Endpoint Restriction Software
CtrlOne is endpoint restriction software that lets a small team enforce a consistent set of rules across every Windows PC. Decide what apps, ports, sites, and settings each endpoint may use, push it from one console, and trust a tamper-proof agent to keep it enforced.
What is endpoint restriction software?
Endpoint restriction software governs what the computers in your organization are allowed to do. Rather than trusting every user to leave a machine configured correctly, you define restrictions centrally - which applications may run, whether USB storage is usable, which websites are reachable, and which system settings are locked - and apply them uniformly across the fleet. The result is a predictable, hardened baseline that reduces data loss, malware, downtime, and the drift that creeps in when each PC is managed by hand.
CtrlOne makes those restrictions a policy you manage from a browser. A lightweight, tamper-proof agent runs as a protected system service on each Windows 10 and Windows 11 endpoint and checks in about every 30 seconds. From the console you assign restriction sets to devices or groups, and the agent applies them through Windows policy and service control. Application control layers AppLocker or WDAC on Enterprise and Education with an SRP and IFEO fallback on Home and Pro, so a restriction lands on every edition, not just the ones with the enterprise tooling.
The point of endpoint restriction is that it cannot be optional. CtrlOne enforcement lives in the agent, so restrictions hold when a device is offline and fail closed after a configurable window, and the protected service blocks documented disable vectors so a local user cannot revert them. Every policy is versioned with one-click rollback and written to a tamper-evident audit log, and the auto-scheduler can vary restrictions by time of day. CtrlOne never renames executables, deletes files, or patches binaries - it restricts through policy, service control, and, where a feature genuinely is not supported, an honest 'unsupported' rather than a risky workaround.
Why enforce endpoint restrictions with CtrlOne
- One consistent baseline - Assign the same restriction set to every endpoint or group from one console, eliminating the configuration drift that comes from hardening each PC by hand.
- Restrictions land on every edition - Application control uses AppLocker or WDAC on Enterprise and Education and falls back to SRP and IFEO on Home and Pro, so a rule applies fleet-wide, not just on premium editions.
- Cannot be quietly reverted - The protected agent blocks documented disable vectors and re-applies policy on startup, so restrictions are enforced rather than merely suggested to the user.
- Enforced off the network - Because rules live on the device, they hold offline and fail closed after a configurable window, so a laptop that leaves the office keeps its restrictions.
- No domain or server needed - CtrlOne works on standalone and domain-joined machines with no Active Directory or Group Policy Editor, so lean teams get fleet restrictions without heavy infrastructure.
- Time-aware restrictions - The auto-scheduler tightens or relaxes restrictions on a daily timetable, so an endpoint can follow different rules during and outside working hours.
- Provable and reversible - Every change is versioned with one-click rollback and recorded in a tamper-evident log, so you can demonstrate the enforced state and undo a mistake instantly.


Endpoint restriction features
- Application launch restrictions - Block unwanted or risky apps - or restrict endpoints to an approved set - with layered enforcement that covers Home and Pro as well as Enterprise and Education.
- USB and peripheral restrictions - Set removable storage to off, read-only, or blocked and allow or deny device classes, closing the data-exfiltration path while keeping input devices working.
- Web and browser restrictions - Restrict browsing to approved destinations, block content categories, and stop risky downloads across Chromium browsers from the central policy.
- Settings and system-tool restrictions - Disable Settings, the Control Panel, Task Manager, Run, and the registry editor so endpoints cannot be reconfigured by their users.
- Group-based assignment - Apply restriction sets to device groups so a lab, a call center floor, and executive laptops each get the rules that fit them, all from one place.
- Scheduled restriction windows - Use the auto-scheduler to apply and lift restrictions automatically by time of day, matching shifts, lessons, or after-hours lockdown.
- Versioned policy with rollback - Every restriction change snapshots the prior state, so you can roll an endpoint or group back to a known-good policy with a single click.
- Tamper-evident audit log - All restriction changes and applications are recorded in an append-only log, giving you a defensible record of what each endpoint enforces and when it changed.
Who uses CtrlOne endpoint restrictions
- Lean IT teams - Enforce a hardened baseline across the whole fleet from a browser without scripting, a domain controller, or per-machine visits.
- Call centers & BPOs - Restrict apps, USB, and browsing on shared agent PCs to protect customer data and keep floors focused on work.
- Schools & labs - Apply lesson-appropriate restrictions to shared computers while allowing the specific tools each class needs.
- Distributed workforces - Keep restrictions enforced on laptops that spend most of their time off the corporate network, with offline fail-closed protection.
- Regulated industries - Reduce insider and malware risk on sensitive workstations and produce a tamper-evident record of the enforced configuration.
CtrlOne vs Group Policy restrictions
| Capability | CtrlOne | Group Policy restrictions |
|---|---|---|
| Central web console | Yes - assign sets to devices and groups | GPMC plus domain join required |
| Every Windows edition | AppLocker/WDAC with SRP+IFEO fallback | AppLocker limited to Enterprise/Education |
| Offline enforcement | Holds offline, fails closed | No refresh until back on domain |
| Tamper resistance | Protected agent blocks disable vectors | Local admin can edit or revert |
| Scheduling | Built-in auto-scheduler | Requires scripting or task setup |
| Rollback | Versioned, one-click | Manual GPO history at best |
| Audit trail | Tamper-evident, append-only log | Scattered event logs |
Endpoint restriction FAQs
What restrictions can I enforce on an endpoint?
You can restrict which applications launch, set USB storage to off, read-only, or blocked, limit browsing to approved sites, and disable Settings, the Control Panel, Task Manager, Run, and the registry editor. Restrictions are assigned to devices or groups and applied by the agent.
Do app restrictions work on Windows Home and Pro?
Yes. Application control uses AppLocker or WDAC on Enterprise and Education and falls back to SRP and IFEO on Home and Pro, so an app-blocking restriction applies across every edition rather than only the ones with enterprise tooling.
Can a user disable the restrictions on their PC?
No. The agent runs as a protected system service, blocks documented disable vectors, and re-applies policy on startup, so restrictions cannot be quietly removed by a standard user or reverted by a local admin editing the registry.
Do restrictions apply when the device is offline?
Yes. Enforcement lives on the endpoint, so restrictions hold without a network connection and the agent fails closed after a configurable offline window. A device off the network keeps its restrictions.
Do I need Active Directory to use this?
No. CtrlOne works on standalone and domain-joined machines with no Active Directory, server, or Group Policy Editor required, so a small team can enforce fleet-wide restrictions without that infrastructure.
Can I undo a restriction change that breaks something?
Yes. Every change snapshots the previous policy, so you can roll an endpoint or group back to a known-good state with a single click, and the change is recorded in a tamper-evident audit log.
Enforce endpoint restrictions across your fleet
See how CtrlOne applies app, USB, browser, and settings restrictions to every Windows endpoint from one console, enforced offline by a tamper-proof agent. Explore the full feature catalogue or get in touch for a walkthrough.