Application Control powered by AppSense

Ivanti Application Control is the new name for AppSense Application Manager

Reference

Citrix XenApp

To set up Citrix XenApp streaming applications to work with certain elements of Application Control, you need to specify certain exclusions, as follows:

  1. Navigate to Citrix Streaming Profiler for Windows.
  2. Open the Application Profile.
  3. Highlight the relevant Target and select the Edit menu.
  4. Select Target Properties.

    The Target Properties screen displays.

  5. Select Rules.

    The Rules work area displays.

  6. Click Add in the Rules work area.

    The New Rule Select Action and Objects dialog displays.

  7. In the Action section leave the default setting as Ignore.
  8. In the Object section select Named Objects and click Next.

    The New Rule Select Objects dialog displays.

  9. Select Some Named Objects and click Add.

    The Choose Named Object dialog displays.

  10. Add \??\pipe\Appsense* and click OK.

    This displays in Named Objects on the New Rule Select Objects dialog.

  11. Click Next to display the New Rule Name Rule dialog.
  12. Enter a name for the rule or accept the default and click Finish.
  13. Click OK.

    The Target Properties screen displays and the Ignore all named objects rule is listed in the work area.

  14. Save the Profile.

Repeat for each Application Profile as required.

Web Services Configuration

Prerequisites

The system requirements for Application Manager Web Services are:

  • Microsoft .NET Framework 4.0 Full (x86 and x64)
  • Microsoft Visual C++ 2015 x86 Redistributable package. This is required for both x64 and x86 versions of Application Control.

For further information on required utilities and components, see the User Workspace Manager Install and Configure Guide.

Web Services Port Configuration

The Application Manager Web Service provides two communication routes:

  • With machines hosting the Application Control Agent to allow reporting of data.
  • With the Application Control Console to allow querying of collected data.

Communication with the Application Manager Web Service is via HTTP or optionally Secure HTTP (HTTPS), defaulting to the standard TCP ports 80 for HTTP and 443 for HTTPS. It is recommended that you use the default values, as these ports are already well known by firewall products and should provide the most trouble-free installation.

However, should you find that you have a port conflict with other software, follow the steps below to configure the Application Manager Web Service to use ports that are free.

Configure Application Manager Web Services to use SSL

This process describes how to configure the Application Manager Web Services to use secure sockets for communication.

  1. Click Start > Run and enter MMC.

    The Microsoft Management Console displays.

  2. Click File > Add/Remove Snap-in... 

    The Add or Remove Snap-ins dialog displays.

  3. Select Certificates and click Add.
  4. From the Certificates snap-in dialog, select Computer account and click Next.

  5. Click Finish and then OK.

    The snap-in is added to the MMC.

  6. From the navigation tree, select Certificates (Local Computer) > Personal.
  7. Right-click Personal and select All Tasks > Import...

    The Certificate Import Wizard displays.

  8. Click Next.
  9. Click Browse and select All Files in the Open dialog.

  10. Navigate to, and select, the required PFX file and click Open.
  11. Click Next.
  12. Enter the password for the private key and click Next.

  13. Select Automatically select the certificate store based on the type of certificate option and click Next.

  14. Click Next then OK to complete the import and close the wizard.
  15. Refresh the MMC.

    The certificate displays in the Personal > Certificates store.

  16. Right-click on the machine certificate and select Open.
  17. Select the Details tab.
  18. Select Thumbprint to display the value in the text box below.

  19. Copy the value and paste it into a text editor, such as Notepad.
  20. Remove any spaces from the value. This will be used for the certhash value in the commands entered in step 26.

  21. Click OK to close the certificate.
  22. Close MMC without saving.
  23. Stop Application Manager Web Services.
  24. From an elevated Notepad, open the following file:

    %ProgramFiles(x86)%\AppSense\ApplicationManager\AnalysisService\AnalysisServiceCore.dll.config

  25. In the file, change http://localhost:80/ondemand to https://localhost:443/ondemand and save.
  26. From an elevated CMD on the server, run the following commands, replacing the certhash values with your thumbprint value from step 20: 
    • netsh http add sslcert hostnameport=localhost:443 certhash=d3a081a09fbde478ecf58b22387955a5daeb87e4 appid={00000000-0000-0000-0000-000000000000} certstorename=my
    • netsh http add sslcert hostnameport=lb-svr2012-r2-5:443 certhash=d3a081a09fbde478ecf58b22387955a5daeb87e4 appid={00000000-0000-0000-0000-000000000000} certstorename=my
  27. Start Application Manager Web Services.
  28. From a browser, test the connection to the web service using https: https://lb-svr2012-r2-5/ondemand

  29. Authenticate with a valid user.

Configuring TCP port numbers used for Communication

For the two communication routes you can independently configure the ports used for HTTP and HTTPS, meaning up to four different port numbers could be configured.

However, for simplicity it is recommended that if you are changing port configuration that you make the same changes to both communication routes. If you are choosing to change the port used for HTTP, then make the change for HTTP on both routes and similarly if changing the Secure HTTP port.

Any firewalls on the machines participating in communication must allow connections over the configured ports.

Quick Setup

Use the following procedure to configure your ports.

  1. Open an administrator level Command Prompt and type: netsh http show urlacl

    A list of the reserved URLs displays.

  2. Verify that the following entries exist:

    Reserved URL : https://+:443/AmAnalysisService/
        User: NT AUTHORITY\LOCAL SERVICE
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;LS)

    Reserved URL : https://+:443/AmAnalysisQueryDataService/
        User: NT AUTHORITY\LOCAL SERVICE
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;LS)

    Reserved URL : https://+:443/OnDemand/
        User: NT AUTHORITY\LOCAL SERVICE
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;LS)

  3. Using a text editor, open the AMAnalysisServiceCore.dll.config located in:

    C:\Program Files(x86)\AppSense\ApplicationManager\AnalysisService\AMAnalysisServiceCore.dll.config

  4. In the text document search for the following statement:

    <add key="ON_DEMAND_SERVICE_URI" value="http://localhost:80/OnDemand/"/>

  5. Replace the statement with the following:

    <add key="ON_DEMAND_SERVICE_URI" value="https://localhost:443/OnDemand/"/>

  6. Save and close the text document.
  7. Using Internet Explorer, navigate to https://localhost:443/OnDemand.

The text editor must be elevated to save the document.
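A pre-flight check for the Quick Setup steps above, added here as an example; it is not part of Ivanti's product or documentation. It parses the output of netsh http show urlacl (a constructed sample listing is embedded so it runs offline) together with the ON_DEMAND_SERVICE_URI setting from AMAnalysisServiceCore.dll.config, and reports any required reservation that is missing, not owned by LOCAL SERVICE, or carrying an SDDL other than D:(A;;GX;;;LS). The sample listing, the weak-SDDL variant and the minimal config XML are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# The three reservations the Quick Setup step tells you to verify.
REQUIRED_PATHS = ("AmAnalysisService", "AmAnalysisQueryDataService", "OnDemand")
EXPECTED_USER = r"NT AUTHORITY\LOCAL SERVICE"
EXPECTED_SDDL = "D:(A;;GX;;;LS)"  # A = allow, GX = listen (generic execute), LS = Local Service

def parse_urlacl(text):
    """Parse 'netsh http show urlacl' output into {reserved_url (lower-cased): {field: value}}."""
    entries, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Reserved URL\s*:\s*(\S+)", line)
        if m:
            current = entries.setdefault(m.group(1).lower(), {})
            continue
        m = re.match(r"\s*(User|Listen|Delegate|SDDL)\s*:\s*(.+?)\s*$", line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
    return entries

def service_uri(config_xml):
    """Return (scheme, port) of the ON_DEMAND_SERVICE_URI <add> element in the .dll.config."""
    add = ET.fromstring(config_xml).find(".//add[@key='ON_DEMAND_SERVICE_URI']")
    m = re.match(r"(https?)://[^/:]+:(\d+)/", add.get("value"))
    return m.group(1), int(m.group(2))

def preflight(urlacl_text, config_xml):
    """Return the list of problems found; an empty list means the reservations match the config."""
    scheme, port = service_uri(config_xml)
    entries, problems = parse_urlacl(urlacl_text), []
    for path in REQUIRED_PATHS:
        url = f"{scheme}://+:{port}/{path}/"
        e = entries.get(url.lower())
        if e is None:
            problems.append(f"missing reservation {url}")
            continue
        if e.get("user") != EXPECTED_USER:
            problems.append(f"{url}: reserved for {e.get('user')!r}, not LOCAL SERVICE")
        if e.get("listen") != "Yes":
            problems.append(f"{url}: Listen is not Yes")
        if e.get("sddl") != EXPECTED_SDDL:
            problems.append(f"{url}: SDDL {e.get('sddl')!r} differs from {EXPECTED_SDDL}")
    return problems

# Constructed sample listing, shaped like the output shown in the Quick Setup step.
def _entry(url, user=EXPECTED_USER, sddl=EXPECTED_SDDL):
    return (f"    Reserved URL            : {url}\n        User: {user}\n"
            f"            Listen: Yes\n            Delegate: No\n            SDDL: {sddl}\n")

SAMPLE_OK = "".join(_entry(f"https://+:443/{p}/") for p in REQUIRED_PATHS)
# Same listing, but the OnDemand URL was reserved for Everyone (WD) instead of Local Service.
SAMPLE_WEAK = SAMPLE_OK.replace(
    _entry("https://+:443/OnDemand/"),
    _entry("https://+:443/OnDemand/", user="\\Everyone", sddl="D:(A;;GX;;;WD)"))
CONFIG = ('<configuration><appSettings>'
          '<add key="ON_DEMAND_SERVICE_URI" value="https://localhost:443/OnDemand/"/>'
          '</appSettings></configuration>')
```

Run preflight(SAMPLE_OK, CONFIG) to see a clean result and preflight(SAMPLE_WEAK, CONFIG) to see the over-permissive reservation flagged; on a real server, feed it the captured netsh output and the actual config file.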

Configuring the Windows HTTP Subsystem

The Application Manager Web Service uses the Port Sharing feature of Windows HTTP (HTTP.SYS), allowing it to co-exist with other applications making use of the same mechanism. At a basic level this is achieved by an application registering a portion of a URL, including a port number, for which it will be responsible for servicing requests.

The Application Manager Web Service runs under the account of Local Service, so you need to grant access to the port for that account. You can do this using the httpcfg.exe or netsh.exe tool, depending on the OS Version on which you have installed the Application Manager Web Services:

Running Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows 7, Windows 8, and Windows 8.1

Use the Netsh.exe tool to configure and display the status of various network communications server roles and components.

Do the following:

Open an administrator level Command Prompt and type: netsh http add urlacl sddl=D:(A;;GX;;;LS) url=<URL>

<URL> is the URL containing the port you wish to grant access to.

Configuring the Application Manager Web Services for Agent Configuration

Use the netsh.exe or httpcfg.exe tool with the following URLs and commands to configure each of the ports. The examples shown here use the netsh.exe tool but the same command parameters are used with httpcfg.exe:

HTTP Port

Enter http://+:<HTTP_PORT>/AmAnalysisService/

In this example, <HTTP_PORT> represents the port number you have chosen for standard HTTP communication.

For example, to use port 81 enter the command:

netsh http add urlacl sddl=D:(A;;GX;;;LS) url=http://+:81/AmAnalysisService/

Secure HTTP (HTTPS) Port

Enter https://+:<HTTPS_PORT>/AmAnalysisService/

In this example, <HTTPS_PORT> represents the port number you have chosen for Secure HTTP communication.

For example, to use port 444 enter the command:

netsh http add urlacl sddl=D:(A;;GX;;;LS) url=https://+:444/AmAnalysisService/

Configuring the Application Manager Web Services for Console Communication

Use the netsh.exe or httpcfg.exe tool with the following URLs and commands for each of the ports. The examples shown here use the netsh.exe tool but the same command parameters are used with httpcfg.exe:

HTTP Port

Enter http://+:<HTTP_PORT>/AmAnalysisQueryDataService/

In this example, <HTTP_PORT> represents the port number you have chosen for standard HTTP communication.

For example, to use port 81 enter the command:

netsh http add urlacl sddl=D:(A;;GX;;;LS) url=http://+:81/AmAnalysisQueryDataService/

Secure HTTP (HTTPS) Port

Enter https://+:<HTTPS_PORT>/AmAnalysisQueryDataService/

In this example, <HTTPS_PORT> represents the port number you have chosen for Secure HTTP communication.

For example, to use port 444 enter the command:

netsh http add urlacl sddl=D:(A;;GX;;;LS) url=https://+:444/AmAnalysisQueryDataService/

Editing the Application Manager Web Services Configuration

Editing the Application Manager Web Service configuration requires manual editing of its XML configuration file - AMAnalysisServiceCore.dll.config - located in the directory where the Application Manager Web Services are installed.

Default Installation Directories:

  • 32Bit OS - C:\Program Files\AppSense\Application Manager\AM Web Services
  • 64Bit OS - C:\Program Files (x86)\AppSense\Application Manager\AM Web Services

Caution: Before starting it is highly recommended that you take a backup copy of this file because an incorrect configuration can prevent the Application Manager Web Services from starting.

In the process below, <HTTP_PORT> is the port number you have chosen for standard HTTP communication.

  1. Using the Windows Services Administrative tool, stop the Application Manager Web Service.
  2. Open the AMAnalysisServiceCore.dll.config file in a text editor such as Notepad and navigate to the <services> XML tag.
  3. If required, do the following:
    • To reconfigure the Agent to Service communication, go to Step 4.
    • To reconfigure the Console to Service communication, go to step 9.
  4. To change the HTTP Port, navigate to the following XML tag:

    <service name="AmAnalysisServiceCore.AmAnalysisWebService">

  5. Select the webHttpNonSecureBinding attribute and replace the address value using the following format:

    address="http://localhost:<HTTP_PORT>/AmAnalysisService"

  6. To change the Secure HTTP Port, navigate to the following XML tag:

    <service name="AmAnalysisServiceCore.AmAnalysisWebService">

  7. Select the webHttpSecureBinding attribute and replace the address value using the following format:

    address="https://localhost:<HTTPS_PORT>/AmAnalysisService"

  8. To change the HTTP Port, navigate to the following XML tag:

    <service name="AmAnalysisServiceCore.AmQueryDataWebService">

  9. Select the wsHttpNonSecureBinding attribute and replace the address value using the following format:

    address="http://localhost:<HTTP_PORT>/AmAnalysisQueryDataService"

  10. To change the Secure HTTP Port, navigate to the following XML tag:

    <service name="AmAnalysisServiceCore.AmQueryDataWebService">

  11. Select the wsHttpSecureBinding attribute and replace the address value using the following format:

    address="https://localhost:<HTTPS_PORT>/AmAnalysisQueryDataService"

  12. Save and close the AMAnalysisServiceCore.dll.config file.

    The text editor must be elevated to save the document.

  13. Using a text editor, open the AMAnalysisServiceCore.dll.config located in:

    C:\Program Files(x86)\AppSense\ApplicationManager\AnalysisService\AMAnalysisServiceCore.dll.config

  14. In the text document search for the following statement:

    <add key="ON_DEMAND_SERVICE_URI" value="http://localhost:80/OnDemand/"/>

  15. Replace the statement with the following:

    <add key="ON_DEMAND_SERVICE_URI" value="https://localhost:443/OnDemand/"/>

  16. Save and close the text document.
  17. Using the Windows Services Administrative tool, start the Application Manager Web Service.

    If there are any problems starting the Service, refer to the Windows Event Log under AppSense for error data.

Wildcards and Regular Expressions

Application Control uses regular expressions when you select the Use regular expressions option when adding filenames, folder paths, command line arguments and metadata strings. Regular expressions are not supported for Groups and User Name Rules.

When using regular expressions, you need to check the expression fully before committing it. If the criteria are incorrectly entered, both complete and partial matches are returned.

Metacharacter Matches

^[a-f]+

"alice" matches because her name starts with a letter between a and f

"john" does not match because his name starts with a letter greater than f

"Alice" does not match because her name does not start with a lowercase letter

^[a-fA-F]+

"Alice" matches because with this expression uppercase letters are allowed

[a-zA-Z]+\d\d\d$

"UserWithThreeNumbers123" matches because the user name is made up of letters followed by three numbers

"UserWithFourNumbers1234" does not match because the user name has four numbers in it

(notepad)|(winword)|(calc).exe

notepad.exe matches because it is in the list

wordpad.exe does not match because it is not in the list

The information below shows examples of how regular expressions and wildcards can be used in Application Control.

Example: ^chkdsk((?!/[f|x]).)*$

Description: Used to allow users to run the check disk utility and view the result, but prevent fixing any errors on the disk using a /f (fix) parameter.
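The expressions from the tables above, run against the page's own sample names as an added example; this is not Ivanti's code. It assumes Application Control evaluates an expression with search semantics, so an unanchored pattern also yields the partial matches the page warns about, which is exactly what Python's re.search does; the input lists are constructed from the page's examples.

```python
import re

def matches(pattern, candidates):
    """Return the candidates the pattern matches; re.search reports partial matches too,
    mirroring the page's warning that both complete and partial matches are returned."""
    rx = re.compile(pattern)
    return [c for c in candidates if rx.search(c)]

# Constructed inputs, taken from or modelled on the page's own examples.
USERS = ["alice", "john", "Alice", "UserWithThreeNumbers123", "UserWithFourNumbers1234"]
FILES = ["notepad.exe", "wordpad.exe", "calc.exe", "notepad.txt"]
CMDS = ["chkdsk C:", "chkdsk C: /r", "chkdsk C: /f", "chkdsk C: /x"]

def page_examples():
    """Reproduce the table rows: each value is the list of inputs the expression matches."""
    return {
        "^[a-f]+": matches("^[a-f]+", USERS),
        "^[a-fA-F]+": matches("^[a-fA-F]+", USERS),
        r"[a-zA-Z]+\d\d\d$": matches(r"[a-zA-Z]+\d\d\d$", USERS),
        r"^chkdsk((?!/[f|x]).)*$": matches(r"^chkdsk((?!/[f|x]).)*$", CMDS),
    }

def alternation_caveat():
    """Why the page says to check an expression fully before committing it: as written,
    '.exe' binds only to the last alternative and the unescaped '.' matches any character,
    so the pattern also matches notepad.txt. Grouping the names and anchoring the whole
    string restricts it to the three executables. Returns (loose_matches, strict_matches)."""
    loose = matches(r"(notepad)|(winword)|(calc).exe", FILES)
    strict = matches(r"^(notepad|winword|calc)\.exe$", FILES)
    return loose, strict
```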

Distributed File Systems

A distributed file system or network file system allows files to be accessed from multiple hosts that share them over a computer network. This makes it possible for multiple users on multiple machines to share files and storage resources. Using DFS, system administrators can make it easy for users to access and manage files that are physically distributed across a network.

There are two ways of implementing DFS on a server:

  • Standalone DFS Namespaces
  • Domain-Based DFS Namespaces

For Application Network Access Control (ANAC) rules using a network share and files or folders that refer to items on a DFS share, you must specify the target server, rather than the namespace server in the UNC path. Application Control Agent substitutes the namespace server path with the target server path, so the namespace server path never gets passed through the rules engine.

App-V 5.0 Support

App-V 5.0 allows applications to be streamed in real-time to any client from a virtual application server. With a streaming-based implementation, the App-V client needs to be installed on the client machines. Application packages are presented on the App-V server and then streamed to the endpoint cache. At the first application package launch request, the package is streamed to the endpoint. For any subsequent application launch requests made on that specific endpoint the application package will be run from the local App-V client cache.

By default, App-V 5.0 applications are inherently trusted, which means they will not fail the Trusted Ownership check. The Application Control Agent caches any published App-V 5.0 applications at session startup. If any application is published mid-session it will not pass the Application Manager Trusted Ownership check until that user logs off and logs on again.

Components

The following table lists the Windows Control Panel components that can be elevated using the User Privilege Management Components feature.

Component Name | Type | Operating System
Add and Remove Programs/Programs and Features | Control Panel | All O/S
  • Uninstall an Update
  • Uninstall or Change Program
Add Hardware | Control Panel | All O/S
Automatic Updates/Windows | Control Panel | All O/S
Backup and Restore Center | Control Panel | W7, W8, W10
BitLocker Enable | Control Panel | W7, W8, W10
Calibrate Color | Control Panel | Server 2008, W7, W8, Server 2012, W10
Certificate Manager | Management Snapin | All O/S
Clear Type Text | Control Panel | W7, W8, W10
Component Services | Management Snapin | All O/S
Computer Management | Management Snapin | All O/S
Data Sources | Control Panel | All O/S
Date and Time | Control Panel | All O/S
Default Location | Control Panel | Windows Server 2008, W7, W8, Windows Server 2012
Defragment | Management Snapin | All O/S
Desktop DPI | Control Panel | Windows Server 2008, W7, W8, Windows Server 2012
Device Manager | Management Snapin | All O/S
Disk Management | Management Snapin | Windows Server 2008, W7, W8, Windows Server 2012, W10
Display | Control Panel | All O/S
Ease of Access Center | Control Panel | Windows Server 2008, W7, W8, Windows Server 2012, W10
Easy Transfer | Control Panel | W7, W8
Event Viewer | Management Snapin | All O/S
Explorer | Control Panel | Windows Server 2008, W7, W8, Windows Server 2012, W10
  • Advanced Security, Change Permissions
  • Show Quota Setting
  • Advanced Sharing
  • Check Drive for Errors
  • Security, Edit Users or Groups
Indexing Options | Control Panel | Windows Server 2008, W7, W8, Windows Server 2012, W10
  • Advanced Indexing Options
  • Pause Indexing
  • Show All Locations
Install/Uninstall Languages | Management Snapin | Windows Server 2008, W7, W8, Windows Server 2012, W10
Internet Options | Control Panel | All O/S
iSCSI Initiator | Control Panel | Windows Server 2008, W7, W8, Windows Server 2012, W10
Local Security Policy | Management Snapin | Windows Server 2008, W7, W8, Windows Server 2012, W10
Network Connections | Control Panel | Windows Server 2008, W7, W8, Windows Server 2012, W10
  • Advanced Sharing Settings
  • Local Area Connection Properties
  • Manage Local Area Connection (Disable/Delete/Rename/Bridge)
  • Manage Wireless Profile
  • Wireless Network Properties, Copy Profile to USB Flash Drive
  • Wireless Network Properties, Show Characters
Offline Files | Control Panel | Windows Server 2008, W7, W8, Windows Server 2012, W10
Performance Monitor | Management Snapin | All O/S
Power Options | Control Panel | All O/S
Printers | Control Panel | All O/S
Problem Reporting | Control Panel | Windows Server 2008, W7, W8, Windows Server 2012, W10
Recovery Disc | Control Panel | W7, W8, W10
Recovery Restore | Control Panel | W7, W8, W10
Regional Options | Control Panel | All O/S
Server Manager | Management Snapin | Windows Server 2008, Windows Server 2012
Services | Management Snapin | All O/S
System | Control Panel | All O/S
System Configuration | Control Panel | Windows Server 2008, W7, W8, Windows Server 2012, W10
Task Scheduler | Management Snapin | Windows Server 2008, W7, W8, Windows Server 2012, W10
Troubleshoot | Control Panel | Windows Server 2008, W7, W8, Windows Server 2012, W10
Trusted Platform | Management Snapin | W7, W8, W10
User Accounts | Control Panel | Windows Server 2008, W7, W8, Windows Server 2012, W10
  • Manage User Accounts
  • User Account Control Settings
Windows Defender | Control Panel | Windows Server 2008, W7, W8, Windows Server 2012, W10
Windows Features | Control Panel | W7, W8, W10
Windows Firewall Advanced Settings | Management Snapin | Windows Server 2008, W7, W8, Windows Server 2012, W10
Windows Firewall Settings | Control Panel | Windows Server 2008, W7, W8, Windows Server 2012, W10
  • Action Center Firewall Settings
  • Control Panel Firewall Settings
