Policies enable you to organize computers running the Carbon Black App Control Agent into groups with common security requirements.

For example, you can create policies based on departmental affiliations like sales, marketing, or other organizational relationships. You might also create policies specific to a computer’s purpose, such as a special domain controller policy. A single policy may be appropriate if you want a single, company-wide operating standard for all computers, but typically you will create multiple policies.

Policies normally are assigned to computers, not users, although Active Directory data can be used to assign policy by user. Each computer has only one policy at a time, regardless of the number of users currently logged on.

Once a policy is created, you can assign computers to it through a variety of methods, including automatic assignment based on Active Directory group. See Managing Computers for more details on policy assignment.

When you create a policy, Carbon Black App Control attempts to create an agent installer that assigns the policy to computers that use the installer. If you have not yet uploaded agent installer packages and a rules file to your server, or if agent installer creation is disabled for all operating systems, creating a policy generates error events indicating that the agent installers for that policy cannot be created. You can still create the policy, but to avoid populating the Events log with errors each time you create a policy, the best practice is to upload agent and rule installers before creating policies. See "Uploading Agent Installers and Rules to the Server" in the VMware Carbon Black App Control Agent Installation Guide for more information.


Policy names can use alphanumeric characters and certain symbols in the ISO-8859-1 set. Characters in the 32-126 range in the ISO-8859-1 set are legal, with the following exceptions: < > : " / \ | ? * # @ `

If you enter Unicode characters or reserved symbols in a policy name, the console displays a warning dialog. You must remove the illegal characters from the name before you can save the policy.

Some characters that are allowable in policy names might cause problems when running the agent installer for the policy. For policies that will be applied to Mac computers, avoid parentheses and spaces in the name, or be prepared to “escape” these characters when you run the installer.
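
A pre-check for candidate policy names against the rules above, as an added example that is not part of the Carbon Black App Control product or its documentation. The function names and sample names are constructed, and the shell-quoted form assumes the policy name is passed as a single word in a POSIX shell when the Mac installer is run.

```python
import shlex

# Reserved symbols the page lists as illegal in policy names.
RESERVED = set('<>:"/\\|?*#@`')
# Characters the page says to avoid, or escape, for Mac installers.
MAC_RISKY = set("() ")


def check_policy_name(name):
    """Return (illegal, mac_risky) as sorted lists of offending characters."""
    illegal = sorted(
        {c for c in name if not 32 <= ord(c) <= 126 or c in RESERVED}
    )
    mac_risky = sorted({c for c in name if c in MAC_RISKY})
    return illegal, mac_risky


def report(names):
    """Build one result row per candidate policy name."""
    rows = []
    for name in names:
        illegal, mac_risky = check_policy_name(name)
        rows.append({
            "name": name,
            "valid": not illegal,
            "illegal": illegal,
            "mac_risky": mac_risky,
            # Assumption: the name is used as one word in a POSIX shell.
            "shell_quoted": shlex.quote(name),
        })
    return rows


if __name__ == "__main__":
    # Constructed sample names, not taken from any real deployment.
    samples = ["Domain-Controllers", "Sales (EMEA)", "R&D/Lab#2", "Büro"]
    for row in report(samples):
        print(row)
```

A name can be valid for the console and still appear in mac_risky; those are the names to rename or quote before running the Mac installer.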

Create a Policy

Use this procedure to create a new policy.


  1. On the console menu, choose Rules > Policies. The Policies page appears:
    [Figure: The Policies page]
  2. On the Policies page, click the Add Policy button. The Add Policy page appears (shown below for a Control policy):
    [Figure: The Add Policy page]
  3. On the Add Policy page, enter a policy name and define the other policy parameters as you choose (see Policy Definitions). The parameters you see may vary depending on other policy settings and configuration choices.
  4. After you have provided the policy configuration parameters on this page, click the Save button. The new policy appears in the table on the Policies page.
  5. To modify the Device Settings or Advanced Settings for this policy, click the View Details button next to the new policy name, make your modifications, and click Save. See for detailed instructions on editing these settings. Note that Device and Advanced Settings do not appear on the Add Policy page – you must save the policy first to see them.
    • For more information about the Device Settings and other device monitoring and control features in Carbon Black App Control, see Managing Devices
    • For information about customizing the notifier displayed on a client computer when policy and ban settings are enforced, see Endpoint Notifiers and Approval Requests