How to enforce policies in Dropbox Protect

Bring order to shared data

Today, companies share more data across more tools than ever before. The Policies feature in Dropbox Protect helps admins gain visibility and control across connected apps such as Dropbox, Microsoft 365, and Google Drive.

They turn awareness into action so you can spot exposure, automate cleanup, and stay audit-ready with less manual work.

Think of policies as always-on rules that keep data where it should be. They quietly enforce consistency, freeing you from chasing checking every file yourself.

Why it matters

Policies help teams simplify governance and prove compliance without slowing collaboration so you can:

• See who has access to company files across all connected apps
• Identify and close risky exposure points like public links or personal accounts
• Automate cleanup to reduce repetitive manual work
• Enforce consistent sharing rules across tools
• Track and audit every change with detailed logs for compliance
• Keep data secure and governance effortless over time

When applied well, policies do more than protect, they build trust. Colleagues can share confidently, knowing sensitive data stays contained.

This guide walks you through the full workflow, from spotting exposure to enforcing policies at scale with automation. Learn how to use Policies in Dropbox Protect.

Before you begin

Take five minutes to verify these items before you start setting up your policies.

• You’re logged into your Protect account at dropbox.com/protect/app. Learn how to manage Protect and Control in Dash.
• You’ve added the apps (Dropbox, Google Workspace, Microsoft 365) you want to connect. Learn how to add apps to Dropbox Protect.
• Dropbox content appears on the Protect page.

It helps to know what “good” looks like for your organization. Decide which sharing behaviors are acceptable and which require action.

Step 1. See everything that’s shared

The first thing you should do is take a look at what content is shared. Think of this as an X-ray of your content. The goal is to identify high-risk sharing patterns that could expose company data.

On the Protect page, you’ll see a table showing file ownership, document details, and sharing permissions  for all connected apps.

You can use filters to narrow your view and quickly find documents based on specific criteria, such as last modified date, file type, application, sharing status, and more. Learn how to use filters in Dropbox Protect.

When you've finished this step, you'll have a clear view of how and where data is shared across your connected apps. Use this baseline to decide which areas need policies first.

Step 2. Set up your first policy

Policies are shown as preset cards you can customize to fit your organization’s needs. Each card starts with predefined rules, such as detecting public links or external collaborators. You can open any card, adjust the filters, choose to alert or to automate, and activate it when ready.

Keep in mind that each card includes a built-in automatic fix that can’t be changed. Make sure your filters align with the action that’s already set so you can automate effectively in the future.

Learn what automatic fixes are available.

1. In the admin console, click Set up on an inactive policy card.
   • Tip: Pick a name that indicates what the rule actually remediates. For example, “Public links not modified in 5+ years.”
2. Click Edit mode.
3. If needed, select filters to define what you’ll monitor.
4. Click Save and close.
5. Select Send an alert. This lets you test the results before automating the policy. Once you trust the results, switch to Automatically fix it to enforce at scale.
   Note: Every 24 hours at 8:00 UTC, admins receive an email that summarizes policy matches requiring manual review. The email includes a View matches link and shows which admin created the alert. Policies without matches don’t trigger alerts or actions. Learn how alerts work.
6. Type CONFIRM.
7. Click Activate.

Learn how to manage policy requirements.

Step 3. Test your policy and automate at scale

Before automating your policy, test it to make sure it works as expected. This step helps confirm your filters identify the right files and your chosen actions produce the correct results.

1. Open the alert email you received and click View matches. You’ll see the list of items that meet your policy’s conditions. 
2. Select the matches you want to take action on (individually or in bulk).
3. If applicable, choose the action details or enter the collaborator’s name. Once you’re confident the alert results look right, you can move from testing to automation. This ensures your policy performs as expected before it starts making real changes.
4. When you are satisfied, select Automatically fix it.
5. Type CONFIRM, then click the action button to complete the change.
6. Click Update.

Step 4. Monitor and adjust

Policies are living rules. Review them at least once a week to confirm they’re running as expected and update the criteria as your security needs change.

Look for these types of patterns and then adjust the filters or set up new policies to address them:

• Repeated external shares from one department
• Files untouched for years
• Many public links in a specific app
• Adjust filters to reduce false positives.
• Watch for a week-over-week drop in public links or external shares.
• Confirm automation completes without errors.

Try building a review rhythm, set a reminder once a month to scan Action history and tweak filters. That habit keeps policies relevant without extra effort.

Wrap up

The policies feature in Dropbox Protect helps admins gain visibility across connected apps and lets you automate enforcement without extra work. Start small, test manually, then automate once you trust the results.

When you do, exposure trends decline, audits run cleaner, and admins spend less time chasing access levels.