5.1 Application Control Policy

The following instructions assume that you are on the Configure Application Control Settings page in the Create New Application Control Policy Wizard (see Creating Security Policies) or that you are on the Details page for an existing Application Control policy (see Editing a Policy’s Details).

The Application Control policy lets you control file execution and Internet access for applications. Control extends beyond standard executable files (.exe) to include other file types such as .bat, .txt, .pdf, .mpg, and so forth.

5.1.1 Configure Application Control Settings

Configuration is done through application controls. An application control identifies one or more applications and assigns a behavior to the applications. The supported behaviors are: 1) block file execution, 2) block Internet access, and 3) no restrictions (allow execution and Internet access). The behavior controls all instances of the listed applications, regardless of location (fixed disk, removable storage device, CD/DVD, or network drive).

For example, assume that App1.exe, App2.exe, and App3.exe are instant message applications that you don’t want users to run. You could create an application control called Messaging Applications, assign the three applications to the control, and set the behavior to block execution of the applications.

Or, assume that App4.exe and App5.exe are media applications that access music and video from the Internet. You don’t want bandwidth consumed by these types of activities, so you create an application control called Internet Media Applications, assign the two applications to the control, and set the behavior to block Internet access.

NOTE: Application controls are not enforced on files in the %WINDIR% and %ZENSERVER_HOME% directories.

Wildcard usage: The wildcard option provides the capability to implement a control on multiple applications or files with a single entry in the Application Control List or to implement a control on a single application or file without providing the full file name. The asterisk * is the only wildcard option supported in the Application Control policy. A few examples of using the asterisk wildcard for application or file names are provided below. In these examples, the Application Control List is configured for No Execution.

CAUTION: Use care when a wildcard could prevent critical system files and processes from running. For example, using the No Execution behavior with a *.exe wildcard, or with wildcards on the .dll, .bin, or .lib file extensions, could put a device in a non-functional state.

Wildcard example and enforced policy outcome:

  • *.bat: Blocks execution and opening, according to the configured enforcement behavior, of all files that have .bat as the file extension.

  • *setup*.exe: Blocks execution and opening, according to the configured enforcement behavior, of programs and files that have the .exe extension and setup as part or all of the file name.

  • notepad.*: Blocks execution, according to the configured enforcement behavior, of the Notepad program or any file named notepad, regardless of the file extension.

  • iexplore.*: Blocks execution, according to the configured enforcement behavior, of the Internet Explorer program or any file named iexplore, regardless of the file extension.

  • *calc*: Blocks execution and opening, according to the configured enforcement behavior, of programs and files with calc anywhere in the file name.

Before applying any policy that blocks file execution or Internet access for an application, you should test the policy on a single workstation or server to ensure that no adverse or unexpected results occur. For example, blocking a Microsoft Office application could result in repeated attempts to reinstall the application, which could affect system operation or performance.
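The matching rules above (a single asterisk wildcard, matching on the file name only with no path, the %WINDIR% and %ZENSERVER_HOME% exemption, the No Restrictions override and the list of applications that cannot be blocked, both described under Create a new application control below) are small enough to model offline before you commit a policy. The Python below is an added example written for this page; it is not ZENworks code and does not reproduce the agent's implementation. It assumes case-insensitive name matching, concrete paths for the two exempt directories, a literal reading of notepad.* (the dot is required), and that a matching No Restrictions control overrides every other match. The risky_wildcards check is a pre-deployment test for the CAUTION: a No Execution pattern that matches a constructed probe name such as probe.dll would block every file of that type.

```python
import re
from dataclasses import dataclass

# Behaviors as named on the policy's Default Behavior field.
NO_EXECUTION = "No Execution"
NO_INTERNET = "No Internet Access"
NO_RESTRICTIONS = "No Restrictions"

# Applications the page lists as never blockable.
NEVER_BLOCKED = {
    "winlogon.exe", "svchost.exe", "taskmgr.exe", "lsass.exe", "wmiprvse.exe",
    "services.exe", "explorer.exe", "smss.exe", "dllhost.exe", "csrss.exe",
}

# The NOTE exempts %WINDIR% and %ZENSERVER_HOME%. The concrete paths below are
# assumptions for this offline example; on a device they come from the environment.
EXEMPT_DIRS = (r"C:\Windows", r"C:\Program Files\Novell\ZENworks")

# Constructed probe names: a No Execution pattern that matches one of these
# blocks every file of that type, which is the scenario the CAUTION warns about.
PROBE_NAMES = ("probe.exe", "probe.dll", "probe.bin", "probe.lib")


@dataclass
class AppControl:
    name: str
    behavior: str
    applications: tuple   # file names or '*' patterns, never paths
    enabled: bool = True


def pattern_to_regex(pattern):
    """Compile an Application Control entry. Only '*' is a wildcard (any run of
    characters, including none); everything else, '?' and '[' included, is
    literal. Matching is case-insensitive, as Windows file names are (assumption)."""
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile(".*".join(literal_parts), re.IGNORECASE)


def matches(pattern, filename):
    return pattern_to_regex(pattern).fullmatch(filename) is not None


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def is_exempt(path):
    norm = path.replace("/", "\\").lower()
    return any(norm.startswith(d.lower().rstrip("\\") + "\\") for d in EXEMPT_DIRS)


def effective_restrictions(controls, path):
    """Restrictions that apply to the file at `path` under a list of controls.

    Location is ignored except for the exempt directories; matching is on the
    file name alone, so a copy saved under another name does not match.
    A matching No Restrictions control is modeled as overriding all other
    matches (assumption based on the page's description of it as an override).
    """
    name = basename(path)
    if is_exempt(path) or name.lower() in NEVER_BLOCKED:
        return frozenset()
    found = set()
    for control in controls:
        if not control.enabled:
            continue
        if any(matches(p, name) for p in control.applications):
            if control.behavior == NO_RESTRICTIONS:
                return frozenset()
            found.add(control.behavior)
    return frozenset(found)


def risky_wildcards(controls):
    """Pre-deployment check for the CAUTION: (control name, pattern) pairs whose
    No Execution entry would block every .exe, .dll, .bin or .lib file."""
    flagged = []
    for control in controls:
        if not control.enabled or control.behavior != NO_EXECUTION:
            continue
        for pattern in control.applications:
            if any(matches(pattern, probe) for probe in PROBE_NAMES):
                flagged.append((control.name, pattern))
    return flagged


# Constructed controls mirroring the page's own examples.
CONTROLS = [
    AppControl("Messaging Applications", NO_EXECUTION, ("App1.exe", "App2.exe", "App3.exe")),
    AppControl("Internet Media Applications", NO_INTERNET, ("App4.exe", "App5.exe")),
    AppControl("Batch and Installers", NO_EXECUTION, ("*.bat", "*setup*.exe")),
    AppControl("App2 Exception", NO_RESTRICTIONS, ("App2.exe",)),
    AppControl("Old Rule", NO_EXECUTION, ("iexplore.*",), enabled=False),
]

if __name__ == "__main__":
    for path in (r"D:\im\app1.exe", r"E:\app2.exe", r"C:\Windows\app1.exe",
                 r"C:\Users\me\explorer.exe", r"F:\x\Setup_x64.EXE",
                 r"\\server\share\App4.exe", r"G:\iexplore.exe"):
        print(f"{path:30} -> {sorted(effective_restrictions(CONTROLS, path))}")
    print("risky:", risky_wildcards(CONTROLS + [AppControl("Too Broad", NO_EXECUTION, ("*.exe",))]))
```

Run it against the application lists you intend to deploy; anything risky_wildcards reports should be narrowed (for example *setup*.exe rather than *.exe) before the policy reaches a device.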

The following entries provide instructions for managing the policy’s application controls. Each entry gives the task, its steps, and any additional details:

Create a new application control

  1. Click Add > Create New.

  2. Fill in the following fields:

    Name: Specify a unique name for the control. The name must be different than any other application control. For information about valid characters, see Naming Conventions in ZENworks Control Center.

    Description: This information is optional. You can provide text that helps identify the purpose, creator, or owner of the control.

    Default Behavior: Select one of the following behaviors:

    • No Execution: Blocks the application from executing. Blocks a non-executable file from opening.

    • No Internet Access: Blocks the application from accessing Internet content.

    • No Restrictions: Removes any restrictions (No Execution or No Internet Access) from the application. This enables you to override any restrictions for the application that might be inherited from another Application Control policy.

    Applications: Specify the applications or files to control. To do so, click New, type the name of the application or file, then click OK to add it to the list.

    Specify the full name of the application or file, including its extension, or use the asterisk wildcard as described under Wildcard usage above. A partial name without a wildcard does not match. For example, to specify Notepad, enter notepad.exe (or notepad.*), not just notepad.

    Do not specify a path. The control behavior is applied to all instances of the application regardless of location, because matching is on the file name only; a copy of the application saved under a different name does not match the control.

    Define Another Application Control: Select this option to create another application control after you finish with this one.

  3. Click OK to save the control.

    By default, the application control is enabled. If you do not want it enabled at this time, deselect the Enabled box. Disabling the application control leaves it in the policy but excludes it from being enforced when the policy is applied to a device.

The following applications cannot be blocked:

  • winlogon.exe

  • svchost.exe

  • taskmgr.exe

  • lsass.exe

  • wmiprvse.exe

  • services.exe

  • explorer.exe

  • smss.exe

  • dllhost.exe

  • csrss.exe

Copy an existing application control list from another policy

  1. Click Add > Copy Existing.

  2. Select the Application Control policies whose lists you want to copy.

  3. Click OK.

All application controls included in the selected policies are copied. If necessary, you can edit the copied controls after they are added to the list.

Import an application control from a policy export file

  1. Click Add > Import.

  2. Click the button.

  3. Click the Browse button to display the File Upload dialog box.

  4. Select the export file containing the application controls you want to import, then click Open.

  5. In the Select File dialog box, click OK.

  6. In the Import File dialog box, click OK to import the application controls to the list.

All application controls included in the export file are imported. If necessary, you can edit the imported controls after they are added to the list.

For information about exporting controls, see Export an application control.

Edit an application control

  1. Click the application control name.

  2. Modify the fields as desired.

  3. Click OK.

Rename an application control

  1. Select the check box next to the application control name, then click Edit > Rename.

  2. Modify the name as desired.

  3. Click OK.

Export an application control

  1. Select the check box next to the application control name.

    You can select multiple controls to export.

  2. Click Edit > Export.

  3. Save the file.

    The default name given to the file is sharedComponents.xml. You can change the name if desired. Do not change the .xml extension.

Delete an application control

  1. Select the check box next to the application control name, then click Delete.

  2. Click OK to confirm deletion of the control.

Configure Enforcement Behavior on Running Processes

The enforcement behavior determines when enforcement occurs for applications that are already running when the policy is applied. Choose from the following options:

  • Ignore: Do not enforce the application control behavior. For example, if the application is not allowed to execute (No Execution setting), allow the application to continue to run. Or, if the application is not allowed to access the Internet (No Internet Access setting), allow the application to continue to access the Internet.

  • Enforce immediately: Enforce the application control behavior immediately. For example, if the application is not allowed to execute (No Execution setting), terminate the application immediately.

    With immediate enforcement, the user does not receive any warning. If you want the user to know why the application was terminated, you can use the Display message when enforcing behavior option.

  • Enforce after XX minutes: Enforce the application control behavior after the specified number of minutes. For example, if you set this option to 5 minutes (the default) and the application is not allowed to execute (No Execution setting), the application is terminated after 5 minutes.

    If the application is running when the policy is applied, a Policy Violations dialog box is displayed to inform the user that the application will be terminated after the specified number of minutes. The dialog box includes the application executable name and a countdown of the time remaining until the application is terminated. If multiple applications violate the policy, all applications are listed.

    • Allow the user to delay enforcement for an additional XX minutes: Select this option if you want to allow the user to delay the enforcement beyond the time specified by the Enforce after XX minutes option. The additional time is applied only if the user clicks the Delay All button in the Policy Violations dialog box.

      For example, assume that you set the Enforce after XX minutes option to 5 minutes and this option to 10 minutes. At any time before the first 5 minutes expires, the user can click the Delay All button to delay the enforcement for an additional 10 minutes.

  • Display message when enforcing behavior: You can also display a message when enforcing the application control behavior. For example, if you select the Enforce immediately option, you can display a message informing the user why the application was terminated.

    To use a display message, select the Display message when enforcing behavior option, then fill in the following fields:

    • Title of Message Window: Specify the Message Window’s title. For example, “Application Shutdown Alert.”

    • Body: Provide the text for the message body.

    • Message Hyperlink: If you want to include a hyperlink in the message, select Include message hyperlink, then fill in the following:

      • Display Text: The text to display as the hyperlink in the message.

      • Link: The Web URL opened when the display text is clicked. Any link that starts with http, https, or www is treated as a Web URL and launches a Web browser.

        For example, you might link to www.acme.com/appusage to open a Web page that provides your corporate policy on authorized application usage.
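The running-process enforcement options above have one timing rule that is easy to get wrong when planning a rollout: the user's extra delay counts only if Delay All is clicked before the Enforce after XX minutes countdown expires. The Python below is an added example for this page, not ZENworks code; it models the three modes and the Policy Violations countdown in whole minutes from the moment the policy is applied. It assumes a single Delay All click (the page does not say the button can be used repeatedly) and reads "an additional XX minutes" as extending the original deadline rather than restarting from the click.

```python
from dataclasses import dataclass

IGNORE = "Ignore"
IMMEDIATE = "Enforce immediately"
AFTER = "Enforce after XX minutes"


@dataclass
class RunningProcessEnforcement:
    mode: str
    enforce_after_minutes: int = 5   # the page's default for Enforce after XX minutes
    user_delay_minutes: int = 0      # 0 means "Allow the user to delay" is not selected


def termination_minute(setting, delay_clicked_at=None):
    """Minute, relative to policy application, at which a running No Execution
    application is terminated; None means it is left running (Ignore).

    delay_clicked_at is the minute at which the user clicked Delay All, or None.
    The extra time is granted only if the click precedes the original deadline
    (assumption: one click; the page does not describe repeated delays)."""
    if setting.mode == IGNORE:
        return None
    if setting.mode == IMMEDIATE:
        return 0
    deadline = setting.enforce_after_minutes
    if (setting.user_delay_minutes > 0 and delay_clicked_at is not None
            and delay_clicked_at < deadline):
        deadline += setting.user_delay_minutes
    return deadline


def policy_violations_dialog(violating_exes, setting, now_minute, delay_clicked_at=None):
    """Lines the Policy Violations dialog would show at now_minute: every
    violating executable with its remaining time. Empty for Ignore and Enforce
    immediately (no dialog is shown) and once the deadline has passed."""
    if setting.mode != AFTER:
        return []
    remaining = termination_minute(setting, delay_clicked_at) - now_minute
    if remaining <= 0:
        return []
    return [f"{exe}: terminated in {remaining} min" for exe in violating_exes]


if __name__ == "__main__":
    # Constructed scenario: 5-minute countdown, 10-minute user delay allowed.
    setting = RunningProcessEnforcement(AFTER, enforce_after_minutes=5, user_delay_minutes=10)
    for clicked in (None, 3, 5, 7):
        print(f"Delay All at {clicked}: terminated at minute {termination_minute(setting, clicked)}")
    for line in policy_violations_dialog(["App1.exe", "App3.exe"], setting, now_minute=2):
        print(line)
```

The click at minute 5 or 7 in the scenario above does nothing, which is why the dialog's countdown matters to users: the delay has to be requested while time remains.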