Application Control
This page refers to an older version of the product. View the current version of the online Help.
Configuration Object
The Application Control Object Types include the Configuration object and the Configuration Helper object. The Configuration object represents the Application Control configuration. It holds data only and contains no business logic.
Generic Base Types for Collections
Map
Methods:
Add(ValueType item)
Description: Adds a new item into the collection.
Parameters: item - The value to be added.
Remove(KeyType kt)
Description: Removes the value with the given key from the collection.
Parameters: kt - The key of the value to remove from the collection.
Item(KeyType kt)
Description: Accessor for a value within the collection
Returns: The item (value) with the given key.
Parameters: kt - The key of the requested value.
Array
Methods:
Add(ValueType item)
Description: Adds a new item into the collection.
Parameters: item - the value to be added.
Remove(LONG index)
Description: Removes the item at the given position within the collection.
Parameters: index - The 0-based index of the value to remove.
Item(LONG index)
Description: Accessor for the item (value) at the given position within the collection.
Parameters: index - The 0-based index of the requested value.
Strongly Typed Collections
Collection: ArchiveFolderCollection
BaseType: Array
ValueType: ArchiveFolder
Collection: AuditEventFilterDictionary
BaseType: Map
ValueType: AuditEventFilter
Key: File
Collection: ApplicationGroupDictionary
BaseType: Map
ValueType: ApplicationGroup
Key: Path
Collection: CustomRuleDictionary
BaseType: Map
ValueType: CustomRule
Key: Name
Collection: DeviceDictionary
BaseType: Map
ValueType: Device
Key: Host
Collection: DeviceRuleDictionary
BaseType: Map
ValueType: DeviceRule
Key: Name
Collection: DriveCollection
BaseType: Map
ValueType: Drive
Key: Path
Collection: EngineeringKeyCollection
BaseType: Array
ValueType: EngineeringKey
Collection: FileCollection
BaseType: Map
ValueType: File
Key: CommandLine
Collection: FileExtensionDictionary
BaseType: Map
ValueType: FileExtension
Key: Name
Collection: FolderCollection
BaseType: Map
ValueType: Folder
Key: Path
Collection: GroupRuleDictionary
BaseType: Map
ValueType: GroupRule
Key: DisplayName
Collection: NetworkConnectionCollection
BaseType: Map
ValueType: NetworkConnection
Key: Path
Collection: ProcessRuleDictionary
BaseType: Map
ValueType: ProcessRule
Key: Name
Collection: ScriptedRuleDictionary
BaseType: Map
ValueType: ScriptedRule
Key: Name
Collection: SignatureFileCollection
BaseType: Map
ValueType: SignatureFile
Key: CommandLine
Collection: TimeRangeCollection
BaseType: Array
ValueType: TimeRange
Collection: TrustedApplicationCollection
BaseType: Array
ValueType: TrustedApplication
Collection: TrustedOwnerDictionary
BaseType: Map
ValueType: TrustedOwner
Key: DisplayName
Collection: UserRuleDictionary
BaseType: Map
ValueType: UserRule
Key: DisplayName
Collection: URMPolicyDictionary
BaseType: Map
ValueType: URMPolicy
Key: Name
Collection: URMGroupBehaviourDictionary
BaseType: Map
ValueType: URMGroupBehaviour
Key: DisplayName
Collection: URMPrivilegeDictionary
BaseType: Map
ValueType: URMPrivilege
Key: Name
Collection: URMRuleItemDictionary
BaseType: Map
ValueType: URMRuleItem
Key: KeyPath
Collection: URMRuleItemPolicyDictionary
BaseType: Map
ValueType: URMRuleItemPolicy
Key: KeyPath
Object Definitions
Object: AccessTimes
Property | Type | Description |
---|---|---|
MondayTimeRangeCollection | TimeRangeCollection | A collection of time ranges that are applied on Mondays. |
TuesdayTimeRangeCollection | TimeRangeCollection | A collection of time ranges that are applied on Tuesdays. |
WednesdayTimeRangeCollection | TimeRangeCollection | A collection of time ranges that are applied on Wednesdays. |
ThursdayTimeRangeCollection | TimeRangeCollection | A collection of time ranges that are applied on Thursdays. |
FridayTimeRangeCollection | TimeRangeCollection | A collection of time ranges that are applied on Fridays. |
SaturdayTimeRangeCollection | TimeRangeCollection | A collection of time ranges that are applied on Saturdays. |
SundayTimeRangeCollection | TimeRangeCollection | A collection of time ranges that are applied on Sundays. |
Object: ApplicationGroup
Property | Type | Description |
---|---|---|
Path | BSTR | The name of the Application Group. |
Description | BSTR | The description of the group. |
Files | FileCollection | Collection of files contained in this group. |
Folders | FolderCollection | Collection of folders contained in this group. |
SignatureFiles | SignatureFileCollection | Collection of signature files contained in this group. |
NetworkConnections | NetworkConnectionCollection | Collection of network connections contained within this group. |
Drives | DriveCollection | Collection of drives contained within this group. |
Object: ArchiveFolder
Property | Type | Description |
---|---|---|
Path | BSTR | Full path to folder. |
Object: ArchivingSettings
Property | Type | Description |
---|---|---|
ArchivingEnabled | VARIANT_BOOL | Specify whether to use archiving. Default = False |
NoAdminOwnedFiles | VARIANT_BOOL | Enable administrator-owned files to be ignored. Default = False |
OverwriteExistingFiles | VARIANT_BOOL | Specify whether files copied to the archive should overwrite existing files. Default = True |
AnonymousEnabled | VARIANT_BOOL | Specify whether files should have any user information stripped. |
TotalLimit | LONG | The maximum size of the archive in MB. Default = 50. |
UserLimit | LONG | The maximum size of a user’s archive in MB. Default = 25. |
ArchiveLessThanEnabled | VARIANT_BOOL | Specify whether only files smaller than a certain size will be archived. Default = False. |
ArchiveLessThanAmount | LONG | The maximum size of a file that will be copied to the archive. Default = False |
OverwriteOldest | VARIANT_BOOL | Specify whether the oldest files in the archive are overwritten when the archive is full. Default = False. |
ArchiveFolders | ArchiveFolderCollection | A list of archive folder locations. The first location in the list is given the highest preference and the last location the lowest. |
Object: AuditEventFilter
Property | Type | Description |
---|---|---|
File | BSTR | The file name/extension to which this filter will be applied. |
Events | BSTR | A semicolon-delimited list of events. For example, 9005;9006;9007. |
Object: AuditEventFiltering
Property | Type | Description |
---|---|---|
Enabled | VARIANT_BOOL | Specify whether event filtering is enabled. Default = True. |
Files | AuditEventFilterDictionary | The list of event filters. |
Object: Configuration
Property | Type | Description |
---|---|---|
Info | ConfigurationInfo | Configuration metadata. |
DefaultRules | DefaultRules | Default rules settings. |
MessageSettings | MessageSettings | Settings to allow customization of Application Control generated message boxes. |
ArchivingSettings | ArchivingSettings | Options for files that are archived. |
UserRules | UserRuleDictionary | Collection of configured user rules. |
ApplicationGroups | ApplicationGroupDictionary | Library of Application Groups. |
ProcessRules | ProcessRuleDictionary | Collection of configured process rules. |
GroupRules | GroupRuleDictionary | Collection of configured group rules. |
DeviceRules | DeviceRuleDictionary | Collection of configured device rules. |
CustomRules | CustomRuleDictionary | Collection of configured custom rules. |
ScriptedRules | ScriptedRuleDictionary | Collection of configured scripted rules. |
EngineeringKeys | EngineeringKeyCollection | Collection of engineering keys. |
URMPolicies | URMPolicyDictionary | Library of User rights policies. |
AuditEventFilteringSettings | AuditEventFiltering | Options relating to which audit events are reported. |
OnDemandConfigChangeSettings | OnDemandConfigChangeSettings | Options relating to Policy Change Requests. |
Object: ConfigurationInfo
Property | Type | Description |
---|---|---|
Name | BSTR | The name of the configuration. |
UniqueIndentifier | BSTR | The unique ID for the configuration. |
Version | LONG | The configuration version. |
Notes | BSTR | Any appropriate notes. |
RevisionLevel | LONG | The configuration |
Object: CustomRule
Property | Type | Description |
---|---|---|
DisplayName | BSTR | The account name. |
SID | BSTR | The account SID. |
Devices | DeviceDictionary | Collection of devices to which this rule applies. |
Name | BSTR | The name of the rule. |
SecurityLevel | SecurityLevel | The level of restriction applied to this rule. |
AccessibleApplicationGroups | ApplicationGroupReferenceDictionary | Collection of allowed Application Groups. |
AccessibleFiles | FileCollection | Collection of allowed files. |
AccessibleFolders | FolderCollection | Collection of allowed folders. |
AccessibleDrives | DriveCollection | Collection of allowed drives. |
AccessibleSignatures | SignatureFileCollection | Collection of allowed signatures. |
AccessibleNetworkConnections | NetworkConnectionCollection | Collection of accessible network connections. |
ProhibitedApplicationGroups | ApplicationGroupReferenceDictionary | Collection of denied Application Groups. |
ProhibitedFiles | FileCollection | Collection of denied files. |
ProhibitedFolders | FolderCollection | Collection of denied folders. |
ProhibitedDrives | DriveCollection | Collection of denied drives. |
ProhibitedSignatures | SignatureFileCollection | Collection of denied signatures. |
ProhibitedNetworkConnections | NetworkConnectionCollection | Collection of denied network connections. |
TrustedVendors | DigitalCertificateCollection | Collection of trusted vendors’ digital certificates. |
UserRightsRules | URMRules | Configured settings for user privileges rules. |
Object: DefaultRules
Property | Type | Description |
---|---|---|
TrustedOwnershipChecking | VARIANT_BOOL | Enable trusted ownership checking. Default = True |
ChangeFileOwnershipOnOverwriteOrRename | VARIANT_BOOL | Enable a change of file ownership when a file is overwritten or renamed. Default = True |
TrustedOwners | TrustedOwnerDictionary | A collection of configured Trusted Owners. |
LocalDrivesAccessible | VARIANT_BOOL | Specify whether the local drives are allowed by default. Default = True |
IgnoreRestrictionsDuringLogon | VARIANT_BOOL | Allows restrictions to be ignored until the logon process is complete. |
AllowCMDForBatchFiles | VARIANT_BOOL | Allows cmd.exe to run if it is run via execution of a batch file. Default = True |
ExtractSelfExtractingZIPFiles | VARIANT_BOOL | Specify whether Application Control should extract self-extracting .ZIP files. Default = True |
ValidateSystemProcesses | VARIANT_BOOL | Specify whether system processes will be subject to Application Control rules processing. Default = False |
ValidateMSI | VARIANT_BOOL | Specify whether Windows Installer (.MSI) packages are validated. |
ValidateWSH | VARIANT_BOOL | Specify whether Windows Script Host (.WSH) files are validated. Default = True |
ValidateREG | VARIANT_BOOL | Specify whether Windows Registry (.REG) files are validated. Default = True |
DoExtensionFiltering | VARIANT_BOOL | Enable extension filtering. Default = False |
ExtensionFilteringScope | FileExtensionFilteringScope | Specify whether the file extensions in the FileExtensions property are included or excluded from rules processing. Default = Exclude |
FileExtensions | FileExtensionDictionary | A list of extensions used for extension filtering. |
ApplicationAccessEnabled | VARIANT_BOOL | Specify whether Application Access Control is enabled. Default = True. |
ANACEnabled | VARIANT_BOOL | Specify whether Application Network Access control is enabled. Default = True. |
URMEnabled | VARIANT_BOOL | Specify whether User Privileges Management is enabled. Default = True. |
IgnoreRestrictionsDuringActiveSetup | VARIANT_BOOL | Ignore restrictions during active setup. Default = False. |
ProhibitFilesOnRemovableMedia | VARIANT_BOOL | Prohibit files on removable media. Default = True. |
Object: Device
Property | Type | Description |
---|---|---|
Host | BSTR | The host address. |
HostType | DeviceType | Specify whether the address refers to a computer or a connecting device. Default = Computer |
NameType | HostNameType | Specify whether the address is a host name or IP address. Default = HostName |
Object: DeviceRule
Property | Type | Description |
---|---|---|
Devices | DeviceDictionary | Collection of devices to which this rule applies. |
Name | BSTR | The name of the rule. |
SecurityLevel | SecurityLevel | The level of restriction applied to this rule. |
AccessibleApplicationGroups | ApplicationGroupReferenceDictionary | Collection of accessible Application Groups. |
AccessibleFiles | FileCollection | Collection of allowed files. |
AccessibleFolders | FolderCollection | Collection of allowed folders. |
AccessibleDrives | DriveCollection | Collection of allowed drives. |
AccessibleSignatures | SignatureFileCollection | Collection of allowed signatures. |
AccessibleNetworkConnections | NetworkConnectionCollection | Collection of allowed network connections. |
ProhibitedApplicationGroups | ApplicationGroupReferenceDictionary | Collection of denied Application Groups. |
ProhibitedFiles | FileCollection | Collection of denied files. |
ProhibitedFolders | FolderCollection | Collection of denied folders. |
ProhibitedDrives | DriveCollection | Collection of denied drives. |
ProhibitedSignatures | SignatureFileCollection | Collection of denied signatures. |
ProhibitedNetworkConnections | NetworkConnectionCollection | Collection of denied network connections. |
Object: DigitalCertificate
Property | Type | Description |
---|---|---|
Path | BSTR | Unused for this object. |
Description | BSTR | The description of the digital certificate. |
EnforceExpiryDate | VARIANT_BOOL | Specify whether the expiry date verification will be applied to this certificate. Default = False |
RawCertificateData | BSTR | The base64 encoded digital certificate. |
ExpiryDate | BSTR | The certificate expiry date. |
ErrorIgnoreFlags | LONG | A bitwise OR operation of the ErrorIgnoreFlags values below. Default = 0 |
ErrorIgnoreFlags
Flag | Value |
---|---|
CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG | 0x00000001 |
CERT_CHAIN_POLICY_IGNORE_CTL_NOT_TIME_VALID_FLAG | 0x00000002 |
CERT_CHAIN_POLICY_IGNORE_NOT_TIME_NESTED_FLAG | 0x00000004 |
CERT_CHAIN_POLICY_IGNORE_INVALID_BASIC_CONSTRAINTS_FLAG | 0x00000008 |
CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG | 0x00000010 |
CERT_CHAIN_POLICY_IGNORE_WRONG_USAGE_FLAG | 0x00000020 |
CERT_CHAIN_POLICY_IGNORE_INVALID_NAME_FLAG | 0x00000040 |
CERT_CHAIN_POLICY_IGNORE_INVALID_POLICY_FLAG | 0x00000080 |
CERT_CHAIN_POLICY_IGNORE_END_REV_UNKNOWN_FLAG | 0x00000100 |
CERT_CHAIN_POLICY_IGNORE_CTL_SIGNER_REV_UNKNOWN_FLAG | 0x00000200 |
CERT_CHAIN_POLICY_IGNORE_CA_REV_UNKNOWN_FLAG | 0x00000400 |
CERT_CHAIN_POLICY_IGNORE_ROOT_REV_UNKNOWN_FLAG | 0x00000800 |
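The following is an added example, not Ivanti code: it decomposes a stored ErrorIgnoreFlags value into the flags listed above so that trusted-vendor certificates with relaxed chain validation can be reviewed. The certificate records are constructed, and the function names and the grouping of flags into check categories are assumptions made for illustration.

```python
# Flag names and values as listed for DigitalCertificate.ErrorIgnoreFlags.
ERROR_IGNORE_FLAGS = {
    0x00000001: "CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG",
    0x00000002: "CERT_CHAIN_POLICY_IGNORE_CTL_NOT_TIME_VALID_FLAG",
    0x00000004: "CERT_CHAIN_POLICY_IGNORE_NOT_TIME_NESTED_FLAG",
    0x00000008: "CERT_CHAIN_POLICY_IGNORE_INVALID_BASIC_CONSTRAINTS_FLAG",
    0x00000010: "CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG",
    0x00000020: "CERT_CHAIN_POLICY_IGNORE_WRONG_USAGE_FLAG",
    0x00000040: "CERT_CHAIN_POLICY_IGNORE_INVALID_NAME_FLAG",
    0x00000080: "CERT_CHAIN_POLICY_IGNORE_INVALID_POLICY_FLAG",
    0x00000100: "CERT_CHAIN_POLICY_IGNORE_END_REV_UNKNOWN_FLAG",
    0x00000200: "CERT_CHAIN_POLICY_IGNORE_CTL_SIGNER_REV_UNKNOWN_FLAG",
    0x00000400: "CERT_CHAIN_POLICY_IGNORE_CA_REV_UNKNOWN_FLAG",
    0x00000800: "CERT_CHAIN_POLICY_IGNORE_ROOT_REV_UNKNOWN_FLAG",
}

# Assumption: these review categories are the example's own grouping,
# not terminology from the product documentation.
CATEGORY = {
    0x00000001: "time validity",
    0x00000002: "time validity",
    0x00000004: "time validity",
    0x00000008: "chain trust",
    0x00000010: "chain trust",
    0x00000020: "usage/name/policy",
    0x00000040: "usage/name/policy",
    0x00000080: "usage/name/policy",
    0x00000100: "revocation",
    0x00000200: "revocation",
    0x00000400: "revocation",
    0x00000800: "revocation",
}

KNOWN_MASK = sum(ERROR_IGNORE_FLAGS)  # 0x00000FFF, every documented bit


def decode_error_ignore_flags(value):
    """Split a LONG ErrorIgnoreFlags value into (flag names, unknown bits)."""
    value &= 0xFFFFFFFF  # LONG is signed 32-bit; normalise negative values
    names = [name for bit, name in sorted(ERROR_IGNORE_FLAGS.items())
             if value & bit]
    unknown_bits = value & ~KNOWN_MASK & 0xFFFFFFFF
    return names, unknown_bits


def audit_certificates(certs):
    """Return one finding per certificate that relaxes any chain check.

    Each certificate is a dict using the DigitalCertificate property names
    (Description, EnforceExpiryDate, ErrorIgnoreFlags).
    """
    findings = []
    for cert in certs:
        raw = cert.get("ErrorIgnoreFlags", 0)  # documented default is 0
        names, unknown_bits = decode_error_ignore_flags(raw)
        if not names and not unknown_bits:
            continue  # full chain validation, nothing to report
        suppressed = sorted({CATEGORY[bit] for bit in CATEGORY
                             if raw & bit})
        findings.append({
            "certificate": cert.get("Description", "<no description>"),
            "expiry_enforced": bool(cert.get("EnforceExpiryDate", False)),
            "flags": names,
            "suppressed_checks": suppressed,
            "unknown_bits": hex(unknown_bits),
        })
    return findings


# Constructed sample records, not taken from any real configuration.
SAMPLE_CERTS = [
    {"Description": "Vendor A (constructed)", "EnforceExpiryDate": True,
     "ErrorIgnoreFlags": 0},
    {"Description": "Vendor B (constructed)", "EnforceExpiryDate": False,
     "ErrorIgnoreFlags": 0x00000F11},
    {"Description": "Vendor C (constructed)",
     "ErrorIgnoreFlags": 0x00001020},
]

if __name__ == "__main__":
    for finding in audit_certificates(SAMPLE_CERTS):
        print(finding)
```

A non-zero `unknown_bits` value means the stored number contains bits outside the twelve documented flags and should be checked by hand.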
Object: Drive
Property | Type | Description |
---|---|---|
Path | BSTR | Full path to drive. |
Description | BSTR | The drive description. |
Object: File
Property | Type | Description |
---|---|---|
Path | BSTR | Full path to file. |
Description | BSTR | The file description. |
Arguments | BSTR | The command line arguments used for spawning a process. |
CommandLine | BSTR | The full command line (Path + Arguments) when a file is run. |
ApplyAccessTimes | VARIANT_BOOL | Specify whether access times are to be applied. Default = False |
AccessTimes | AccessTimes | Collection of access times to be applied. |
TrustedOwnershipChecking | VARIANT_BOOL | Specify whether the file is subject to Trusted Ownership checking. Default = True |
ApplicationLimit | LONG | The number of concurrent instances of this file that can be executed (0 means unlimited). Default = 0 |
Object: FileExtension
Property | Type | Description |
---|---|---|
Name | BSTR | File Extension. |
Object: FileMetaData
Property | Type | Description |
---|---|---|
ProductVersionMaximum | BSTR | The maximum product version number to match. |
ProductVersionMaximumEnabled | VARIANT_BOOL | Enables/Disables the use of the ProductVersionMaximum property. |
ProductVersionMinimum | BSTR | The minimum product version number to match. |
ProductVersionMinimumEnabled | VARIANT_BOOL | Enables/Disables the use of the ProductVersionMinimum property. |
FileVersionMaximum | BSTR | The maximum file version number to match. |
FileVersionMaximumEnabled | VARIANT_BOOL | Enables/Disables the use of the FileVersionMaximum property. |
FileVersionMinimum | BSTR | The minimum file version number to match. Format is <major>.<minor>.<build>.<revision> where each element is a number or the '*' wildcard character to match anything. |
FileVersionMinimumEnabled | VARIANT_BOOL | Enables/Disables the use of the FileVersionMinimum property. |
VendorName | BSTR | The Vendor Name to match against. Wildcard characters '*' and '?' are supported to match any substring or single character. |
VendorNameEnabled | VARIANT_BOOL | Enables/Disables the use of the VendorName property. |
ProductName | BSTR | The Product Name to match against. Wildcard characters '*' and '?' are supported to match any substring or single character. |
ProductNameEnabled | VARIANT_BOOL | Enables/Disables the use of the ProductName property. |
CompanyName | BSTR | The Company Name to match against. Wildcard characters '*' and '?' are supported to match any substring or single character. |
CompanyNameEnabled | VARIANT_BOOL | Enables/Disables the use of the CompanyName property. |
FileDescription | BSTR | The File Description to match against. Wildcard characters '*' and '?' are supported to match any substring or single character. |
FileDescriptionEnabled | VARIANT_BOOL | Enables/Disables the use of the FileDescription property. |
Object: Folder
Property | Type | Description |
---|---|---|
Path | BSTR | Full path to folder. |
Description | BSTR | The folder description. |
ApplyAccessTimes | VARIANT_BOOL | Specify whether access times are to be applied. |
AccessTimes | AccessTimes | Collection of access times to be applied. |
TrustedOwnershipChecking | VARIANT_BOOL | Specify whether the folder is subject to Trusted Ownership checking. Default = True |
Recursive | VARIANT_BOOL | Whether rules are applied to sub-folders. Default = True |
Object: GroupRule
Property | Type | Description |
---|---|---|
DisplayName | BSTR | The account name. |
SID | BSTR | The account SID. |
Name | BSTR | The name of the rule. |
SecurityLevel | SecurityLevel | The level of restriction applied to this rule. |
Groups | ApplicationGroupReferenceDictionary | Collection of allowed Application Groups. |
AccessibleFiles | FileCollection | Collection of allowed files. |
AccessibleFolders | FolderCollection | Collection of allowed folders. |
AccessibleDrives | DriveCollection | Collection of allowed drives. |
AccessibleSignatures | SignatureFileCollection | Collection of allowed signatures. |
AccessibleNetworkConnections | NetworkConnectionCollection | Collection of allowed network connections. |
ProhibitedApplicationGroups | ApplicationGroupReferenceDictionary | Collection of denied Application Groups. |
ProhibitedFiles | FileCollection | Collection of denied files. |
ProhibitedFolders | FolderCollection | Collection of denied folders. |
ProhibitedDrives | DriveCollection | Collection of denied drives. |
ProhibitedSignatures | SignatureFileCollection | Collection of denied signatures. |
ProhibitedNetworkConnections | NetworkConnectionCollection | Collection of denied network connections. |
TrustedVendors | DigitalCertificateCollection | Collection of trusted vendors’ digital certificates. |
UserRightsRules | URMRules | Configured settings for User Privileges rules. |
Object: MessageSettings
Property | Type | Description |
---|---|---|
DisplayInitialWarningMessage | VARIANT_BOOL | Determines whether the user should be warned that an application is about to be closed due to its allowed time having expired. |
CloseApplication | VARIANT_BOOL | Determine whether an application with an expired allowed time should be sent a WM_CLOSE to allow the user chance to save work. |
TerminateApplication | VARIANT_BOOL | Determine whether an application with an expired allowed time should be forcefully terminated. |
WaitTime | LONG | The delay period between warning the user, sending a WM_CLOSE and terminating the application. This value is in seconds. |
AccessDeniedMessageCaption | BSTR | The caption for the denied message box. |
AccessDeniedMessageBody | BSTR | The text for the denied message box. |
ApplicationLimitsExceededMessageCaption | BSTR | The caption for the message box that is displayed when an application has reached its application limit. |
ApplicationLimitsExceededMessageBody | BSTR | The text for the message box that is displayed when an application has reached its application limit. |
TimeLimitsWarningMessageCaption | BSTR | The caption for the message box that is displayed when an application has reached the end of its allowed time. |
TimeLimitsWarningMessageBody | BSTR | The text for the message box that is displayed when an application has reached the end of its allowed time. |
TimeLimitsDeniedMessageCaption | BSTR | The caption for the message box that is displayed when an application is denied due to a time restriction. |
TimeLimitsDeniedMessageBody | BSTR | The text for the message box that is displayed when an application is denied due to a time restriction. |
SelfAuthorizationMessageCaption | BSTR | The caption for the message box that is displayed when user authorization is required to run a file. |
SelfAuthorizationMessageBody | BSTR | The text for the message box that is displayed when user authorization is required to run a file. |
SelfAuthorizationResponseCaption | BSTR | The text for the message box that is displayed when the user has previously self-authorized a file to run. |
SelfAuthorizationResponseBody | BSTR | The caption for the message box that is displayed when the user has previously self-authorized a file to run. |
Object: NetworkConnection
Property | Type | Description |
---|---|---|
Path | BSTR | Full path to network resource. |
Description | BSTR | The description of the network resource. |
Address | BSTR | The address of the network resource, for example, www.bbc.co.uk. |
Resource | BSTR | The resource path, for example \weather. |
Port | BSTR | The port to which this network connection applies, if appropriate. |
UseWildcards | VARIANT_BOOL | Specify whether any part of the whole network location contains wildcards. |
AddressType | NetworkConnectionType | The connection type. Default = False |
Recursive | VARIANT_BOOL | Specify whether child resources are included as part of this connection. |
Object: OnDemandConfigChangeSettings
Property | Type | Description |
---|---|---|
OnDemandEnabled | VARIANT_BOOL | Global On/Off for Policy Change Request. Default = False |
EmailRequestsEnabled | VARIANT_BOOL | Enables the Email Request functionality for Policy Change Requests. Default = True. |
MailToAddress | BSTR | Specifies the recipient email address. |
EmergencyRequestsEnabled | VARIANT_BOOL | Enables the Immediate Change Request functionality. Default = True. |
HelpDeskPhoneNumber | BSTR | Specifies the phone number for the Help Desk. |
SharedKey | BSTR | Specifies the salt for use in encryption algorithms. Must use ASCII characters and match the key used by the Help Desk. This is to be used in conjunction with the ConfigurationHelper object. For further information, see Policy Change Request. |
RequestMethods | OnDemandConfigChangeUserInteractionSetup | Configures the request methods. |
Object: OnDemandConfigChangeUserInteractionSetup
Property | Type | Description |
---|---|---|
AllowLinkFromAMDenied | VARIANT_BOOL | Enable link through from AMDenied Message. Default = True. |
AMDeniedLinkText | BSTR | Specify the text displayed in the AMDenied Message dialog link. |
ShowShellMenu | VARIANT_BOOL | Enables the right-click context option menu. Default = True. |
ShellMenuText | BSTR | Specify the text displayed in the right-click context menu. |
ShowDesktopIcon | VARIANT_BOOL | Enables the Policy Change Request desktop icon. Default = True. |
DesktopIconText | BSTR | Specify the text displayed on the Policy Change Request desktop icon. |
Object: ProcessRule
Property | Type | Description |
---|---|---|
SecurityLevel | SecurityLevel | The level of restriction applied to this rule. |
AccessibleApplicationGroups | ApplicationGroupReferenceDictionary | Collection of allowed Application Groups. |
AccessibleFiles | FileCollection | Collection of allowed files. |
AccessibleFolders | FolderCollection | Collection of allowed folders. |
AccessibleDrives | DriveCollection | Collection of allowed drives. |
AccessibleSignatures | SignatureFileCollection | Collection of allowed signatures. |
AccessibleNetworkConnections | NetworkConnectionCollection | Collection of allowed network connections. |
ProhibitedApplicationGroups | ApplicationGroupReferenceDictionary | Collection of denied Application Groups. |
ProhibitedFiles | FileCollection | Collection of denied files. |
ProhibitedFolders | FolderCollection | Collection of denied folders. |
ProhibitedDrives | DriveCollection | Collection of denied drives. |
ProhibitedSignatures | SignatureFileCollection | Collection of denied signatures. |
ProhibitedNetworkConnections | NetworkConnectionCollection | Collection of denied network connections. |
TrustedVendors | DigitalCertificateCollection | Collection of trusted vendors’ digital certificates. |
UserRightsRules | URMRules | Configured settings for User Privileges rules. |
FileProcessItems | FileCollection | Collection of processes to which this rule applies. |
SignatureProcessItems | SignatureProcessItems | Collection of processes to which this rule applies, defined by signature. |
Object: ScriptedRule
Property | Type | Description |
---|---|---|
EntryFunction | BSTR | The function that will be executed when the script is launched. |
Script | BSTR | The body of the script. |
Context | ExecutionContext | The context in which the script is executed. Default = PerSessionAsUser. |
WaitForLogin | VARIANT_BOOL | Specify whether the execution of the script will be delayed until the login process is complete. Default = False |
Timeout | LONG | The timeout period a script is given before being terminated. |
Name | BSTR | The name of the rule. |
SecurityLevel | SecurityLevel | The level of restriction applied to this rule. |
AccessibleApplicationGroups | ApplicationGroupReferenceDictionary | Collection of allowed Application Groups. |
AccessibleFiles | FileCollection | Collection of allowed files. |
AccessibleFolders | FolderCollection | Collection of allowed folders. |
AccessibleDrives | DriveCollection | Collection of allowed drives. |
AccessibleSignatures | SignatureFileCollection | Collection of allowed signatures. |
AccessibleNetworkConnections | NetworkConnectionCollection | Collection of allowed network connections. |
ProhibitedApplicationGroups | ApplicationGroupReferenceDictionary | Collection of denied Application Groups. |
ProhibitedFiles | FileCollection | Collection of denied files. |
ProhibitedFolders | FolderCollection | Collection of denied folders. |
ProhibitedDrives | DriveCollection | Collection of denied drives. |
ProhibitedSignatures | SignatureFileCollection | Collection of denied signatures. |
ProhibitedNetworkConnections | NetworkConnectionCollection | Collection of denied network connections. |
TrustedVendors | DigitalCertificateCollection | Collection of trusted vendors’ digital certificates. |
UserRightsRules | URMRules | Configured settings for User Privileges rules. |
FileProcessItems | FileCollection | Collection of processes to which this rule applies. |
SignatureProcessItems | SignatureProcessItems | Collection of processes to which this rule applies, defined by signature. |
Object: SignatureFile
Property | Type | Description |
---|---|---|
Path | BSTR | Full path to the file. |
Description | BSTR | The file description. |
Arguments | BSTR | The command line arguments used for spawning a process. |
SHA1 Hash | BSTR | The SHA1 hash of the file. |
CommandLine | BSTR | The full command line (Sha1Hash + Arguments) when a file is run. |
Version | BSTR | The file version information. |
ApplyAccessTimes | VARIANT_BOOL | Specify whether access times are to be applied. Default = False |
AccessTimes | AccessTimes | Collection of access times to be applied. |
Object: TimeRange
Property | Type | Description |
---|---|---|
StartHour | LONG | The hour at which the time range starts. |
EndHour | LONG | The hour at which the time range ends. |
Object: TrustedOwner
Property | Type | Description |
---|---|---|
DisplayName | BSTR | The account name. |
SID | BSTR | The account SID. |
Description | BSTR | The account description. |
Object: URMGroupBehaviour
Property | Type | Description |
---|---|---|
DisplayName | BSTR | The name of the group. |
SID | BSTR | The group's SID. |
Action | URMGroupAction | The action to perform with this group. Default = Add |
Object: URMPolicy
Property | Type | Description |
---|---|---|
Name | BSTR | Name of the policy. |
Description | BSTR | A description for the policy. |
GroupMembershipActions | URMGroupBehaviourDictionary | A collection of configured UPM (User Privilege Management) Group Behavior actions. |
PrivilegeActions | URMPrivilegeDictionary | A collection of configured UPM Privilege actions. |
Object: URMPrivilege
Property | Type | Description |
---|---|---|
Name | BSTR | Textual description of the privilege. |
Privilege | URMPrivilegeConstant | The privilege being set. Default = SeAssignPrimaryTokenPrivilege |
Action | URMPrivilegeAction | The action to perform on the privilege. Default = NoChange. |
Object: URMRuleItem
Property | Type | Description |
---|---|---|
KeyPath | BSTR | The keypath used in collections of URMRuleItems. |
Application | RuleItem | The application for which to apply the User Rights setting. Can be of type File, Folder, Signature File or Application Group. |
ApplyToChildren | VARIANT_BOOL | Setting to specify whether the user rights setting should be applied to any child processes. Default = False. |
Object: URMRuleItemPolicy
Property | Type | Description |
---|---|---|
KeyPath | BSTR | The keypath used in collections of URMRuleItems. |
Application | RuleItem | The application to which to apply the User Rights policy. Can be of type File, Folder, Signature File or Application Group. |
ApplyToChildren | VARIANT_BOOL | Setting to specify whether the user rights policy should be applied to any child processes. Default = False. |
Policy | URMPolicyReference | The URM Policy to apply to the application. |
Object: URMRules
Property | Type | Description |
---|---|---|
URMFiles | URMRuleItemPolicyDictionary | Collection of files and User Privileges Management (UPM) policies to apply to them. |
URMSignatures | URMRuleItemPolicyDictionary | Collection of signature files and UPM policies to apply to them. |
URMFolders | URMRuleItemPolicyDictionary | Collection of folders and UPM policies to apply to them. |
URMApplicationGroups | URMRuleItemPolicyDictionary | Collection of Application Groups and UPM policies to apply to them. |
Object: UserRule
Property | Type | Description |
---|---|---|
DisplayName | BSTR | The account name. |
SID | BSTR | The account SID. |
Name | BSTR | The name of the rule. |
SecurityLevel | SecurityLevel | The level of restriction applied to this rule. |
AccessibleApplicationGroups | ApplicationGroupReferenceDictionary | Collection of allowed Application Groups. |
AccessibleFiles | FileCollection | Collection of allowed files. |
AccessibleFolders | FolderCollection | Collection of allowed folders. |
AccessibleDrives | DriveCollection | Collection of allowed drives. |
AccessibleSignatures | SignatureFileCollection | Collection of allowed signatures. |
AccessibleNetworkConnections | NetworkConnectionCollection | Collection of allowed network connections. |
ProhibitedApplicationGroups | ApplicationGroupReferenceDictionary | Collection of denied Application Groups. |
ProhibitedFiles | FileCollection | Collection of denied files. |
ProhibitedFolders | FolderCollection | Collection of denied folders. |
ProhibitedDrives | DriveCollection | Collection of denied drives. |
ProhibitedSignatures | SignatureFileCollection | Collection of denied signatures. |
ProhibitedNetworkConnections | NetworkConnectionCollection | Collection of denied network connections. |
TrustedVendors | DigitalCertificateCollection | Collection of trusted vendors’ digital certificates. |
UserRightsRules | URMRules | Configured settings for User Privileges rules. |
Enumerations
Name: DeviceType
Computer = 0
ConnectingDevice = 1
Name: ExecutionContext
PerSessionAsUser = 0
PerSessionAsSystem = 1
PerComputerAsSystem = 2
Name: FileExtensionFilteringScope
Exclude = 0
Include = 1
Name: HostNameType
HostName = 0
IPAddress = 1
Name: NetworkConnectionType
HostAddress = 0
IPAddress = 1
UNCPath = 2
Name: ScriptingLanguage
VBScript = 0
PowerShell = 1
Name: SecurityLevel
Restricted = 0
SelfAuthorizing = 1
Unrestricted = 2
AuditOnly = 3
Copyright © 2019, Ivanti. All rights reserved.