Security Policies

Twingate allows you to define flexible security policies for your Network or for individual Resources on your Network. These are managed under the Policies tab.

Policy Types

Twingate has two types of Security Policies, both of which are used for different parts of the application. Different Policy types may have different rules available to them, based on what is appropriate for the use case.

  • Resource Policies: These policies are applied to Resources at the time they are accessed by a user. Use these policies to apply extra security to more sensitive Resources on your Network. There is always one Default Policy which is applied to all new Groups by default. You can create additional Resource Policies in the Admin Console.
  • Network Sign In: This policy is applied to all users of Twingate when they attempt to log into the network. Users must fulfill the criteria in this Policy before attempting to access any Resources, even if those Resources have more permissive Security Policies than the Network Sign In policy.

There's an additional Admin Console Security policy that can be configured. This is managed under the Settings tab. This policy is only applied to Twingate administrators when they attempt to sign into the Admin Console. Admins do not need to sign into Twingate to access the Admin Console, so the Network Sign In policy is not applied here. See Admin Console Security for more information.

Rule Types

The following rule types may be applied to policies:

RuleUser-basedDevice-basedAllowed Policy TypesNotes
AuthenticationResource & Network Sign InAuthentication for the Admin Console Security policy cannot be modified and is tied to your Identity Provider configuration.
Two-Factor AuthenticationAll policy typesTOTP code that can be used with any third party authenticator app.
Trusted DevicesResource & Network Sign In
Platform RestrictionsResource & Network Sign In

Policy Management

You can create a new Resource Policy by clicking the "Create Resource Policy" button under Resource Policies.

You can edit new or existing Security Policies by selecting the Policy in the Policies tab. Here you can add new requirements and edit or remove existing requirements. Some rule types may not be removable or editable, depending on the type of Policy they are in. Note that the Network Sign In policy is shown for all Resource Policies, as a way to indicate that all users must sign into the network before they can attempt to access a Resource.

Security Policies are applied to Groups, which consist of users and Resources. If a user attempts to access a Resource and are in a Group with that Resource, they will have to fulfill any requirements in the Security Policy for that Group. By default, all Groups will use the Default Policy; you can change this by editing the Group.


Do not assign the same user and Resource pair to multiple Groups, as this will create ambiguity in which Policy will be applied.

For complete details of all Security Policy rules that Twingate supports, please reference the child pages of this document.


Twingate recommends that you apply comparatively less strict policies to Network Sign In and focus more security controls on the Resource Policies, especially those that are applied to more sensitive Resources. This will reduce the number of authentication or other security controls that users must go through, focusing them only on the times when they are actually accessing a protected Resource.

What’s Next
Did this page help you?