What's new in Application Control?
2021.3
In addition to code enhancements and bug fixes, the following features are included:
Policy Change Request integration with Ivanti Neurons for ITSM
The existing Policy Change Request feature enables end users to request specific policy changes from their service desk or administrators by email or telephone. Application Control 2021.3 extends that capability with an integration with Ivanti Neurons for ITSM. The integration logs the request directly with the Service Desk, where it is managed automatically through optimized service desk workflows. It ensures that policy change requests are processed according to your organization's best practice, and all requests are audited so that policy alterations can be reviewed later. Once the request has been confirmed, the policy can be actioned, approved and deployed to the appropriate device via automation.
Refer to Policy Change Requests for further information.
Event Viewer enhancements
The Event Viewer feature was introduced in Application Control 2021.1 and provides a powerful query tool for audited event data. The 2021.3 release delivers a number of enhancements, ranging from minor changes to the pre-configured views, to the ability to specify a Deployment Group as part of a query and to save query results for working offline.
Refer to Event Viewer for further information.
UAC Replacement enhancement
The UAC user message box can now be configured to prompt users to supply a reason for requiring elevated privileges. The reason supplied is saved in an audit event, enabling further analysis of user actions. Refer to UAC Replacement.
Advanced Settings updates
In response to feedback and to improve usability, the following advanced settings changes are included:
The DisableSESecondDesktop custom setting is now off by default. Refer to Advanced Settings.
The BrowserInPrivatePolicyManage custom setting has been added to disable Application Control's management of the private browsing policy setting. With this setting in use, the private browsing policy can be managed by an external source. Refer to Advanced Settings.
Telemetry
Telemetry data can help us measure the quality, scalability, reliability, and capabilities of our products. It can provide us with a wide view of deployment and adoption data and so enable us to make the best-informed decisions on future developments of our products.
Application Control 2021.3 introduces telemetry for license data. The information supplied by the agent is in line with our existing EULA and does not include any sensitive or personally identifiable data.
Refer to Telemetry for further information.
Previous Versions
In addition to code enhancements and bug fixes, the following features are included:
Event Viewer feature
The Event Viewer is a powerful new query tool that allows you to view, filter, search and group events based upon their event type. The query results can be used to modify or create configuration rules instantly using simple drag or copy gestures.
Query results are available in a summary view, which includes user count and frequency totals, or as a simple grid listing each event separately. The summary view provides immediate visibility of any specific issues impacting your users.
All queries can be easily customized to focus on specific time periods, users or machines and then filtered or searched to identify specific event attributes.
Refer to Event Viewer for more information.
The following videos provide an introduction to the Event Viewer feature:
Example use-case: Privilege Discovery (4m)
Quick access toolbar
Additional buttons are now included in the Quick Access toolbar. These enable you to:
• Open a configuration from the Management Center.
• Save the current configuration to an alternative destination.
In addition to code enhancements and bug fixes, the following features are included:
Allow custom tokens for self-elevation
Application Control now offers even greater control over the access token used when self-elevating. Administrators can define custom tokens, which are then available for selection from the Self-Elevation Options dialog. Refer to Self-Elevation for further information.
Configurable prompt when elevating applications
Rule items for files, folders, signatures, and groups can now be configured to prompt the user before elevating application privilege. This allows the user to choose whether to run the application (or item) elevated or normally. Refer to Rules Items for further information.
For auditing purposes, it is recommended the user is prompted to supply a reason for the elevation. Monitoring auditing events enables administrators to easily distinguish between automatic elevations and those initiated by a user.
Medium integrity level custom token
Administrators can now configure custom tokens to run at medium integrity. Refer to User Privileges for further information.
Rules Analyzer enhancements
The Application Control Rules Analyzer now includes a checkbox that filters out file overwrite and rename requests. The Rules Analyzer request summary view also includes the rule Type field value, which shows at a glance the type (or category) of request made and saves the analyst from opening and reviewing individual requests to see the result. Refer to Rules Analyzer for further information.
In addition to code enhancements and bug fixes, the following features are included:
UAC Replacement
The UAC Replacement feature complements existing Self-Elevation functionality within Application Control. With UAC Replacement turned on, the standard Windows UAC elevation prompt is replaced with a configurable Application Control consent dialog. This applies if the application is launched from the Start Menu, Explorer, the Desktop, or the command prompt.
See UAC Replacement for further information.
2020.2 Global Style update
The 2020.2 release introduces a design update for the default global styles. The new style uses a larger message box format to accommodate more detailed information, and the default messages no longer use a logo; instead they feature a color-coded banner.
The update is backwards-compatible, enabling you to continue using the previous classic styling, or to apply the style update to your existing configurations as required.
See Message Settings for further information.
New Trusted Owner blocked event
Two additional event IDs have been added: 9060 and 9061. Both events are disabled by default. When enabled, they allow organizations to differentiate execution requests blocked by Trusted Ownership from those blocked explicitly by a Rule Policy.
See Auditing for further information.
New Admin process started event
A further event has been added to identify processes started with full admin rights. Event ID 9062 is valuable for identifying (and then assessing) the elevated rights required.
See Auditing for further information.
Edge support in URL Redirection
The new Microsoft Edge (Chromium) browser is now supported.
See Browser Control for further information.
Launch Windows 10 Apps and Features
Assigned permissions now apply within the Windows 10 Settings > Apps and Features view.
See System Controls for further information.
Easier Access to Further Information
In addition to this online help system, Ivanti provides a wealth of supporting information in the form of online documents, help videos and curated community articles. In the 2020.2 release we have collated these resources into a summary table and made this available via the Release Notes and from the online Help landing page.
In addition to code enhancements and bug fixes, the following features are included:
Localization
The Application Control 2020.1 release has been localized and now supports the following five languages:
• English
• German
• Japanese
• Chinese (Simplified)
• Chinese (Traditional)
Selecting the required language is described in the Language Settings help topic within User Workspace Manager.
Search Configuration
Configurations can grow quite large as groups and rule sets are added. To help you navigate, you can run a text search to locate where in the configuration a given item is configured.
For more information see Maintain Configurations.
Microsoft Windows Server 2019 support
Management Server, Console, Licensing Console and Agent components are all compatible with Microsoft Windows Server 2019.
For more information on supported software see the Maintained Platforms Matrix.
Add Groups to Process Rules
You can now add Folders and Groups to Process Rules. This has the added benefit that all rules within a group can be updated at once rather than individually.
For more information see Process Rules.
Per Item Auditing Support to Library
A new option ignores event filtering for Groups. This makes it possible to log events for each group item instance, so if a group is used in multiple places each instance has its own setting. This setting overrides any event filtering that has been configured.
For more information see Allowed Items and Denied Items.
Make Network Share Accessible
A new default setting denies files on a network share. To allow such files, either deselect this option or add specific items to an Allowed list.
For more information see Advanced Settings.
Rules Analyzer Command Line Information
Command line arguments are now included in the Rules Analyzer results for allowed, denied and elevated executables. This is useful for troubleshooting and for creating targeted rules.
Policy Change Requests
Changes to Policy Change Requests compatibility now mean that the Application Control Agent and the Application Control Web Services must be at the same version.
Silently Block Executables
A new option, Do not show access denied message when denied, is available when creating a rule. It allows administrators to intentionally block certain executables with a 'silent deny', so that the end user does not receive an access denied message.
For more information see Denied Items.
Disable Rule Items in a Group
A new right-click option disables a rule, which is useful when troubleshooting issues because the administrator no longer has to remove the rule. The option toggles between Disable and Enable, so the rule can easily be re-enabled.
For more information see Allowed Items, Denied Items and Rules Items.
Trusted dlls for Self Authorized Items
When you self-authorize an application executable, all child DLLs it subsequently loads are now authorized automatically. In previous versions of Application Control each child DLL needed self-authorizing separately, which often caused the application to crash; now self-authorization is completed in one click.
For more information see Rules.
Message Box Network Port Variable
The network port number is now shown in the Blocked Port message box, where applicable. This helps when troubleshooting issues.
For more information see Message Settings.
Ignore Event Filtering per Rule Item
A new Ignore Event Filtering option has been added. When it is selected for a specific rule, any event ID selected in the Auditing dialog is raised for that rule regardless of the event filtering settings; even if no file types have been selected, the event is still raised for this rule.
For more information see Allowed Items and Denied Items.
BitLocker Component Support for Suspend/Resume
A new option has been added under User Privileges > Components so that you can now Disable or Suspend BitLocker, and the Enable option has been extended to include Resume. This gives more granular control over the BitLocker component.
For more information see User Privileges Controlled Components.
URL Redirection Whitelist
The URL Redirection feature is used to automatically redirect users when they attempt to access a specified URL. By defining a list of prohibited URLs you redirect any user attempting to access a listed URL to a default warning page or a custom web page.
This feature has been enhanced in 10.1 FR3 with the ability to whitelist specific URLs to address the following use cases:
- Control access within a single domain: access to a domain can be prohibited while access to specific parts of it is permitted. For example, you could deny access to www.company.com while allowing access to www.company.com/resources.
- Implement a whitelist approach to controlling internet access for your organization: by creating a redirection that prohibits access to all internet sites, you can then add items that allow access to the web sites you want to be available to your staff.
For more information about this feature, see URL Redirection.
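The following Python example is added here to illustrate the two use cases above; it is not the product's code, and the matching semantics are an assumption made for the example: a prohibited entry or whitelist entry covers a host, or a host plus a path prefix matched on a path-segment boundary; `*` stands for all sites; the most specific matching entry wins; and on equal specificity the prohibited entry wins so the decision fails closed. The warning-page URLs and the sample lists are constructed.

```python
from urllib.parse import urlsplit

# Constructed warning page; in the product this is the configured default redirect target.
DEFAULT_WARNING_PAGE = "http://intranet.example/blocked.html"


def _split(url):
    """Return (lower-cased host, path without trailing slash) for a URL or a host[/path] entry."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/") or "/"
    return host, path


def _covers(entry, host, path):
    """True when a list entry covers the URL. Entries are '*' (all sites), a host,
    or a host plus a path prefix matched on a segment boundary."""
    if entry == "*":
        return True
    e_host, e_path = _split(entry)
    if e_host != host:
        return False
    if e_path == "/":
        return True
    # /resources covers /resources and /resources/x but not /resourcesx
    return path == e_path or path.startswith(e_path + "/")


def _specificity(entry):
    """More specific entries win: '*' < host < host/segment < host/segment/segment ..."""
    if entry == "*":
        return 0
    _, e_path = _split(entry)
    return 1 if e_path == "/" else 1 + e_path.count("/")


def decide(url, prohibited, allowed, warning_page=DEFAULT_WARNING_PAGE):
    """Return ('allow', url) or ('redirect', target).

    prohibited: dict of entry -> custom page URL, or None for the default warning page.
    allowed:    iterable of whitelist entries that exempt more specific locations.
    """
    host, path = _split(url)
    denies = [(_specificity(e), e) for e in prohibited if _covers(e, host, path)]
    if not denies:
        return ("allow", url)
    deny_spec, deny_entry = max(denies)
    allow_spec = max((_specificity(e) for e in allowed if _covers(e, host, path)), default=-1)
    if allow_spec > deny_spec:          # equal specificity fails closed
        return ("allow", url)
    return ("redirect", prohibited[deny_entry] or warning_page)


# Use case 1: block one domain except a path beneath it (constructed lists).
SINGLE_DOMAIN_PROHIBITED = {"www.company.com": None}
SINGLE_DOMAIN_ALLOWED = ["www.company.com/resources"]

# Use case 2: prohibit everything, then whitelist the sites staff may use.
WHITELIST_PROHIBITED = {"*": "http://intranet.example/policy.html"}
WHITELIST_ALLOWED = ["intranet.example", "www.company.com/resources"]

if __name__ == "__main__":
    for url in ["http://www.company.com/", "https://www.company.com/resources/guide.html",
                "http://www.company.com/resourcesx"]:
        print(url, "->", decide(url, SINGLE_DOMAIN_PROHIBITED, SINGLE_DOMAIN_ALLOWED))
    for url in ["http://news.example/", "http://intranet.example/hr"]:
        print(url, "->", decide(url, WHITELIST_PROHIBITED, WHITELIST_ALLOWED))
```

The segment-boundary check in `_covers` is the detail worth carrying into any real whitelist: a plain string prefix would let `www.company.com/resourcesx` ride on the exemption granted to `www.company.com/resources`.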
255-character message limit removed
The 255-character message limit for messages that get displayed to end users has been removed.
In the Message Settings and Application Termination dialogs within the Application Control Console, the administrator can configure the text displayed to end users for the different message types. In 10.1 FR2 and earlier releases this text was limited to 255 characters; in this release the limit has been removed so more information can be included.
For more information, see Message Settings.
Support for additional environment variables in the Application Denied message box
Additional environment variables can be displayed in the Application Denied message box. From 10.1 FR3, all of the information that is included in the Application Denied log can be used.
For more information, see Access Denied.
PowerShell scripts in Custom Conditions
In addition to VBScript and JScript, PowerShell scripts can now be created and used within Custom Conditions.
For more information, see Scripted Conditions.
Auditing of elevated child processes for User Privilege Management
Audit logs now capture details of elevated child processes. If the Apply to child processes option is selected in the configuration, the elevation of the primary process also applies to any of its child processes. In 10.1 FR2 and earlier releases, however, those child processes were not audited, so there was no visibility of the associated activity. In 10.1 FR3 the audit logs capture details for both the primary process and any child processes, giving increased audit visibility.
For more information about where the Apply to child processes option is used, see Rules Items and Self-Elevation.
There are no new features in this release.
Console Rebrand and Renaming
The Application Manager Console has been updated to reflect the new company name, Ivanti. As well as the change of branding from AppSense to Ivanti, Application Manager is known as Application Control as of this release.
The Application Control console, as well as components on the endpoint have been updated to reflect these changes.
You may still see the AppSense Application Manager name used in certain areas, such as the registry or services. This is to keep the transition as undisruptive as possible for existing users of Application Control.
Icon Refresh
Having made significant changes to the design of the User Workspace Manager consoles in version 10, we have listened to feedback and added a splash of color back into the consoles by refreshing and updating some of the icons used in the Application Control console.
Extended Audit Logging
Application Control Event Logging has been extended to include the following:
- A new event for services stopped and started by a user
- Parent process name now included in 9000 events
- File owner now included in 9000 events
- Determining rule now included in events
For further information about Application Control Auditing, see Auditing.
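As an added illustration that is not part of this help page or of the product, the following Python script models an offline version of the Event Viewer summary view described under Previous Versions (event and distinct-user counts per file, narrowed by time period, user or machine) over audited events, using the event IDs named on this page: 9000 (assumed here to be the execution-denied event, carrying the parent process, file owner and determining rule fields listed above), 9060 and 9061 (Trusted Ownership blocked) and 9062 (admin process started). The event records, their field names and the filter parameters are constructed for the example and are not the product's export format.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import ntpath

# Event IDs taken from this page. 9000 is assumed here to be the execution-denied
# event; 9060/9061 are the Trusted Ownership blocked events (off by default) and
# 9062 is the admin-process-started event.
RULE_DENIED = {9000}
TRUSTED_OWNER_BLOCKED = {9060, 9061}
ADMIN_STARTED = {9062}


@dataclass(frozen=True)
class AuditEvent:
    """One audited event. Field names are constructed for this example."""
    event_id: int
    time: datetime
    user: str
    device: str
    file: str
    parent_process: str  # included in 9000 events since the extended logging
    file_owner: str      # likewise
    rule: str            # determining rule, "" when none applied


def classify(ev):
    """Map an event ID to the category the summary groups on."""
    if ev.event_id in TRUSTED_OWNER_BLOCKED:
        return "blocked: untrusted owner"
    if ev.event_id in RULE_DENIED:
        return "blocked: rule policy"
    if ev.event_id in ADMIN_STARTED:
        return "started with admin rights"
    return f"other ({ev.event_id})"


def select(events, start=None, end=None, users=None, devices=None):
    """Narrow a query to a time period, a set of users and/or a set of devices."""
    users = {u.lower() for u in users} if users else None
    devices = {d.lower() for d in devices} if devices else None
    return [
        ev for ev in events
        if (start is None or ev.time >= start)
        and (end is None or ev.time < end)
        and (users is None or ev.user.lower() in users)
        and (devices is None or ev.device.lower() in devices)
    ]


def summarize(events):
    """Rows of (category, file name, event count, distinct user count), most frequent first."""
    counts = defaultdict(int)
    users = defaultdict(set)
    for ev in events:
        key = (classify(ev), ntpath.basename(ev.file).lower())
        counts[key] += 1
        users[key].add(ev.user.lower())
    rows = [(cat, name, counts[(cat, name)], len(users[(cat, name)]))
            for cat, name in counts]
    rows.sort(key=lambda r: (-r[2], -r[3], r[0], r[1]))
    return rows


# Constructed sample events; users, devices, paths and times are made up.
SAMPLE_EVENTS = [
    AuditEvent(9000, datetime(2021, 7, 1, 9, 0), "CORP\\alice", "WS01",
               "C:\\Users\\alice\\Downloads\\tool.exe", "explorer.exe",
               "CORP\\alice", "Denied Items: Downloads folder"),
    AuditEvent(9000, datetime(2021, 7, 1, 9, 5), "CORP\\bob", "WS02",
               "C:\\Users\\bob\\Downloads\\tool.exe", "explorer.exe",
               "CORP\\bob", "Denied Items: Downloads folder"),
    AuditEvent(9060, datetime(2021, 7, 1, 9, 10), "CORP\\alice", "WS01",
               "C:\\Temp\\setup.exe", "cmd.exe", "CORP\\alice", ""),
    AuditEvent(9061, datetime(2021, 7, 1, 9, 12), "CORP\\alice", "WS01",
               "C:\\Temp\\helper.dll", "setup.exe", "CORP\\alice", ""),
    AuditEvent(9062, datetime(2021, 7, 1, 10, 0), "CORP\\carol", "WS03",
               "C:\\Windows\\System32\\mmc.exe", "explorer.exe",
               "NT SERVICE\\TrustedInstaller", "Self-Elevation"),
    AuditEvent(9000, datetime(2021, 7, 1, 11, 0), "CORP\\alice", "WS01",
               "C:\\Users\\alice\\Downloads\\tool.exe", "explorer.exe",
               "CORP\\alice", "Denied Items: Downloads folder"),
]

if __name__ == "__main__":
    for cat, name, n_events, n_users in summarize(SAMPLE_EVENTS):
        print(f"{cat:28} {name:14} events={n_events} users={n_users}")
```

Grouping on the file name rather than the full path is what makes the user count useful: the same blocked tool in two users' download folders surfaces as one row with two users, which is the "specific issue impacting your users" the summary view is meant to expose.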
Windows Operating System Condition
The Microsoft update model now uses build numbers to identify feature releases and service packs. When you create a computer operating system rule, you can specify the target build number and configure the condition to match that exact build or to treat it as the minimum or maximum build.
For more information, see Computer Conditions.
Extended Metadata with Digital Certificate checking
When verifying a file using metadata, administrators can compare the entire certificate to determine the authenticity of the file and whether the metadata can be trusted. The feature also includes real-time certificate verification, which helps you diagnose any issues by trying different combinations of verification settings. As you configure the settings, the certificate status is updated.
For more information, see Metadata and Verify Options.
Self-Elevation Enhancements
Self-Elevation has been extended to support all file types. Administrators can also specify that certain file extensions can be elevated only when opened with certain applications. For example, you can specify that VBS files can be elevated only with wscript.exe.
For more information, see Self-Elevation.
Command Line Matching
Application Control can now apply rules based not just on the application being launched, but also any command line arguments. This is useful if full access to an application is not required but specific users need to launch certain files or run applications under certain conditions. Command line arguments can be added for File and Signature rule items.
This feature also includes two new advanced settings: Validate PowerShell scripts and Validate Java archives. When these settings are turned on, powershell.exe, powershell_ise.exe, and java(w).exe are blocked, and PS1 and JAR files are subject to trusted ownership checking. Specific files can then be added to rules so that they do not require a trusted owner. Add powershell.exe or java(w).exe to a rule to allow them for specific users while blocking them for all other users; for example, you may want to allow powershell.exe for your developers so they can launch any PowerShell script.
For further information, see Rule Items and Advanced Settings.
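To make the interaction between command line matching, the Validate PowerShell scripts and Validate Java archives settings, and Trusted Ownership concrete, here is an added Python model of the launch decision. It is illustrative only and not Application Control's implementation: the rule structure, the trusted owner list, the owner lookup table and the way a script is picked out of the command line are all assumptions made for the example, and the users, paths and owners are constructed.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
import ntpath
import shlex

# Assumed trusted owners for the example (the product's Trusted Owners list is configurable).
TRUSTED_OWNERS = {"nt authority\\system", "builtin\\administrators",
                  "nt service\\trustedinstaller"}

# The two advanced settings named on this page: the interpreter names that are blocked
# and the script extensions that are subjected to trusted ownership checking instead.
VALIDATED = {
    "Validate PowerShell scripts": ({"powershell.exe", "powershell_ise.exe"}, {".ps1"}),
    "Validate Java archives": ({"java.exe", "javaw.exe"}, {".jar"}),
}


@dataclass(frozen=True)
class FileRule:
    """An allowed file rule item for a set of users, optionally restricted by command line."""
    users: frozenset            # lower-cased user names
    file: str                   # executable or script file name
    command_line: str = "*"     # glob over the full argument string; "*" accepts any arguments


@dataclass
class Launch:
    user: str
    exe: str
    args: str
    owners: dict                # path -> NTFS owner; a constructed stand-in for a real lookup


def _name(path):
    return ntpath.basename(path).lower()


def _rule_allows(rule, user, path, args):
    return (user.lower() in rule.users and rule.file.lower() == _name(path)
            and fnmatchcase(args, rule.command_line))


def _script_argument(args, extensions):
    """Return the first command line token with one of the script extensions, if any."""
    for token in shlex.split(args, posix=False):   # keeps quoted Windows paths intact
        token = token.strip('"')
        if ntpath.splitext(token)[1].lower() in extensions:
            return token
    return None


def _trusted(owners, path):
    return owners.get(path, "").lower() in TRUSTED_OWNERS


def evaluate(launch, rules, enabled_settings=frozenset(VALIDATED)):
    """Return ('allow' | 'deny', reason) for a launch request."""
    exe = _name(launch.exe)
    # 1. An explicit rule item for this user (optionally tied to a command line) wins.
    for rule in rules:
        if _rule_allows(rule, launch.user, launch.exe, launch.args):
            return ("allow", f"rule item {rule.file} with command line {rule.command_line!r}")
    # 2. With validation on, the interpreter itself is blocked; the script named on the
    #    command line is what gets checked instead.
    for setting, (interpreters, extensions) in VALIDATED.items():
        if setting in enabled_settings and exe in interpreters:
            script = _script_argument(launch.args, extensions)
            if script is None:
                return ("deny", f"{exe} is blocked by '{setting}' and no script was given")
            for rule in rules:   # a script added as a rule item needs no trusted owner
                if _rule_allows(rule, launch.user, script, launch.args):
                    return ("allow", f"script rule item {rule.file}")
            if _trusted(launch.owners, script):
                return ("allow", f"{script} has a trusted owner")
            return ("deny", f"{script} does not have a trusted owner")
    # 3. Anything else is subject to Trusted Ownership of the executable itself.
    if _trusted(launch.owners, launch.exe):
        return ("allow", f"{exe} has a trusted owner")
    return ("deny", f"{exe} does not have a trusted owner")


# Constructed sample data: paths, owners and users are made up for the example.
POWERSHELL = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
OWNERS = {
    POWERSHELL: "NT SERVICE\\TrustedInstaller",
    "C:\\Windows\\notepad.exe": "NT SERVICE\\TrustedInstaller",
    "C:\\Scripts\\maint.ps1": "CORP\\alice",                       # user-owned, untrusted
    "C:\\Program Files\\Vendor\\deploy.ps1": "BUILTIN\\Administrators",
}
RULES = (
    FileRule(frozenset({"corp\\dev1"}), "powershell.exe"),                 # developers: any script
    FileRule(frozenset({"corp\\helpdesk"}), "maint.ps1", "* -Mode Safe"),  # helpdesk: one script, one mode
)

if __name__ == "__main__":
    for user, args in [("CORP\\dev1", "-File C:\\Scripts\\maint.ps1"),
                       ("CORP\\alice", "-File C:\\Scripts\\maint.ps1 -Mode Safe"),
                       ("CORP\\helpdesk", "-File C:\\Scripts\\maint.ps1 -Mode Safe"),
                       ("CORP\\alice", '-File "C:\\Program Files\\Vendor\\deploy.ps1"'),
                       ("CORP\\alice", "-NoProfile")]:
        print(user, args, "->", evaluate(Launch(user, POWERSHELL, args, OWNERS), RULES))
```

The order of the three steps is the point: a per-user rule item for the interpreter bypasses validation entirely, a rule item for a specific script (with or without a command line pattern) bypasses the trusted owner requirement for that script only, and everyone else is limited to scripts that a trusted owner put on the machine.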
Process Protection
The System Controls feature of Application Control has been extended to include the protection of processes. Using this enhancement, a specified process - such as antivirus software - can be protected from termination by all users, including administrators.
For further information, see System Controls.
Enhanced Windows Store App Support
Further support has been added to the control of Windows Store Applications. Applications can be blocked or allowed based on the application's publisher. Using the publisher for sideloaded apps means multiple apps can be controlled. This makes it possible to configure a restriction for all Store Apps while allowing those sideloaded by an organization or IT department.
For further information, see Rule Items.
Policy Change Request per Rule
Administrators can enable the Policy Change Request feature on a per-rule basis. This allows the type of change request and the available request methods to be configured differently for different users or groups of users. Some aspects of the feature, such as specifying the email address and shared key, remain global.
For further information, see Policy Change Requests.