Standardizing Endpoint Security for a Government Agency with CtrlOne
A government agency ran two very different sets of Windows machines: public-access terminals in service centers used by citizens all day, and staff PCs handling sensitive records. Policy required strong, provable controls and, in this case, keeping management inside the agency's own network. Here is how CtrlOne standardized both - self-hosted on-premises.
- On-prem - self-hosted on the agency network
- Public + staff - terminals on one standard
- Audit-ready - tamper-evident activity log
The problem
Public terminals are used by a stream of anonymous visitors, so they had to be tightly locked to a single purpose while resisting tampering. Staff PCs handled sensitive records that must never leave on a USB drive.
Agency policy also required that device management stay on its own network rather than a public cloud, and that controls be demonstrable during audits.
- Public-access terminals exposed to anonymous, untrusted users
- Staff machines holding sensitive records at risk of USB data loss
- A requirement to keep management on the agency's own network
- Inconsistent configuration across service centers and offices
- A need for controls that resist tampering and can be evidenced in audits
The deployment
The agency ran CtrlOne on its own network using the self-hosted LAN console and deployed the agent to every machine, with separate hardened policies for public terminals and staff PCs. Role-based operator accounts kept duties separated, including a read-only auditor role.
- The self-hosted LAN console keeps device management inside the agency's network
- Public terminals are locked to their single purpose, with system tools, settings, and USB storage disabled
- Staff PCs block USB storage and unapproved apps while keeping the tools employees need
- Offline fail-closed enforcement keeps machines locked down through network interruptions
- Role-based access (including a read-only auditor role) and a tamper-evident audit log support oversight and reviews
We can't hand citizen data to a public cloud, and we have to prove our controls. CtrlOne runs on our own network and gives us one locked-down standard for public terminals and staff PCs alike.
The results
The agency replaced inconsistent, hard-to-prove setups with one enforceable standard it fully controls.
- Public and staff machines each enforce a consistent, purpose-built policy
- Device management stays entirely on the agency's own network
- USB data-loss paths on staff machines are closed by default
- Public terminals resist tampering and stay locked to their intended use
- A tamper-evident log provides audit-ready evidence of the controls in place
The benefits
CtrlOne gave the agency strong, self-controlled endpoint governance that stands up to scrutiny.
- Full control of device management inside the agency's own network
- A provable, consistent standard across public and staff machines
- Reduced risk of sensitive data leaving on USB storage
- Separation of duties through role-based operator access
- Audit-ready evidence packs and logs to support compliance reviews
Frequently asked questions
Can CtrlOne run without using a public cloud?
Yes. The agency ran the self-hosted LAN console on its own network, so device management and data stay inside the organization's infrastructure.
How are public terminals kept locked to one purpose?
Public terminals get a hardened kiosk-style policy that disables system tools, settings, and USB storage, so anonymous users can only do the one task the terminal is meant for.
Does CtrlOne help with audit evidence?
Yes. Role-based operator access - including a read-only auditor role - a tamper-evident activity log, and compliance evidence packs give reviewers demonstrable proof of the controls in place. CtrlOne supports audit-readiness rather than issuing certifications.
Standardize endpoint security on your own network
See how CtrlOne locks down public terminals and staff PCs from a self-hosted console - with USB control, kiosk lockdown, and audit-ready logs.
This is a representative deployment scenario that illustrates how CtrlOne is used in this industry. Figures are illustrative of typical outcomes, not a verified named-customer result.