v1 scope

Explicit list of what's in v1 and what's not. Honesty about scope is a positioning pillar; this page is the source of truth.

What's in v1

Enforcement

Block-by-default whitelisting on USB devices
User-mode enforcement via Configuration Manager APIs
Match types: vid_pid, serial, device_group, vendor_name, class
Actions: allow, block, audit
Hardcoded HID-class guardrails

Cloud / management

Multi-tenant SaaS with RLS isolation
Email/password authentication
TOTP MFA (WebAuthn in v1.1+)
RBAC: owner / admin / operator / auditor
User invitations
Endpoint groups with per-group policies
Per-group discovery mode (default 14 days)
Built-in templates: Standard Office / Engineering / Kiosk
Curated VID/PID device library

Operations

WPF tray app with toast notifications
Service ACL self-protection
Watchdog re-disable
Stale-policy fail-closed
Tamper event reporting

Deployment

Signed MSI installer
PowerShell one-liner from the dashboard
Group Policy + Intune deployment guides

Billing / lifecycle

Stripe Checkout + Customer Portal
14-day no-card trial
Trial expiry with 30-day grace + fail-open enforcement
Capability flags per tenant

Compliance / observability

Admin audit log
Event CSV / JSON export
NIST 800-171 control mapping doc
Email + webhook alerts

Deferred to v1.1

Native Slack / Teams integrations
Syslog / SIEM forwarding
SMS / PagerDuty native
RMM platform native templates (NinjaOne, ConnectWise, Datto, Action1)
Bulk CSV enrollment
Full-text search across events
Saved searches + views
Multi-tier pricing breakpoints
Hardware ID matching
WebAuthn MFA factor

Deferred to v2

Kernel-mode enforcement driver
Read-only enforcement on mass storage
macOS agent
SAML SSO + SCIM provisioning
File-copy auditing
BitLocker-required policy
Per-endpoint policy overrides
Policy inheritance

Deferred to v3

Linux agent
Network device control
Bluetooth control

Permanently out of scope

Full DLP suite
EDR / XDR functionality
Password management
Backup / asset inventory
SIEM replacement

v1 scope — PermitUSB docs