Device Security Blueprint
By CtrlOne Team ·
A one-size baseline is the enemy of device security. A shared reception PC, a locked-down kiosk, a travelling laptop, and a finance workstation face different risks and need different controls, yet many estates apply the same tired GPO to all of them and hope for the best. This blueprint takes the opposite approach: it starts from the device role, decides what that role genuinely needs, and removes everything else. The result is a set of build-ready control profiles you can apply, enforce, and prove per role, rather than a single compromise that fits none of them well.

Start from the role, not the machine
Two identical laptops can need opposite policies depending on who uses them and where. Designing from the role - what the device is for - is what lets you strip capabilities safely without breaking someone's day.
A role is defined by its job, not its hardware. Once you name the roles in your estate, the control decisions become obvious because you are asking what this role must do rather than what this model of laptop can do.
- Shared workstation: many users, minimal persistence, tight app control.
- Kiosk or single-purpose: one app, everything else locked down.
- Field laptop: removable-media control and browser restrictions.
- Finance or admin: strict USB and application policy plus evidence.
The control planes every role draws from
Rather than reinvent policy per role, the blueprint composes each profile from a common set of control planes. The role decides how tight each plane is, but the planes themselves are shared, which keeps the estate consistent.
Because CtrlOne expresses each plane as named toggles, building a role profile is a matter of choosing settings, not writing bespoke scripts. That makes profiles readable and easy to hand to a colleague.
- Removable media and USB device control.
- Application launch control.
- Browser and website restrictions.
- Device restrictions and lockdown or kiosk mode.
Removable media is the first decision
For most roles, uncontrolled USB storage is the widest and least justified opening. It is a route for data to leave and for unmanaged files to arrive, and few roles genuinely need arbitrary removable storage.
The blueprint sets removable-media policy per role rather than globally. A kiosk blocks it outright, a finance machine allows only approved device classes, and a field laptop restricts it to read-only where the role permits, all enforced through CtrlOne rather than trusted to user restraint.
Lock the surface, then narrow the applications
Once storage is handled, the next lever is what software can run. Application launch control keeps a device to its approved set, which quietly closes off a large category of risk before any detection tool is involved.
For single-purpose devices, take this to its conclusion with lockdown or kiosk mode so the machine presents exactly one function. The tighter the role, the less there is to monitor, and the clearer any anomaly becomes to the detection tools you still run.
Make each profile enforceable and provable
A blueprint that lives in a document is worthless the moment a device drifts. The value comes from profiles that are enforced continuously and can be shown to be enforced.
CtrlOne versions each profile and re-asserts it on drift, so a reset kiosk or a tampered workstation returns to its intended state. Point-in-time evidence for each role then supports your audit without a manual survey of the fleet.
Frequently asked questions
How many roles should we define?
Start with the few that dominate your estate, such as shared, kiosk, field, and finance. You can add roles later, but a handful of well-defined profiles covers most devices.
Does the blueprint block malware?
It reduces the surface malware can use by controlling media, applications, and device capabilities. Detection and removal remain the job of your antivirus or EDR; the blueprint makes their job smaller.
What if a device fits two roles?
Pick the stricter role as the base and grant only the specific capability the second role needs. It is safer to start tight and open a narrow exception than to start loose.
How do we handle a kiosk that gets tampered with?
Because the profile is versioned and re-asserted on drift, a tampered or reset kiosk returns to its locked-down state automatically rather than waiting for someone to notice.
Build devices around their role
See how CtrlOne applies role-based control profiles and keeps each device in its intended state.