App Control

Ivanti Neurons App Control prevents the spread of malware through unauthorized application execution and reduces the need for administrative rights through the trusted ownership model and user privileges, without the need for complex allow lists and deny lists.
App Control keeps IT security requirements in balance with user productivity needs, providing zero-day malware protection for endpoint security through privilege and application control. Corporate compliance, improved platform stability and consistency, and significant reductions in both IT support and software licensing costs can be achieved.
You have the option to run App Control in audit only mode to allow monitoring of your estate and see what is happening before deciding on which policy changes to implement.

Watch a related video on trusted ownership (4:39)

Watch a related video on elevated privileges (2:00)

Getting Started with App Control

The first step in getting started with App Control is to create a configuration. Once created you can then assign the configuration to a Neurons Agent Policy and deploy it to managed endpoints. After a 24 hour period App Control will have received some data from the endpoint. This data is then used to populate the charts on the Overview page to give you an insight into application activity on your managed endpoints. You can use the data to build and edit your configurations. Configuration rules can be built with varying levels of control to suit your needs, namely: Trusted Ownership, Allow Rules, Deny Rules, and Elevate Rules. Configurations can be as simple or as complex as you need them to be to control and manage your endpoints. Configurations are assigned a security level: Unrestricted, Audit only, Restricted. The security level determines the level of restriction the configuration rules have on users, groups, and devices.

Administrators are exempt from rules and are therefore always unrestricted. Rules apply to standard users only as per the configuration rule definitions.

Trusted Ownership comes as a default setting for App Control configurations, protecting your endpoints without the need to set up white lists, or allow rules. Anything installed on the users device by a trusted owner will be allowed to run, and anything installed by the user will be blocked, for example, downloaded games, emails with malicious attachments, or unlicensed software. Trusted Ownership checks the file ownership when attempting to run an application, if the owner does not match one of the trusted owners, running the application is denied. The file owner is the user responsible for the file being created, this could be installing from an msi, downloading from the internet, copying from a USB stick or receiving as an email attachment. App Control will only 'trust' and therefore allow to run, files owned by a trusted owner.

App Control trusted owners are as follows:

  • SYSTEM
  • BUILTIN/Administrators
  • %ComputerName%\Administrator
  • NT Service\TrustedInstaller

Network folders and shares are denied by default, to grant access they will require an Allow Rule.

Create a Configuration

  1. To get started with App Control, you first need to create a configuration, go to App Control > Configurations > Create configuration.
  2. Give the configuration a Name.
  3. Click Create.
    For more details on configurations refer to App Control Configurations.
  4. You can now choose to leave the configuration set to the default Security level: Audit only, this will enable Trusted Ownership on the endpoints receiving the configuration.
    Alternatively, you can set the Security Level to Restricted and create rules to control application use on the endpoints with the Allow, Deny, Elevate, and Trusted Vendor rules, and optionally customize the App Control Message settings to display to the end user when App Control intercepts an application. For more details on creating configuration rules, refer to Configuration Rules.
  5. If the configuration is ready for assignment to an Agent Policy for deployment to endpoints, select Save & Publish, this creates a configuration version. If you want to save the configuration as a draft, select Save.
    Configurations must be published before they can be assigned to policy.

Deploy a Configuration

Configurations are deployed via a Neurons Agent Policy. Policies can be deployed to any endpoint that has an Ivanti Neurons Agent installed.

  1. Once you have created a configuration you must Save & Publish it. The configuration must be in an Published state.
  2. Go to Agents > Agent Policies.
    The Agent Policies page appears. For more details on policies refer to Agent Policies.
  3. Select Create Policy, or select an existing Policy from the table, and select to Edit it.
  4. On the Capabilities tab, select the App Control tile.

    The App Control capability will only be visible if an App Control configuration exists.

  5. Once the App Control capability is selected, the Configuration drop-down becomes active. From the drop-down select the required App Control configuration.
  6. You can now deploy the configuration. Once the deployment process has been initiated, the configuration state updates to Active. For more details on deployment refer to Agent Deployment.

Review the App Control data

Once the target devices have the Neurons Agent, Policy and App Control configuration installed, App Control will start capturing application activity. You can review the data using the App Control Overview page, to gain an insight into the user and application behavior. From there, you can further analyze the data to create and update rules to in your configurations to manage and control applications in the required way.