Getting Started with Ivanti Application Control

To use Ivanti Application Control, all Ivanti Endpoint Security components must be installed, along with the Application Control module. After installing all necessary components, review this chart to understand the Application Control workflow.

Important: While Ivanti Application Control has been designed to minimize the administrative burden, thorough preparation is needed for a successful implementation. It is especially important to have effective trusted change policies in place before endpoints are locked down in the Enforce phase.

Install AC Server Components
Install Server Component: Install the Application Control module server component. This component is installed after initial Ivanti Endpoint Security installation.

If you purchased an Application Control license during your initial Ivanti Endpoint Security purchase, Application Control is installed during the initial Ivanti Endpoint Security installation by default.

For more information, see Installing the Application Control Module Server Component.

Install AC Endpoint Components
Install Endpoint Component: Install the Application Control module endpoint component on agents you want to support Application Control functions.

Each agent you install the endpoint component on consumes an Application Control license.

For more information, see Adding the Application Control Module Endpoint Component.

Clean Endpoints With AntiVirus
Clean: Conduct a thorough virus scan of all endpoints with Ivanti AntiVirus or another antivirus program to ensure that no malware is added to the whitelist of applications allowed to run on the endpoints.

Apply Easy Auditor
Discover: Apply Easy Auditor to selected endpoints. This runs an application scan that creates endpoint whitelists of installed files, adds these files to Application Library, and starts logging application activity. Organize files in Application Library into applications/application groups that reflect software usage. This enables you to deny applications to specified users at any point (even before lockdown).

For more information, see Working with Easy Auditor and Working with Application Library.

Apply Trusted Change Policies
Define: Create the policies needed to support trusted change on endpoints - Trusted Updater, Trusted Publisher, and Trusted Path. Review Application Control logs to determine these policies.

  • Trusted Updater enables administrators to automatically install and authorize patches and applications. This is the only trust policy that updates the endpoint whitelist.
  • Trusted Publisher automatically authorizes software installers, updates or new applications to execute if the files have been signed by a trusted certificate.
  • MSIs that are not Trusted Updaters are blocked automatically.
  • Trusted Path authorizes applications in a specified location to run (optionally with ownership restrictions). Trusted Path should be used with caution as it is less restrictive than the other trust policies.

For more information, see Trusted Change Policies.
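As an added illustration of reviewing logs to determine these policies (not Ivanti code, and not the product's log format or API), the Python below groups logged executions into candidate trust policies and proposes Trusted Path last because it is the least restrictive. The record schema, the sample events, KNOWN_UPDATERS, USER_WRITABLE, the "Manual review" bucket, and the choice to check the updater before the signer are all assumptions made for the example.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample records in a hypothetical schema (not Ivanti's log format):
# executions logged during auditing that are not on the endpoint whitelist.
SAMPLE_EVENTS = [
    {"path": r"C:\Program Files\Acme\acme.exe", "signer": "Acme Corp", "parent": "acme_updater.exe"},
    {"path": r"C:\Program Files\Acme\plugin.dll", "signer": "", "parent": "acme_updater.exe"},
    {"path": r"C:\Program Files\Viewer\viewer.exe", "signer": "Example Software Ltd", "parent": "explorer.exe"},
    {"path": r"D:\BuildTools\bin\make.exe", "signer": "", "parent": "cmd.exe"},
    {"path": r"C:\Users\bob\Downloads\tool.exe", "signer": "", "parent": "explorer.exe"},
]

# Administrator-supplied assumptions (hypothetical values).
KNOWN_UPDATERS = {"acme_updater.exe"}          # deployment tools you already trust
USER_WRITABLE = ("c:\\users\\", "c:\\temp\\")  # locations any user can write to


def classify(event):
    """Return (candidate policy, grouping key) for one logged execution."""
    parent = event["parent"].lower()
    if parent in KNOWN_UPDATERS:
        return "Trusted Updater", parent
    if event["signer"]:
        return "Trusted Publisher", event["signer"]
    folder = str(PureWindowsPath(event["path"]).parent).lower() + "\\"
    # Trusted Path is the least restrictive policy, so it is the last resort,
    # and it is never proposed for a folder that ordinary users can write to.
    if folder.startswith(USER_WRITABLE):
        return "Manual review", folder
    return "Trusted Path", folder


def propose(events):
    """Count logged executions per candidate policy and grouping key."""
    counts = defaultdict(lambda: defaultdict(int))
    for event in events:
        policy, key = classify(event)
        counts[policy][key] += 1
    return {policy: dict(keys) for policy, keys in counts.items()}


if __name__ == "__main__":
    for policy, keys in propose(SAMPLE_EVENTS).items():
        for key, n in keys.items():
            print(f"{policy:18} {key:40} {n} event(s)")
```

Each proposed signer is only a candidate: whether its certificate should be trusted is still the administrator's decision.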

Monitor Application Control Behavior
Monitor: Continue reviewing application control logs and, if necessary, update the trusted change policies to prepare for lockdown. This phase should last at least a month. Assign Local Authorization policies to enable selected users to authorize applications that are not suitable for the other trusted change policies.

You may need to refine trusted change policies, monitor the results, and (optionally) reapply Easy Auditor before moving into lockdown. Make the effort to put the optimum policies in place.

For more information, see Working with Application Control Log Queries and Working with Local Authorization.

Apply Easy Lockdown
Enforce: Apply an Easy Lockdown policy to endpoints. This creates whitelists of permitted applications and, by enforcing application control, blocks new applications from installing or running.

Important: Easy Lockdown is a crucial phase and should only be applied when you are confident it will not adversely affect endpoints or users.

With appropriate Trusted Change policies in place, there will be an easy transition from Easy Auditor to Easy Lockdown. Individual users can be assigned Local Authorization policies, and new applications can be added with Supplemental Easy Lockdown/Auditor policies.

For more information, see Working with Easy Lockdown.

Maintain Application Control Policies
Manage: You now have a stable network of locked-down endpoints. With trusted change, applications update automatically without intervention, and selected users can install required applications themselves.

You still need to plan for maintenance and have a process to handle escalations associated with blocked applications. Continue reviewing logs for trends that will help you manage your software environment. Because of trusted change, however, the administrative burden will be very tolerable.