The File Authorization Setup Process
After installing Application Control, an administrator uses the Management Console to define user access permissions and file authorization rules for the Ivanti Device and Application Control environment. These rules specify which executable files, scripts, and macros each user can run. The setup follows the process flow below.
- Define Console Administrators. You assign administrator access rights using the User Access tool. An Administrator has restricted access to the Management Console and can be assigned administrative roles by an Enterprise Administrator.
- Define User Access. After defining Administrator roles, use the User Access tool to assign the defined roles to Administrators.
- Create custom file groups. File groups simplify the administration of large numbers of executable, script, and macro files. Instead of authorizing files individually, you group them logically by creating file groups.
- Assign users to standard Windows or custom file groups. Ivanti Device and Application Control checks which file group an executable, script, or macro belongs to and whether the user has access permission for that file group. Permissions can be assigned to local users and to user groups. Only applications and scripts authorized for a user or a user group can run on the client.
- Assign file groups to users. After creating the file groups and the parent-child relationships you want, assign the file groups to users or user groups.
- Scan computers for applications. Create a template and scan a target computer running the client. You can scan every file on the computer, or create a template that scans only selected directories or specific file types (for example, *.exe, *.com, *.dll, *.ocx, *.sys, *.drv, *.cpl, *.vbs, *.js) to reduce scan time.
- Assign scanned files to groups. After creating the necessary file groups and parent-child relationships, assign the scanned executable files, scripts, and macros to file groups.
- Activate Execution Blocking mode. Activating execution blocking prohibits user access to unauthorized files. Local authorization is permitted only for administrators and the LocalSystem account.
Once you identify all your files, categorize them into file groups, and assign the file groups to users or user groups, these files are centrally authorized and immediately available to be run by all allowed users.
When a user wants to run an executable, script, or macro, the following actions take place automatically:
- A file that the operating system identifies as an executable, script, or macro is stored in the Ivanti Device and Application Control database ready for execution, but is not yet executed.
- Ivanti Device and Application Control identifies the file as an executable, script, or macro and hashes its entire content to compute its digital signature before the operating system is allowed to execute it. Note that this "digital signature" is a cryptographic hash of the full file content, not a certificate-based code signature; the file name, path, and extension play no part in the decision.
- The hash is compared with the hashes stored in the central file authorization list for files that are authorized to run.
- The file can run if, and only if, its hash matches a hash in the central file authorization list exactly and that file is authorized for the user or computer requesting execution. Any change to the file content produces a different hash, so a modified copy of an authorized file is blocked even if it keeps the same name and location.
When a user launches an executable, Application Control identifies it and computes its hash regardless of the current mode (blocking or non-blocking). The user rarely notices this, but identifying the file and hashing its full content can cause a noticeable delay on some systems, particularly for large files.
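The following script is an added illustration of the setup process and the launch-time check described above, not Ivanti's code or a description of its internal data model. It models the steps end to end: scanning a directory for the extensions the scan template example lists, hashing the full content of each file, placing the hashes into file groups, assigning file groups to users and user groups, and then deciding whether a given user may run a given file. The class and function names, the SHA-256 choice, and the sample files written to a temporary directory are all assumptions made for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# File types a scan template might select (the extension list given on the page).
SCAN_EXTENSIONS = {".exe", ".com", ".dll", ".ocx", ".sys", ".drv", ".cpl", ".vbs", ".js"}


def file_hash(path):
    """Hash the entire file content. The authorization decision is made on this
    digest alone, never on the file name or path. SHA-256 is an assumption."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root, extensions=SCAN_EXTENSIONS):
    """Scan a directory tree and return {path: hash} for files matching the template."""
    return {str(p): file_hash(p)
            for p in sorted(Path(root).rglob("*"))
            if p.is_file() and p.suffix.lower() in extensions}


class AuthorizationList:
    """Hypothetical central file authorization list: file groups hold content hashes,
    and file groups are assigned to users or to user groups a user belongs to."""

    def __init__(self):
        self.file_groups = {}   # file group name -> set of content hashes
        self.members = {}       # user -> set of user groups (e.g. Administrators)
        self.assignments = {}   # user or user group -> set of file group names

    def add_to_file_group(self, group, digest):
        self.file_groups.setdefault(group, set()).add(digest)

    def add_member(self, user, user_group):
        self.members.setdefault(user, set()).add(user_group)

    def assign_file_group(self, principal, group):
        self.assignments.setdefault(principal, set()).add(group)

    def allowed_hashes(self, user):
        """Union of hashes in every file group assigned to the user or their groups."""
        principals = {user} | self.members.get(user, set())
        groups = set().union(*(self.assignments.get(p, set()) for p in principals))
        return set().union(*(self.file_groups.get(g, set()) for g in groups))

    def is_authorized(self, user, path):
        # Hash the whole file at launch time and compare against the list.
        # A patched binary or a newly dropped file has no matching hash and is blocked;
        # a renamed copy of an authorized file keeps its hash and is still allowed.
        return file_hash(path) in self.allowed_hashes(user)


def demo():
    """Run the whole flow on constructed sample files and return the decisions."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        tool = b"MZ\x90\x00 constructed sample tool (not a real PE file)"
        (root / "tool.exe").write_bytes(tool)
        (root / "login.vbs").write_bytes(b"' constructed sample script\r\nWScript.Echo \"hi\"\r\n")
        (root / "readme.txt").write_bytes(b"not an executable; the template skips it")

        scanned = scan(root)                       # step: scan computers for applications

        acl = AuthorizationList()                  # steps: create groups, assign files, assign users
        acl.add_to_file_group("Admin Tools", scanned[str(root / "tool.exe")])
        acl.add_to_file_group("Logon Scripts", scanned[str(root / "login.vbs")])
        acl.add_member("alice", "Administrators")
        acl.add_member("alice", "Users")
        acl.add_member("bob", "Users")
        acl.assign_file_group("Administrators", "Admin Tools")
        acl.assign_file_group("Users", "Logon Scripts")

        results = {
            "scanned": sorted(Path(p).name for p in scanned),
            "alice_tool": acl.is_authorized("alice", root / "tool.exe"),
            "bob_tool": acl.is_authorized("bob", root / "tool.exe"),
            "bob_script": acl.is_authorized("bob", root / "login.vbs"),
        }
        # Tamper case: same name and path, different content -> different hash -> blocked.
        (root / "tool.exe").write_bytes(tool + b" patched")
        results["alice_patched_tool"] = acl.is_authorized("alice", root / "tool.exe")
        # Rename case: identical content under a new name -> same hash -> still allowed.
        (root / "renamed.exe").write_bytes(tool)
        results["alice_renamed_tool"] = acl.is_authorized("alice", root / "renamed.exe")
        return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two final cases are the ones worth internalizing when operating an allowlist of this kind: blocking is keyed on content, so an attacker cannot bypass it by naming a payload `tool.exe`, and conversely a legitimate update to an authorized binary changes its hash and must be re-scanned and re-assigned before users can run it.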