
| Must Contain Letters | Password must contain at least one letter. | Toggle the switch to On, then select the type of letter requirement you want to enforce: any, upper case, lower case, both. |
| Must Contain Digits | Passwords must contain at least one digit. | Toggle the switch to On. |
| Disallow Characters | Characters that passwords cannot contain. | Toggle the switch to On, then enter the characters you do not want to allow users to include in passwords. '|' cannot be a rejected character. |
| Restrict Number of Failed Login Attempts | Number of failed login attempts required to deactivate the account. | Select the check box, then enter a number. The default value for this field is 5. |
| Two-Factor Authentication |
Use two-factor authentication in the login process. For more information, refer to Manage Two-Factor Authentication |
Toggle the switch to On, then click Save and proceed to Additional 2FA Settings, below. |
| Additional 2FA Settings | ||
| Enforce (only available when Two-Factor Authentication check box is selected) |
2FA is mandatory unless explicitly disabled for that user. Refer to Manage Two-Factor Authentication. There will be no grace period during which users may skip 2FA. New users added to the team will also have 2FA enforced. |
After you enable the 2FA policy and save, a Manage link will appear next to this setting. Click the Manage link to open the Manage Two-Factor Authentication page and complete configuration of this policy.
|
| IP Address Whitelist (only available when Two-Factor Authentication check box is selected) |
Allow IP addresses that can log in without two-factor authentication. *Workplace Desktop installations will always ask for 2FA even when coming from a whitelisted IP. |
After you enable the 2FA policy and save, a Manage link will appear next to this setting. Click the Manage link, which will open this popup window: NOTE Wildcards are implemented in a very simple way. Just use one or more asterisks in the pattern. An asterisk will replace 0 or more characters
When you have added all the addresses you want, click Update. |
User policies
| Policy | What it does | How to apply it |
| Exclude Groups from Sharing | Specify the groups to be hidden when users share projects or folders. |
Toggle the switch to On. Once you have enabled this selection, click the Manage link to open the Manage Restricted Groups popup window:
|
| Restrict Unlock Override to Project Owner | Only the owner of a project can override another user's lock. By default, all users with modify or higher permissions to the file may override (unlock) other user's lock. | Toggle the switch to On. |
| Prevent Project Creation | Users or groups or users to whom this policy is applied will not be able to create new projects. | Toggle the switch to On. |
Workplace for Windows and Mac policies
| Policy | What it does | How to apply it |
| Lock Settings | Prevents users from being able to make changes to settings and quitting. Users with this policy applied will not be able to control their sync preferences, backups, and networks settings via Workplace Desktop. | Toggle the switch to On. |
| Local Storage Defaults | Set the volume name, drive letter, and file path where users will access Workplace files on their device. |
Toggle the switch to On. Then click the Manage link for this policy to set the default location for the Workplace folder on the Manage Workplace Location page. |
| Workplace v10 Storage Settings |
Specifies the location in which v10 stores files, and the maximum amount of storage that can be used by the automatic sync process when a user opens a file. Files that are opened on the device will automatically be retained in this cache and will be available while offline until the cache is full. Files opened the longest time ago will be automatically cleared from the cache. NOTE All files are stored in the cache location. Files that have been synced to the device to make them available offline are not included in the cache size. |
Toggle the switch to On. Then, for cache size, enter a value of 10 GB or greater in the corresponding field. To manage the cache location, you must first click the Save button at the bottom of the page. Then click the Manage Location link. This will open the Manage Cache Location interface. |
| Enforce Project Sync |
Specify projects or folders that will automatically sync to the device. If this policy is enabled, the Project list controlled by administrator check box on the Workplace Desktop Sync tab will be selected by default upon installation, but users may clear the check box to customize the projects they wish to sync. If they select the check box again, only projects designated in this policy will be synced. |
Toggle the switch to On, then click the Manage link for this policy to open the Manage Projects to Sync page and designate which projects and/or folders will sync. |
| Restrict Offline Access Duration | Sets the maximum number of days that files can be accessed without a connection to the Workplace service. Requires Workplace v10.3 or higher. | Toggle the switch to On, then select a time period from the Deny access after dropdown. |
| SmartBadge | Displays SmartBadge on Microsoft Office documents, allowing for enhanced collaboration. | Toggle the switch to On. The Auto-lock Microsoft Office Files check box enables automatic locking of Microsoft Office files when edited and automatic unlocking when closed. This check box is selected by default, but you may clear it if you wish. |
| Outlook Plugin | Determines whether the Workplace Outlook plugin is enabled by default upon installation. |
Toggle the switch to On. |
| Disallow Remote Access | Disable remote access to devices running Workplace. | Toggle the switch to On. |
| Throttle Control | Enable to set the maximum speeds at which Workplace devices can upload to and download from the Workplace service. Leave a field blank to use the maximum speed. Users can, via the Workplace app Network tab, reduce transfer speed, but they cannot increase it beyond the limit you've set here if this policy is enabled. NOTE Throttle control settings apply to Workplace Desktop 7.2 and later only. These settings do not affect Workplace Server. |
Toggle the switch to On, then enter the maximum download and upload speeds in the fields provided. |
| File Backup (metered plans only) |
Allows backup of files using Workplace for Windows and Mac. |
Toggle the switch to On. |
| Backup Folders (metered plans only) |
Allows you to specify the folder paths to back up using Workplace for Windows and Mac.
