What's new in Application Control?

2023.1

In addition to code enhancements and bug fixes the following features are included:

Integration with ServiceNow SSO for Policy Change Request

The popular extension of Policy Change Request to integrate with ServiceNow has been further enhanced to support SSO for the end users.

See Policy Change Request - ServiceNow for details.

Addition of a New Condition – AAD Joined

Following on from the 2022.3 release of Application Control where we introduced support for AAD users and groups, in this version, we’ve added a new condition “AAD Joined” for use when creating and editing rules.

See Azure Active Directory for details.

File Menu Alteration

The ‘Unlock without saving’ option has moved to the top level of the file menu to remove the confusion of it being in the ‘Save’ menu.

File Permission Update in AMAgentAssist

To avoid a potential exploit, the file permissions on AMAgentAssist have been altered.

CreateProcess APIs Potential Exploitation Removed

It has been possible to run unexpected or untrusted applications via the CreateProcess native APIs. This is no longer the case.

 

Previous Versions

Support for Azure Active Directory

New rule nodes have been added to represent Azure Active Directory (AAD) groups and users. Like other types of rule, the standard behaviour is available, including:

  • Display of the rule and normal interactions

  • Configuration profiler

  • Snippet import

  • Search

  • Undo/redo

  • Signature rescan

  • Library group in-use checking

  • Cut/copy/paste between rules within this rule type

These rules apply on the agents of both AAD-joined and hybrid-AAD-joined machines. If a device is not connected to the network at logon then the last known Groups apply. User group assignment changes can only apply at logon. Device group assignment changes can only apply at restart.

Further, when creating custom rules in the console, they can be created with conditions for AAD User Name, AAD User Group, AAD Computer Group and AAD Client Computer Group.

Configuration for AAD is via the Global Settings.

Following are details for accessing Azure Active Directory:

Azure Active Directory (AAD) Access

AAD (Azure Active Directory) User Rules

AAD (Azure Active Directory) Group Rules

Updates to Policy Change Request integration with Ivanti Neurons for ITSM

Client name is now included as data that can be added to the request item in Ivanti Neurons for ITSM. It should be noted though that if the policy is updated the update is not limited to the specific device it was requested from but to the user who requested it.

In earlier versions of the integration, once a request was approved it remained at that status indefinitely. Application Control will now update the Request to fulfilled after the policy change has been applied.

See Request Status for further information.

Windows 11 and Server 2022 OS Conditions

2022.1 includes Operating System conditional support for both Windows 11 and Server 2022. Please refer to the following documents for further information on our Windows version support:

UWM Windows 10 and Server OS Support Statement

UWM Windows 11 Support Statement

Extended Policy Change Request feature to integrate with ServiceNow

In addition to the 2021.3 release, including the ability to integrate the Policy Change Request feature with Ivanti Neurons for ITSM, 2022.1 adds extends this capability to integrate with ServiceNow. This means that Administrators can configure the capability for users to create a record in their ServiceNow instance to request alterations to the policy currently affecting the users’ ServiceNow workspace.

Refer to Policy Change Requests for further general information and see Policy Change Requests - ServiceNow Integration for specific information.

Standardize Delimiters for ExProcessName and DriverHookEx Custom Settings

The ExProcessName and DriverHookEx custom settings have, in the past accepted different delimiters for lists of filenames/applications. This release sees them standardised to both accept semi-colons as the delimiter. For backwards-compatability, ExProcessName will continue to accept spaces.

Refer to Advanced Settings - Available Custom Settings for further information.

Privilege Discovery Event for Windows Control Panel Components

A new event ID – 9064 has been added to track executable-based Windows Components specifically, rather than tracking them in the 9062 events. These are visible in the Event Viewer and a new view exists to display these specifically, it is called ‘Privilege Discovery (Windows Components)’. Please note, non-executable-based Windows components cannot be tracked with this event type.

Refer to Event Viewer for further information.

Improved Handling of AC PowerShell with -command

2021.3 Hotfix 1 addressed a defect – 87234 (PowerShell script incorrectly denied). It prevented ps1 files from being executed if they had the -command included as this could be used to circumvent the intended behaviour of Application Control. It has subsequently been noted that when running a ps1 file from Explorer, the -command is used to prompt the user that they are running an unsigned file which might be dangerous. The fix we implemented undermined this behaviour so with the 2022.1 release we have added an additional option in the advanced settings dialogue. This enables the user to toggle strict -command checking. For new configurations, this setting will be on by default. For existing configurations, the setting will be off (to preserve existing behaviour). Customer upgrading from 2021.3 HF1 should check their configuration to ensure everything is as expected.

Refer to Advanced Settings for further information.

