System Controls
Use System Controls to control the removal or modification of applications and processes, manage specific services, and clear named event logs. These controls can be applied to elevate or restrict access to the specified item.
System Controls are available when you create user privilege rules for each rule group. For more information about creating user privileges, refer to Manage User Privilege Rule.
Alternatively, you can automatically pre-populate the uninstall, service, and event log control rule configurations when you add a new rule. To add rule configurations automatically, refer to Configuration Rules.
System Controls rules are available for the allow/deny, manage user privilege, and self-elevate rule types. This topic uses the manage user privilege options as an example, but the workflow is similar for the other options.
Adding System Controls
To add a system control, follow these steps:
- On the What do you want to do? page, select I want to manage user privileges.
- Click Next.
The Manage User Privileges Rule - What do you want to manage? page appears.
- Select System Controls, and click Next.
- From the Select a source option, select the following based on your requirement:
Elevation Rules under Functionality Toggles in Advanced Settings must be enabled for System Control rules to apply.
Uninstall Controls
Select this option to allow or restrict admin and non-admin users from uninstalling installed applications. Uninstall Control Items are configured by defining which applications are controlled. Further validation can be applied to target a named publisher and specific application versions. To allow or restrict all applications from a publisher, enter a * in the Application field combined with the publisher name.
To create uninstall controls, follow these steps:
Under the Uninstall Controls section, enter Application Name, Publisher Name, and Version of the application.
Select the Policy Type based on the following:
Elevate: Select this option to grant the component the privileges to complete a specific action that would otherwise need to be performed by an Administrator.
Restrict: Select this option to restrict the application or component from being uninstalled from a device.
Click Add.
The uninstall control items are added to a specific application and displayed under the Selected Items section.
Service Controls
Select this option to choose which services can be modified, stopped, started, and restarted. Service Control Items are configured by specifying the service name or the name by which the service is known. The service display name may differ between different Operating Systems.
The Ivanti Application Control Agent Service is the only service that cannot be restarted once stopped.
To create service controls:
Under the Service Controls section, enter Display Name and Service Name.
Select the Policy Type based on the following:
Elevate: Select this option to grant privileges to start or stop the services that would otherwise need to be performed by an Administrator.
Restrict: Select this option to prevent the services from being stopped.
Click Add.
The service control items are added to a specific application and displayed under the Selected Items section.
Event Log Controls
Select this option to choose which event logs can or cannot be cleared.
To create event log controls:
Under the Event Log Controls section, enter Event Log Name.
Select the Policy Type based on the following:
Elevate: Select this option to grant the privilege to clear event logs.
Restrict: Select this option to restrict administrative actions such as clearing event logs.
Click Add.
The event log control items are added to a specific application and displayed under the Selected Items section.
- To assign the system controls to user or device groups, click Next.
For more information about assigning user or device groups, refer to Manage User Privilege Rule.
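The following PowerShell is an added example, not part of the product or its documentation: it inventories a reference endpoint for the values the three System Control forms ask for, so rules are built from what Windows actually reports rather than from memory. It assumes the Application Name, Publisher Name, and Version fields correspond to the DisplayName, Publisher, and DisplayVersion values under the Windows Uninstall registry keys; the function names and output file names are hypothetical.

```powershell
# Added example. Run on a representative endpoint; repeat per OS build,
# because service display names may differ between operating systems.

function Get-UninstallControlCandidates {
    # Assumption: the rule fields map to these Uninstall-key values.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object @{ n = 'ApplicationName'; e = { $_.DisplayName } },
                      @{ n = 'PublisherName';   e = { $_.Publisher } },
                      @{ n = 'Version';         e = { $_.DisplayVersion } } |
        Sort-Object PublisherName, ApplicationName, Version -Unique
}

function Get-ServiceControlCandidates {
    param([string]$NameFilter = '*')
    # Name is the stable service key; DisplayName is the localized label.
    Get-Service -Name $NameFilter -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'DisplayName'; e = { $_.DisplayName } },
                      @{ n = 'ServiceName'; e = { $_.Name } },
                      Status |
        Sort-Object ServiceName
}

function Get-EventLogControlCandidates {
    # Lists enabled logs by their full name (for example Security or
    # Microsoft-Windows-PowerShell/Operational).
    Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Where-Object { $_.IsEnabled } |
        Select-Object @{ n = 'EventLogName'; e = { $_.LogName } }, RecordCount |
        Sort-Object EventLogName
}

# Write one CSV per control type for review before entering rules.
$stamp = '{0}-{1:yyyyMMdd}' -f $env:COMPUTERNAME, (Get-Date)
Get-UninstallControlCandidates |
    Export-Csv -NoTypeInformation -Path ".\uninstall-candidates-$stamp.csv"
Get-ServiceControlCandidates |
    Export-Csv -NoTypeInformation -Path ".\service-candidates-$stamp.csv"
Get-EventLogControlCandidates |
    Export-Csv -NoTypeInformation -Path ".\eventlog-candidates-$stamp.csv"
```

Comparing the service CSVs from two OS versions shows which display names diverge while the service name stays the same.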