> For the complete documentation index, see [llms.txt](https://docs.stepsecurity.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.stepsecurity.io/developer-machines/device-policy.md).

# Device Policy

{% hint style="info" %}
Device Policy is currently in **Beta**.
{% endhint %}

Device Policy lets you control which IDE extensions developers can install on their machines. You define reusable policies, bundle them into profiles, and deliver those profiles to devices through your MDM.

Unapproved or compromised IDE extensions are a growing supply chain risk: they run with the developer's privileges and can access source code, credentials, and internal systems. Device Policy gives security teams a way to enforce an approved extension set across the fleet, using the IDE's own policy mechanism.

**Follow this interactive demo to see how this feature works:**

{% embed url="<https://app.storylane.io/share/uivtaxit0ole>" %}

### How It Works

Device Policy has two building blocks:

* [**Policies**](/developer-machines/device-policy/policies.md): reusable rules that define which extensions and versions are allowed or blocked for a specific IDE. Policies can be built from the extension inventory Dev Machine Guard already observes across your fleet, added manually, or imported from an existing configuration file.
* [**Profiles**](/developer-machines/device-policy/profiles.md): bundles of policies that you assign to devices or export to your MDM. Create a policy first, then compose it into a profile and deliver it.

Each policy compiles into the IDE's native policy format. For VS Code, this is the `extensions.allowed` setting, which the OS and IDE enforce directly on the device. A live compiled preview is shown while you build the policy, so you can see exactly what will be delivered.

### Supported IDEs

VS Code is supported at launch. Policies target the IDE extensions category and compile to the VS Code `extensions.allowed` policy format.

### Enforcement

Profiles can be enforced in two ways:

* **Your MDM enforces**: download a per-OS artifact from the profile's Delivery tab, import it into your MDM (Intune, Jamf, or Kandji), and assign it to the target device group. The operating system enforces the policy, making it tamper-proof for the developer.
* **The DMG agent enforces**: assign the profile to devices directly, with no MDM required. The agent installs and continuously enforces the profile. Requires DMG agent version 1.13.0 or later.

### Getting Started

1. Go to **Developer Machines** > **Device Policy** > **Policies** and create a policy. See [Policies](/developer-machines/device-policy/policies.md).
2. Go to **Device Policy** > **Profiles**, create a profile, and add the policy to it.
3. Open the profile's **Delivery** tab, download the artifact for each OS in your fleet, and deploy it through your MDM. See [Profiles](/developer-machines/device-policy/profiles.md).
4. Track rollout status on the profile's **Compliance** tab.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.stepsecurity.io/developer-machines/device-policy.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
