Application Termination
In this section:
- About Application Terminations
- Configure Application Termination
- Set Up Application Termination for an IP Address Change
About Application Terminations
Application Termination allows you to control triggers, behavior, and warning messages for terminating applications on managed endpoints. You can terminate applications gracefully, allowing the user to save work before closing, or force a termination. You can edit notification messages for each type of trigger individually.
Triggers for terminating an application include the following:
- The agent starts
- A new configuration is applied
- The computer IP address changes
- The connecting device changes
When a trigger is activated, processes are evaluated against the rules to determine whether an application must be terminated. Rules with the Self-Authorizing and Audit Only security levels are not evaluated, because Self-Authorizing rules leave application control to the user's discretion and Audit Only rules do not apply Application Control.
You can configure warning and terminate messages, but must abide by the following:
- The message caption must not be left blank, must be a single line, and can contain up to 100 characters.
- The message body must not be left blank, can contain zero or more line breaks, and can contain up to 10000 characters.
- A separate message box must be used for each trigger type.
Application terminations can be audited and are associated with audit event 9017.
For further information, see Auditing.
Application Termination is disabled by default. Enable the feature using the Enable Application Termination option on the Application Termination dialog, which you access in the Global Settings ribbon.
Configure Application Termination
- Select Application Termination on the Global Settings ribbon.
- Select Enable Application Termination.
- Select the triggers to use for application termination:
- Configuration Applied - Select to terminate an application according to the configuration that is applied.
- Computer IP address changed - Select to terminate an application when the IP address of the computer changes, for example, moving between secure and insecure environments.
- Connecting device changed - Select to terminate an application when the connecting device has changed, for example, changing from a desktop to a laptop in the same session.
- Select the Options tab to define which actions are taken when an application is terminated:
- Display an initial warning message - Displays an initial warning message to inform the user that the denied application will be closed and to save any work. The time to close can be specified using the Wait for... option. Use in conjunction with the Close Application and Terminate Application options. If this is not used in conjunction with these options, a message is displayed and the denied application does not close.
- Close the application - Closes the application following the initial warning message, allowing the user time to save their work.
- Terminate the application - Terminates the denied application without giving the user a warning message.
- Wait for... - Specifies the time period, in seconds, between actions, and also the time between closing and terminating. The maximum period is 120 seconds.
- To change the warning or termination message, select either the Configuration Applied Message, IP Address Changed Message, or Connecting Device Changed Message tabs, depending on the specified triggers. To configure warning and termination messages, use the following fields:
- Caption - The text to display for the title of the warning or terminate message.
- Message body - The text to display for the body of the message.
Note: Environment variables are supported for both the caption and message body.
- Width - Specify the width of the Application Termination message dialogs. The width is measured in pixels and applies to all messages. The default value is 0.
- Height - Specify the height of the Application Termination message dialogs. The height is measured in pixels and applies to all messages. The default value is 0.
- Click OK.
- Save the configuration.
Application Control also has the ability to terminate applications through the Time Limits feature.
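The limits and option combinations described above can be checked before the settings are entered in the console. The following is an added example, not Ivanti code: the Plan structure, the trigger names and the lint function are hypothetical, and only the limits (100 and 10000 characters, 120 seconds) and the warning-only behaviour come from this page.

```python
from dataclasses import dataclass, field

# Limits taken from this page; the data model itself is hypothetical.
MAX_CAPTION, MAX_BODY, MAX_WAIT = 100, 10000, 120
TRIGGERS = {"configuration_applied", "ip_address_changed", "connecting_device_changed"}

@dataclass
class Plan:
    triggers: set
    messages: dict = field(default_factory=dict)  # trigger -> (caption, body)
    warn: bool = False
    close: bool = False
    terminate: bool = False
    wait_seconds: int = 0

def lint(plan):
    """Return findings; an empty list means the plan follows the documented rules."""
    out = []
    for t in sorted(plan.triggers - TRIGGERS):
        out.append(f"{t}: unknown trigger")
    if not (plan.close or plan.terminate):
        # Documented behaviour: a warning on its own leaves the denied application open.
        out.append("no Close or Terminate action: denied application is not closed")
    if not 0 <= plan.wait_seconds <= MAX_WAIT:
        out.append(f"wait of {plan.wait_seconds}s is outside 0-{MAX_WAIT}s")
    for t in sorted(plan.triggers & TRIGGERS):
        if t not in plan.messages:
            out.append(f"{t}: no message defined for this trigger")
            continue
        caption, body = plan.messages[t]
        if not caption.strip():
            out.append(f"{t}: caption is blank")
        if "\n" in caption or "\r" in caption:
            out.append(f"{t}: caption must be a single line")
        if len(caption) > MAX_CAPTION:
            out.append(f"{t}: caption exceeds {MAX_CAPTION} characters")
        if not body.strip():
            out.append(f"{t}: body is blank")
        if len(body) > MAX_BODY:
            out.append(f"{t}: body exceeds {MAX_BODY} characters")
    return out

if __name__ == "__main__":
    # Constructed sample: warning only, wait too long, multi-line caption.
    risky = Plan({"ip_address_changed"},
                 {"ip_address_changed": ("Network changed\nSave now", "Save your work.")},
                 warn=True, wait_seconds=300)
    for finding in lint(risky):
        print(finding)
```

Lengths are measured on the text as typed; this page does not say whether the limits apply before or after environment variables are expanded.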
Set Up Application Termination for an IP Address Change
Use Application Termination to terminate an application when the IP address has changed, for example, when the IP address is outside the company range of IP addresses.
- Select Application Termination on the Global Settings ribbon. The Application Termination dialog displays.
- Select the Enable Application Termination option. This is turned off by default.
- Select the Computer IP address changed option on the Triggers tab.
- Select the Options tab.
- Do one of the following:
- Select the Display an initial warning message and Close application options. This will display an initial warning message, allowing the user to save any work and then close the dialog.
- Select the Terminate application option. This will terminate the application without any warning. You can display an initial warning if required.
- Select all three options.
- Select the IP Address Changed Message tab.
- Change the message if required.
- Click OK.
- This step is to set up the IP address range that is allowed for the work office.
- Select the Rules node in the navigation pane.
- Select the Add Rules drop-down arrow on the Rules ribbon and then select Device Rule. A new Device rule is created under the Device rule node.
- Right-click the new node and select Rename.
- Enter an intuitive name, for example, In Office.
- Right-click within the work area and select Add Client Device.
- The Add a Client Device dialog is displayed.
- Enter the IP address range that is allowed and click Add.
- This step is to set up the IP address range that is not allowed, for example, when using VPN from another location.
- Select the Rules node in the navigation pane.
- Select the Add Rules drop-down arrow on the Rules ribbon and select Device Rule. A new Device rule is created under the Device rule node.
- Right-click the new node and select Rename.
- Enter an intuitive name, for example, Out of Office.
- Right-click within the work area and select Add Client Device.
- The Add a Client Device dialog is displayed. Do one of the following:
- Enter the IP address range that is not allowed.
- Enter *.*.*.* to imply all other IP addresses.
- Click Add.
Step 4 - Save the Configuration