CPA Compliance Mode Configuration Window
Use this window to configure all endpoints assigned Application Control policies to meet the compliance requirements of the UK CESG Commercial Product Assurance (CPA) scheme for Endpoint Lockdown and Control.
A fully CPA compliant configuration blocks, and logs, every attempt to run an executable, macro, or script that has not been centrally authorized. See also: The File Authorization Setup Process.
Statuses
Your environment's CPA compliance status is displayed at the top of the dialog:
CPA Compliance mode enabled | All options required to achieve CPA compliance are set for both Computers and Users/Groups in your environment.
Partial CPA Compliance mode enabled | At least one option required to achieve CPA compliance is not set for Computers or for Users/Groups in your environment. You will typically be in this mode while preparing to enable full compliance, for example while verifying that the required settings do not disrupt the endpoints.
CPA Compliance mode is disabled | You are not enforcing the CPA compliance requirements in your environment.
Enable CPA Compliance mode settings | Select to start enforcing the option settings required for CPA compliance in your environment. Once enabled, the options required for compliance can no longer be changed in Tools > Default Options, with two exceptions that tighten rather than relax the configuration: Client Hardening may be raised to Extended, and Execution Log may be changed to Log Access Denied. Important: Test the required option settings in your environment before applying CPA compliance mode, because the lock prevents you from backing any of them out afterwards without leaving compliance mode.
Computer Options
These options apply the settings required for CPA compliance to all endpoints protected by Application Control.
Execution Blocking is set to Blocking mode | Select to block the execution of unauthorized executable files.
Local Authorization is set to Disabled | Select to prevent users from locally authorizing files to execute; only centrally authorized files may run.
Client Hardening is set to Basic as a default | Select to prevent users with administrative privileges from uninstalling the Ivanti Device and Application Control agent, and from deleting local shadow files and log entries. You remain CPA compliant if you choose the more restrictive Extended option (a valid salt value is required to deactivate the agent) in Tools > Default Options > Computer tab.
Execution Log is set to Log Everything as a default | Select to log every application-related execution event, allowed and denied. The volume of events produced by this CPA Software Execution Control characteristic can overwhelm your database in very large deployments. With the approval of your company's certification authority, you can change this option to the less detailed Log Access Denied in Tools > Default Options > Computer tab. You remain CPA compliant and reduce the logged events to only those applications that were blocked; be aware that you are then no longer recording allowed application executions, so that history is unavailable for later investigation.
User/Group Options
These options apply the settings required for CPA compliance to all users and groups protected by Application Control.
Execution Blocking is set to Blocking mode | Select to block the execution of all unauthorized executable files.
Execution Log is set to Log Everything as a default | Select to log every application-related execution event, allowed and denied. The volume of events produced by this CPA Software Execution Control characteristic can overwhelm your database in very large deployments. With the approval of your company's certification authority, you can change this option to the less detailed Log Access Denied in Tools > Default Options. You remain CPA compliant and reduce the logged events to only those applications that were blocked; be aware that you are then no longer recording allowed application executions.
Macro and Script protection is set to Deny All | Select to prevent any VBScript, JScript, or macro that is not centrally authorized from running.
Macro and Script log is set to Log Access Denied | Select to log every denied macro and script execution event.
Relaxed Logon is set to No relaxed logon | Select to apply execution blocking to logon scripts immediately at logon: unauthorized logon scripts are blocked without any grace period.