These settings let you control user activities within Workspace Environment Management.
To control which applications users can run, you can use either the Windows AppLocker interface, or Workspace Environment Management to manage Windows AppLocker rules. You can switch between these approaches at any time but we recommend that you do not use both approaches at the same time.
These settings allow you to control the applications users are permitted to run by defining rules. This functionality is similar to Windows AppLocker. When you use Workspace Environment Management to manage Windows AppLocker rules, the agent processes (converts) Application Security tab rules into Windows AppLocker rules on the agent host. If you stop the agent processing rules, they are preserved in the configuration set and AppLocker continues running by using the last set of instructions processed by the agent.
This tab lists the application security rules in the current Workspace Environment Management configuration set. You can use Find to filter the list according to a text string.
When you select the top-level item “Application Security” in the Security tab, the following options become available to enable or disable rule processing:
Process Application Security Rules. When selected, the Application Security tab controls are enabled and the agent processes rules in the current configuration set, converting them into AppLocker rules on the agent host. When not selected, the Application Security tab controls are disabled and the agent does not process rules into AppLocker rules. (In this case AppLocker rules are not updated.)
This option is not available if the Workspace Environment Management administration console is installed on Windows 7 SP1 or Windows Server 2008 R2 SP1 (or earlier versions).
Process DLL Rules. When selected, the agent processes DLL rules in the current configuration set into AppLocker DLL rules on the agent host. This option is only available when you select Process Application Security Rules.
If you use DLL rules, you must create a DLL rule with “Allow” permission for each DLL that is used by all the allowed apps.
If you use DLL rules, users may experience a reduction in performance. This happens because AppLocker checks each DLL that an app loads before it is allowed to run.
The Overwrite and Merge settings let you determine how the agent processes application security rules.
- Overwrite. Lets you overwrite existing rules. When selected, the rules that are processed last overwrite rules that were processed earlier. We recommend that you apply this mode only to single-session machines.
- Merge. Lets you merge rules with existing rules. When conflicts occur, the rules that are processed last overwrite rules that were processed earlier. If you need to modify the rule enforcement setting during merging, use overwrite mode because merge mode will keep the old value if it differs.
Rules belong to AppLocker rule collections. Each collection name indicates how many rules it contains, for example (12). Click a collection name to filter the rule list to one of the following collections:
- Executable Rules. Rules which include files with the .exe and .com extensions that are associated with an application.
- Windows Rules. Rules which include installer file formats (.msi, .msp, .mst) which control the installation of files on client computers and servers.
- Script Rules. Rules which include files of the following formats: .ps1, .bat, .cmd, .vbs, .js.
- Packaged Rules. Rules which include packaged apps, also known as Universal Windows apps. In packaged apps, all files within the app package share the same identity. Therefore, one rule can control the entire app. Workspace Environment Management supports only publisher rules for packaged apps.
- DLL Rules. Rules which include files of the following formats: .dll, .ocx.
When you filter the rule list to a collection, the Rule enforcement option is available to control how AppLocker enforces all rules in that collection on the agent host. The following rule enforcement values are possible:
Off (default). Rules are created and set to “off,” which means they are not applied.
On. Rules are created and set to “enforce,” which means they are active on the agent host.
Audit. Rules are created and set to “audit,” which means they are on the agent host in an inactive state. When a user runs an app that violates an AppLocker rule, the app is allowed to run and the information about the app is added to the AppLocker event log.
You can import rules exported from AppLocker into Workspace Environment Management. Imported Windows AppLocker settings are added to any existing rules in the Security tab. Any invalid application security rules are automatically deleted and listed in a report dialog.
In the ribbon, click Import AppLocker Rules.
Browse to the XML file exported from AppLocker containing your AppLocker rules.
The rules are added to the Application Security rules list.
Select a rule collection name in the sidebar. For example, to add an executable rule select the “Executable Rules” collection.
Click Add Rule.
In the Display section, type the following details:
- Name. The display name of the rule as it appears in the rule list.
- Description. Additional information about the resource (optional).
In the Type section, click an option:
- Path. The rule matches a file path or folder path.
