Allow/Deny Rule

An allow rule is where you allow users, groups, or devices access to specific items, such as files, folders, or applications, without providing full administrative privileges.

A deny rule is where you deny users, groups, or devices access to specific items, such as files, folders, or applications.

Rule creation workflow:

  1. What rule do you want to create?
  2. What items do you want to allow/deny?
  3. When is the rule to be applied?
  4. Summary and Save

Create an Allow/Deny Rule

  1. On the What do you want to do? page, select I want to allow/deny.
  2. Click Next.
    The Allow/Deny Rule - What do you want to allow/deny? page appears.
  3. In Select a source, use the drop-down to select the source of the items. Select from:
    • Blocked by Trusted Owners (only applicable for an Allow rule): This populates the Source Items section with a list of all items that App Control has logged as being blocked because they are not owned by a trusted owner.
    • App Templates: This populates the Source Items section with a list of all App Templates that have been created in App Control.
    • Alternatively, select Add file manually to display the Rule Item Settings panel, where you can specify which file you want to create the allow rule for.
  4. Select the required items. On selection, each item is added to the Selected Items section.
    You can edit the item settings (Properties and Metadata) by clicking the ellipsis icon to open the Rule Item Settings panel.
  5. Click Next.
    The Allow/Deny Rule - When is this assigned? page appears.
  6. In Select a source, use the drop-down to select the source of the items. Any selected or added sources are displayed in the Selected Items section. Select from:
    • AD Groups: The AD Display and Group names are listed. You can use the search and filter to refine the list. Alternatively, you can manually add a group by clicking Add manually.
    • AD Users: Enter domain\username and click Add.
    • App Control Users: The username of users that App Control has recorded an event for.
    • Computer Groups: Enter the computer group, for example: CN=ComputerGroup. If you want to include nested groups select Search nested groups. Click Add.
    • Device Organizational Units: Enter the organizational unit, for example: OU=Corporation. If you want to include sub-OUs select Include sub-OUs. Click Add.
    • Devices: The Device and Host names of all Neurons discovered Windows devices are listed. You can use the search and filter to refine the list. Alternatively, you can manually add a device by clicking Add manually.
    • IP Addresses: Enter the IP addresses and select whether you want to match regular expressions against IP addresses. Click Add.
      Example:
      • 192.168.0.1: select the client device with an IP of 192.168.0.1
      • 192.168.0.*: select the client devices with an IP of 192.168.0.<any>
      • 192.168.0.15-25: select all client devices within the IP range of 192.168.0.15 to 192.168.0.25
    • Alternatively, select Everyone to create the rule for the Everyone group. This includes any user that logs on to a device that has the configuration successfully deployed, with the exception of Administrators.
  7. Once you are finished with the Selected Items, click Next.
    The Save Rule and Rule Summary page appears.
  8. Enter a Name for the rule, and provide an optional description.
  9. The default status for the rule is Active. If you do not want to make the rule active yet, toggle the Rule Status to off.
  10. Click Save to save the rule and return to the configuration, where you'll see the new rule listed in the Rules section.
    Alternatively, click Save & Add another to save the rule and return to the What do you want to do? page to create another rule for the configuration.
  11. When you have added all the rules to the configuration, click Save to save the configuration as draft. Or, click Save & Publish to save the version of the configuration.
    Once published, the configuration is available for assignment to a policy.
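
Before publishing a rule scoped by IP Addresses (step 6), it helps to check which devices a pattern would select. The following is an added example, not App Control code: it interprets the three pattern forms shown in the IP Addresses examples and runs them over a constructed inventory. The function names, the inventory, and the choice to accept the wildcard and range forms in any octet are assumptions; the page only shows them in the last octet.

```python
import ipaddress

def _octet(text):
    """Parse one decimal octet, rejecting anything outside 0-255."""
    if not text.isdigit() or int(text) > 255:
        raise ValueError(f"bad octet: {text!r}")
    return int(text)

def parse_pattern(pattern):
    """Turn a pattern into four inclusive (low, high) octet ranges.

    Assumed forms, read off the page's examples: a plain number is exact,
    '*' is any value in that octet, 'a-b' is an inclusive range in that octet.
    """
    parts = pattern.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {pattern!r}")
    ranges = []
    for part in parts:
        if part == "*":
            ranges.append((0, 255))
        elif "-" in part:
            low, _, high = part.partition("-")
            low, high = _octet(low), _octet(high)
            if low > high:
                raise ValueError(f"reversed range: {part!r}")
            ranges.append((low, high))
        else:
            ranges.append((_octet(part),) * 2)
    return ranges

def matches(pattern, address):
    """True if the IPv4 address falls inside every octet range of the pattern."""
    octets = ipaddress.IPv4Address(address).packed  # four bytes, one per octet
    return all(lo <= o <= hi for o, (lo, hi) in zip(octets, parse_pattern(pattern)))

def selected_devices(pattern, inventory):
    """Host names from a {host: ip} inventory that the pattern would select."""
    return sorted(host for host, ip in inventory.items() if matches(pattern, ip))

# Constructed sample inventory; host names and addresses are made up.
INVENTORY = {
    "ws-01": "192.168.0.1", "ws-14": "192.168.0.14", "ws-15": "192.168.0.15",
    "ws-25": "192.168.0.25", "ws-26": "192.168.0.26", "lab-01": "192.168.1.1",
}

if __name__ == "__main__":
    for pat in ("192.168.0.1", "192.168.0.*", "192.168.0.15-25"):
        print(pat, "->", selected_devices(pat, INVENTORY))
```

A deny rule scoped to 192.168.0.* reaches every device in that /24, so comparing the selected list against the intended targets catches an over-broad pattern before the configuration is published.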