Policy: File Access Allow Policy for Visual Studio Code

This example shows a File Access policy that explicitly allows file access for a specific application (Visual Studio Code) on targeted endpoints. It’s useful for demonstrating how to ensure a trusted developer tool keeps working when other File Access policies might otherwise block or require approval.

What This Policy Does

Applies a File Access rule in enforce mode.
Targets:
- Any user (*)
- A specific application (one App ID, representing Visual Studio Code)
- One specific endpoint (one Machine ID)
On a match, it applies an ALLOW control.
Does not require the user to acknowledge the notification.

Why It Behaves This Way

Application-Scoped Allowlist: Because the application targeting is a single App ID (not *), only Visual Studio Code (as identified by that App ID) is covered.
Broad User Scope: The wildcard user targeting means any user on the targeted endpoint can benefit from the allow rule.
Enforced Allow: The policy is set to enforce and the success control is ALLOW, so matching activity is permitted.
Standard Checks With No Extra Constraints: Date/Time/Day/Certificate restrictions are empty, so the behavior mainly depends on whether the user, machine, and application match.

Revise To Apply To Multiple Endpoints

Right now, machine targeting includes a single endpoint identifier. To apply this same allow behavior across multiple endpoints, update machine targeting so it includes more than one endpoint identifier. For example:

Before: Machine targeting lists one endpoint.
After: Machine targeting contains multiple endpoint identifiers.

No other changes are required to broaden endpoint coverage.

What The User Experiences

When users run Visual Studio Code on an in-scope endpoint, they should not see blocks or approval prompts caused by File Access restrictions—because this policy explicitly allows it (assuming your policy precedence/conflict handling permits the allow to take effect).
The policy includes a notification message, but acknowledgement is not required, so it should not interrupt the workflow.

Important Notes And Common Adjustments

Fix The Notification Message: The current notification text references “monitor mode” and mentions MFA/justification/request to run as administrator, but this is a File Access policy that is enforced and applies ALLOW. Update or remove the message so it accurately reflects what the policy does.
Narrow The User Scope If Needed: Replace * with specific users/groups if Visual Studio Code should only be allowed for a subset of users.
Add Certificate Constraints For Higher Assurance: If supported in your environment, restrict the allow rule to a known signer/publisher or certificate hash so only trusted builds are permitted.
Consider File-Path Scoping: If the goal is to allow Visual Studio Code only for certain folders or file types, add folder/file pattern constraints rather than allowing broadly for the app.

Example JSON

{
	"PolicyName": "_10_FileAccess_VSCode",
	"PolicyType": "FileAccess",
	"PolicyId": "N0N1N2N3N4N5N6N7N8N9N",
	"Status": "enforce",
	"Actions": {
		"OnSuccess": {
			"Controls": [
				"ALLOW"
			]
		},
		"OnFailure": {
			"Command": ""
		}
	},
	"NotificationMessage": "A policy has been set to monitor mode.  When this policy is enabled, [mfa, justification, request] will be required to run this process as an administrator.",
	"NotificationRequiresAcknowledge": false,
	"RiskLevel": 50,
	"Operator": "And",
	"Rules": [
		{
			"RuleName": "UserCheck",
			"ErrorMessage": "This user is not included in this policy",
			"RuleExpressionType": "BuiltInAction",
			"Expression": "CheckUser()"
		},
		{
			"RuleName": "MachineCheck",
			"ErrorMessage": "This Machine is not included in this policy",
			"RuleExpressionType": "BuiltInAction",
			"Expression": "CheckMachine()"
		},
		{
			"RuleName": "ApplicationCheck",
			"ErrorMessage": "This application is not included in this policy",
			"RuleExpressionType": "BuiltInAction",
			"Expression": "CheckFile(false)"
		},
		{
			"RuleName": "DateCheck",
			"ErrorMessage": "Current date is not covered by this policy",
			"RuleExpressionType": "BuiltInAction",
			"Expression": "CheckDate()"
		},
		{
			"RuleName": "TimeCheck",
			"ErrorMessage": "Current time is not covered by this policy",
			"RuleExpressionType": "BuiltInAction",
			"Expression": "CheckTime()"
		},
		{
			"RuleName": "DayCheck",
			"ErrorMessage": "Today is not included in this policy",
			"RuleExpressionType": "BuiltInAction",
			"Expression": "CheckDay()"
		},
		{
			"RuleName": "CertificateCheck",
			"ErrorMessage": "Certificate hash is not included in this policy",
			"RuleExpressionType": "BuiltInAction",
			"Expression": "CheckCertificate()"
		}
	],
	"UserCheck": [
		"*"
	],
	"MachineCheck": [
		"NSBYFNaHnhkIgVIazYhFXA"
	],
	"ApplicationCheck": [
		"x7QJZrcYIeuq-QA6D0VrCQ"
	],
	"DayCheck": [],
	"DateCheck": [],
	"TimeCheck": [],
	"CertificationCheck": [],
	"Extension": {}
}

PreviousPolicy: File Access Allow Policy for Cursor NextPolicy: File Access Approval Policy for pgAdmin Application

Last updated 2 hours ago

Was this helpful?

hashtagWhat This Policy Does

hashtagWhy It Behaves This Way

hashtagRevise To Apply To Multiple Endpoints

hashtagWhat The User Experiences

hashtagImportant Notes And Common Adjustments

hashtagExample JSON