Policy Change Requests
In this section:
- About Policy Change Requests
- Configure Change Requests for a Rule
- Configure Request Types and Methods
Desktop and mobile users can use the Policy Change Request feature to request an update to an Application Control configuration via email or telephone. Endpoint users can make requests from a link on the Application Control Access Denied dialog or by using the Application Control Policy Change Request executable installed on their desktop.
Policy Change Request settings are configured per rule and are evaluated at session connect and when a configuration changes. The email address, telephone number, and text for change requests are set globally and used for all groups with the appropriate settings applied.
The Policy Change Request feature is only compatible with 32-bit and 64-bit versions of Internet Explorer 9, 10 and 11.
Upgrading Policy Change Request Settings
In 10.1, Policy Change Request behavior changed from being a global setting to being applied for each rule. This change prevents 10.1 agents from processing change requests from endpoints with pre-10.1 configurations. To ensure the Policy Change Request feature continues to function correctly in 10.1, upgrade all configurations in the 10.1 Application Control console and redeploy.
The Application Control Agent and the Application Control Web Services must be at the same version.
Configure which request types and features are available to users for each rule. Policy Change Request settings are available for all rule types, apart from Process rules.
- Select a rule in the navigation pane.
- Select the Policy Change Requests tab.
- Select how Policy Change Requests can be made:
  - Telephone (Immediate Policy Change)
- Select the methods by which users can initiate Policy Change Requests:
  - Access Denied message box - Users click a link in the message box that displays when a user attempts to access a prohibited application.
  - Application context menu - Users select an option from the context menu of prohibited applications.
  - Desktop icon - Users use a desktop shortcut icon to raise change requests from the Policy Request dialog.
The detail for each setting is configured using the Policy Change Requests dialog, accessed from the Global Settings ribbon.
To configure request types and methods, select Policy Change Request Options from the Global Settings ribbon.
Configure email and immediate policy change requests in the Request Types tab on the Policy Change Requests dialog.
When a user is prompted to elevate their privileges to run an application, they can click a link in the Access Denied message box to request a permanent configuration change. When the user clicks the link, they are prompted to enter the reason for the change request, which is sent to the email address configured in the Application Control console.
The Email Request function uses Messaging Application Programming Interface (MAPI) to send emails. An Application Control administrator reviews the request, and if the request is granted, updates the configuration and deploys the AAMP file.
To set up email change requests, enter the email address to which change requests are sent in the Mail To field.
You can only add one email address. You could create a group email if you want the request to go to multiple email addresses.
Immediate requests allow users, typically mobile users, to request a permanent or temporary configuration change. When users click the immediate request link, they are provided with a phone number to call and issued with details of the request and a request code. The request code and the configuration change request are relayed to IT Support, who enter the details in the Help Desk Portal. IT Support generate a response code and send it to the user to enter in the Policy Change Request dialog.
Users get three attempts to enter a response code. After three incorrect attempts the dialog closes and the changes are not applied. If configured, when the dialog closes, a 9091 event is raised. If the user requires further configuration changes, they must restart the process. If the code is entered correctly, users have elevated access to the application. Upon confirmation, users are presented with details of the elevation.
Configure the following fields in the Request Types tab:
- Helpdesk Phone Number - The number users are prompted to call to request the immediate configuration change.
- Shared Key - The shared key is an integral part of processing Immediate requests and is embedded in the configuration. The shared key must match in both the Application Control Console and the Help Desk Portal. If the shared keys do not match, a response code cannot be created and the configuration change will not be authorized for deployment to the user's endpoint.
The shared key can be changed using the Help Desk Portal; however, if the shared key is amended in the Portal, the same key must also be entered in the Application Control Console.
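The following added example (not Application Control code) models the immediate request flow described above: a response code derived from the shared key and the request code, checked on the endpoint with a three-attempt limit and a 9091 event on lockout. The page does not document how the product derives response codes, so HMAC-SHA256 is used as a stand-in, and the names `response_code` and `ResponseDialog`, the key, and the request code are all assumptions.

```python
import hashlib
import hmac

MAX_ATTEMPTS = 3         # from the page: three attempts to enter a response code
LOCKOUT_EVENT_ID = 9091  # from the page: raised (if configured) when the dialog closes


def response_code(shared_key: bytes, request_code: str, digits: int = 8) -> str:
    """Derive a numeric response code from the shared key and the request code.

    Assumption: HMAC-SHA256 stands in for the product's undocumented derivation.
    """
    mac = hmac.new(shared_key, request_code.encode("utf-8"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)


class ResponseDialog:
    """Endpoint side: checks entered codes and enforces the attempt limit."""

    def __init__(self, shared_key: bytes, request_code: str):
        self._expected = response_code(shared_key, request_code)
        self.attempts = 0
        self.closed = False
        self.events = []  # event IDs this dialog would raise

    def submit(self, entered: str) -> bool:
        if self.closed:
            return False  # the user must restart the process with a new request
        self.attempts += 1
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(entered.encode(), self._expected.encode()):
            self.closed = True
            return True
        if self.attempts >= MAX_ATTEMPTS:
            self.closed = True
            self.events.append(LOCKOUT_EVENT_ID)
        return False


if __name__ == "__main__":
    key = b"constructed-shared-key"  # constructed sample value
    request = "REQ-4821-CALC"        # constructed sample request code
    dialog = ResponseDialog(key, request)
    # A help desk holding a different key produces a code the endpoint rejects.
    print(dialog.submit(response_code(b"different-key", request)))
    # With matching keys the same request code verifies.
    print(dialog.submit(response_code(key, request)))
```

Because the endpoint verifies the code only against a key embedded in its configuration, anyone who can read that key can produce valid response codes, so access to the configuration file and the Help Desk Portal key setting should be restricted accordingly.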
Once you have configured the Immediate Request settings in a configuration file, deploy it to your endpoints. Before the feature is fully activated, the Help Desk Administrator and Help Desk Operator roles must be assigned to members of your Support Team. Once you have deployed the configuration and assigned the Help Desk Administrator role, the Help Desk Administrator can assign or remove additional Help Desk Operators and/or Administrators.
In the Request Methods tab, configure the text for policy change request items:
- Message Box Link Text - The text for the request link in the Link from Access Denied Message Box. The default text is Click here to request access to this application.
- Menu Item Text - The text for the menu item, displayed when a user right-clicks an item that is eligible for policy change requests.
- Desktop Icon Text - The name of the Policy Change Request desktop icon. Users can use the icon to open the Application Control Policy Change Request dialog and create change requests.