Application Control


This page refers to an older version of the product.
View the current version of the online Help.

Maintain Configurations


Create Configurations

To create a new configuration, click File > New.

A new configuration displays and automatically provides the following protection by default:

  • Applications not stored on local hard drives are prohibited. For example, applications on network drives and removable media are prohibited.
  • Applications that are not owned by the administrator are prohibited. For example, any applications copied onto the computer's hard drives by a non-administrator are prohibited.
  • All administrators can run any applications.

You must save a new configuration before the default settings are implemented.
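The following PowerShell function is an added example, not part of the product or its documentation. It approximates the two default prohibitions above for a non-administrator so that you can predict which executables a fresh configuration would block. It assumes "owned by the administrator" means the file owner is BUILTIN\Administrators; the function name and the `TrustedOwnerSids` parameter are hypothetical.

```powershell
# Added example: models the default rules as described on this page, not the agent's own logic.
function Test-DefaultRuleOutcome {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Path,
        # Assumption: trusted owner = BUILTIN\Administrators (well-known SID S-1-5-32-544).
        # Extend this list to match the Trusted Owners in your configuration.
        [string[]]$TrustedOwnerSids = @('S-1-5-32-544')
    )
    process {
        $full = (Get-Item -LiteralPath $Path -ErrorAction Stop).FullName

        # UNC paths are network locations; otherwise ask the OS for the drive type.
        if ($full.StartsWith('\\')) {
            $driveType = 'Network'
        } else {
            $root = [System.IO.Path]::GetPathRoot($full)
            $driveType = ([System.IO.DriveInfo]::new($root)).DriveType.ToString()
        }

        # Read the owner as a SID so the check does not depend on OS language.
        $sidType  = [System.Security.Principal.SecurityIdentifier]
        $ownerSid = (Get-Acl -LiteralPath $full).GetOwner($sidType).Value

        $reasons = @()
        if ($driveType -ne 'Fixed') {
            $reasons += "not on a local hard drive ($driveType)"
        }
        if ($ownerSid -notin $TrustedOwnerSids) {
            $reasons += "owner $ownerSid is not a trusted owner"
        }

        [pscustomobject]@{
            Path      = $full
            DriveType = $driveType
            OwnerSid  = $ownerSid
            Expected  = if ($reasons.Count -gt 0) { 'Prohibited' } else { 'Allowed' }
            Reason    = $reasons -join '; '
        }
    }
}

# Usage (the folder is a constructed sample):
# Get-ChildItem 'C:\Users\Public' -Recurse -Filter *.exe |
#     ForEach-Object FullName | Test-DefaultRuleOutcome | Format-Table -AutoSize
```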

Import Configurations

Configurations can be imported into Application Control.

  1. Click File > Import & Export > Import Configuration from MSI.

    The Open dialog displays.

  2. Navigate to the location of the MSI, select it and click Open.

The configuration opens in the Application Control console.

Export Configurations

Configurations can be exported from Application Control.

  1. Click File > Import & Export > Export Configuration as MSI.

    The Save As dialog is displayed.

  2. Navigate to the location where you want to save the MSI and click Save.

Save Configurations

The following options for saving configurations are available from the File menu.

Save

  • Save and continue editing - Saves the configuration and keeps it locked whilst open for editing. Any changes that have been made are not committed to the configuration and it cannot be deployed while locked.
  • Save and unlock - Save the configuration and unlock it ready for deployment.
  • Unlock without saving - Unlocks the configuration without saving any changes.

Save As

  • Live configuration on this computer - Replace/update the configuration on the local computer with the currently open configuration.
  • Configuration in the Management Center - Save the configuration in the package store on the selected Management Server.
  • Configuration in System Center Configuration Manager - Saves your configuration to the specified System Center Configuration Manager server.
  • Configuration in Group Policy - Allows you to create the configuration in a selected Group Policy store.
  • Configuration file on disk - Save the configuration to disk.

Test Configurations

Set up a test user before proceeding with this task. The test account must not be one of the Trusted Owners in the configuration.

  1. Log on, as the administrator, to an endpoint with the relevant Application Control configuration installed.
  2. Start Application Control.
  3. In the navigation tree, navigate to Rules > User.
  4. Click Add Rule on the Rules ribbon and select User Rule.

    The Add User Rule dialog displays.

  5. Click Browse.

    The Active Directory Select Users dialog displays.

  6. Click Advanced.
  7. Click Find Now.

    The search results display in the bottom part of the dialog.

  8. Scroll down to locate the test user, select it, and click OK.

    The Select Users dialog displays with the test user displayed in the object name.

  9. Click OK.

    The User rule work area displays the newly created test user.

  10. Save the configuration.
  11. Log off as the administrator.
  12. Log on as the test user to see Application Control working.

Group Policy Configurations

Group Policy provides centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment. Application Control uses Group Policy functionality to save and deploy configurations to any machine in a specified organizational unit (OU) in a domain without the need for additional infrastructure. To use Group Policy you must first install the Remote Server Administration Tools.

To add an Application Control configuration file to a GPO, you must first add a Domain to the selectable list accessed from the Select Domain dialog. For more information, see Adding Selectable Domains to Your List.

If required, you can use the following commands to install the Group Policy Management Console using PowerShell:

    Import-Module ServerManager    # 2008 Server and above
    Add-WindowsFeature -Name GPMC

Add Selectable Domains to Your List

Add a domain to your list of selectable domains using the Select Domain dialog. Once the domain has been added you can then apply the Configuration to a GPO (Group Policy Object) on that domain.

  1. From the File menu, choose Save As or Open and select Configuration in Group Policy.

    The Select Domain dialog displays.

  2. Select the Add icon from the toolbar.

    The Add Domain dialog displays.

  3. Enter the name of the domain to be added to the list. You must have the appropriate rights on the domain that you are adding.
  4. Click the Add button.

The domain is added to your list and is ready to be selected.

Deploy Configurations Using Group Policy Objects

When a configuration is complete and deployed, the Client Side Extension copies the configuration into the Application Control %ProgramData% structure together with a merge_manifest.xml file. The Application Control Agent is notified of the update and the merge_manifest.xml file is copied into the merge folder so that merging can occur. The configuration is then applied to your endpoints.

Once the configuration is saved to the Group Policy Object (GPO), the deployment of that configuration is dependent on your organization's Group Policy settings.

Application Control supports the merging of multiple configurations deployed using Group Policy. Each GPO may hold only one configuration; to deploy multiple configurations you need the same number of GPOs. If all GPOs reside at the same level in Active Directory, link order affects how configurations are merged, with the lowest number being the Base Configuration.

By default, computer Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes.

Save Configurations to a GPO

To save configurations to a Group Policy object, you must have an account that has read and write permissions in the area within the Active Directory (AD) you are working in. You can only save to that area and the policy applies only to the computers in it.

A configuration must be created with the Application Control console and a GPO must have been created within an Organizational Unit (OU) in the selected domain.

  1. Create your Ivanti Application Control Configuration file (AAMP).
  2. Select File > Save As > Configuration in Group Policy.

    The Select Domain dialog displays.

  3. Highlight your selected Domain and click Connect.

    If the domain you are saving to is not available from the list, the domain needs to be added.

  4. Navigate to your OU. You must have the appropriate rights on the OU you select.
  5. Select the GPO and click Save.
  6. If a GPO does not exist, right-click on the target OU and select Create a GPO in this domain, and link it here.

    On some endpoints, you can experience a delay when saving the GPO to your Active Directory (AD). This is because AD replication is required to run across multiple Domain Controllers and Application Control will be unable to find the GPO until replication has been completed.

    The GPO containing the configuration is stored in the following location and can be identified by its unique GUID.

    \\<Domain Controller>\SysVol\<domain.fqdn>\Policies\<guid for GPO>\Machine\AppSense

    If more than one configuration is deployed to an endpoint using Group Policy, Endpoint Configuration Merging occurs and the merged_configuration.aamp takes precedence over any existing configuration. For further information.
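The following PowerShell function is an added example, not part of the product or its documentation. It lists the GPOs linked directly to one OU in link order, keeps those that contain the Machine\AppSense folder shown above, marks the lowest-numbered enabled link as the Base Configuration as described under Deploy Configurations Using Group Policy Objects, and reports which identities can modify each stored configuration. The function name and its parameters are hypothetical; the OU and domain in the usage comment are constructed sample values.

```powershell
# Added example, not product code. Needs the GroupPolicy module (GPMC / RSAT).
function Get-AppControlGpoReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$OuDn,        # OU distinguished name (you supply)
        [Parameter(Mandatory)][string]$DomainFqdn,  # domain FQDN (you supply)
        [string]$Server = $DomainFqdn               # domain controller whose SYSVOL is read
    )
    Import-Module GroupPolicy -ErrorAction Stop

    # Rights that let an identity alter or replace a stored configuration.
    # ACEs expressed only as generic rights are not decoded here.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    $baseFound = $false

    # GpoLinks holds only GPOs linked directly to this OU, i.e. the same AD level.
    $links = (Get-GPInheritance -Target $OuDn -Domain $DomainFqdn).GpoLinks | Sort-Object Order
    foreach ($link in $links) {
        $dir = "\\$Server\SysVol\$DomainFqdn\Policies\{$($link.GpoId)}\Machine\AppSense"
        if (-not (Test-Path -LiteralPath $dir)) { continue }   # GPO carries no configuration

        $writers = (Get-Acl -LiteralPath $dir).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           (([int]$_.FileSystemRights -band $writeMask) -ne 0) } |
            ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

        # Lowest-numbered enabled link is the Base Configuration, per this page.
        $role = if (-not $link.Enabled) { 'Link disabled' }
                elseif (-not $baseFound) { $baseFound = $true; 'Base configuration' }
                else { 'Merged' }

        [pscustomobject]@{
            LinkOrder = $link.Order
            Gpo       = $link.DisplayName
            Role      = $role
            Files     = (Get-ChildItem -LiteralPath $dir -File -Recurse).Name -join ', '
            Writers   = $writers -join ', '
        }
    }
}

# Usage (constructed sample values):
# Get-AppControlGpoReport -OuDn 'OU=Workstations,DC=example,DC=test' -DomainFqdn 'example.test' | Format-List
```

Any identity in the Writers column can replace the configuration that endpoints in the OU will merge, so review that list against the accounts you expect to manage Application Control.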

Search Configurations

Configurations can grow quite large as groups and rule sets are added. To help navigate to a required area of the configuration you can carry out a text search to locate where in the configuration the item is configured.

How to Search a Configuration

Let's take widget.exe as an example. You have configured rules for widget.exe, but can’t remember in which group or rule set.

  1. Navigate to the Edit > Options menu, select Search Configuration.

    The Search Configuration dialog displays.

  2. In the Search field enter the text you want to search for, for example widget.
  3. All Groups and Rule Sets in the configuration are searched for the text widget and all instances display in the results list.
  4. Click on any of the results listed to open the location in the configuration.

You can work in the Configuration Editor with the Search dialog open. If you want to retain the search results but temporarily remove the dialog from view, select Close. To redisplay it, select Search Configuration.
