Application Control powered by AppSense

Ivanti Application Control is the new name for AppSense Application Manager

What's new in Application Control?

Version 10.1 FR3

URL Redirection Whitelist

The URL Redirection feature is used to automatically redirect users when they attempt to access a specified URL. By defining a list of prohibited URLs, you redirect any user attempting to access a listed URL to a default warning page or a custom web page.

This feature has been enhanced in 10.1 FR3 with the ability to whitelist specific URLs to address the following use cases:

  • Control access within a single domain - access to a domain can be prohibited whilst access to certain of its sub-domains is permitted. For example, you could deny access to www.company.com whilst allowing access to www.company.com/resources.

    URL Allow video

  • Implement a whitelist approach to controlling internet access for your organization. By creating a redirection that prohibits access to all internet sites, you can add items to allow access to the web sites you want to be available for your staff.

    URL Whitelist video

For more information about this feature, see Browser Control

255-character message limit removed

The 255-character message limit for messages that get displayed to end users has been removed.

In the Message Settings & Application Termination dialogs within the Application Control Console, the administrator can configure the text that gets displayed to end users for the different message types. With 10.1 FR2 and earlier releases, this text was limited to 255 characters. For this release, the limit has been removed so more information can be included.

For more information, see Message Settings.

Support for additional environment variables in the Application Denied message box

Additional environment variables can be displayed in the Application Denied message box. From 10.1 FR3, all of the information that is included in the Application Denied log event can be used.

For more information, see Access Denied.

PowerShell scripts in Custom Conditions

In addition to VBScript and JScript, Powershell scripts can now be created and used within Custom Conditions.

For more information, see Scripted Conditions.

Auditing of elevated child processes for User Privilege Management

Audit logs now capture details for elevated child processes. If the “apply to child processes” option is selected in the configuration, once the primary process has been elevated, this elevation also applies to any child processes. However, in 10.1 FR2 and earlier releases, there was no auditing of those child processes so there was a lack of visibility to the associated activity. 10.1 FR3 audit logs now capture the details for both the primary process as well as any child processes to provide increased audit visibility.

For more information about where the Apply to child processes option is used, see Rule Items and Self-Elevation.

Version 10.1 FR2

There are no new features in this release.

Version 10.1 FR1

Console Rebrand and Renaming

The Application Manager Console has been updated to reflect the new company name of Ivanti - see here for more details. As well as the change of branding from AppSense to Ivanti, Application Manager is now known as Application Control as of this release.

The Application Control console, as well as components on the endpoint have been updated to reflect these changes.

You may still see the AppSense Application Manager name used in certain areas, such as the registry or services. This is to make the transition as least disruptive as possible for existing users of Application Control.

Icon Refresh

Having made significant changes to the design of the User Workspace Manager consoles in version 10, we have listened to feedback and added a splash of color back into the consoles by refreshing and updating some of the icons used in the Application Control console

Version 10.1

Extended Audit Logging

Application Control Event Logging has been extended to include the following:

  • New event for stopped and started services by a user
  • Parent process name now included in 9000 events
  • File owner now included in 9000 events
  • Determining rule now included in events

Windows Operating System Condition

The Microsoft update model now uses build numbers to identify feature releases and service packs. When you are creating a computer operating system rule, the target build number can be specified and configured to match the specific build number entered or to use it as the maximum or minimum build release.

Extended Metadata with Digital Certificate checking

When verifying a file using metadata, administrators can compare the entire certificate to determine the authenticity of the file and whether the metadata can be trusted. The feature also includes real-time certificate verification that helps you diagnose any issues by selecting different combinations or verification settings. As you configure the settings, the certificate status is updated.

Self-Elevation Enhancements

Self-Elevation has been extended to support all file types. Administrators can also specify that certain file extensions can be elevated only when open with certain applications. For example, you can specify that VBS files can be elevated only with wscript.exe.

Command Line Matching

Application Control can now apply rules based not just on the application being launched, but also any command line arguments. This is useful if full access to an application is not required but specific users need to launch certain files or run applications under certain conditions. Command line arguments can be added for File and Signature rule items.

This feature also includes two new advanced settings - Validate PowerShell scripts and Validate Java archives. When these settings are turned on, powershell.exe, powershell_ise.exe, and java(w).exe are blocked and PS1 and JAR files are subject to trusted ownership checking. Specific files can then be added to rules which do not require a trusted owner. Add powershell.exe or java(w).exe to a rule to allow them for specific users, while blocking them for all other users. For example, you may want to allow powershell.exe for your developers so they can launch any PowerShell script.

Process Protection

The System Controls feature of Application Control has been extended to include the protection of processes. Using this enhancement, a specified process - such as antivirus software - can be protected from termination by all users, including administrators.

Enhanced Windows Store App Support

Further support has been added to the control of Windows Store Applications. Applications can be blocked or allowed based on the application's publisher. Using the publisher for sideloaded apps means multiple apps can be controlled. This makes it possible to configure a restriction for all Store Apps while allowing those sideloaded by an organization or IT department.

Policy Change Request per Rule

Administrators can enable the Policy Change Request feature on a per-rule basis. This allows the type of change request and the available request methods to be configured differently for different users or groups of users. Some aspects of the feature, such as specifying the email address and shared key, remain global.


Was this article useful?    

The topic was:

Inaccurate

Incomplete

Not what I expected

Other