Improvements to Advanced/ Removable Media handling

Customers have reported that the option under Advanced Settings regarding removable media is not clear. To clarify this, the setting that was known as ‘Deny files on removable media’ has been renamed to ‘Use Signature Rules only to allow files on removable media’. In addition, when this option is disabled, the owner of the file being executed on removable media will be ignored and the request will not be trusted. An explicit rule allowing an untrusted file is required in the configuration to execute from removable media. See the documentation for more details.

Refer to Advanced Settings

 

(This is the Drop-down text)

In addition to code enhancements and bug fixes the following features are included:

Policy Change Request integration with Ivanti Neurons for ITSM

The existing Policy Change Request feature enables end users to request specific policy changes from their system service desk or administrators using email or telephone communication. Application Control 2021.3 extends that capability to integrate with Ivanti Neurons for ITSM. The integration enables the request to be logged directly with the Service Desk and managed through optimized service desk workflows automatically. It ensures that policy change requests are processed according to best practice in your organization and all requests are audited enabling future review of the policy alterations. Once the request has been confirmed, the policy can be actioned, approved and deployed to the appropriate device via automation.

Refer to Policy Change Requests for further information.

Event Viewer enhancements

The Event Viewer feature was introduced in Application Control 2021.1 and provides a powerful query tool for audited event data. The 2021.3 release delivers a number of enhancements ranging from minor changes to pre-configured views; to the ability to specify a Deployment Group as part of the query and the ability to save the results of a query for working offline.

Refer to Event Viewer for further information.

UAC Replacement enhancement

The UAC user message box can now be configured to prompt users to provide a reason for their elevated privilege requirement. In addition, the value of the reason supplied is saved as an audit event enabling further analysis of user actions. Refer to UAC Replacement.

Advanced Settings updates

In response to feedback and to improve usability, the following advanced settings changes are included:

The DisableSESecondDesktop custom setting is now off by default. Refer to Advanced Settings

BrowserInPrivatePolicyManage custom setting has been added to disable the management of private browsing policy setting in Application Control. The use of this setting enables private browsing policy to be manged by an external source. Refer to Advanced Settings.

Telemetry

Telemetry data can help us measure the quality, scalability, reliability, and capabilities of our products. It can provide us with a wide view of deployment and adoption data and so enable us to make the best-informed decisions on future developments of our products.

Application Control 2021.3 introduces telemetry for license data. Information supplied by the agent is in-line with our existing EULA agreement and does not include any sensitive or personally-identifiable data.

Refer to Telemetry for further information.

In addition to code enhancements and bug fixes the following features are included:

Event Viewer feature

The Event Viewer is a powerful new query tool that allows you to view, filter, search and group events based upon their event type. The query results can be used to modify or create configuration rules instantly using simple drag or copy gestures.

Query results are available in a summary view which include user count and frequency totals, or as a simple grid listing each event separately. The summary view provides immediate visibility of any specific issues impacting your users.

All queries can be easily customized to focus on specific time periods, users or machines and then filtered or searched to identify specific event attributes.

Refer to Event Viewer for more information.

The following videos provide an introduction to Event Viewer feature:

Event Viewer - Overview (6m)

Example use-case: Privilege Discovery (4m)

Quick access toolbar

Additional buttons are now included in the Quick Access toolbar. These enable you to:

  • Open Configuration from the Management Center

  • Save the current configuration to an alternative destination.

In addition to code enhancements and bug fixes the following features are included:

Allow custom tokens for self-elevation

Application Control now offers even greater control over the access token used when self elevating. Administrators can define custom tokens and these are available for selection from the Self-Elevation Options dialog. Refer to Self-Elevation for further information.

Configurable prompt when elevating applications

Rule items for files, folders, signatures, and groups can now be configured to prompt the user before elevating application privilege. This allows the user to choose whether to run the application (or item) elevated or normally. Refer to Rules Items for further information.

For auditing purposes, it is recommended the user is prompted to supply a reason for the elevation. Monitoring auditing events enables administrators to easily distinguish between automatic elevations and those initiated by a user.

Medium integrity level custom token

Administrators can now configure custom tokens to run at medium integrity. Refer to User Privileges for further information.

Rules Analyzer enhancements

The Application Control Rules Analyzer now includes a checkbox that allows the filtering out of file overwrite and rename requests. The Rules Analyzer request summary view includes the rules Type field value. This shows at-a-glance the type (or category) of request type made, and prevents the analyst having to open and review individual requests to view the result. Refer to Rules Analyzer for further information.