If this policy is enabled, the Backup paths controlled by administrator check box on the Workplace Desktop Backup tab in Workplace Desktop will be selected by default upon installation, but users may clear the check box to customize the folders they wish to back up. If they select the check box again, only paths designated in this policy will be backed up. |
Toggle the switch to On. Click the Manage link for this policy to open the Manage Backup Folders page and designate which folders will be backed up. |
| Restrict Update Automation |
All updates will require manual installation or remote deployment. For Workplace for Windows and Mac v10 or later, the auto-update mechanism will be disabled. For Workplace v8.x or earlier, update notifications will be disabled. If, however, the installed version is no longer supported, it will still be updated automatically. This safeguard is in place to ensure that users always enjoy a functional Workplace experience. IMPORTANT While we encourage you to use Silent installation, we recommend that you allow Datto to maintain user versions through the auto-update mechanism. This will ensure that users always have an up-to-date version of our Workplace app. Please do not enable this policy unless you have an exceptionally good reason. |
Toggle the switch to On. |
Workplace Mobile policies
Notification policies
| Policy | What it does | How to apply it |
|
Send Storage Alert Emails to Admins Only
(metered plans only) |
Emails about user quotas will be sent only to team administrators. For more information, refer to Manage team storage. | Toggle the switch to On. |
| Suppress Welcome Emails | Welcome emails will not be automatically sent upon user creation. This is especially useful when deploying Workplace remotely. You may always resend welcome emails from the User details page, or from the right-click menu on the Users page. |
Toggle the switch to On. |
How to...
Edit the profile
- Click the Edit button. This will open the Edit Profile popup:
- Edit the name and description of the policy profile as necessary.
- Click Save.
Delete the profile
- Click the Delete button. This will open the Delete Policy Profile page:
NOTE This page will display any users or groups to which the profile is currently assigned.
- Click Delete to confirm your action.
Add policies
- Click the + Add Policies link. This will open the Select Policies page:
NOTE To see the policies already included in the profile, select the Show Selected Policies check box in the upper right corner of the list.
- Select the check box corresponding to the policies you wish to include in the profile.
- Adjust policy settings as necessary.
- Click Done.
NOTE Some policies can be further managed (for example, Manage Two-Factor Authentication) on the Policy Profile Detail page once they have been added to the profile.
Modify policy settings
- Locate the policy whose settings you wish to edit.
- Make any necessary adjustments to the policy.
- Click Update.
NOTE Some policies can be further managed or modified on policy-specific pages. For these policies, click the Manage link, then make and save any necessary adjustments. The following policies have associated management pages:
Manage Two-Factor Authentication
Manage Backup Folders (metered plans only)
Manage Projects to Sync
Manage Workplace LocationManage groups to exclude from sharingManage Backup Folders
Remove policies
- Locate the policy you wish to remove.
- Click the
icon at the far right of the policy record.
NOTE There is no confirmation message before the policy is removed from the profile. You can always add the policy again if you remove it in error, but when you add it again, it will revert to its default settings, so you may have to adjust the policy settings.
Assign the profile to users or groups
- Click the Assigned to button at the top of the list. This will open the Assigned to view:
NOTE This page will display the users or groups to which the profile is already assigned.
- Type the name or email address of a user, or the name of a group, or click the
icon to select users or groups from a data selector. - Click Done.
- Click Assign.
Remove a user or group from the policy profile
- Click the Assigned to button at the top of the list. This will open the Assigned to view:
NOTE This page will display the users or groups to which the profile is already assigned.
- Locate the user of group from which you wish to remove this profile.
- Click the icon next to that user or group. If removing the user or group from the policy profile will result in a change to their permissions and/or user experience, a "before and after" comparison page will display, showing a "before and after" snapshot of the policy changes that will be applied if you proceed.. Review the changes the user or group will experience if you remove them from the profile.
- Confirm your changes to complete the process.
