Application Control powered by AppSense

Ivanti Application Control is the new name for AppSense Application Manager

Browser Control

About Browser Control

In the Browser Control node, you can:

  • Configure URL redirection
  • Add elevated websites
  • Add web installations
  • Import snippets

When a new configuration containing Browser Control items, such as URL Redirection, is deployed to endpoints, users need to close and re-open browsers before the configuration can take effect. Closing and re-opening the browsers enables the browser extensions. If an existing configuration with Browser Control is updated with additional Browser Control items, the updated configuration takes effect as soon as it is deployed. The browser extensions are already enabled, so it's not necessary to close and reopen browsers.

Configure URL Redirection

Use this feature to automatically redirect users when they attempt to access a sensitive URL. By defining a list of denied or sensitive URLs, you redirect any user attempting to access a listed URL to a default warning page or a custom page.

Before you configure this feature for Internet Explorer, you must enable third-party browser extensions using Internet Options for each of your endpoints. Alternatively, this can be applied via Group Policy.

URL Redirection is compatible with Internet Explorer 8, 9, 10, and 11. When using Chrome, all managed endpoints must be part of a domain.

URL Redirection is configured in the Add URL to Redirect dialog accessed from the Browser Control ribbon. The URL Redirection functionality is enabled or disabled for the application in Advanced Settings, accessible via the Manage ribbon.

In versions prior to Application Control 10.0, URL Redirection was a global setting accessed via the Manage ribbon. Configurations containing URL Redirections that were created in versions 8.8 and 8.9 of the product can be opened in the console and automatically upgraded in version 10.0. The URL Redirections are converted to Custom rules that contain the following:

  • Matching conditions for connection types, IP addresses, and port numbers.
  • Browser Control items for the sensitive URLs (listed on the URL Redirection tab).

If you don't upgrade the configuration, the version 10.0 agent still reads the configuration, but the URL Redirection and Custom rules are ignored. The rest of the configuration still applies.

Enable or Disable URL Redirection

  1. In the Manage ribbon, click Advanced Settings.

    The Advanced Settings dialog displays.

  2. In the Policy Settings tab, go to the Functionality section and either select or deselect the Enable URL Redirection checkbox.
  3. Click OK.

Add URL Redirection to a Rule

  1. In the Application Control navigation pane, select the Browser Control node for the rule to which you want to add URL redirection.
  2. In the Browser Control ribbon, select Add Item > Add URL.

    The Add URL to Redirect dialog displays.

  3. Enter the denied URL.
  4. Choose the response when a user attempts to access the prohibited URL:
    • Display the default warning page when a URL is redirected - the user is directed to the default "Access is denied" page.
    • Display a custom page when a URL is redirected - specify an alternative location instead of displaying the default warning page. For example, this could be a location within your organization's network, a file on a disk, your intranet or another website.
  5. Enter an optional description for your future reference.
  6. Click Add.

The prohibited URL, the redirection URL, and any description you added are now listed in the columns on the URL Redirection tab of the Browser Control work area.

An AAMP configuration is created with the Elevated Website feature configured and can be deployed to your endpoints. When a user accesses the specified webpage, the original browser is redirected to a warning page and a new instance of IE is spawned. The new browser will have full administrative rights and permit any components to be run.

Add a Web Installation

A number of Web Installations require the end user to have administrative rights. For example, an ActiveX control such as Adobe Flash Player or a web download such as Microsoft Silverlight.

The Web Installation feature of Browser Control allows the elevation to administrative privileges for ActiveX installers from a particular domain. You can create a basic configuration whereby you enter the name of the domain only, or you can create an advanced configuration and specify the CAB file for an item, its Class ID, and the minimum and maximum versions. You can also specify that only signed controls from the domain can be installed.

  1. Navigate to the Browser Control node under your selected rule.
  2. In the Browser Control ribbon, select Add Item > Add Web Installation.

    The Add New Web Installation dialog displays.

  3. Enter a descriptive Name for the web installation.
  4. If you want to allow only signed controls, select the relevant checkbox.
  5. Enter the Website URL for the installation. For example, enter adobe.com to allow installations from all of adobe.com.
  6. Click Add.

The Websites tab in the Browser Control work area displays the name of the new web installation.

Add a Web Installation (Advanced Settings)

  1. Navigate to the Browser Control node under your selected rule.
  2. In the Browser Control ribbon, select Add Item > Add Web Installation.

    The Add New Web Installation dialog displays.

  3. Enter a descriptive Name for the web installation.
  4. If you want to allow only signed controls, select the relevant checkbox.
  5. Select Use advanced settings.

    The Advanced Settings section becomes active.

  6. Enter the Installer URL, for example http://www.example.com/control.cab.
  7. Complete the following fields, or leave them blank to be ignored: Class ID, Minimum Version, and Maximum Version.
  8. Click Add.

The Websites tab in the Browser Control work area displays the name of the new web installation.

Import Snippets

Snippets give Application Control the ability to import and merge partial configurations into a currently open configuration in the console.

This is particularly useful for web installations because, along with creating the web installation part of the configuration, a number of other configurable items need to be considered. These include Process Rules, Allowed Items, Trusted Vendors, any Digital Certificates, Elevated items, and so on.

The latest snippets can be downloaded by logging onto the Support Portal.

Download Recent Snippets from MyAppSense

  1. Select a rule.
  2. In the Browser Control ribbon, select Import Snippet.

    The Import Snippet dialog displays.

  3. Click the Support Portal link in the dialog.

    The most recent snippets are displayed.

  4. Select a snippet and save it to C:\Program Files\AppSense\Application Control\Console\Snippets. This is the default location.

    The snippet is now available in the Import Snippet dialog.

  5. Select the snippet and click Add.
  6. To view what is included in the snippet, click the View the items that will be added to the configuration link.

    A configuration report displays.

  7. Click Continue.

The snippet is imported and you can view the items in the various nodes in the console.

Add Elevated Websites

This feature is only supported in 32-bit versions of Internet Explorer 8, 9, 10 and 11.

The Elevated Website feature allows you to define a particular URL which opens in a separate secured, but elevated, instance of Internet Explorer. When elevated, the user is granted administrative privileges allowing them to install and execute components such as additional software or ActiveX controls specific to the site.

Before you configure this feature, you must enable third-party browser extensions using Internet Options for each of your endpoints. Alternatively, this can be applied via Group Policy.

It is recommended that this feature is only used for internal websites which require elevation to run content such as diagnostic tools or a moderated portal containing administrator approved software.

You should not elevate websites that may allow users to obtain software which may pose a security risk to your network, such as through pop-ups, search bars or external links.

  1. Select the Browser Control node under your selected group.
  2. Select the Browser Control ribbon.
  3. Click Add Item and select Add Elevated Website.

    The Add New Elevated Website dialog displays.

  4. Enter a meaningful description for your reference.
  5. Enter the web address in the Website URL field.

    You can use regular expressions to define websites. To use this functionality, select Use regular expression and enter the website URL criteria. For example, https://.+\.com$ elevates and redirects any secure website with the .com extension, such as https://www.cisco.com, but does not elevate and redirect http://www.cisco.com.

  6. Click Add.
  7. Save the AAMP file.
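
A pre-deployment check for the regular-expression option in step 5, added here as an example and not part of the product or its documentation: it lists which URLs a candidate pattern matches and flags those whose host is outside the set you intend to elevate. It assumes the pattern is searched against the full URL string with common regex semantics; the sample URLs, the host tools.corp.example and the tighter pattern are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Pattern quoted on this page for the "Use regular expression" option.
PAGE_PATTERN = r"https://.+\.com$"

# Hypothetical tighter pattern: https only, one intended internal host,
# host terminated by an optional port, a "/" or end of string.
TIGHT_PATTERN = r"^https://tools\.corp\.example(:443)?(/.*)?$"

# Constructed sample URLs (only the cisco.com pair comes from the page).
SAMPLE_URLS = [
    "https://www.cisco.com",
    "http://www.cisco.com",
    "https://tools.corp.example/diag",
    "https://files.example.net/download/setup.com",
    "https://portal.example.org/?next=a.com",
    "https://tools.corp.example.other.example/diag",
]


def matched_urls(pattern, urls):
    """Return the URLs in which the pattern is found (assumed search semantics)."""
    rx = re.compile(pattern)
    return [u for u in urls if rx.search(u)]


def unintended_matches(pattern, urls, intended_hosts):
    """Return matched URLs whose host is not in the intended set."""
    flagged = []
    for url in matched_urls(pattern, urls):
        host = (urlsplit(url).hostname or "").lower()
        if host not in intended_hosts:
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    for name, pat, hosts in [
        ("page pattern", PAGE_PATTERN, {"www.cisco.com"}),
        ("tight pattern", TIGHT_PATTERN, {"tools.corp.example"}),
    ]:
        print(name, "matches:", matched_urls(pat, SAMPLE_URLS))
        print(name, "outside intended hosts:",
              unintended_matches(pat, SAMPLE_URLS, hosts))
```

Because `.+` also consumes `/`, `?` and `=`, the page's pattern matches URLs on .net and .org hosts whose path or query ends in `.com`; anchoring the host keeps elevation limited to the intended site.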
