Skip to main content

12 posts tagged with "Policies"

View All Tags

Clearer policy settings and a redesigned Discovery

This week is about making setup clearer: you can see exactly when an Enforcement policy warns or blocks, and adding a Discovery connection is simpler.

See exactly when a device is warned or blocked

Setting up an Enforcement policy no longer means guessing what will happen. The policy settings now show a threshold timeline and a live timing summary as you edit, plus suggestion chips for common warn and block windows. You can see precisely when a device would be warned, and when it would be blocked, before you save. Enforcement stays configurable: a policy can warn or block, with or without an Awareness notification. Set up a policy

A simpler way to connect Discovery

Discovery has a redesigned two-column overview and a clearer way to add a connection. Selecting Add connection now opens a provider picker for Microsoft, Google or Okta and takes you straight to a step-by-step setup page for the one you chose. Discovery reads the devices in your organization from a connected identity provider, so adding one is the first step to seeing every device in use. Connect Discovery

  • Dashboard: the Devices table now shows whether a device's Last Seen came from the XFA agent or from Discovery.
  • Dashboard: billing details and the change-address flow moved into a redesigned Subscription section, and adding a payment method now asks you to pick a plan first when none is active.
  • Dashboard: an account blocked for billing can still open Settings to download its invoices.
  • Dashboard: the Overview shows its shell and skeletons immediately for a faster first load, removing the blank white first paint.
  • Dashboard: the onboarding language switcher now uses the shared dropdown for a consistent look.
  • Integrations: you can now disconnect a Microsoft Teams connection from the Integrations page, the same as Slack.
  • Web app: the install and MFA screens have a refreshed layout and clearer copy.
  • Dashboard: the app now reloads itself once after a deploy instead of erroring on a stale page chunk.
  • Dashboard: the device-notify popup hides right away after you choose Don't show again.
  • Integrations: reconnecting Vanta no longer fails with a 500 error.

Compliance Status Bar

The dashboard now includes a clearer compliance status bar for policy-based device security.

The new view helps administrators quickly understand how devices are progressing against their security policy:

  • See which devices are already compliant and which still need attention.
  • Distinguish devices that are warned, blocked, or not yet covered by an action.
  • Identify devices with missing information that may need verification before their status is complete.

This gives teams a faster way to review policy health and decide where to focus next.

Open the dashboard

Policy Compliance Summary

Policy detail pages now include a compliance summary next to the policy settings.

The summary helps administrators understand the current state of a policy while editing it:

  • See how many devices are compliant, non-compliant, or missing information for the selected policy.
  • Keep the compliance overview visible while reviewing or updating policy settings.
  • Quickly understand whether a policy is already broadly satisfied or still needs attention.

Review your policies

Claude Code 'Auto' mode flagged as unsafe AI configuration

XFA's unsafe AI mode check now recognises Claude Code's newer persisted permission modes alongside the legacy dangerouslySkipPermissions flag, so administrators get accurate reporting whenever an agent is configured to auto-approve every tool call.

The following values of permissions.defaultMode in ~/.claude/settings.json (or ~/.claude/settings.local.json) are now flagged as unsafe because they auto-approve every tool call, including shell commands and network requests:

  • bypassPermissions — persisted equivalent of running with --dangerously-skip-permissions. Treat this as 'agent has full local user privileges'.
  • auto — the new Claude Code 'Auto' mode. Same risk class: skips permission prompts via a classifier and is intended for sandboxed CI, not for personal devices.

Both modes are unsafe to run on machines with credentials or production access. Safe values (default, plan, acceptEdits) remain unflagged. Devices configured with either flagged mode are now reported in the Unsafe AI Mode check, and end users see remediation steps in the in-app guide.

Review your AI policies

Intune and Vanta Checks

Two new MDM and compliance checks are now available for the desktop app:

  • Microsoft Intune — Verify whether a device is enrolled in Microsoft Intune. Supports both macOS and Windows.
  • Vanta — Detect whether the Vanta compliance monitoring agent is installed and running. Supports macOS, Windows, and Linux.

Both checks can be configured in your organization's policy with warning and blocking actions, just like all other security checks.

These checks are currently available on desktop only.

Configure your policies

AI Checks

Three new AI-related security checks are now available in your policies:

  • Secrets in environment — Detect and prevent exposed secrets in environment variables or runtime context to reduce credential leakage risk.
  • Autonomous agents — Detect autonomous agents and require approved controls before allowing access.
  • Unguarded elevation — Detect and prevent unguarded privilege elevation that can lead to unauthorized high-privilege actions.

Each check can be configured with warning and blocking actions, just like all other policy checks.

Configure your policies

Compliance Goals

Policies now support compliance goals, giving you granular control over how and when devices are warned or blocked.

For each security check, you can now configure three separate actions:

  • Set your compliance goal — Define the time period in which devices should become compliant (e.g., 30, 60, or 90 days). This goal is only visible to administrators.
  • Warn users — Choose when users are informed about a risk: before the compliance goal or on the due date.
  • Block a device — Determine when non-compliant devices are blocked from access: before the compliance goal or on the due date.

For version-based checks (OS, browser, reboot), the device detail page now shows timeline badges with the configured goal, warning, and blocking thresholds in days, so you can see at a glance how close a device is to each deadline.

Configure your policies

Windows Recall Policy

We've added Windows Recall as a check

We're excited to announce that XFA now includes Windows Recall validation as a new security check to enhance data protection on Windows devices.

Windows Recall is a feature that automatically captures screenshots and stores sensitive information from your screen. Our new security check ensures that this feature is properly disabled to protect your organization's confidential data.

This security check allows administrators to:

  • Detect when Windows Recall is enabled on managed devices
  • Warn users about the potential security risks
  • Block access to applications until Windows Recall is disabled

By adding this validation, XFA helps organizations maintain better control over data privacy and prevents sensitive information from being inadvertently captured and stored by Windows Recall.

Policy filter on overview

Policy filter

You can use the policies filter now on the top right of your dashboard. This will show you your statistics based on the policy you have selected.

Get started in the XFA Dashboard.

Policies

Policy page

You can create and manage device security policies to enforce specific security rules for your organization’s devices.

You have the flexibility to customize these rules and add Enforcement integrations to ensure that devices comply with your organization’s security standards.

Get started in the XFA Dashboard and create your own policy.

Exclude mobile or desktop devices

Excluding mobile or desktop devices

It's now possible to exclude a specific device type (mobile or desktop devices) from device verification. You can find this setting in the application policy.

This might be useful when you want to slowly onboard your devices or want to add XFA for a limited usecase to cover a blind spot.

Filtering on email

Filtering on email

To scope your policies to specific (groups of) users, you can now use an email whitelist to specify email or domain for users that should be included. Useful during during your first onboarding when you want to try out XFA with a small set of people!

Note: leaving the field empty will apply the policy to all users (which is the default).