In addition to code enhancements and bug fixes the following features are included:

UAC Replacement

The UAC Replacement feature complements existing Self-Elevation functionality within Application Control. With UAC Replacement turned on, the standard Windows UAC elevation prompt is replaced with a configurable Application Control consent dialog. This applies if the application is launched from the Start Menu, Explorer, the Desktop, or the command prompt.

See UAC Replacement for further information.

2020.2 Global Style update

The 2020.2 release introduces a design update for default global styles. The new style uses a larger message box format to accommodate more detailed information; and the default messages no longer use a logo, instead they feature a color-coded banner.

The update is backwards-compatible, enabling you to continue using the previous classic styling, or to apply the style update to your existing configurations as required.

See Message Settings for further information.

New Trusted Owner blocked event

Two additional event IDs have been added: 9060 and 9061. By default, both events are disabled. If required, they can enable organizations to differentiate execution requests blocked by Trusted Ownership from those blocked explicitly by a Rule Policy.

See Auditing for further information.

New Admin process started event

A further event has been added to identify processes started using full admin rights. ID 9062 can be valuable in identifying (and then assessing) the elevated rights required.

See Auditing for further information.

Edge support in URL Redirection

The new Microsoft Edge (Chromium) browser is now supported.

See for Browser Control for further information.

Launch Windows 10 Apps and Features

Assigned permissions apply within the Windows 10 Settings Apps and Features view.

See System Controls for further information.

Easier Access to Further Information

In addition to this online help system, Ivanti provides a wealth of supporting information in the form of online documents, help videos and curated community articles. In the 2020.2 release we have collated these resources into a summary table and made this available via the Release Notes and from the online Help landing page.

In addition to code enhancements and bug fixes the following features are included:

Localization

Application Control 2020.1 release has been localized and now supports the following 5 languages:

  • English

  • German

  • Japanese

  • Chinese (Simplified)

  • Chinese (Traditional)

Selection of the language setting required is described in the Language Settings help topic within User Workspace Manager.

Search Configuration

Configurations can grow quite large as groups and rule sets are added. To help you navigate you can carry out a text search to locate where in the configuration a required item is configured.

For more information see Maintain Configurations

Microsoft Windows Server 2019 support

Management Server, Console, Licensing Console and Agent components are all compatible with Microsoft Windows Server 2019.

For more information on supported software see the Maintained Platforms Matrix.

Add Groups to Process Rules

You can now select to add Folders and Groups to Process Rules. This provides the added benefit of being able to update all rules within the one group rather than having to go through each one individually.

For more information see Process Rules

Per Item Auditing Support to Library

New option to ignore event filtering for Groups. This now provides the ability to log events for each group item instance, so if a group is used in multiple places each instance has its own setting. This setting overrides any event filtering that has been set.

For more information see Allowed Items and Denied Items

Make Network Share Accessible

New default setting to deny files on a network share. To allow files, you can either deselect this option, or add specific items to an Allowed list.

For more information see Advanced Settings

Rules Analyzer Command Line Information

Command line arguments included in the Rules Analyzer results for allowed, denied and elevated executables. This is useful for troubleshooting and to create targeted rules.

Policy Change Requests

Changes to Policy Change Requests compatibility now mean that the Application Control Agent and the Application Control Web Services must be at the same version.

Silently Block Executables

New option Do not show access denied message when denied on rule creation. This allows administrators to intentionally block certain executables and perform a 'silent deny' so that the end user does not receive a denied access message.

For more information see Denied Items

Disable Rule Items in a Group

New right-click option to Disable a rule, useful for troubleshooting issues and prevents the administrator from having to remove the rule. The option toggles between Disable and Enable so the rule can easily be re-enabled.

For more information see Allowed ItemsDenied Items, Rules Items

Trusted dlls for Self Authorized Items

When you self-authorize an application exe all subsequent child dlls are now automatically authorized. Whereas in previous versions of Application Control each child dll would need self-authorizing, often causing the application to crash, now self-authorization can be completed in one click.

For more information see Rules

Message Box Network Port Variable

The network port number is now shown in the Blocked Port message box, if applicable. This helps with troubleshooting issues.

For more information see Message Settings

Ignore Event Filtering per Rule Item

A new option has been added to Ignore Event Filtering. When this option is selected for a specific rule, it means that if an event ID is selected on the Auditing dialog, this event will be raised for this rule regardless of the event filtering settings. So even if no file types have been selected, the event will still be raised for this rule.

For more information see Allowed Items and Denied Items

BitLocker Component Support for Suspend/Resume

A new option had been added to User Privileges > Components so that you can now Disable or Suspend BitLocker, and the Enable option has been extended to include Resume. This gives more granular control over the BitLocker component.

For more information see User Privileges Controlled Components