- Publisher. The rule matches a selected publisher.
- Hash. The rule matches a specific hash code.
In the Permissions section, click whether this rule will Allow or Deny applications from running.
To assign this rule to users or user groups, in the Assignments pane, choose users or groups to assign this rule to. The “Assigned” column shows a “check” icon for assigned users or groups.
- You can use the usual Windows selection modifier keys to make multiple selections, or use Select All to select all rows.
- Users must already be in the Workspace Environment Management Users list.
- You can assign rules after the rule is created.
Specify the criteria the rule matches, depending on the rule type you choose:
- Path. Specify a file path or folder path the rule to match. When you choose a folder, the rule matches all files inside and below that folder.
- Publisher. Specify a signed reference file, and then use the Publisher Info slider to tune the level of property matching.
- Hash. Specify a file. The rule matches the hash code of the file.
Add any exceptions you require (optional). In Add exception, choose an exception type then click Add. (You can Edit and Remove exceptions as required.)
To save the rule, click Create.
Select one or more rules in the list, then click Edit in the toolbar or context menu. In the editor, select the rows containing the users and user groups you want to assign the rule to, then click OK. You can also unassign the selected rules from everyone using Select All to clear all selections.
Note: If you select multiple rules and click Edit, any rule assignment changes for those rules are applied to all users and user groups you select. In other words, existing rule assignments are merged across those rules.
Click Add Default Rules. A set of AppLocker default rules is added to the list.
Select one or more rules in the list, then click Edit in the toolbar or context menu. The editor appears allowing you to adjust settings which apply to the selection you made.
Select one or more rules in the list, then click Delete in the toolbar or context menu.
You can back up all application security rules in your current configuration set. Rules are all exported as a single XML file. You can use Restore to restore the rules to any configuration set. In the ribbon, click Backup then select Security Settings.
You can restore application security rules from XML files created by the Workspace Environment Management backup command. The restore process replaces the rules in the current configuration set with those rules in the backup. When you switch to or refresh the Security tab, any invalid application security rules are detected. Invalid rules are automatically deleted and listed in a report dialog, which you can export.
During the restore process, you can choose whether you want to restore rule assignments to users and user groups in your current configuration set. Reassignment only succeeds if the backed-up users/groups are present in your current configuration set/active directory. Any mismatched rules are restored but remain unassigned. After restore, they are listed in a report dialog which you can export in CSV format.
1. In the ribbon, click Restore to start the restore wizard.
2. Select Security settings, then click Next twice.
3. In Restore from folder, browse to the folder containing the backup file.
4. Select AppLocker Rule Settings, then click Next.
5. Confirm whether you want to restore rule assignments or not:
Yes. Restore rules and reassign them to the same users and user groups in your current configuration set.
No. Restore rules and leave them unassigned.
6. To start restoring, click Restore Settings.
These settings allow you to whitelist or blacklist specific processes.
Enable Process Management. This toggles whether process whitelists/blacklists are in effect. If disabled, none of the settings on the Process BlackList and Process WhiteList tabs are taken into account.
This option only works if the session agent is running in the user’s session. To do this use the Main Configuration Agent settings to set the Launch Agent options (at Logon/at Reconnect/for Admins) to launch according to the user/session type, and set Agent Type to “UI”. These options are described in Advanced Settings.
These settings allow you to blacklist specific processes.
Enable Process Blacklist. This enables process blacklisting. You must add processes by using their executable name (for example, cmd.exe).
Exclude Local Administrators. Excludes local administrator accounts from the process blacklisting.
Exclude Specified Groups. Allows you to exclude specific user groups from process blacklisting.
These settings allow you to whitelist specific processes. Process blacklists and process whitelists are mutually exclusive.
Enable Process Whitelist. This enables process whitelisting. You must add processes by using their executable name (for example, cmd.exe). Note If enabled, Enable Process Whitelist automatically blacklists all processes not in the whitelist.
Exclude Local Administrators. Excludes local administrator accounts from the process whitelisting (they are able to run all processes).
Exclude Specified Groups. Allows you to exclude specific user groups from process whitelisting (they are able to run all processes).