App Control Configurations
An App Control configuration contains the rule settings used to manage endpoints. The configuration files are installed on managed endpoints and serve as a policy checklist for the App Control agent to assess how to handle file execution requests. When a file is executed, App Control intercepts the request and checks it against the configuration to find the matching rule and the action to take. Other default policies specified in the configuration are also applied, such as how message notifications are displayed.
After creating or modifying a configuration, you must save and publish it. You can then assign the configuration to a policy. Once the deployment process has been initiated, the configuration state changes to Active, and the rules take effect on the endpoints when the deployment succeeds.
Security Levels
The configuration security level determines the level of restriction on the endpoints. The levels available are:
- Unrestricted: There are no restrictions on any applications; all activity is allowed. This can be useful if you want to temporarily disable App Control without uninstalling it.
- Audit only: The default setting. There are no restrictions to any applications, but all trusted ownership, and configuration policy and rule matching activity is logged and reported in App Control.
- Restricted: Restrictions are determined by the configuration rules. Activity can be restricted for specific applications, users, groups, and devices.
Configuration Default Settings
App Control is ready to manage your security as soon as you install the agent policy and configuration on managed endpoints. When you create a new configuration, you can use it straight away with no customization. If the configuration security level is set to Restricted, the configuration blocks any file with an untrusted owner and prevents non-administrative users from accessing executables in non-secure locations, including network locations and removable media, together with the policy protection default settings.
Policy Protection default settings
- All application and process execution requests are checked against the App Control rules before access is granted.
- Members of the Local Administrators group are granted unrestricted access to applications.
- If CMD has an explicit deny rule, then CMD is blocked except when running allowed batch files.
- MSI, WSH, Java archives and Registry files are validated against the App Control rules.
- Installations that are allowed are permitted to run any exes and dlls that are executed as part of the install process.
- Administrators and non-administrative users are prevented from reading, copying, editing, and deleting an App Control configuration file directly on an endpoint.
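The decision logic described in the two sections above (security level, trusted ownership, non-secure locations and the Local Administrators exemption) can be modelled as a small evaluation function. This is an added illustrative example, not App Control's own code or configuration format; the owner names, location classes and sample requests are constructed.

```python
"""Illustrative model of the App Control default decision logic.
Added example; not App Control's own code. Owner names, location
classes and requests are constructed for the demonstration."""
from dataclasses import dataclass, field

# Constructed set of owners treated as trusted by Trusted Ownership.
TRUSTED_OWNERS = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators",
                  "NT SERVICE\\TrustedInstaller"}
# Constructed location classes that count as non-secure.
NON_SECURE_LOCATIONS = ("network", "removable")


@dataclass
class ExecRequest:
    path: str
    owner: str                 # file owner reported by the file system
    location: str              # "local", "network" or "removable"
    user_is_local_admin: bool  # member of the Local Administrators group


@dataclass
class Config:
    security_level: str        # "Unrestricted", "Audit only", "Restricted"
    audit_log: list = field(default_factory=list)


def evaluate(cfg: Config, req: ExecRequest) -> str:
    """Return "allow" or "block" for one execution request."""
    if cfg.security_level not in ("Unrestricted", "Audit only", "Restricted"):
        raise ValueError(f"unknown security level: {cfg.security_level}")
    if cfg.security_level == "Unrestricted":
        return "allow"         # nothing is checked and nothing is logged
    reasons = []
    if req.owner not in TRUSTED_OWNERS:
        reasons.append("untrusted owner")
    if req.location in NON_SECURE_LOCATIONS and not req.user_is_local_admin:
        reasons.append(f"non-secure location ({req.location})")
    if req.user_is_local_admin or not reasons:
        verdict = "allow"      # admins get unrestricted access; clean files run
    elif cfg.security_level == "Audit only":
        verdict = "allow"      # matches are logged but never enforced
    else:
        verdict = "block"      # Restricted: enforce the match
    if reasons:                # both Audit only and Restricted record matches
        cfg.audit_log.append(f"{verdict}: {req.path} ({'; '.join(reasons)})")
    return verdict
```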
Configuration States
- Publishing: The configuration is in the process of being published.
- Published: The configuration has been saved and published. It is available for assignment to an agent policy.
- Failed to Publish: The configuration failed to publish.
- Assigned: The configuration is assigned to an agent policy.
- Active: The configuration is assigned to an agent policy and the deployment process to the endpoints has been initiated.
- Unpublishing: The configuration is being unpublished.
- Unpublished: The configuration has been unpublished.
- Failed to Unpublish: The configuration failed to unpublish.
- Previously Published: The configuration has been superseded.
Alerts
The alerts will be for one of the following warnings:
- The configuration associated with the policy requires a schema update.
- The policy associated with the configuration has the reboot setting incorrectly set. You must select Request reboots when needed in the Agent Policy Settings.
Schemas
If a version of a configuration requires a schema update, an alert displays in the Alerts column. Click the icon; the Edit configuration page appears with a warning banner informing you that you must update the schema. Click Update schema, and when the Update schema dialog appears, click Update schema again.
You can edit a configuration and save the draft without updating the schema, but you cannot save and publish the configuration until the schema has been updated.
Creating a Configuration
To create an App Control configuration:
- Navigate to App Control > Configurations. The Configurations page appears.
- Click Create configuration. The New configuration page appears.
- Enter a Name for the configuration. Optionally, enter a description.
- Set the Security Level to determine what level of restriction the configuration rules will have on the users, groups, or devices.
You can leave the configuration set to the default Security Level, Audit only; this enables Trusted Ownership on the endpoints receiving the configuration.
Alternatively, you can set the Security Level to Restricted and create rules to control application use on the endpoints with the Allow, Deny, Elevate, and Trusted Vendor rules, and optionally customize the App Control Message settings displayed to the end user when App Control prevents an application from launching. For more details on creating configuration rules, refer to Configuration Rules.
- Click Create to save the configuration. The Edit configuration page appears.
- Click Add new rule to start building rules into your configuration that determine whether specific items are allowed, denied, elevated, or belong to a trusted vendor. For more details on creating rules, see Configuration Rules.
- Click the Settings tab to configure message settings, advanced settings, and auditing settings for the configuration. For more details on the settings, see Configuration Settings.
- Click Save to create a draft of the configuration, or click Save & Publish to save and publish the version of the configuration.
A configuration must be published to be available for assignment to a policy so that it can be deployed to endpoints.
- The configuration is listed in the Configurations table.
Actions
The table lists all non-archived configurations. The following actions are available for each configuration:
- View: Select to view the configuration.
- Edit: Select to edit the configuration. The current version is saved as a draft and any published versions remain unchanged. If a draft does not exist, a new draft is created from the latest version. Not available for configurations that are in a Publishing state.
- Publish Draft: Select to publish the draft. The first published draft becomes version 1; for each subsequent draft publish, the version number is incremented. Only available for configurations that have a draft.
- Unpublish: Select to unpublish the latest configuration version. Only available for configurations that are in a Published state, and not assigned to a policy. Unpublished versions will not be available for selection in Agent Policy.
- Archive: Select to soft delete the configuration. The configuration will no longer be available for use and cannot be retrieved. Only available for draft or when the latest version is Unpublished.
Viewing a Configuration
To view a configuration, go to App Control > Configurations. Click on a configuration Name, or in the Actions column click on the icon, then select View.
You can view the Rules and Settings, and you also have the following two additional tabs:
History
View a list of all versions of the configuration, who created the version and the version state.
Policies
View the number of agent policies that the configuration is associated with, and the number of agent endpoints that the configuration has been deployed to.
The names of the associated policies are listed. The icon indicates that the policy reboot experience is misconfigured. App Control requires the Agent Automatic Update to be set to Request reboots when needed. See Agent Automatic Update.
To view the associated policy, select the icon in the Actions column for the required policy, then select View. The Agents > Agent Policies > Agent Policy page appears. From here you can see the App Control capability and edit the associated App Control configuration and the Reboot settings.