Backup Policies
A backup policy defines the complete set of rules for a backup job: what data to include, when to run, how long to retain data, where to store it, and which devices it applies to. Every protected device must have at least one policy that resolves to it.
Creating a Backup Policy
- Open the Backups console → Policies → New Policy
- Choose a starting point:
- Workstation Default — Hourly incrementals, daily full, 30-day daily retention, 12-month monthly retention
- Server Default — Nightly full + hourly incrementals, longer retention, system state included
- SaaS Default — Daily sync, 12-month retention (for SaaS policies)
- Blank — Start from scratch
- Configure the policy settings (see below)
- Set the scope and assign to devices
- Click Save Policy
Policy Settings
Sources
Sources define what gets backed up. Each source has a type and optional path overrides:
| Source Type | Description |
|---|---|
user_data | User documents, desktop, downloads, and user-owned app data |
system_state | Critical OS files, registry, boot configuration (servers only) |
application_data | Application-specific paths you specify |
full_image | Full disk image (bare metal restore capable) |
custom | Explicit include/exclude path lists you define |
A single policy can include multiple sources. For example, a server policy might include user_data + system_state + application_data for a custom database path.
Schedule
| Schedule Type | Required Fields | Use Case |
|---|---|---|
interval | interval_hours (1–168) | Frequent incrementals throughout the day |
daily | time (HH:MM) | Once-per-day full or incremental |
weekly | time + days_of_week | Weekend-only or specific-day backups |
monthly | time + day_of_month | Monthly compliance snapshots |
The business_hours_only flag on any schedule type pauses the job during defined business hours and resumes it after.
Retention
Retention settings follow the Grandfather-Father-Son (GFS) model. See Retention Schedules for full details.
| Field | Default | Range |
|---|---|---|
daily_days | 7 | 0–365 |
weekly_weeks | 4 | 0–52 |
monthly_months | 12 | 0–60 |
yearly_years | 0 | 0–10 |
Destination
| Setting | Default | Description |
|---|---|---|
storage_tier | hot | Starting storage tier for new backups (hot, cool, archive) |
encryption_enabled | true | AES-256-GCM encryption at rest (cannot be disabled on SaaS policies) |
compression_enabled | true | LZ4 compression before upload |
Policy Scope
Policies have a scope that determines which devices they apply to. When multiple policies match a device, the higher-priority scope wins.
| Scope | Description | Required Fields |
|---|---|---|
global | Applies to all devices in your tenant | None |
company | Applies to all devices under a specific client company | company_id |
site | Applies to all devices at a specific site | site_id |
device | Applies to specific named devices | device_ids (at least one) |
Scope priority order (highest wins): device > site > company > global
Within the same scope level, the policy's priority field (0–1000, higher = higher priority) breaks ties.
Assigning Policies to Devices
By Scope (recommended)
Create a policy with a company or global scope. All devices under that scope are automatically covered — no per-device assignment needed. New devices enrolled under that company will pick up the policy immediately.
By Device
Assign specific devices to a device-scoped policy:
- Open the policy → Devices tab
- Click Add Devices and select from enrolled devices
- Save — the assignment takes effect on the next agent check-in
You can also use add, remove, or replace modes when updating device assignments programmatically.
Using Templates
Templates are pre-built policies that can be cloned and customized:
- Go to Policies → Templates
- Select a template and click Use as Starting Point
- Customize settings and save as a new policy
Templates themselves do not apply to devices — only activated policies do.
Policy Inheritance and Resolution
When the agent starts a backup job, it resolves its effective policy by walking the scope hierarchy:
- Check for a
device-scoped policy explicitly listing this device — highest priority - Check for a
site-scoped policy for this device's site - Check for a
company-scoped policy for this device's company - Fall back to any
globalpolicy
If multiple policies exist at the same scope level, the one with the highest priority value wins.
You can preview the effective policy for any device from Policies → Resolve Policy — enter a device ID to see the full resolution chain and the winning policy.
Updating a Policy
Changes to a policy are pushed to enrolled devices on the next agent check-in. The current in-progress backup job (if any) completes using the old settings. The next scheduled job uses the updated policy.
Deleting a Policy
Deleting a policy soft-deletes it — the policy is disabled and marked with a deletion timestamp. Existing backup data is preserved. The data is retained until each file version expires based on its own retention schedule.
Devices that were covered by a deleted policy fall back to the next-lower scope policy (if any), or become unprotected if no other policy matches.
Related Pages
- Retention Schedules — GFS retention model and storage cost implications
- Endpoint Backup Agent — What is backed up per source type
- Storage Tiering — How storage tier affects restore speed and cost