Working with Denied Applications Policy

Administrators can use a Denied Applications policy to add applications to a blacklist of applications that are not authorized to run. It can be used to block applications that are considered dangerous, unnecessary, or unproductive in the enterprise.

The Denied Applications feature is implemented through the Denied Applications Wizard. The administrator can specify what is to be blocked at file, application, and application group level.

The file, application, and application group structure is configured in the Application Library. See Working with Application Library for more information.

The policy is then applied to specified endpoints or endpoint groups, and users. Whenever a user attempts to run a blacklisted application, a warning dialog is displayed, explaining that the application cannot run on that endpoint (or for that user).

Denied Applications in Practice

A Denied Applications policy that blocks an application from running can be applied at any time and always overrides any permission the application has to run.

Denied Applications policies are often applied after an administrator reviews application usage on the network. The process usually begins with Easy Auditor and continues through Easy Lockdown. Easy Auditor allows new applications to run even though it does not add them to the whitelist. If an administrator decides that an application is undesirable, it can be added to a Denied Applications policy so that attempts to run it will be blocked.

You can also use Denied Applications policies to block undesirable applications (such as hacking tools, music streaming software, or unapproved messaging programs) even if they are not currently on the network. To do this, you install the unwanted software on a test endpoint, scan with Easy Auditor, group it in Application Library, and apply a Denied Applications policy.

Important: A Denied Applications policy always overrides any permission to run granted by any other Application Control policy.

Some Windows 8 applications are developed with JavaScript/HTML. It is not possible to block these script-based applications.

Creating a Denied Applications Policy

You can create a Denied Applications policy that blocks execution of specific applications on endpoints and groups, for specified users.

  1. Select Manage > Application Control Policies.
  2. Select Create > Denied Applications Policies.
    The Denied Applications Wizard opens to the Deny execution for the listed applications page.
  3. Type a name for the new Denied Applications policy.
    Note: Give the policy a descriptive name. For example, if this Denied Applications policy relates to unauthorized browsers, you could name it Unauthorized Browsers Policy.

  4. Build a list of denied applications (based on application groups, applications, or individual files):

    To add application groups:

    1. Click Add > Application Groups.
    2. Enter an application group name in the search field.
    3. Click Search.
    4. Select one or more of the results.
    5. Click Add Application Groups.
    6. Click OK.

    To add applications:

    1. Click Add > Applications.
    2. Enter an application name in the search field.
    3. Click Search.
    4. Select one or more of the results.
    5. Click Add Applications.
    6. Click OK.

    To add files:

    1. Click Add > Files.
    2. Enter a file name in the search field.
    3. Click Search.
    4. Select one or more of the results.
    5. Click Add Files.
    6. Click OK.

    The application groups, applications, and files available through this dialog are based on the contents of the Application Library. See Working with Application Library for more information.

    One or more application groups, applications or files are displayed in the Assigned List.

  5. Select Log executions denied by this policy if you want a record of the attempts to run the denied application(s).
    Note: Even if this control is not selected, logging may occur when other policy types (such as Easy Auditor or Easy Lockdown) have logging enabled.

  6. Select an option under Activation.

    Enable: The policy will be enabled once it is created, as long as you assign it to at least one endpoint or group and one user.

    Disable: The policy will be disabled once created, even if it is assigned to an endpoint/group and user. You can enable it at a later time.

  7. Click Next.
    The Denied Applications Wizard opens to the Assign the Denied Applications to groups, endpoints, and/or users page.

    Note: If you click Finish at this point, the policy will be created but not assigned to any endpoints or users. You can assign the policy at a later time.

  8. The policy must be assigned to at least one endpoint or endpoint group. Assign the policy to endpoints:

    To add groups of endpoints:

    1. Select a group or groups from the Groups list.
    2. Click Add >.

    To add individual endpoints:

    1. Select an endpoint or endpoints from the Endpoints list.
    2. Click Add >.

    To remove groups of endpoints:

    1. Select a group or groups from the Assigned List.
    2. Click < Remove.

    To remove individual endpoints:

    1. Select an endpoint or endpoints from the Assigned List.
    2. Click < Remove.

    Use the double-arrows to switch between groups and endpoints.

    The selected groups and/or endpoints are displayed in the Assigned List.

  9. The policy must be assigned to at least one user or user group. Assign the policy to users:

    To add users:

    1. Select one or more users from the Users list.
    2. Click Add >.
    3. If you cannot locate a specific user, click the Add Individual User button. See Adding an Individual User to a Policy for more information.

    To remove users:

    1. Select one or more users from the Assigned list.
    2. Click < Remove.

    Important: Both a user/user group AND an endpoint/endpoint group must be assigned.

    The selected users are displayed in the Assigned list.

  10. Click Finish.
    The Denied Applications policy is created and assigned to the selected user(s) and endpoint(s).

    The new policy is displayed on the Managed Policies tab.

When endpoint users get multiple blocked application notifications, they can close them all at once by right-clicking on the task bar icon for the notifications and selecting Close all windows.

Adding Application Groups to a Policy

You can add application groups to a Denied Applications policy or a Supplemental Easy Lockdown/Auditor policy using the Add Application Groups dialog.

This dialog is accessed by clicking the Add button on the Denied Applications dialog or the Authorize button on the Supplemental Easy Lockdown/Auditor wizard, then selecting Application Groups from the drop-down.

The application groups available through this dialog are based on the contents of the Application Library. See Working with Application Library for more information.

  1. Type the name of an application group in the search field.
    Note: Sub-string matching is supported, so you do not have to type the application group's full name. Typing a partial name may result in multiple matches.

  2. Click Search.
  3. Select the required application group(s).
  4. Click Add Application Groups.
    The selected application groups are added to the list.

    Note: You can remove an application group from the list if required by selecting it and clicking Unassign.

  5. Click OK.
    Application groups are added to the policy. The dialog closes and you return to the wizard.

Adding Applications to a Policy

You can add applications to a Denied Applications policy or a Supplemental Easy Lockdown/Auditor policy using the Add Applications dialog.

This dialog is accessed by clicking the Add button on the Denied Applications dialog or the Authorize button on the Supplemental Easy Lockdown/Auditor wizard, then selecting Applications from the drop-down.

The applications available through this dialog are based on the contents of the Application Library. See Working with Application Library for more information.

  1. Type the name of an application in the search field.
    Note: Sub-string matching is supported, so you do not have to type the application's full name. Typing a partial name may result in multiple matches.

  2. Click Search.
  3. Select the required application(s).
  4. Click Add Applications.
    The selected applications are added to the list.

    Note: You can remove an application from the list if required by selecting it and clicking Unassign.

  5. Click OK.
    Applications are added to the policy. The dialog closes and you return to the wizard.

Adding Files to a Policy

You can add files to a Denied Applications policy or a Supplemental Easy Lockdown/Auditor policy using the Add Files dialog.

This dialog is accessed by clicking the Add button on the Denied Applications dialog or the Authorize button on the Supplemental Easy Lockdown/Auditor wizard, then selecting Files from the drop-down.

The files available through this dialog are based on the contents of the Application Library. See Working with Application Library for more information.

  1. Type the name of a file in the search field.
    Note: Sub-string matching is supported, so you do not have to type the file's full name. Typing a partial name may result in multiple matches.

  2. Click Search.
  3. Select the required file(s).
  4. Click Add Files.
    The selected files are added to the list.

    Note: You can remove a file from the list if required by selecting it and clicking Unassign.

  5. Click OK.
    Files are added to the policy. The dialog closes and you return to the wizard.

Removing Applications from a Denied Applications Policy

You can remove applications from a Denied Applications policy.

  1. Select Manage > Application Control Policies.
    A list of policies is displayed.
  2. Select a Denied Applications policy.
    The selected policy is highlighted.
  3. Click Edit.
    The Denied Applications Wizard opens.
  4. Select the application(s) you want to remove from the Denied Applications policy.
    Note: Applications can be defined at file, application, and application group level in the Application Library.

    The Remove button is enabled.

  5. Click Remove.
    A confirmation dialog is displayed.
  6. Click Yes.
  7. Click Finish.
    The specified application groups, applications or files are removed from the Denied Applications policy.

Adding an Individual User to a Policy

You can add one or more individual users to a policy using the Add Individual Users dialog.

This dialog is accessed by clicking the Add Individual User button on a User pane. This feature is available on wizards that support user assignment.

  1. Search for users using either of the following methods:

    Search for all users:

    Leave the Username field blank and click Search. This returns all existing users in the current domain.

    Search for one or more selected users:

    1. Type a user name in the Username field.
      Note: Sub-string matching is supported, so you do not have to type the full name. Typing a partial name may result in multiple matches.
    2. Click Search.

    One or more users appear in the results list.

    If you cannot find the user(s) you want, try searching other available domains. Select a searchable domain controller from the Domain drop-down list.

  2. Select one or more users.
  3. Click Add Users.
    The users are added to the selection list.
  4. Click OK.
    The Add Individual Users dialog closes and you return to the Users pane of the policy wizard, with the new user(s) added to the Users list.

Assigning a Denied Applications Policy

You can select an existing Denied Applications policy and assign it to endpoints/endpoint groups and users/user groups.

A Denied Applications policy requires both an endpoint/endpoint group and a user/user group assignment.

  1. Select Manage > Application Control Policies.
    The Managed Policies tab on the Application Control Policies page is displayed.
  2. Select a Denied Applications policy.
    Note: Filter the Policy Name and Policy Type columns to locate the required Denied Application policy.

    The selected policy is highlighted.

  3. Click Assign.
    The Denied Applications dialog is displayed.
  4. The policy must be assigned to at least one endpoint or endpoint group. Assign the policy to endpoints:

    To add groups of endpoints:

    1. Select a group or groups from the Groups list.
    2. Click Add >.

    To add individual endpoints:

    1. Select an endpoint or endpoints from the Endpoints list.
    2. Click Add >.

    To remove groups of endpoints:

    1. Select a group or groups from the Assigned List.
    2. Click < Remove.

    To remove individual endpoints:

    1. Select an endpoint or endpoints from the Assigned List.
    2. Click < Remove.

    Use the double-arrows to switch between groups and endpoints.

    The selected groups and/or endpoints are displayed in the Assigned List.

  5. The policy must be assigned to at least one user or user group. Assign the policy to users:

    To add users:

    1. Select one or more users from the Users list.
    2. Click Add >.
    3. If you cannot locate a specific user, click the Add Individual User button. See Adding an Individual User to a Policy for more information.

    To remove users:

    1. Select one or more users from the Assigned list.
    2. Click < Remove.

    Important: Both a user/user group AND an endpoint/endpoint group must be assigned.

    The selected users are displayed in the Assigned list.

  6. Click OK.
    The Denied Application policy is assigned to selected endpoints/endpoint groups and users/user groups.

Unassigning a Denied Applications Policy

You can unassign a Denied Applications policy, removing the link to the endpoints and users it was assigned to. Policies that are no longer assigned remain in the system as unassigned policies, which you can re-assign to endpoints and users at a later time.

  1. Select Manage > Application Control Policies.
    A list of policies is displayed.
  2. Select one or more Denied Applications policies.
    Note: Filter the Policy Name and Policy Type columns to locate the required policies.

    The selected policies are highlighted.

  3. Click Unassign.
    One of two confirmation dialogs is displayed, depending on whether you selected a single policy or multiple policies.

  4. Click Yes.
    One or more Denied Applications policies are unassigned.

Editing a Denied Applications Policy

You can edit a Denied Application policy and, for example, change the logging option or the endpoints to which it is assigned.

  1. Select Manage > Application Control Policies.
    A list of policies is displayed.
  2. Select a Denied Applications policy.
    Note: You can only edit one policy at a time.

    The selected policy is highlighted.

  3. Click Edit.
    The Denied Applications Wizard opens.
  4. [Optional] Edit the Policy Name.
  5. [Optional] Add one or more applications to the blacklist of denied applications (based on application groups, applications, or individual files):

    To add application groups:

    1. Click Add > Application Groups.
      The Add Application Groups dialog opens.
    2. Enter an application group name in the search field.
    3. Click Search.
    4. Select one or more of the results.
    5. Click Add Application Groups.
    6. Click OK.

    To add applications:

    1. Click Add > Applications.
      The Add Applications dialog opens.
    2. Enter an application name in the search field.
    3. Click Search.
    4. Select one or more of the results.
    5. Click Add Applications.
    6. Click OK.

    To add files:

    1. Click Add > Files.
      The Add Files dialog opens.
    2. Enter a file name in the search field.
    3. Click Search.
    4. Select one or more of the results.
    5. Click Add Files.
    6. Click OK.

    The application groups, applications, and files available through this dialog are based on the contents of the Application Library. See Working with Application Library for more information.

    One or more application groups, applications or files are added to the blacklist.

  6. [Optional] Remove one or more applications from the blacklist of denied applications:
    1. Select one or more applications from the list.
    2. Click Remove.
  7. [Optional] Change the Logging option.
    Note: Even if this control is not selected, logging may occur when other policy types (such as Easy Auditor or Easy Lockdown) have logging enabled.

  8. [Optional] Change the Activation option.

    Enable: The policy will be enabled once it is created, as long as you assign it to a group or endpoint.

    Disable: The policy will be disabled once created, even if it is assigned to a group or endpoint. You can enable it at a later time.

  9. Click Next.
    The Denied Application Wizard opens to the Assign the Denied Applications to groups, endpoints and/or users page.
  10. The policy must be assigned to at least one endpoint or endpoint group. Assign the policy to endpoints:

    To add groups of endpoints:

    1. Select a group or groups from the Groups list.
    2. Click Add >.

    To add individual endpoints:

    1. Select an endpoint or endpoints from the Endpoints list.
    2. Click Add >.

    To remove groups of endpoints:

    1. Select a group or groups from the Assigned List.
    2. Click < Remove.

    To remove individual endpoints:

    1. Select an endpoint or endpoints from the Assigned List.
    2. Click < Remove.

    Use the double-arrows to switch between groups and endpoints.

    The selected groups and/or endpoints are displayed in the Assigned List.

  11. The policy must be assigned to at least one user or user group. Assign the policy to users:

    To add users:

    1. Select one or more users from the Users list.
    2. Click Add >.
    3. If you cannot locate a specific user, click the Add Individual User button. See Adding an Individual User to a Policy for more information.

    To remove users:

    1. Select one or more users from the Assigned list.
    2. Click < Remove.

    Important: Both a user/user group AND an endpoint/endpoint group must be assigned.

    The selected users are displayed in the Assigned list.

  12. Click Finish.
    The Denied Applications policy is edited.

Disabling a Denied Applications Policy

You can disable a Denied Applications policy without deleting it. The details of the policy are retained and you can enable it again at a later time.

  1. Select Manage > Application Control Policies.
    A list of policies is displayed.
  2. Select the enabled policies that you want to disable.
    Note: Filter the Policy Name and Policy Type columns to locate the policy.

    The selected policies are highlighted.

  3. Click Disable.
    The selected Denied Applications policy or policies are disabled.

Enabling a Denied Applications Policy

You can enable a Denied Applications policy that is currently disabled.

  1. Select Manage > Application Control Policies.
    A list of Application Control policies is displayed.
  2. Select the check box(es) for the disabled Denied Applications policies that you want to enable.
    Note: Filter the Policy Name and Policy Type columns to locate the policy.

    The selected policies are highlighted.

  3. Click Enable.
    The selected Denied Applications policy or policies are enabled.

Deleting a Denied Application Policy

You can delete a Denied Application policy, as long as it is not assigned to any endpoint.

  1. Select Manage > Application Control Policies.
    A list of Application Control policies is displayed.
  2. Select the required Denied Applications policy.
    Note: The policy must not be assigned to an endpoint (Assigned column value of Not Assigned). If it is assigned, you must first unassign it to continue.

    The selected policy is highlighted.

  3. Click Delete.
    A confirmation dialog is displayed.

    Note: If the policy is currently in use, a message is displayed telling you that the policy cannot be deleted until it has been unassigned.

  4. Click Yes.
    The Denied Applications policy is deleted.

Exporting Denied Applications Policies

You can export a list of Denied Applications Policies to a CSV (Comma Separated Value) file. To export data, refer to Exporting Data.

The list of policies is saved as a CSV file with the following columns:

    Name                 Description
    Status               Enabled or Disabled
    Policy Name          The name of the policy
    Assigned             Assigned/Not Assigned (if assigned, export includes the groups and endpoints that the policy is assigned to)
    Policy Type          The type of policy (Denied Applications, Trusted Updater, and so on)
    Blocking             Off, On, Authorized, Non-authorized, or (Authorized, Non-authorized)
    Logging              Authorized, Non-authorized, or Off
    Last Updated Date    The date the policy was last changed
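
The following is an added example, not part of the product documentation: a Python script that reads an exported policy list and reports Denied Applications policies that are disabled, not assigned, or have logging set to Off. The column names are those listed above; the header row layout, the date format, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample export. Column names come from the column list in this
# section; the header row layout and every row value are assumptions.
SAMPLE_EXPORT = """\
Status,Policy Name,Assigned,Policy Type,Blocking,Logging,Last Updated Date
Enabled,Unauthorized Browsers Policy,Assigned,Denied Applications,On,Non-authorized,2015-03-02
Disabled,Streaming Media Block,Assigned,Denied Applications,On,Non-authorized,2015-01-17
Enabled,Hacking Tools Block,Not Assigned,Denied Applications,On,Off,2014-11-30
Enabled,Patch Updater,Assigned,Trusted Updater,Off,Authorized,2015-02-10
"""

# Columns this audit depends on; a missing one is reported, not guessed.
REQUIRED_COLUMNS = ("Status", "Policy Name", "Assigned", "Policy Type", "Logging")


def audit_denied_policies(csv_text):
    """Return {policy name: [findings]} for Denied Applications policies whose
    exported state means they are not in force or leave no record."""
    reader = csv.DictReader(io.StringIO(csv_text))
    header = [h.strip() for h in (reader.fieldnames or [])]
    missing = [c for c in REQUIRED_COLUMNS if c not in header]
    if missing:
        raise ValueError("export is missing columns: " + ", ".join(missing))

    findings = {}
    for row in reader:
        # Normalise surrounding whitespace; short rows yield None values.
        cell = {k.strip(): (v or "").strip() for k, v in row.items() if k}
        if cell["Policy Type"].lower() != "denied applications":
            continue  # other policy types are out of scope for this check
        issues = []
        if cell["Status"].lower() != "enabled":
            issues.append("policy is disabled")
        # An assigned policy may list its groups and endpoints in this cell,
        # so only the "Not Assigned" prefix is treated as unassigned.
        if cell["Assigned"].lower().startswith("not assigned"):
            issues.append("not assigned to any endpoint or user")
        if cell["Logging"].lower() == "off":
            issues.append("logging is Off for this policy")
        if issues:
            findings[cell["Policy Name"] or "<unnamed>"] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_denied_policies(SAMPLE_EXPORT).items():
        print(f"{name}: {'; '.join(issues)}")
```

A policy flagged for logging may still produce log entries when another policy type, such as Easy Auditor or Easy Lockdown, has logging enabled.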