Workspace Environment Management

Security

Application security

The Application security feature lets you define rules that control which applications and files users can run. You configure the rules in the web console, and the WEM Tool Hub provides a File Info Viewer that retrieves the information a rule needs (path, publisher, or file hash). You can also create assignment groups that carry security rules. When Process application rules and Process DLL rules are enabled, Overwrite mode is turned on by default. In Overwrite mode, rules processed later overwrite rules processed earlier, so the last rule processed for a file decides its outcome. We recommend that you apply this mode only to single-session machines. This feature lets you create the following rule types:

  • Executable rules
  • Windows installer rules
  • Script rules
  • Packaged app rules
  • DLL rules

Note:

Before creating rules, we recommend that you add the default rules first, so that important system files can still run once enforcement starts.

Create Windows installer rule

The Create Windows installer rule page has two sections, Basic information and Exceptions. To create a Windows installer rule, complete the following steps under Basic information and Exceptions:

  • Select Create rule to open the Create Windows installer rule page.
  • Enter a name and an optional description.
  • Choose the desired Action.
  • Select the Criteria type from the drop-down list: Path, Publisher, or File hash.
  • Select Open File Info Viewer to go to the WEM Tool Hub, where you can quickly get the required values. For more information, see File Info Viewer.
  • Optionally, add exceptions to exclude files that the primary criteria would otherwise include. To do so, select Add exception.
  • In the WEM Tool Hub, copy the data for one of the specified criteria from File Info Viewer, then click Paste from File Info Viewer.
  • Click Done.
  • Select Continue to assignment to update the assignments as required on the Manage assignments page.
  • Select the Assignment targets (users and groups) to assign this rule to. Use filters to contextualize the assignment. Filters are effective only in Overwrite mode and are supported only on agent versions 2406 or later.
  • Enter an asterisk (*) as the criterion if the rule must apply to all files. Because such a rule matches every file of that type, confirm that its Action is the one you intend before assigning it.
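The Path, Publisher and File hash criteria above all describe properties of a file that Windows can report directly. The following PowerShell script is an added example, not part of the WEM documentation or the WEM Tool Hub, that gathers those properties for one executable or installer so you can see where the File Info Viewer values come from. It assumes a flat SHA-256 of the file; the page does not state which hash WEM expects, so the value pasted from File Info Viewer remains the authoritative one.

```powershell
# Added example (not WEM's own code): collect the values that Path, Publisher and
# File hash rule criteria are built from, for a single file.
# Assumption: a flat SHA-256 is shown; WEM's File Info Viewer is authoritative.
function Get-RuleCriteriaInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Path
    )
    process {
        $item = Get-Item -LiteralPath $Path -ErrorAction Stop
        $sig  = Get-AuthenticodeSignature -FilePath $item.FullName
        $ver  = $item.VersionInfo

        # A publisher criterion needs the signer plus product, binary name and version.
        # An unsigned or tampered file has no usable publisher; only path or hash can match it.
        $publisher = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { $null }

        [pscustomobject]@{
            Path            = $item.FullName
            SignatureStatus = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            Publisher       = $publisher
            ProductName     = $ver.ProductName
            BinaryName      = $ver.OriginalFilename
            FileVersion     = $ver.FileVersion
            Sha256          = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
        }
    }
}

# Usage: inspect Microsoft's installer engine, the only deployer privilege elevation covers.
Get-RuleCriteriaInfo -Path "$env:SystemRoot\System32\msiexec.exe" | Format-List
```

When choosing a criteria type, prefer Publisher for signed software: a hash changes with every update and has to be re-entered, and a path rule is only as strong as the NTFS permissions on that path, because anything a user can write into an allowed folder inherits the rule.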

Privilege elevation

The Privilege elevation feature defines rules that run specific programs with administrator privileges. You can elevate non-administrative users to the administrator level that some executables require, so those users can start the executables as if they were members of the administrators group.

Privilege elevation options

  • Process privilege elevation rules: When selected, agents process privilege elevation settings, and the other options on the Privilege Elevation tab become available.

  • Apply to Windows Server OSs: Controls whether privilege elevation settings apply to Windows Server operating systems. If selected, rules assigned to users also work on Windows Server machines. This option is disabled by default.

  • Enforce RunAsInvoker: Controls whether all executables are forced to run under the current Windows account. If selected, users are not prompted to run executables as administrators.

This pane also displays the complete list of rules that you have configured. Click Executable Rules, Windows Installer Rules, or Self-elevation to filter the list to one rule type, and use Find to search it. The Assigned column shows a check mark for rules that are assigned to users or user groups.

Supported rules

You can configure privilege elevation using two types of rules, executable rules and Windows installer rules, plus a self-elevation rule that is created automatically when the Self-elevation toggle is enabled.

  • Executable Rules: Rules that cover files with .exe and .com extensions associated with an application.

  • Windows Installer Rules: Rules that cover installer files with .msi and .msp extensions associated with an application. When you add Windows installer rules, consider the following:

    • Privilege elevation applies only to Microsoft's msiexec.exe. Make sure that the tool you use to deploy .msi and .msp Windows installer files is msiexec.exe.
    • If a process matches a Windows installer rule and its parent process matches an executable rule, the process gets elevated privileges only when Apply to Child Processes is enabled in that executable rule. Because that setting elevates every child the executable spawns, not only msiexec.exe, scope such executable rules tightly.
  • Self-elevation: When enabled, the Run with administrator privileges option is added to the context menu that appears when you right-click a file. After selecting this option, the user is prompted to provide a reason for the elevation; the elevation is then allowed or denied based on the criteria you specify, not on the reason given. To configure the rule, use WEM Tool Hub > File Info Viewer to quickly get the required information, such as path, publisher, and hash values. You can also specify the time period and the days of the week during which the rule is effective, and optionally set criteria that determine the machines on which it applies. When the Self-elevation toggle is enabled for the first time in a configuration set, the self-elevation rule is created and appears in the rule list when you manage assignments for an assignment target. Once created, the rule is never removed.

You can specify the time period during which the rule is effective. Also, you can optionally set the criteria to determine on which machines the rule applies. You can choose to match all or any of the following criteria:

  • Machine catalog name
  • Delivery group name
  • Device name
  • IP address
  • OS platform type
  • OS version
  • Persistent machine status
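The Windows installer rule scenario above turns on two questions about a running installation: is the installer engine really Microsoft's msiexec.exe, and which parent process launched it (and so needs an executable rule with Apply to Child Processes)? The following PowerShell diagnostic is an added example, not part of the WEM documentation, that answers both from a process snapshot. It assumes the Win32_Process view is read once, so a parent that already exited (common with setup wrappers) is reported as "<exited>".

```powershell
# Added example (not WEM's own code): for every running msiexec.exe, report whether
# it is Microsoft's signed installer engine and which binaries launched it.
# Assumption: a single Win32_Process snapshot; parents that have exited are not resolvable.
function Get-MsiexecParentChain {
    $procs = Get-CimInstance -ClassName Win32_Process
    $byId  = @{}
    foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }

    foreach ($msi in ($procs | Where-Object Name -eq 'msiexec.exe')) {
        # Privilege elevation covers only Microsoft's msiexec.exe: verify the signer.
        $isMicrosoft = $false
        if ($msi.ExecutablePath) {
            $sig = Get-AuthenticodeSignature -FilePath $msi.ExecutablePath
            $isMicrosoft = ($sig.Status -eq 'Valid') -and
                           ($sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
        }

        # Walk ParentProcessId upwards; stop when the parent is not in the snapshot
        # (exited, or PID 0) and cap the depth so a recycled PID cannot loop forever.
        $chain    = @()
        $parentId = [int]$msi.ParentProcessId
        while ($byId.ContainsKey($parentId) -and $chain.Count -lt 10) {
            $parent = $byId[$parentId]
            if ($parent.ExecutablePath) { $chain += $parent.ExecutablePath } else { $chain += $parent.Name }
            $parentId = [int]$parent.ParentProcessId
        }
        if ($chain.Count -eq 0) { $chain = @('<exited>') }

        [pscustomobject]@{
            ProcessId          = $msi.ProcessId
            CommandLine        = $msi.CommandLine
            IsMicrosoftMsiexec = $isMicrosoft
            ParentChain        = ($chain -join ' <- ')
        }
    }
}

# Usage: run while an installation is in progress on the target machine.
Get-MsiexecParentChain | Format-List
```

The first entry in ParentChain is the executable an executable rule would have to match for the installer rule to take effect through Apply to Child Processes. If it is a generic host such as explorer.exe or a command shell, elevating it would elevate far more than the installer, which is the trade-off the child-process scenario above asks you to weigh.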

After you select Executable Rules, Windows Installer Rules, or Self-elevation, the Actions section displays the following actions for that rule type:

  • Edit. Edits the selected rule.

  • Delete. Deletes the selected rule.

  • Create Rule. Creates a rule of the selected type. Follow the wizard instructions.
