You can combine Application Control's security methods - such as Trusted Ownership Checking - with rules in a configuration to control which users can install and run applications.
Application Control uses a method known as Trusted Ownership checking to prevent the execution of any user-introduced executable. Only applications installed by Trusted Owner - for example, administrators - are allowed to run by default. In the case of Microsoft applications such as Project and Visio that have been installed in a multi user environment, you can use Application Control to allow access only to these applications by specified licensed device.
The Application Control configuration contains two Group rules. These are BuiltIn\Administrators, who are unrestricted and can run any executable, and Everyone, who can only run executables owned by Trusted Owners. Each rule created has an Allowed Items and Denied Items list.
The Allowed Items list allows administrators to give access to executables that would normally be blocked by default rules, for example Trusted Ownership failure or Network Executables.
The Denied Items list allows administrators to deny access to executables that would normally be allowed by default rules.
Because Microsoft applications will often be licensed to run on only a few devices, it is best practice to use Application Control to initially deny access to the application for everyone, then allow access to the few, based on the allowed device.
- Expand the Group > Everyone node.
- Right-click the Denied Items node and select Add Item > Denied > File. The Add a File dialog displays.
- Browse to and select the application to restrict access to, or enter the name in the File field, and click Add. All standard users are now denied from using the specified application.
The above configuration denies access to everyone, therefore you must create an exception rule to allow named licensed devices to run the application. The devices can be specified using an IP address range or NetBIOS name. These devices are the connecting client machine in a terminal server/Citrix environment.
Application Control rules operate differently to Microsoft Group Policies in that an Allowed Item rule overrides any Denied Item rule.
In the Rules ribbon, select Add Rule > Device Rule.
A new rule is created.
- Right-click the new rule and select Rename.
- Type an intuitive name such as Visio Licensed Devices.
- Expand the new rule.
- Select the Allowed Items node.
In the Rule Items ribbon, select Add Item > Allowed > File.
The Add a File dialog displays.
- Browse to and select the application to make allowed to authorized devices, or enter the name in the File field, and click Add.
This is the same application that you have restricted in Step 1.
- Select the new Device rule.
Select Add Client Device on the Rules ribbon.
The Add a Client Device dialog displays
Browse to and select the devices to authorize for the specified application and click Add.
You can also specify the devices by directly typing:
- IP Address (for example, 192.168.1.80)
- IP Address Range (for example, 192.168.1.10-20)
NetBIOS name (for example, Ivanti, Inc.-PC1)
You can include any combination of the above.
- To specify that the devices are the connecting devices and not the physical devices that are running the application, select Connecting Device in the Device Type column for each device.
Save the Configuration. When the configuration is deployed to a Citrix/Terminal Server only the specified devices are allowed to launch the Microsoft 'per device' licensed application