# Configuring Installation Policies

You can set installation policies for each ecosystem independently. This lets you control what happens when someone on your team tries to install a new package.

## Accessing policy settings

Go to [Device Protection and open the Settings tab](https://app.aikido.dev/endpoint-protection/settings). You will see a list of all supported ecosystems with their current policy status. Click on any ecosystem to configure its settings.

<figure><img src="/files/whleAZ0MqkBs6ZkC4EcI" alt=""><figcaption></figcaption></figure>

## How Aikido decides to block or allow a package

When a package is installed, Aikido checks it against a set of rules in order. The first rule that matches decides the outcome.

<table data-full-width="true"><thead><tr><th width="102">Priority</th><th>Rule</th><th>Outcome</th></tr></thead><tbody><tr><td>1</td><td>Package is identified as <strong>malware</strong></td><td>Always <mark style="color:$danger;">blocked</mark>. No exceptions.</td></tr><tr><td>2</td><td>Your group has an exception that <strong>blocks</strong> this package</td><td><mark style="color:$danger;">Blocked</mark></td></tr><tr><td>3</td><td>Your group has an exception that <strong>allows</strong> this package, or an admin previously approved it</td><td><mark style="color:$success;">Allowed</mark></td></tr><tr><td>4</td><td><strong>Block All Installs</strong> is enabled for this ecosystem</td><td><mark style="color:$danger;">Blocked</mark></td></tr><tr><td>5</td><td><strong>Force Requests</strong> is enabled and the package has not been requested yet (or was previously denied)</td><td>Held for <mark style="color:orange;">approval</mark>. A request is sent to the Inbox.</td></tr><tr><td>6</td><td>No rules match</td><td><mark style="color:$success;">Allowed</mark></td></tr></tbody></table>

{% hint style="info" %}
Group exceptions always take priority over default settings. If you're unsure why an install was blocked or allowed, check your group exceptions first.
{% endhint %}
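The first-match ordering in the table above can be modelled in a few lines to check how overlapping settings resolve. This is an added example, not Aikido's code: `GroupPolicy`, `decide` and the package names are hypothetical, and Minimum Package Age is left out because the table does not place it in the order.

```python
from dataclasses import dataclass, field

@dataclass
class GroupPolicy:
    """Effective settings for one ecosystem and one user group (hypothetical model)."""
    block_all_installs: bool = False
    force_requests: bool = False
    blocked: set = field(default_factory=set)   # "Block specific package(s)" exception
    allowed: set = field(default_factory=set)   # "Allow specific package(s)" exception
    approved: set = field(default_factory=set)  # requests an admin already approved

def decide(package: str, policy: GroupPolicy, is_malware: bool = False):
    """Walk the table top to bottom; return (priority, outcome) of the first match."""
    rules = [
        (1, is_malware, "blocked"),
        (2, package in policy.blocked, "blocked"),
        (3, package in policy.allowed or package in policy.approved, "allowed"),
        (4, policy.block_all_installs, "blocked"),
        # Anything approved already matched rule 3, so what reaches this row is
        # unrequested or previously denied. A pending request is not described
        # by the table; this model keeps it held (assumption).
        (5, policy.force_requests, "held for approval"),
    ]
    for priority, matches, outcome in rules:
        if matches:
            return priority, outcome
    return 6, "allowed"  # no rules match

# Constructed sample: a locked-down ecosystem whose two exceptions overlap.
LOCKED = GroupPolicy(block_all_installs=True, force_requests=True,
                     blocked={"example-risky"},
                     allowed={"example-lib", "example-risky"})

if __name__ == "__main__":
    cases = [
        ("example-lib", LOCKED, False),    # allow exception beats Block All Installs
        ("example-lib", LOCKED, True),     # malware beats the allow exception
        ("example-risky", LOCKED, False),  # block exception beats allow exception
        ("example-other", LOCKED, False),  # no exception: Block All Installs applies
        ("example-other", GroupPolicy(force_requests=True), False),
        ("example-other", GroupPolicy(), False),
    ]
    for name, policy, malware in cases:
        priority, outcome = decide(name, policy, malware)
        print(f"{name:14} malware={malware!s:5} -> rule {priority}: {outcome}")
```
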

## Available controls

<figure><img src="/files/kDseq36ygGC3jrbjIr9V" alt=""><figcaption></figcaption></figure>

### Block All Installs

When enabled, all installations from that ecosystem are blocked on connected devices. No new packages can be installed until you turn this off or create an exception.

Use this when you want to fully lock down an ecosystem for your organization.

### Force Requests for New Packages

When enabled, team members cannot install new packages on their own. Instead, their install attempt is sent to the **Inbox** for admin approval. The admin can then approve or reject it.

This is a good middle ground when you want oversight without completely blocking installs.

### Minimum Package Age

Sets how long a package must have existed before it can be installed. For example, if set to 24 hours, any package published less than 24 hours ago will be blocked.

This helps protect against supply chain attacks, where an attacker publishes malicious code to a public registry and tries to get people to install it before the community can flag it.

## Exceptions

Exceptions let you override your default policies for specific packages or user groups. This is useful when your default policy is strict but certain teams need access to specific tools.

For example, you might block all Chrome extensions by default but allow a set of approved extensions for your Product team. Or you might require approval for all NPM installs but let your engineering group install trusted libraries without waiting.

### Adding an exception

1. Go to **Device Protection** and open the **Settings** tab.
2. Click on the ecosystem you want to configure.
3. Scroll down to the **Exceptions** section.
4. Click **Add Exception**.
5. Choose a policy type, specify the packages or values it applies to, and select the user groups it targets.

{% hint style="warning" %}
Package identifiers vary by ecosystem. [Double-check the correct identifier before adding an exception](/aikido-device-protection/miscellaneous-aikido-endpoint/package-identifiers.md).
{% endhint %}

<figure><img src="/files/OeIV78GzRAvljX3nT6Qo" alt="" width="556"><figcaption></figcaption></figure>

### Exception types

**Allow specific package(s)** allows specific packages to be installed, even if the ecosystem is set to "Block All Installs" or "Force Requests." You can list one or more packages and assign the exception to specific user groups.

**Block specific package(s)** blocks specific packages for the selected user groups, even if the default policy would allow them. Use this to prevent known risky packages from being installed.

**Block all installs** blocks all installs from the ecosystem for specific user groups, even if the default policy allows them. Use this when you want to lock down a group without changing the setting for the whole organization.

**Force requests for new packages** requires admin approval for new installs within the selected user groups, even if the default policy does not require it. This lets you add an approval step for specific teams without turning it on for everyone.

