The research capability offers several ways to handle research findings using application and content policies to allow or restrict access to specific objects such as mobile apps, or communications with remote systems.

When you determine an app is unsafe or unwanted due to its capabilities or other non-malicious characteristics, you can manually add it to the Denylist which is visible on both the App Details page and the Research page. Devices where the application is already installed prompt the user to remove the application once the application denylist entry is processed.

Adding or removing an app from the denylist affects only the specific version of the app currently being viewed.

When your investigation reveals an unsafe domain (FQDN), top level domain, or hostname, you can add it to the denylist. The Phishing and Content Protection policy allows up to 100 entries, per device group, for the denylist, allowlist, and skiplist, respectively.

Protections > Phishing and Content Protection has an allowlist, denylist, and skiplist for web content and application communications. Domains in this denylist are handled in accordance with the denylisted content policy. Enter the URL’s domain to block access. Example: example.io.

All PCP denylist, allowlist, or skiplist domain entries implicitly include all subdomains of an entry.

Research > Behaviors > Observations allows you to manage an application’s connections to remote hosts using the allowlist, denylist, and skiplist options directly from the Research area by selecting an entry’s checkbox on the left and clicking the ellipsis … button at the upper-right of the page.