Documentation
Product documentation for CtrlOne - install the agent, deploy across a Windows fleet, run the console, configure policies, and control USB, apps, and browsers.
Get Started
Install CtrlOne, deploy the Windows agent to your fleet, and get your first devices checking in.
- Getting Started with CtrlOne - Understand the CtrlOne pieces - cloud or on-prem console, Windows agent, agent-console desktop, and installer - and how a lockdown rollout flows end to end.
- Installation Guide - Install the CtrlOne Windows agent: download the signed installer with your claim key, run it interactively or silently, and confirm the device checks in.
- Agent Deployment - Deploy the CtrlOne agent across a Windows fleet: claim keys, silent mass deployment, first check-in, and applying policy templates with the onboarding wizard.
Console & Policies
Run the admin console, understand roles and tenants, and build, version, and roll back policies.
- Endpoint Console Guide - Tour the CtrlOne admin console: the dashboard, devices, policies, operator roles, multi-tenant management, and the local agent-console desktop app.
- Policy Configuration - Build and manage CtrlOne policies: the policy-only enforcement model, applying and reassigning policies, versioning and rollback, templates, and scheduling.
Restrictions
Configure the lockdown surfaces - device and USB control, application blocking, and browser restrictions.
- Device Control Overview - An overview of CtrlOne's lockdown surfaces - USB and device-class control, application blocking, browser restrictions, and desktop lockdown - all policy-only.
- USB Control - Control removable devices with CtrlOne: per-device-class allow and deny for USB data-loss prevention, applied through Windows policy and fully reversible.
- Application Blocking - Stop specific applications from launching on managed Windows PCs with CtrlOne - enforced through Windows policy, never by deleting or modifying application files.
- Browser Restrictions - Apply managed browser policy with CtrlOne - URL blocklists and browser controls enforced through Windows policy, with a loopback block page and no root certificate.
Operations
Keep the agent healthy in production: service management, troubleshooting, upgrades, and release notes.
- Service Management - How the CtrlOne agent runs in production: the Windows service and companion watchdog, tamper resistance, offline fail-closed enforcement, and silent self-update.
- Troubleshooting - Fix common CtrlOne issues: devices not checking in, restrictions that don't apply, the desktop console showing offline, WebView2 runtime, and uninstall problems.
- Upgrade Guides - Keep CtrlOne current: how the Windows agent self-updates, how the desktop Agent Console updates separately, and how to move a fleet to a newer build safely.
- Release Notes - How CtrlOne ships changes - continuous console improvements and agent builds that roll out through silent self-update - and where to find what's new.
Reference
Answers to common questions plus API tokens and automation for service accounts.
- Frequently Asked Questions - Answers to common CtrlOne questions - what it is, how enforcement works, supported Windows versions, multi-tenancy, offline behaviour, and how to get help.
- API Documentation - Automate CtrlOne with API tokens: bearer authentication for service accounts, role- and tenant-scoped access, and how automation fits your security model.