Browse Policies & Filtering
- Application categories (Zero Trust app management)
- Active Directory group policies
- Content categories
- Custom block pages
- Don't mix DNS providers
- Prevent DNS bypass
- Safe Search explained
- Safe Search supported search engines
- Security categories
- Working with policies
- Working with allow and block lists
- YouTube Restricted Mode explained
Application categories (Zero Trust app management)
Block whole categories of web applications while allowing specific apps through an allow list. Useful for zero-trust deployments: deny all VPN except the corporate one, deny all remote-access except your sanctioned tool, etc.
The Applications sub-tab of a policy blocks whole groups of web applications by name. It covers tens of thousands of underlying domains and is built for zero-trust patterns: deny a category outright, then allow only the specific apps you’ve sanctioned.
Common patterns:
- Block every VPN except your approved corporate VPN.
- Block every remote-desktop / RMM tool except the one your team uses.
- Block all peer-to-peer software on managed networks.
- Block AI and ML apps except the one with a contract.
This reduces attack surface and undermines common social-engineering paths (e.g. “install AnyDesk so I can help you”).
Categories
AI & ML
Generative AI and machine-learning tools that create or analyze text, images, or data.
- Anthropic
- ChatGPT / OpenAI
- Copilot
- Gemini
- Grok
Educational Games
Interactive learning apps designed primarily for children.
- Khan Academy Kids
- Toca Life World
- Pok Pok
Games
Online games that can consume bandwidth and distract users.
- Epic
- Fortnite
- Roblox
- Steam
Instant Messaging
Real-time text and media chat services.
- Discord
- Facebook Messenger
- Skype
- Slack
Online Storage
Cloud file-storage and synchronization platforms.
- Google Drive
- Dropbox
- OneDrive
- SharePoint
- iCloud
Peer-to-Peer (networking and VPN)
- BitTorrent / μTorrent
- qBittorrent
- Transmission
- NordVPN
- Surfshark
- Cloudflare WARP (1.1.1.1)
- OpenVPN
Remote Access Tools
Software that allows remote control or screen sharing, including RMMs.
- TeamViewer
- AnyDesk
- Chrome Remote Desktop
Social Networking
Platforms for sharing posts, media, and messages with broad audiences.
- TikTok
Streaming Media
On-demand video and audio services (formerly included iTunes).
- Netflix
- Amazon Prime
- Twitch
- Spotify
- Apple Music
- YouTube Music
Voice over IP
Voice and video-calling applications that operate over IP networks.
- Discord
- Skype
- Zoom Phone
Web Chat
Browser-based team or customer-service chat platforms.
- Intercom
Web Email
Email services accessed through the cloud via browser or desktop client.
- Gmail
- Office 365
- Outlook.com
- Yahoo Mail
Web Proxy
Sites and domains that attempt to bypass network controls or hide identity.
- Blocks all known DoH domains
- Disables Apple DNS Proxy Service
- Hide.me
Windows Update
Windows OS updates. Sometimes blocked on guest networks to preserve bandwidth on metered links.
Deprecated categories
These category names still appear in some older configurations but have been consolidated:
| Old category | New home |
|---|---|
| Web Email | |
| iTunes | Streaming Media |
Allow specific apps inside a blocked category
A typical zero-trust setup blocks a category broadly and uses a custom allow list to permit one or two apps inside it.
Example: block the Remote Access Tools category, then add an allow-list entry for your sanctioned RMM’s domains.
[!TIP] Allow entries always win over category blocks. See the evaluation order for the full precedence rules.
Related
- Working with policies, where Applications fits in the policy editor
- Working with allow and block lists, allow-list overrides for category blocks
- Content categories, adjacent category set for general content filtering
- Security categories, threat-focused categories like malware and phishing