Managed Policies
Managed Policies are used to authorize applications to run, and block them from running, on endpoints.
Easy Auditor
Easy Auditor scans endpoints and adds the applications it finds to each endpoint’s whitelist. Applications installed later are neither blocked nor added to the whitelist. Logging is enabled so that application usage can be monitored. See Working with Easy Auditor.
Easy Lockdown
Easy Lockdown scans endpoints and adds the applications it finds to each endpoint’s whitelist. Any later attempts to install new applications are blocked. They can only run if added to the whitelist by a Supplemental Easy Lockdown/Auditor policy, or permitted by a trust mechanism. See Working with Easy Lockdown.
Supplemental Easy Lockdown/Auditor Policy
A Supplemental Easy Lockdown/Auditor policy adds an application to an endpoint's existing whitelist of permitted applications. See Working with Supplemental Easy Lockdown/Auditor Policy.
Denied Applications Policy
A Denied Applications policy adds an application to a centralized blacklist which stops the application from running with specified endpoints or users. See Working with Denied Applications Policy.
Implementing application control usually begins with Easy Auditor followed by an evaluation period. Other Managed Policies can then be applied, along with Trusted Change policies. For more information, see Trusted Change Policies.
Ivanti Application Control and Windows 8
Ivanti Application Control policies can be applied to most applications that run on Windows 8, but some Windows 8 applications are script-based and cannot be controlled by Application Control.
Windows 8 can run both conventional Windows applications and Windows Store (formerly Metro) apps, which are developed specifically for Windows 8.
Most Windows Store apps are written in programming languages such as C# or VB.NET, and comprise executable files such as .exes and .dlls. Ivanti Application Control can scan such files, enabling an administrator to apply Application Control policies to them, just like conventional Windows applications.
Some Windows Store apps are created with a combination of JavaScript and HTML. These script-based applications are not scanned by Ivanti Application Control, so it is not possible to apply Application Control policies to them.
Blocking Windows Store Apps
When Ivanti Application Control blocks a Windows Store app, Windows 8 displays the app's splash screen before the blocking dialog opens.
When you click an app tile to launch a Windows Store app, you see the application’s splash screen. This is a graphic that Windows 8 uses to indicate that the application is being activated, and it is displayed before the application loads into memory.
If Ivanti Application Control blocks the app from running, the splash screen will display briefly before the Non-Authorized Application Detected dialog is displayed. This is normal Windows 8 behavior, and does not mean that any part of the application was loaded into memory.
Excluding Files from Application Scanning
Easy Auditor and Easy Lockdown carry out application scanning on endpoints. Excluding certain file types from the scan can improve its performance.
Both Easy Auditor and Easy Lockdown run an application scan on the endpoint to create a list of all executable files to add to the whitelist. The scan time varies, depending on the number and size of files found. In particular, processing files that contain large numbers of other files (for example, archive files such as .zip and virtual machine files) can prolong scan times.
Ivanti Application Control can exclude specific file types from the scan so that it completes in a reasonable time and does not impact the endpoint’s performance. There are three mechanisms for excluding files from the scan:
The built-in exclusion list
This predefined list contains many common non-executable file types such as graphics, documents, and virtual machine files. See File Types Excluded from Application Scan for more information.
Archive files
Most types of archive files are excluded from application scanning. CAB and MSI archive files are an exception in some cases. For more information on archive file exclusions and exceptions, see Excluding Archive Files.
The ACAPPSCANEXCLUDE variable
You can set a Windows environment variable (ACAPPSCANEXCLUDE) on the endpoint, which specifies paths and/or file extensions to exclude from the scan. See Excluding Files with ACAPPSCANEXCLUDE for more information.
File Types Excluded from Application Scan
A number of file types are automatically excluded from the application scan carried out during Easy Auditor and Easy Lockdown.
Excluded file types
.bmp, .cfg, .config, .cur, .db, .dmp, .doc, .docx, .gif, .gpd, .htm, .html, .ico, .idx, .inf, .ini, .ISO, .jpg, .lnk, .log, .manifest, .mp3, .msg, .nls, .pdf, .pls, .pm, .pnf, .png, .rtf, .svg, .txt, .vmdk, .vmem, .wav, .wmf, .xls, .xlsx, .xml, .xsd, .xsl, .xslx.
These are not executable files, so excluding them from the scan simply decreases the scan time without changing what files end up on the endpoint’s whitelist.
Excluding Archive Files
Most types of archive file are excluded from application scanning.
By default, when Easy Lockdown or Easy Auditor performs an application scan, archive files such as ZIPs and RARs are not scanned. Archive files must be expanded and stored in a temporary location before their contents can be scanned. This process takes time and consumes large amounts of disk space.
Note: As an exception, CAB and MSI archive files are scanned only when all of the following conditions are met:
- The file resides in the %SystemRoot% folder. If the file is in any other folder or disk, it is excluded.
- The file has been extracted.
- The file has been added to the whitelist and reported to the Application Library.
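The three rules above (built-in non-executable types, the general archive exclusion, and the CAB/MSI exception inside %SystemRoot%) are easiest to reason about when written down as one decision function. The following PowerShell is an added example, not Ivanti's code. It copies the built-in extension list from this page; the general archive list (.zip, .rar, .7z) is a constructed sample standing in for "most types of archive files", extension matching is assumed to be case-insensitive, and the two CAB/MSI conditions that depend on runtime state (already extracted, already whitelisted and reported) cannot be evaluated statically, so the function only reports that the exception may apply.

```powershell
# Added example (not Ivanti's code): estimate how the Easy Auditor / Easy Lockdown
# scan will treat a file, following the exclusion rules described on this page.

# Built-in exclusion list, copied from the page (lower-cased for comparison).
$BuiltInExcluded = @(
    '.bmp','.cfg','.config','.cur','.db','.dmp','.doc','.docx','.gif','.gpd','.htm',
    '.html','.ico','.idx','.inf','.ini','.iso','.jpg','.lnk','.log','.manifest',
    '.mp3','.msg','.nls','.pdf','.pls','.pm','.pnf','.png','.rtf','.svg','.txt',
    '.vmdk','.vmem','.wav','.wmf','.xls','.xlsx','.xml','.xsd','.xsl','.xslx'
)
# Constructed sample of "most types of archive files"; the page names ZIP and RAR.
$ArchiveTypes = @('.zip', '.rar', '.7z')

function Get-AcScanDisposition {
    param([Parameter(Mandatory)][string]$FilePath)
    # Assumption: extension matching is case-insensitive (the page lists '.ISO' in caps).
    $ext = [System.IO.Path]::GetExtension($FilePath).ToLowerInvariant()

    if ($BuiltInExcluded -contains $ext) {
        return 'excluded: built-in non-executable type'
    }
    # CAB/MSI exception: only considered when the file lives under %SystemRoot%;
    # the remaining conditions (extracted, whitelisted and reported) are runtime state.
    if ($ext -in '.cab', '.msi') {
        $sysRoot = $env:SystemRoot
        if ($sysRoot -and $FilePath.StartsWith($sysRoot, 'OrdinalIgnoreCase')) {
            return 'scanned only if also extracted and already whitelisted (CAB/MSI exception)'
        }
        return 'excluded: CAB/MSI outside %SystemRoot%'
    }
    if ($ArchiveTypes -contains $ext) {
        return 'excluded: archive file'
    }
    return 'scanned: candidate for the whitelist'
}

# Constructed sample paths, one per rule.
$samples = 'C:\Users\alice\Pictures\photo.jpg',
           'C:\Tools\backup.zip',
           "$env:SystemRoot\Installer\setup.msi",
           'D:\Installers\setup.msi',
           'C:\Program Files\App\app.exe'
foreach ($p in $samples) {
    '{0,-45} {1}' -f $p, (Get-AcScanDisposition -FilePath $p)
}
```

Running this on a real endpoint's file list (for example, piping `Get-ChildItem -Recurse -File` into the function) gives a quick count of what the scan will skip versus what it will try to whitelist, which is useful before deciding whether ACAPPSCANEXCLUDE needs extra entries.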
Excluding Files with ACAPPSCANEXCLUDE
You can use the Windows variable ACAPPSCANEXCLUDE to exclude specific file types or locations from an application scan.
Certain non-executable file types are automatically excluded from an application scan to reduce scan time. If you have large numbers of files that are not excluded by default, you can exclude them using the ACAPPSCANEXCLUDE variable.
Compare the list of automatically excluded files with the types of file that are prevalent on the endpoint. For example, the common graphics files .gif, .png, and .jpg are excluded from the scan. If your endpoint has large numbers of other graphic file types (such as Photoshop .psd files) you can reduce the scan time by explicitly excluding these files.
You can set the ACAPPSCANEXCLUDE variable using location, file type, or a combination of the two. Examples:
Location: C:\Windows\Temp\; C:\Custom\
File type: *.vmsd;*.vmxf;*.psd
Combination: C:\OldPrograms\*.zip
Important: Be careful about specifying archive file types such as .zip or .rar. When you exclude a file from the application scan, it is not added to the endpoint’s whitelist. When application control is enforced (after Easy Lockdown, for example) that file will be blocked from running. This will cause problems if the operating system or another application needs the file at any stage.
Setting the ACAPPSCANEXCLUDE Environment Variable
The ACAPPSCANEXCLUDE environment variable can be set to exclude specific paths and file types from the application control scan. This can have the benefit of speeding up the scan and reducing impact on the endpoint.
The following steps describe how to set the ACAPPSCANEXCLUDE environment variable on an individual endpoint running Windows 7 or Windows 8. The procedure is slightly different on other versions of Windows; check the Windows documentation for details on how to set the variable.
With large numbers of endpoints, setting the variable individually on each endpoint is time-consuming. A better approach is to use a mechanism such as Group Policy Objects (GPO), which enable administrators to control the working environments centrally.
- Open Windows Control Panel.
- From the View by list, ensure Category is selected.
- Click System and Security. The System and Security options open.
- Click System. The System options open.
- Click Advanced system settings. The System Properties dialog opens to the Advanced tab.
- Click Environment Variables. The Environment Variables dialog opens.
- In the System Variables section, click New. The New System Variable dialog opens.
- In the Variable name field, type ACAPPSCANEXCLUDE and press ENTER.
- In the Variable value field, type all file path(s) and/or file type(s) to be excluded from the scan. When defining multiple entries, use a semicolon (;) to separate them. Press ENTER after you finish typing the value.
- Click OK to close the New System Variable dialog.
- Close the Environment Variables dialog, System Properties dialog, and Control Panel.
- Reboot the endpoint to enable the new system environment variables.
The ACAPPSCANEXCLUDE environment variable has been set to exclude specific paths and/or file types from the application control scan.
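The same result can be scripted, which is the practical route when the variable has to be set on more than a handful of endpoints or pushed through a GPO startup script. The PowerShell below is an added example, not Ivanti's code. It builds the value from the three entry forms shown in the Excluding Files with ACAPPSCANEXCLUDE section (location, file type, combination), joins them with semicolons as the procedure above requires, refuses to exclude .zip or .rar globally because of the Important note in that section, and writes the variable at machine scope (the equivalent of the System variables section in the dialog). The function names and the rule that a refused archive type may still be scoped to a folder via a combination entry are this example's own conventions; the page does not define them.

```powershell
# Added example (not Ivanti's code): build, validate and set ACAPPSCANEXCLUDE
# machine-wide. Run from an elevated PowerShell session; reboot afterwards,
# as the manual procedure requires.

function New-AcAppScanExcludeValue {
    param(
        [string[]]$Path = @(),        # location entries, e.g. 'C:\Windows\Temp\'
        [string[]]$FileType = @(),    # file-type entries, e.g. '.psd' or '*.psd'
        [string[]]$Combination = @()  # combination entries, e.g. 'C:\OldPrograms\*.zip'
    )
    # The page warns that excluding archive types keeps those files off the
    # whitelist, so they are blocked once Easy Lockdown enforces. Refuse them as
    # global file-type entries; a folder-scoped -Combination entry is still allowed
    # (this scoping rule is the example's own convention).
    $riskyArchives = @('.zip', '.rar')

    $types = foreach ($t in $FileType) {
        $ext = ($t -replace '^\*', '').ToLowerInvariant()   # accept 'psd', '.psd', '*.psd'
        if (-not $ext.StartsWith('.')) { $ext = ".$ext" }
        if ($riskyArchives -contains $ext) {
            throw "Refusing to exclude archive type '$ext' globally; scope it with -Combination instead."
        }
        "*$ext"
    }

    $entries = @( (@($Path) + @($types) + @($Combination)) |
                  Where-Object { $_ -and $_.Trim() } )
    if ($entries.Count -eq 0) { throw 'No exclusion entries supplied.' }
    # Multiple entries are separated by a semicolon, per the procedure above.
    return ($entries -join ';')
}

function Set-AcAppScanExclude {
    param(
        [Parameter(Mandatory)][string]$Value,
        [switch]$DryRun   # show the change without applying it
    )
    $current = [Environment]::GetEnvironmentVariable('ACAPPSCANEXCLUDE', 'Machine')
    Write-Host "Current ACAPPSCANEXCLUDE (Machine): $current"
    Write-Host "New     ACAPPSCANEXCLUDE (Machine): $Value"
    if ($DryRun) { return }
    # 'Machine' scope corresponds to the System variables section of the GUI dialog.
    [Environment]::SetEnvironmentVariable('ACAPPSCANEXCLUDE', $Value, 'Machine')
    Write-Host 'Variable set. Reboot the endpoint so the application scan uses it.'
}

# Usage with the page's own sample entries.
$value = New-AcAppScanExcludeValue -Path 'C:\Windows\Temp\', 'C:\Custom\' `
                                   -FileType '.vmsd', '.vmxf', '.psd' `
                                   -Combination 'C:\OldPrograms\*.zip'
# $value is now: C:\Windows\Temp\;C:\Custom\;*.vmsd;*.vmxf;*.psd;C:\OldPrograms\*.zip
Set-AcAppScanExclude -Value $value -DryRun   # remove -DryRun to apply
```

Keep the dry run in place the first time you deploy through a GPO startup script so the effective value can be compared across endpoints before any of them is rebooted into a scan with the new exclusions.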
Logging Managed Policies
Managed Policies include Easy Auditor and Easy Lockdown, which have logging options that help monitor application usage. The logging options also influence logging of other policies (including Trusted Change policies).
Easy Auditor and Easy Lockdown logging options are based on authorized and non-authorized applications. An authorized application is one that was whitelisted during Easy Auditor or Easy Lockdown, or authorized through a trust mechanism. A non-authorized application is one that is neither on the whitelist nor authorized through a trust mechanism, or one that has been added to the blacklist.
Easy Auditor and Easy Lockdown have the following logging options:
Log non-authorized applications (all executable files)
All non-authorized applications the user attempts to run are logged. All executable file types are logged, not just .exe files. This is the default option for Easy Auditor.
Log authorized applications (*.exe only)
All authorized applications the user runs are logged. By default only the initial executable is logged; subsequent files or dependent libraries that it loads are not. Use the Include all details option below to log those events as well.
Include all details on authorized applications (e.g. *.dll, *.cpl, etc.)
Detailed information on every executable file and library loaded will be logged (only available if the Log authorized applications option is selected). This should be treated with caution as it can generate very large log files.
These options can also affect the other Application Control policies. Trusted Updater and Trusted Publisher do not have their own logging options, but events associated with these policies can be logged. Denied Applications and Trusted Path do have their own logging options, but they can be affected by the Easy Auditor/Easy Lockdown options selected.
The Easy Lockdown and Easy Auditor logging options have the following effects on the other Application Control policies:
Log non-authorized applications (all executable files)

Policy | Effect
---|---
Denied Applications | Logs attempts to run applications blocked by Denied Applications policies. This overrides the setting in the Denied Applications policy.
Trusted Updater | Logs when applications are added to the whitelist by Trusted Updater.
Trusted Publisher | No effect
Trusted Path | No effect

Log authorized applications (*.exe only)

Policy | Effect
---|---
Denied Applications | No effect
Trusted Updater | Logs when applications are added to the whitelist by Trusted Updater. Logs when applications whitelisted by Trusted Updater are allowed to run.
Trusted Publisher | Logs when applications are allowed to run by Trusted Publisher policies.
Trusted Path | Logs when applications are allowed to run by Trusted Path policies. This overrides the setting in the Trusted Path policy.

Include all details on authorized applications (e.g. *.dll, *.cpl, etc.)

Policy | Effect
---|---
Denied Applications | No effect
Trusted Updater | No effect
Trusted Publisher | No effect
Trusted Path | Detailed information on applications allowed to run by the Trusted Path policy is logged (every executable file and library loaded will be logged). This overrides the setting in the Trusted Path policy.
Unassigning Multiple Policies
You can unassign multiple application control policies at the same time, removing the association between them and their assigned endpoints and users. Policies that are no longer assigned to an endpoint remain in the system as unassigned policies, which you can re-assign at a later time.
- Select Manage > Application Control Policies.
- Click either the Managed Policies tab or the Trusted Change tab.
- Select all the policies you want to unassign on that page. You can select any combination of the policy types available on the page. The selected policies are highlighted.
- Click Unassign. The Unassign Policy confirmation dialog is displayed.
- Review the policies to be unassigned. If necessary, click a chevron (>) to expand the display of the endpoints and users that a policy is assigned to.
- Click Yes.
The application control policies are unassigned.