Built-in policy templates

Three starter templates ship out of the box. Apply one to a fresh policy to skip the first 30 minutes of authoring; tune from there.

Standard Office

The safe default for most SMB workspaces. Allows printers, audio, video, security keys, and common HID peripherals. Blocks the mass storage class.

  • Allow class: Printer, Media, Image, Camera, SmartCardReader
  • Allow vid_pid: YubiKey 5, YubiKey 4, Google Titan, common FIDO2 keys
  • Block class: USBSTOR (mass storage)
  • Default-deny everything else

Engineering

Standard Office plus storage from known vendors. Designed for teams that legitimately need to move files on thumb drives, using specific approved devices.

  • Everything from Standard Office
  • Allow vendor_name: SanDisk, Kingston, Samsung (subject to tenant override)
  • Recommended: pair with serial-specific allow rules for individual approved drives

Kiosk / Locked Down

For shared / public terminals. HID only — mouse and keyboard. Everything else, including printers and security keys, is blocked.

  • Allow class: HIDClass
  • Block: everything else (default-deny does this; the rule list is short by design)

Why no Audit-Only template

Earlier drafts had one. We removed it because the right way to do audit-only is discovery mode on a per-endpoint-group basis — a time-windowed coercion of all rule actions to audit. That's cleaner than bloating a policy with a parallel set of audit-only rules you have to remove later.
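A simplified model of the three templates and of discovery mode, added here as an example; it is not PermitUSB's rule engine or policy schema. The rule tuple format, first-match ordering, the constructed `aaaa:0001` key ID and serials, and returning the would-be decision alongside `audit` are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Simplified model: a rule is (action, field, value); the first matching rule
# wins and no match means block (default-deny). Ordering is an assumption.
STANDARD_OFFICE = [("allow", "class", c) for c in
                   ("Printer", "Media", "Image", "Camera", "SmartCardReader")]
STANDARD_OFFICE += [("allow", "vid_pid", "aaaa:0001"),  # constructed security-key ID
                    ("block", "class", "USBSTOR")]
VENDORS = [("allow", "vendor_name", v) for v in ("SanDisk", "Kingston", "Samsung")]
ENGINEERING = VENDORS + STANDARD_OFFICE  # vendor allows precede the USBSTOR block
# Serial-specific variant: only one individually approved drive is allowed.
ENGINEERING_SERIAL = [("allow", "serial", "CONSTRUCTED-0001")] + STANDARD_OFFICE
KIOSK = [("allow", "class", "HIDClass")]


def enforce(rules, device):
    """Return the action of the first rule matching the device, else block."""
    for action, field, value in rules:
        if device.get(field) == value:
            return action
    return "block"


def evaluate(rules, device, now, discovery_until=None):
    """Return (applied action, enforced decision). Inside the discovery window
    every action is coerced to audit; the enforced decision is kept for review."""
    decision = enforce(rules, device)
    if discovery_until is not None and now < discovery_until:
        return ("audit", decision)
    return (decision, decision)


# Constructed sample devices (not real inventory data).
APPROVED = {"class": "USBSTOR", "vendor_name": "SanDisk", "serial": "CONSTRUCTED-0001"}
SAME_VENDOR = {"class": "USBSTOR", "vendor_name": "SanDisk", "serial": "CONSTRUCTED-0002"}
PRINTER = {"class": "Printer", "vendor_name": "ExampleCo"}
KEYBOARD = {"class": "HIDClass", "vendor_name": "ExampleCo"}

if __name__ == "__main__":
    now = datetime(2024, 1, 10, tzinfo=timezone.utc)
    window_end = now + timedelta(days=7)  # discovery mode active for one week
    cases = [("Standard Office", STANDARD_OFFICE, APPROVED),
             ("Engineering", ENGINEERING, SAME_VENDOR),
             ("Engineering + serial", ENGINEERING_SERIAL, SAME_VENDOR),
             ("Kiosk", KIOSK, KEYBOARD), ("Kiosk", KIOSK, PRINTER)]
    for name, rules, dev in cases:
        print(name, dev["class"], dev.get("serial", "-"),
              evaluate(rules, dev, now), evaluate(rules, dev, now, window_end))
```

The `Engineering + serial` case shows what the serial-specific recommendation buys: a second drive from the same approved vendor is blocked, where the vendor_name rule alone would allow it.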

Applying a template

From Policies, open any policy and click "Apply template." This replaces the rule list with the template's rules. Existing endpoint group assignments stay intact, so nothing else has to change.

The welcome wizard applies a template automatically on signup; you don't have to do this step manually unless you want a different starting point.

Templates — PermitUSB docs