Browser Restrictions

Browser restrictions let you control what managed browsers can do and where they can go. This guide explains the approach and its privacy-preserving design.

Managed browser policy

CtrlOne applies restrictions through the managed-policy mechanisms that Chromium-based browsers support, such as URL blocklists. Note that some policies are vendor-specific - a setting available in one browser may not exist in another - so validate the controls you need against the browsers in your fleet.

The block page

When a blocked address is requested over plain HTTP, CtrlOne can serve a branded block page locally through a loopback sinkhole. HTTPS destinations are handled by the browser's own URL blocklist enforcement.

Combining controls

Browser restrictions work best alongside application blocking - block unmanaged browsers so users can't sidestep your policy - and desktop lockdown to keep the shell tidy. Pilot the set on a representative PC before fleet rollout.

Frequently asked questions

Does CtrlOne decrypt HTTPS traffic?

No. There is no root CA and no TLS interception. HTTPS blocking relies on the browser's own managed URL blocklist.

Will restrictions apply to any browser?

They apply to browsers that honour managed policy. Some policies are vendor-specific, so confirm coverage for the browsers you run, and block unmanaged browsers to avoid gaps.

See every restriction

Browse the full restriction catalogue to compose the exact browser, application, and device controls your fleet needs.