Configuration

In addition to enabling sandbox security in the ColdFusion Administrator, the application server must be running a security manager (java.lang.SecurityManager) and you must define the following JVM arguments:

-Djava.security.manager  
-Djava.security.policy="cf_webapp_root/WEB-INF/cfusion/lib/coldfusion.policy"  
-Djava.security.auth.policy="cf_webapp_root/WEB-INF/cfusion/lib/neo_jaas.policy"

You configure these settings by using a text editor to modify the jrun_root/bin/jvm.config file. or through the Settings panel of the JRun Management Console (JMC).

 community help (adobe.com)