Application Boundary Configuration tool

Application Boundary (Cloud Drive Management) helps you log and control cloud drive applications. The functionality is part of the Ivanti Device and Application Control Command and Control service (also known as scomc) and is not used by default. To configure it, see the section below.

This technology uses a new policy format for controlling applications’ access to different parts of the disk and registry. (Describing the policy format is outside the scope of this document.)

Installing the Application Boundary Configuration tool

The Application Boundary Configuration tool is part of the SMC installation kit. When you run this installer, the following files are installed in the Ivanti\Device and Application Control\Console\admin folder:

  • Smc.AppBoundary.Config.exe
  • Smc.AppBoundary.Config.exe.config
  • Newtonsoft.Json.dll
  • SXS.SDK.Net.dll
  • SXS.SDK32.dll
  • SXS.SDK64.dll
  • policies\OneDrive.policy

To run the configuration tool, you also need to:

  1. Create a license folder at the same level.
  2. Copy the license (*.lic) file there.
    This is the license file you already have in your environment.

If you do not place a copy of the license file here, a notification appears in the console if you start Cloud Drive Management. The console will respond slowly until the notification is acknowledged.

Configuring Application Boundary using the Configuration Tool

When you have installed the Application Boundary Configuration tool, you can configure its usage.

To configure Application Boundary:

  1. Either on the Tools panel or on the Tools menu, click AppBoundary Configuration.
    The Application Boundary Configuration tool appears.
  2. To activate OneDrive configuration for the Application Boundary, select the On check-box.
  3. Under Authorize, select the required file access authorization:
    • Read – allow OneDrive to read files from the application’s home folder
    • Write – allow OneDrive to write files into the application’s home folder
  4. Under Logging, select the required file access logging:
    • Read – file shadowing for OneDrive read operations
    • Write – log OneDrive write operations
  5. Under Shadowing, select the required file access logging. For Read and Write, select from:
    • none – no file shadowing
    • filename – file name shadowing
    • file content – file content shadowing
  6. Click Apply.
    An information message box appears and all endpoints receive the OneDrive policy file.

To deactivate OneDrive configuration for the Application Boundary, clear the On check-box then click Apply.
An information message box appears and the OneDrive policy file is removed from all endpoints.

Configuring Application Boundary manually using the SDK

To configure Application Boundary without SMC, you can use the IDAC SDK tools found in the C:\Program Files\Ivanti\Device and Application Control\SXTools folder. Depending on your OS version, use either the SXS.SDK64.Cmd.exe application or the SXS.SDK32.Cmd.exe application from the Command Prompt.

  1. To set a policy file use: -SetAppBoundaryProfile
    • You need your license file
    • Specify the name of the profile you want to set
    • Specify the policy file path
    • Example:

      SXS.SDK64.Cmd.exe -License Your_license_file.lic -SetAppBoundaryProfile OneDrive.policy C:\Temp\OneDrive.policy

  2. To get a policy file use: -GetAppBoundaryProfile
    • You need your license file
    • Specify the name of the profile you want to get
    • Specify the policy file path
    • Example:

      SXS.SDK64.Cmd.exe -License Your_license_file.lic -GetAppBoundaryProfile OneDrive.policy C:\Temp\OneDrive.policy

  3. To get all policies use: -GetAppBoundaryProfiles
    • You need your license file
    • Specify the name of the profile you want to get
    • Specify the results file path
    • Example:

      SXS.SDK64.Cmd.exe -License Your_license_file.lic -GetAppBoundaryProfiles C:\Temp\policies.json

  4. To remove a policy file use: -ClearAppBoundaryProfile
    • You need your license file
    • Specify the name of the profile you want to remove
    • Example:

      SXS.SDK64.Cmd.exe -License Your_license_file.lic -ClearAppBoundaryProfile OneDrive.policy
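
A round-trip check for steps 1 to 3 above, written as an added PowerShell example (not Ivanti's own code): it sets the profile, reads it back into a second file and compares SHA-256 hashes, so you can confirm that the stored policy is the one you reviewed. The license location, the read-back file name and the expectation that the retrieved file is byte-identical to the source are assumptions; only the switches shown above are used.

```powershell
# Added example, not vendor code. Paths marked "assumed" are placeholders.
$sdk         = 'C:\Program Files\Ivanti\Device and Application Control\SXTools\SXS.SDK64.Cmd.exe'
$license     = 'C:\Temp\Your_license_file.lic'        # assumed location of your license
$profileName = 'OneDrive.policy'
$source      = 'C:\Temp\OneDrive.policy'              # the policy file you reviewed
$readBack    = 'C:\Temp\OneDrive.readback.policy'     # assumed (hypothetical) output name
$allProfiles = 'C:\Temp\policies.json'

# Fail early if an input is missing, before anything is pushed.
foreach ($path in $sdk, $license, $source) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        throw "Required file not found: $path"
    }
}

# Step 1: set the profile from the reviewed policy file.
& $sdk -License $license -SetAppBoundaryProfile $profileName $source

# Step 2: read the same profile back into a separate file.
Remove-Item -LiteralPath $readBack -ErrorAction SilentlyContinue
& $sdk -License $license -GetAppBoundaryProfile $profileName $readBack
if (-not (Test-Path -LiteralPath $readBack -PathType Leaf)) {
    throw "Profile '$profileName' was not written to $readBack"
}

# Compare hashes. Assumption: the tool returns the file byte for byte.
$expected = (Get-FileHash -LiteralPath $source   -Algorithm SHA256).Hash
$actual   = (Get-FileHash -LiteralPath $readBack -Algorithm SHA256).Hash
if ($expected -eq $actual) {
    Write-Output "OK: stored profile matches $source ($expected)"
} else {
    Write-Warning "Stored profile differs from $source; diff the two files before relying on it."
}

# Step 3: export all profiles for a record of what is configured.
& $sdk -License $license -GetAppBoundaryProfiles $allProfiles
```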

Check the results

Depending on the configuration you’ve used and the operations performed with the OneDrive application, corresponding log events are generated in the sdcevent.log file in the C:\Windows\sxdata\shadow folder. Event log processing is unchanged and works as usual. In the log file, you will see events for READ-DENIED, READ-GRANTED, WRITE-DENIED, and WRITE-GRANTED. When the logs are fetched on the server, you can also analyze them using Logs Explorer.