Product Overview
Functionality
The Application Control feature set has three main parts:
- Application Access Control
- Application Network Access Control
- Privilege Management
You can turn off any of these parts if it is not required; for example, you may not want to use Application Network Access Control.
To enable or disable certain Application Control functionality:
- In the Manage ribbon, click Advanced Settings. The Policy Settings tab is displayed.
- In the Functionality region, select to enable, or deselect to disable, one or more of the following Application Control functionalities:
  - Application Access Control
  - Application Network Access Control
  - Privilege Management
  All the functionality options are selected by default.
- Click OK.
Features
Application Control provides the following key features for application control:

Privilege Management allows you to create reusable user privilege policies which can be associated with any rules and can elevate or restrict access to files, folders, drives, signatures, application groups, and Control Panel components. A more granular level of control allows you to assign specific privileges for debugging or installing software, or to set integrity levels for managing interoperability between different products, such as Microsoft Outlook and Microsoft Word.
Privilege Management contains four primary functions:
- Elevating user privileges for applications.
- Elevating user privileges for Control Panel components and management snap-ins.
- Reducing user privileges for applications.
- Reducing user privileges for Control Panel components and management snap-ins.

By default, only application files owned by an administrator or the Local System account are allowed to execute. Trusted Ownership is determined by reading the NTFS owner of each file that attempts to run, so no list of individual applications has to be maintained: a file that a standard user copies or downloads is owned by that user and is therefore blocked. Application Control automatically blocks any file where ownership cannot be established, such as files located on non-NTFS drives, removable storage devices, or network locations. These files can optionally be allowed to run either by specifying them as Allowed Items or by configuring a Self-Authorizing User rule. The Trusted Owner list can be configured to suit each environment.
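As an added illustration, not Ivanti's code and not a call into the product, the following PowerShell script applies the same Trusted Ownership logic to files on disk, so you can see which executables in a folder would be blocked before a configuration is rolled out. The trusted owner list is an assumption chosen to match the defaults described above (Local System and the local Administrators group, plus the TrustedInstaller service account that owns most Windows binaries); compare it with the Trusted Owner list configured in your environment.

```powershell
# Added example: read-only audit of which files would pass a Trusted Ownership
# check. Owners are compared by SID rather than display name so that a local
# account named to look like a trusted principal does not pass. The list below
# is an assumption; align it with your configured Trusted Owner list.
$TrustedOwnerSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM (Local System)
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)

function Test-TrustedOwnership {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$TrustedSids = $TrustedOwnerSids
    )

    $file   = Get-Item -LiteralPath $Path -ErrorAction Stop
    $root   = [System.IO.Path]::GetPathRoot($file.FullName)
    $result = [ordered]@{ Path = $file.FullName; Owner = $null; Trusted = $false; Reason = '' }

    # Ownership can only be established on local NTFS volumes. UNC paths,
    # mapped network drives and non-NTFS media (FAT32/exFAT USB sticks) are
    # reported as "owner cannot be established", which is blocked by default.
    if ($root.StartsWith('\\')) {
        $result.Reason = 'Network location (UNC): owner cannot be established'
        return [pscustomobject]$result
    }

    try {
        $drive = New-Object System.IO.DriveInfo($root)
        if ($drive.DriveType -eq 'Network') {
            $result.Reason = 'Mapped network drive: owner cannot be established'
            return [pscustomobject]$result
        }
        if ($drive.DriveFormat -ne 'NTFS') {
            $result.Reason = "Non-NTFS volume ($($drive.DriveFormat)): owner cannot be established"
            return [pscustomobject]$result
        }

        $acl      = Get-Acl -LiteralPath $file.FullName
        $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
        $result.Owner = $acl.Owner   # display name, e.g. BUILTIN\Administrators
    } catch {
        $result.Reason = "Owner could not be read: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    if ($TrustedSids -contains $ownerSid) {
        $result.Trusted = $true
        $result.Reason  = 'Owner is in the trusted owner list'
    } else {
        $result.Reason  = "Owner $ownerSid is not in the trusted owner list"
    }
    [pscustomobject]$result
}

# Scan a folder for executable content and report only what would be blocked.
# Anything listed here runs only if covered by an Allowed Item, a Trusted
# Vendor certificate or a Self-Authorizing User rule.
function Get-UntrustedExecutables {
    param([Parameter(Mandatory)][string]$Folder)
    $extensions = '.exe', '.dll', '.msi', '.ps1', '.vbs', '.bat', '.cmd'
    Get-ChildItem -LiteralPath $Folder -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in $extensions } |
        ForEach-Object { try { Test-TrustedOwnership -Path $_.FullName } catch { } } |
        Where-Object { -not $_.Trusted }
}

# A Windows binary owned by TrustedInstaller passes; user-profile content typically does not.
Test-TrustedOwnership -Path "$env:SystemRoot\System32\notepad.exe"
Get-UntrustedExecutables -Folder $env:LOCALAPPDATA | Format-Table Owner, Reason, Path -AutoSize
```

Run it as a standard user against a user-writable location such as the local application data folder: every hit is a binary that user-installed software has dropped and that Trusted Ownership would stop, which is exactly the set you need to decide on (allow by signature, by Trusted Vendor, or leave blocked) before enforcement is switched on.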

Extend application accessibility by applying rules based on username, group membership, computer or connecting device, scripts and parent processes, or combinations of these. Allowed Items and Denied Items, Trusted Vendors, and Privilege Management can be specified in each rule, and are applied to a user session based on the environment in which the user operates.

Scripted rules allow administrators to apply Allowed Items, Denied Items, Trusted Vendors, and Privilege Management policies based on the outcome of a Windows PowerShell or VBScript script. Scripts can be run once for each user session or once per computer.

Process rules apply to parent processes to manage access to child processes at the next level below the parent processes. Process rules include Allowed Items, Denied Items, Trusted Vendors and Privilege Management. The rule does not manage access to the parent process.

Allow applications that are digitally signed by a trusted source to run even where Trusted Ownership checking would otherwise prohibit them. Define a list of Trusted Vendor certificates for each User, Group, Device, Custom, Scripted, and Process rule in the configuration.

Application Termination allows you to control triggers, behavior, and warning messages for terminating applications on managed computers. You can also control the manner in which applications are terminated and how the user is notified.

Block access to certain applications accessed via IP, Universal Naming Convention (UNC) or host name. Application Control can manage access based on the location of the requester, for example if they are connecting via a virtual private network (VPN) or directly to the network.

SHA-1, SHA-256 and Adler-32 signature checks may be applied to any number of Application Control rules, giving a control that does not depend on file ownership; this is useful where NTFS permissions are weak or non-existent, or for applications on non-NTFS formatted drives. A digital signature wizard allows easy creation and maintenance of large signature lists. Note that Adler-32 is a checksum rather than a cryptographic hash, and SHA-1 is no longer considered collision resistant, so prefer SHA-256 wherever the signature is relied on to tell an approved binary from a tampered or substituted one.
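The following PowerShell is an added example, not Ivanti's code and not the product's own signature wizard: it computes the three signature types named above for a file, and shows with a constructed pair of inputs why Adler-32 should not be relied on as a security control. Get-FileHash is the built-in cmdlet; Adler-32 is implemented by hand because PowerShell has no built-in for it. The notepad.exe path is only a convenient sample file.

```powershell
# Added example: compute SHA-256, SHA-1 and Adler-32 for a file, and
# demonstrate an Adler-32 collision between two different byte strings.

function Get-Adler32 {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $modAdler = 65521            # largest prime below 2^16, as in zlib
    $a = 1; $b = 0
    foreach ($byte in $Bytes) {
        $a = ($a + $byte) % $modAdler    # A: 1 + sum of all bytes
        $b = ($b + $a) % $modAdler       # B: running sum of A after each byte
    }
    # Conventional encoding: B in the high 16 bits, A in the low 16 bits.
    '{0:X8}' -f ([int64]$b * 65536 + $a)
}

function Get-Sha256Hex {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { ([System.BitConverter]::ToString($sha.ComputeHash($Bytes))) -replace '-', '' }
    finally { $sha.Dispose() }
}

# The signature set you would record for an allowed item.
function Get-FileSignatures {
    param([Parameter(Mandatory)][string]$Path)
    [pscustomobject]@{
        Path    = $Path
        SHA256  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SHA1    = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
        Adler32 = Get-Adler32 -Bytes ([System.IO.File]::ReadAllBytes($Path))
    }
}

function Test-Adler32Collision {
    # Constructed inputs: two different 3-byte strings. Adler-32 is built from
    # plain byte sums, so any two inputs with the same total and the same
    # position-weighted total collide; 'ACE' and '@ED' are such a pair.
    # A cryptographic hash has no such structure, so SHA-256 separates them.
    $x = [System.Text.Encoding]::ASCII.GetBytes('ACE')
    $y = [System.Text.Encoding]::ASCII.GetBytes('@ED')
    [pscustomobject]@{
        Adler32X        = Get-Adler32 $x
        Adler32Y        = Get-Adler32 $y
        Adler32Collides = (Get-Adler32 $x) -eq (Get-Adler32 $y)
        Sha256Collides  = (Get-Sha256Hex $x) -eq (Get-Sha256Hex $y)
    }
}

Test-Adler32Collision
Get-FileSignatures -Path "$env:SystemRoot\System32\notepad.exe" | Format-List
```

Adler32Collides comes back true and Sha256Collides false. The practical consequence for a signature list is that an attacker who can place a file with an arbitrary name on disk can pad a malicious binary to match an approved Adler-32 value with little effort; matching a SHA-256 value is not feasible.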

Access to Windows Store apps can be controlled by Application Control. Grant or restrict access by applying group rules to one or more Windows Store apps. Application snippets can also be imported and rules configured if the machine being used to create the configuration is not compatible with Windows Store apps.

Allows an administrator to browse to any endpoint and retrieve a list of applications that have been installed on that endpoint. Search for any executable files and add them to the configuration. Application Control records which applications are started and by whom. The recording of data is started and stopped by the administrator. Organize the files into authorized and unauthorized groups to quickly create a policy. The configurations can be deployed to a user, a group of users, a machine, or a group of machines. Endpoint Analysis is on demand and inactive by default.

Users are increasingly mobile, so it is important that entitlement rules are enforced when the user is not connected to the corporate network. Application Control holds the entitlement rules on the endpoint device, so users can only access the applications and resources to which they have permission even when offline.

Application Control can monitor application use without preventing users running applications. Passive monitoring can be enabled or disabled on a per user, device, or group basis and provides a tool to track user behavior prior to full implementation, or to understand application use for software license management.

Provides the option for users to execute applications that they have introduced into the system. Applications can be added to a secure machine while outside of the office without relying on IT support. A comprehensive audit can detail information such as the application name and the time and date of execution and device. Additionally, a copy of the application can be taken and stored centrally for examination.

Apply a policy to control the number of application instances a user can run, along with the times when it can run. You can create a policy to control or enforce licensing models by controlling application limits on a per user basis, but not per device.

Best practice configuration templates are provided that can be imported into Application Control. Application Control can import a number of configuration files and use these in combination.

Allows you to monitor endpoints to identify applications that use administrative rights. A web service collects the data and relays it to the Privilege Discovery Mode work area in the Application Control Console.

Events are raised by Application Control according to the default Event Filtering configuration and audited directly to a local file log or the Windows Event Log. Alternatively, events can be forwarded for auditing to the Management Center via the Deployment Agent (CCA). The Application Control audit event reports available in the Management Center can also be used to provide details of current application usage across the enterprise.

The default configuration in Application Control validates all Windows Scripting Host (WSH) scripts, such as VBS, against the configuration rules. This ensures that users can only invoke authorized scripts, reducing the risk of introducing WSH scripts that contain viruses or malicious code.
The Validation settings can be disabled in the Application Control Options dialog, along with validation of cmd.exe, self-extracting ZIP files, registry files, and Windows installer (MSI) files.
Only self-extracting EXEs formatted using the ZIP specification are supported. For additional information, see ZIP Specifications.

Enable and disable certain features in Application Control either when not in use or when troubleshooting issues in your configurations. The functionality that you can manage in this way includes:
- Application Access Control
- Application Network Access Control
- Privilege Management
Benefits
The key benefits of using Application Control are:
- Reduces risk and helps achieve compliance by protecting against ransomware, targeted attacks, zero-day exploits, advanced persistent threats and malicious code that tries to execute in your environment.
- Provides granular privilege management, enabling you to implement least-privilege access and remove local admin accounts while still giving users the privileges they need to do their job. The privilege level of a user, group or role can be elevated or reduced on a per-application and per-Windows-component basis.
- Allows you to manage application access and user privileges across your desktop and server estate with low administration overhead, through an extensive and flexible rules engine. Ivanti Application Control can protect systems without the need for complex lists or constant management.
- Delivers security without impacting productivity and with minimal performance impact on end users. On-Demand change requests let end users ask for emergency privilege elevation or application access in situations where productivity is affected.
- Enforces Microsoft per-device licensing. By controlling which users or devices have permission to run named applications, limits can be placed on the number of application instances, which devices or users can run the application, and when and for how long users can run a program.
- Provides the ability to control outbound network connections by IP address, host name, URL, UNC or port, based on the outcome of rules processing, to prevent access to insecure network resources.
- Controls network access from within applications, based on location.