What's new in Application Control?
Version 2023.3
Ability to deploy through Ivanti Neurons
Ivanti Neurons is a managed SaaS platform with many capabilities, including discovery, device management, patch management, ITSM and many others. Customers who have both Application Control and Ivanti Neurons are now able to use the Ivanti Neurons agent to deploy the Application Control engine and deploy policies via the Ivanti Neurons agent management feature. Learn more about Integrating Application Control with Ivanti Neurons.
Previous Versions
In addition to code enhancements and bug fixes the following features are included:
Integration with ServiceNow SSO for Policy Change Request
The popular extension of Policy Change Request to integrate with ServiceNow has been further enhanced to support SSO for the end users.
See Policy Change Request - ServiceNow for details.
Addition of a New Condition – AAD Joined
Following on from the 2022.3 release of Application Control where we introduced support for AAD users and groups, in this version, we’ve added a new condition “AAD Joined” for use when creating and editing rules.
See Azure Active Directory for details.
File Menu Alteration
The ‘Unlock without saving’ option has moved to the top level of the file menu to remove the confusion of it being in the ‘Save’ menu.
File Permission Update in AMAgentAssist
To avoid a potential exploit, the file permissions on AMAgentAssist have been altered.
CreateProcess APIs Potential Exploitation Removed
It has been possible to run unexpected or untrusted applications via the CreateProcess native APIs. This is no longer the case.
Support for Azure Active Directory
New rule nodes have been added to represent Azure Active Directory (AAD) groups and users. Like other types of rule, the standard behaviour is available, including:
- Display of the rule and normal interactions
- Configuration profiler
- Snippet import
- Search
- Undo/redo
- Signature rescan
- Library group in-use checking
- Cut/copy/paste between rules within this rule type
These rules apply on the agents of both AAD-joined and hybrid-AAD-joined machines. If a device is not connected to the network at logon then the last known Groups apply. User group assignment changes can only apply at logon. Device group assignment changes can only apply at restart.
Further, when creating custom rules in the console, they can be created with conditions for AAD User Name, AAD User Group, AAD Computer Group and AAD Client Computer Group.
Configuration for AAD is via the Global Settings.
Following are details for accessing Azure Active Directory:
- Azure Active Directory (AAD) Access
- AAD (Azure Active Directory) User Rules
- AAD (Azure Active Directory) Group Rules
Updates to Policy Change Request integration with Ivanti Neurons for ITSM
Client name is now included as data that can be added to the request item in Ivanti Neurons for ITSM. Note, however, that when the policy is updated, the update applies to the user who made the request, not only to the specific device the request was made from.
In earlier versions of the integration, once a request was approved it remained at that status indefinitely. Application Control will now update the Request to fulfilled after the policy change has been applied.
See Request Status for further information.
Windows 11 and Server 2022 OS Conditions
2022.1 includes Operating System conditional support for both Windows 11 and Server 2022. Please refer to the following documents for further information on our Windows version support:
- UWM Windows 10 and Server OS Support Statement
- UWM Windows 11 Support Statement
Extended Policy Change Request feature to integrate with ServiceNow
Building on the 2021.3 release, which added the ability to integrate the Policy Change Request feature with Ivanti Neurons for ITSM, 2022.1 extends this capability to integrate with ServiceNow. This means that Administrators can configure the capability for users to create a record in their ServiceNow instance to request alterations to the policy currently affecting the users’ ServiceNow workspace.
Refer to Policy Change Requests for further general information and see Policy Change Requests - ServiceNow Integration for specific information.
Standardize Delimiters for ExProcessName and DriverHookEx Custom Settings
The ExProcessName and DriverHookEx custom settings have, in the past, accepted different delimiters for lists of filenames/applications. This release standardizes them so that both accept semicolons as the delimiter. For backwards compatibility, ExProcessName will continue to accept spaces.
Refer to Advanced Settings - Available Custom Settings for further information.
Privilege Discovery Event for Windows Control Panel Components
A new event ID, 9064, has been added to track executable-based Windows Components specifically, rather than tracking them in the 9062 events. These are visible in the Event Viewer, and a new view called ‘Privilege Discovery (Windows Components)’ exists to display them specifically. Please note that non-executable-based Windows components cannot be tracked with this event type.
Refer to Event Viewer for further information.
Improved Handling of AC PowerShell with -command
2021.3 Hotfix 1 addressed defect 87234 (PowerShell script incorrectly denied). It prevented ps1 files from being executed if they included -command, as this could be used to circumvent the intended behaviour of Application Control. It has subsequently been noted that when running a ps1 file from Explorer, -command is used to prompt the user that they are running an unsigned file which might be dangerous. The fix we implemented undermined this behaviour, so with the 2022.1 release we have added an additional option in the advanced settings dialogue. This enables the user to toggle strict -command checking. For new configurations, this setting will be on by default. For existing configurations, the setting will be off (to preserve existing behaviour). Customers upgrading from 2021.3 HF1 should check their configuration to ensure everything is as expected.
Refer to Advanced Settings for further information.
Improvements to Advanced/Removable Media handling
Customers have reported that the option under Advanced Settings regarding removable media is not clear. To clarify this, the setting that was known as ‘Deny files on removable media’ has been renamed to ‘Use Signature Rules only to allow files on removable media’. In addition, when this option is disabled, the owner of the file being executed on removable media will be ignored and the request will not be trusted. An explicit rule allowing an untrusted file is required in the configuration to execute from removable media. See the documentation for more details.
Refer to Advanced Settings.
In addition to code enhancements and bug fixes the following features are included:
Policy Change Request integration with Ivanti Neurons for ITSM
The existing Policy Change Request feature enables end users to request specific policy changes from their system service desk or administrators using email or telephone communication. Application Control 2021.3 extends that capability to integrate with Ivanti Neurons for ITSM. The integration enables the request to be logged directly with the Service Desk and managed through optimized service desk workflows automatically. It ensures that policy change requests are processed according to best practice in your organization and all requests are audited enabling future review of the policy alterations. Once the request has been confirmed, the policy can be actioned, approved and deployed to the appropriate device via automation.
Refer to Policy Change Requests for further information.
Event Viewer enhancements
The Event Viewer feature was introduced in Application Control 2021.1 and provides a powerful query tool for audited event data. The 2021.3 release delivers a number of enhancements, ranging from minor changes to pre-configured views, to the ability to specify a Deployment Group as part of the query, and the ability to save the results of a query for working offline.
Refer to Event Viewer for further information.
UAC Replacement enhancement
The UAC user message box can now be configured to prompt users to provide a reason for their elevated privilege requirement. In addition, the value of the reason supplied is saved as an audit event enabling further analysis of user actions. Refer to UAC Replacement.
Advanced Settings updates
In response to feedback and to improve usability, the following advanced settings changes are included:
The DisableSESecondDesktop custom setting is now off by default. Refer to Advanced Settings.
The BrowserInPrivatePolicyManage custom setting has been added to disable the management of the private browsing policy setting in Application Control. Using this setting enables the private browsing policy to be managed by an external source. Refer to Advanced Settings.
Telemetry
Telemetry data can help us measure the quality, scalability, reliability, and capabilities of our products. It can provide us with a wide view of deployment and adoption data and so enable us to make the best-informed decisions on future developments of our products.
Application Control 2021.3 introduces telemetry for license data. Information supplied by the agent is in-line with our existing EULA agreement and does not include any sensitive or personally-identifiable data.
Refer to Telemetry for further information.
In addition to code enhancements and bug fixes the following features are included:
Event Viewer feature
The Event Viewer is a powerful new query tool that allows you to view, filter, search and group events based upon their event type. The query results can be used to modify or create configuration rules instantly using simple drag or copy gestures.
Query results are available in a summary view which include user count and frequency totals, or as a simple grid listing each event separately. The summary view provides immediate visibility of any specific issues impacting your users.
All queries can be easily customized to focus on specific time periods, users or machines and then filtered or searched to identify specific event attributes.
Refer to Event Viewer for more information.
The following videos provide an introduction to Event Viewer feature:
Example use-case: Privilege Discovery (4m)
Quick access toolbar
Additional buttons are now included in the Quick Access toolbar. These enable you to:
- Open Configuration from the Management Center
- Save the current configuration to an alternative destination.
In addition to code enhancements and bug fixes the following features are included:
Allow custom tokens for self-elevation
Application Control now offers even greater control over the access token used when self-elevating. Administrators can define custom tokens, and these are available for selection from the Self-Elevation Options dialog. Refer to Self-Elevation for further information.
Configurable prompt when elevating applications
Rule items for files, folders, signatures, and groups can now be configured to prompt the user before elevating application privilege. This allows the user to choose whether to run the application (or item) elevated or normally. Refer to Rules Items for further information.
For auditing purposes, it is recommended the user is prompted to supply a reason for the elevation. Monitoring auditing events enables administrators to easily distinguish between automatic elevations and those initiated by a user.
Medium integrity level custom token
Administrators can now configure custom tokens to run at medium integrity. Refer to User Privileges for further information.
Rules Analyzer enhancements
The Application Control Rules Analyzer now includes a checkbox that allows the filtering out of file overwrite and rename requests. The Rules Analyzer request summary view includes the rule Type field value. This shows at a glance the type (or category) of request made, and saves the analyst having to open and review individual requests to view the result. Refer to Rules Analyzer for further information.
In addition to code enhancements and bug fixes the following features are included:
UAC Replacement
The UAC Replacement feature complements existing Self-Elevation functionality within Application Control. With UAC Replacement turned on, the standard Windows UAC elevation prompt is replaced with a configurable Application Control consent dialog. This applies if the application is launched from the Start Menu, Explorer, the Desktop, or the command prompt.
See UAC Replacement for further information.
2020.2 Global Style update
The 2020.2 release introduces a design update for default global styles. The new style uses a larger message box format to accommodate more detailed information, and the default messages no longer use a logo; instead they feature a color-coded banner.
The update is backwards-compatible, enabling you to continue using the previous classic styling, or to apply the style update to your existing configurations as required.
See Message Settings for further information.
New Trusted Owner blocked event
Two additional event IDs have been added: 9060 and 9061. By default, both events are disabled. If required, they can enable organizations to differentiate execution requests blocked by Trusted Ownership from those blocked explicitly by a Rule Policy.
See Auditing for further information.
New Admin process started event
A further event has been added to identify processes started using full admin rights. ID 9062 can be valuable in identifying (and then assessing) the elevated rights required.
See Auditing for further information.
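The 9060/9061, 9062 and 9064 events described above are most useful once they are rolled up the way the Event Viewer summary view does (user count and frequency per item). The following Python is an added example, not part of the product or this page: it uses constructed sample events with an assumed record layout, and ranks the executables most often started with full admin rights so the elevated rights they need can be assessed.

```python
from collections import Counter, defaultdict

# Application Control audit event IDs named in these release notes. The page
# does not say which of 9060 and 9061 corresponds to which blocking cause, so
# both are labelled generically here.
EVENT_NAMES = {
    9060: "Execution blocked (9060)",
    9061: "Execution blocked (9061)",
    9062: "Admin process started",
    9064: "Privilege Discovery (Windows Components)",
}

# Constructed sample events. The field layout is an assumption for this
# example, not the product's export format.
SAMPLE_EVENTS = [
    {"id": 9062, "user": "alice", "device": "PC01", "file": r"C:\Tools\dbadmin.exe"},
    {"id": 9062, "user": "bob", "device": "PC02", "file": r"C:\Tools\dbadmin.exe"},
    {"id": 9062, "user": "alice", "device": "PC01", "file": r"C:\Tools\dbadmin.exe"},
    {"id": 9064, "user": "carol", "device": "PC03", "file": r"C:\Windows\System32\mmc.exe"},
    {"id": 9062, "user": "dave", "device": "PC04", "file": r"C:\Legacy\setup.exe"},
    {"id": 9060, "user": "erin", "device": "PC05", "file": r"D:\Downloads\tool.exe"},
    {"id": 9000, "user": "frank", "device": "PC06", "file": r"C:\Other\x.exe"},
]


def summarize(events):
    """Summary view keyed by (event name, file): how many times the event
    fired and how many distinct users it involved."""
    frequency = Counter()
    users = defaultdict(set)
    for ev in events:
        name = EVENT_NAMES.get(ev["id"])
        if name is None:
            continue  # IDs not discussed on this page are left out
        key = (name, ev["file"])
        frequency[key] += 1
        users[key].add(ev["user"])
    return {
        key: {"frequency": frequency[key], "user_count": len(users[key])}
        for key in frequency
    }


def elevation_candidates(events, min_users=2):
    """Files started with full admin rights (9062) by at least min_users
    distinct users, most widely used first: the first place to look when
    deciding whether a targeted elevation rule would remove a recurring need."""
    summary = summarize(events)
    rows = [
        (file, stats["user_count"], stats["frequency"])
        for (name, file), stats in summary.items()
        if name == "Admin process started" and stats["user_count"] >= min_users
    ]
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))
```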
Edge support in URL Redirection
The new Microsoft Edge (Chromium) browser is now supported.
See Browser Control for further information.
Launch Windows 10 Apps and Features
Assigned permissions apply within the Windows 10 Settings Apps and Features view.
See System Controls for further information.
Easier Access to Further Information
In addition to this online help system, Ivanti provides a wealth of supporting information in the form of online documents, help videos and curated community articles. In the 2020.2 release we have collated these resources into a summary table and made this available via the Release Notes and from the online Help landing page.
In addition to code enhancements and bug fixes the following features are included:
Localization
Application Control 2020.1 release has been localized and now supports the following 5 languages:
- English
- German
- Japanese
- Chinese (Simplified)
- Chinese (Traditional)
Selection of the language setting required is described in the Language Settings help topic within User Workspace Manager.
Search Configuration
Configurations can grow quite large as groups and rule sets are added. To help you navigate you can carry out a text search to locate where in the configuration a required item is configured.
For more information see Maintain Configurations.
Microsoft Windows Server 2019 support
Management Server, Console, Licensing Console and Agent components are all compatible with Microsoft Windows Server 2019.
For more information on supported software see the Maintained Platforms Matrix.
Add Groups to Process Rules
You can now select to add Folders and Groups to Process Rules. This provides the added benefit of being able to update all rules within the one group rather than having to go through each one individually.
For more information see Process Rules.
Per Item Auditing Support to Library
New option to ignore event filtering for Groups. This now provides the ability to log events for each group item instance, so if a group is used in multiple places each instance has its own setting. This setting overrides any event filtering that has been set.
For more information see Allowed Items and Denied Items.
Make Network Share Accessible
New default setting to deny files on a network share. To allow files, you can either deselect this option, or add specific items to an Allowed list.
For more information see Advanced Settings.
Rules Analyzer Command Line Information
Command line arguments are now included in the Rules Analyzer results for allowed, denied and elevated executables. This is useful for troubleshooting and for creating targeted rules.
Policy Change Requests
Changes to Policy Change Requests compatibility now mean that the Application Control Agent and the Application Control Web Services must be at the same version.
Silently Block Executables
New option Do not show access denied message when denied on rule creation. This allows administrators to intentionally block certain executables and perform a 'silent deny' so that the end user does not receive a denied access message.
For more information see Denied Items.
Disable Rule Items in a Group
A new right-click option to Disable a rule is useful for troubleshooting issues and saves the administrator from having to remove the rule. The option toggles between Disable and Enable so the rule can easily be re-enabled.
For more information see Allowed Items, Denied Items, and Rules Items.
Trusted dlls for Self Authorized Items
When you self-authorize an application exe all subsequent child dlls are now automatically authorized. Whereas in previous versions of Application Control each child dll would need self-authorizing, often causing the application to crash, now self-authorization can be completed in one click.
For more information see Rules.
Message Box Network Port Variable
The network port number is now shown in the Blocked Port message box, if applicable. This helps with troubleshooting issues.
For more information see Message Settings.
Ignore Event Filtering per Rule Item
A new option has been added to Ignore Event Filtering. When this option is selected for a specific rule, it means that if an event ID is selected on the Auditing dialog, this event will be raised for this rule regardless of the event filtering settings. So even if no file types have been selected, the event will still be raised for this rule.
For more information see Allowed Items and Denied Items.
BitLocker Component Support for Suspend/Resume
A new option has been added to User Privileges > Components so that you can now Disable or Suspend BitLocker, and the Enable option has been extended to include Resume. This gives more granular control over the BitLocker component.
For more information see User Privileges Controlled Components.