User Risk: App Usage Policies
- Overview
- Policy options
- Rules of engagement
- Update the organization's default policy
- Update an app's base rule
- Create custom rules
- Bulk-update app usage policies
Overview
App usage policies define how (or if) your users can engage with individual applications. How app usage policies work:
- Every app must have an assigned app usage policy. Apps can have one of four base policies: approved, tolerated, nudged, or blocked.
- Default app rule. An organization-wide default policy ensures every app has a policy. This policy is set to ‘tolerate’ by default, but you can update it.
- Base rules. Override the default policy by updating an app’s base policy. Set base rules to the policy that applies to the most (or all) users.
- Custom rules. Give individual teams or roles more or less access to apps as needed. Ex: If only your Finance team should have access to Xero, set the app's base rule to blocked and then create a custom rule that approves Xero for the Finance team.
UpGuard's browser extension enforces policies in real time so the experience users see in the browser matches what's been set in UpGuard.
App usage policy options
You must be an admin, or have admin rights, in UpGuard to update app usage policies.
All apps must have a base rule applied. The table below shows what each policy means and what users experience in the browser.

| Policy | When to use | What users experience |
| --- | --- | --- |
| Approve | App is approved for business use without restrictions. | No intervention. Users are able to access and use the app. |
| Tolerate | App is accessible, but not officially approved for use. | No intervention. Users are able to access and use the app. The extension lists the app as ‘unsupported’ so that users know it’s not approved. |
| Nudge | App is accessible but users are encouraged to stop usage or to use another app instead. | A banner warns the user that the app isn't approved, advises against sharing sensitive data, and may suggest approved alternatives. Users can dismiss the banner and continue. |
| Block | App is restricted and users are blocked from accessing it. | The page is replaced with a full-page blocking overlay. The user cannot access the app. Approved alternatives are shown if configured. |

If applicable, browser defense policies (block file uploads and copy/paste, personal OAuth login restriction, and password detection) layer on top of these outcomes.
Rules of engagement: policies
Organization defaults, base rules, and custom rules allow you to create a strong default policy while still giving everyone the exact access they need.

| Policy | Impact |
| --- | --- |
| Organization default policy | Every app has a policy. Unless you change an app’s policy, it will use your organization's default base rule. All apps are automatically given the organization default rule when they are first detected and stay in the default unless you update the app’s base rule or create a custom rule. The default base policy is set to ‘Tolerate’ but you can update this. |
| Individual app base rule | Change an individual app’s base rule anytime you want its base rule to be different than the org’s default. Set an app’s base rule to the policy that applies to the most (or all) users. Base rules can be more or less restrictive than the org’s default policy. |
| Custom rules | Use custom rules to give teams and/or roles a different policy from the base rule. If a user matches multiple custom rules associated with the same app, for example they're in Finance (an Approve rule) and have a Sales Rep role (a Block rule), the most restrictive outcome applies. Custom rules can be more or less restrictive than the base rule; where a custom rule applies, it takes precedence over the base rule. |

🧠 Apps that have been admin-consented through Microsoft Entra are automatically assigned an Approved policy in UpGuard. New base rules and custom rules can’t be applied to these apps within UpGuard; to change app access, manage permissions in Entra.
Update the organization's default policy
Update the organization’s default policy to update the policy applied to all new apps, and all apps currently using the org’s default policy.
- Click the Settings (gear) icon in UpGuard's upper right-hand corner.
- Click Policies under User Risk in the left panel.
- In the Organization default policy section, click the pencil icon next to the current default policy.
- Select the new policy.
- Click Save.
- A confirmation modal appears and tells you how many apps will be impacted by the change.
- Click Update.
User Risk’s browser UI immediately updates and new apps detected after this change immediately inherit the new default policy. Your users’ browser extensions will update within an hour.
Update an app's base policy
Update an app’s base policy to assign it a policy different from the organization’s default. Set an app’s base rule to the policy that applies to the most (or all) users.
- Click the User Risk icon from UpGuard’s left-hand navigation.
- Click Applications.
- Click the app whose policy you want to update.
- Click Manage usage policy in the page’s upper-right corner.
- Click the pencil icon next to the app’s current base rule.
- Select the new policy.
- (Optional) Add custom rules for specific teams or roles.
- Review the Impact preview sidebar on the right side of the manage-policy page to see how many current users will fall into each outcome or if users match multiple custom rules.
- Click Update usage policy.
- (Optional) Add a note explaining why you made the change(s). This will help when reviewing settings later.
- Click Save.
User Risk’s browser UI immediately updates and your users’ browser extensions will update within an hour.
Create custom rules
Use custom rules to override the app’s base rule for specific teams or roles. Example: block an app for the whole organization (base rule) but approve it for the team that needs it (custom rule).
1. Go to User Risk > Applications and select an application.
2. Click Manage usage policy.
3. Scroll to the Custom rule section under the base rule. To assign a policy to a team or role, find the outcome you want them to have and add the team or role to it.
4. Click the pencil icon next to the appropriate policy.
5. Click the dropdown next to Roles or Teams to create an exception for that group.
6. (Optional) Repeat steps 4 and 5 for additional rules you want to create for this app.
7. Click Update usage policy at the bottom of the page.
A given team or role can only be assigned to one custom rule per app. Teams and roles that are already assigned to a different rule are greyed out in the dropdowns.
🧠 When a user matches multiple custom rules — for example, they're in Finance (an Approve rule) and have a Sales Rep role (a Block rule) — the most restrictive outcome wins. The Impact preview sidebar flags these conflicts before you save.
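The precedence described above (Entra admin consent, then custom rules with the most restrictive match winning, then the app's base rule, then the organization default), modelled as an added example for reasoning about rule sets before you save them. This is not UpGuard's code or API: the class and function names, the `team:`/`role:` labels, and the least-to-most-restrictive ordering Approve, Tolerate, Nudge, Block are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, Optional, Set


class Policy(IntEnum):
    # Assumed order, least to most restrictive, following the policy table.
    APPROVE = 0
    TOLERATE = 1
    NUDGE = 2
    BLOCK = 3


@dataclass
class App:
    name: str
    base_rule: Optional[Policy] = None  # None: app still uses the org default
    custom_rules: Dict[Policy, Set[str]] = field(default_factory=dict)
    entra_admin_consented: bool = False

    def add_custom_rule(self, policy: Policy, group: str) -> None:
        # A team or role can be assigned to only one custom rule per app.
        for other, groups in self.custom_rules.items():
            if group in groups and other != policy:
                raise ValueError(f"{group} already has a {other.name} rule")
        self.custom_rules.setdefault(policy, set()).add(group)


def effective_policy(app: App, user_groups: Set[str],
                     org_default: Policy = Policy.TOLERATE):
    """Return (policy, source, conflict) for a user's teams and roles."""
    if app.entra_admin_consented:
        return Policy.APPROVE, "entra", False  # access is managed in Entra
    matched = {p for p, groups in app.custom_rules.items() if groups & user_groups}
    if matched:
        # Custom rules override the base rule; the most restrictive match wins.
        return max(matched), "custom", len(matched) > 1
    if app.base_rule is not None:
        return app.base_rule, "base", False
    return org_default, "org-default", False


# Constructed sample: Xero blocked for everyone except Finance.
xero = App("Xero", base_rule=Policy.BLOCK)
xero.add_custom_rule(Policy.APPROVE, "team:Finance")
xero.add_custom_rule(Policy.BLOCK, "role:Sales Rep")

if __name__ == "__main__":
    for groups in ({"team:Finance"}, {"team:Finance", "role:Sales Rep"}, {"team:HR"}):
        print(sorted(groups), effective_policy(xero, groups))
```

The third element of the result is true when a user matches custom rules with different outcomes, the situation the Impact preview sidebar flags.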
Bulk-update app usage policies
Use bulk updates to change multiple apps’ base rules at the same time or to add, remove, or edit attributes.
❗Before you continue:
- Custom rules are deleted for any app whose base policy is updated via bulk update.
- Updating an app’s attributes via bulk actions overwrites all of its previous attributes with the bulk action selection.
- Admin-consented (Microsoft Entra) apps cannot be included in a bulk policy update.

- User Risk > Applications
- Click the checkboxes next to the apps you want to update.
- In the action bar at the bottom of the page, click:
  - Manage usage policy and click the outcome you want to apply (Approve, Tolerate, Nudge, or Block).
  - Manage attributes and add label(s) and value(s). To remove attributes, simply leave the modal blank.
- Click Update or Save.