Execution Blocking Precedence Options

Application Control establishes precedence rules for execution blocking default option settings.

The Execution Blocking option follows a special rule pattern. When Ivanti Device and Application Control is installed, the LocalSystem account and Administrators group are automatically set up in Non-blocking mode to simplify routine administration, allowing you to install, scan, and authorize files. After you create a central file authorization list, you must manually change the option back to Blocking mode.

The Execution Blocking order of precedence is: User > Group (including Everyone) > Global User Options > Machine > Global Machine. The first explicit (no asterisk, *) in the order is the one that is used. Default settings with an asterisk (*) do not have an effect on the order.

The following flowchart outlines the execution blocking precedence rules process.

Important: When the Local Authorization option is disabled, user access to all unauthorized applications is blocked, regardless of the Execution Blocking option value setting.

Apply options in the order: execution blocking option set for the user, user is member of group with "Ask user always" option, user is member of group with "Ask for exe only" option, user is member of group with "Non-blocking mode" option, user is member of group with "Blocking Mode" option, default execution blocking option is set for a specific computer, default execution blocking option is set for the computer, default execution blocking option set for the user, use installation default

Related Information