Configuration Settings
You can define message settings and advanced settings on a per configuration basis.
Message Settings
Message Settings are used to define how message boxes display to users, and to specify the content of the messages when users attempt to launch applications, in-line with the configuration rules.
You can define the following user messages:
- Access Denied: Define the message that displays when execution of an application is denied.
- Elevation Prompts: Define the messages that display when elevated rights are required to execute an application:
  - Define the message that displays when elevated rights are required to run an application. This message prompt can be enabled per elevate rule item in the Rule Item Settings panel > Properties tab > Policy section.
  - Define the message that displays when elevated rights are required and a reason must be provided to run an application. This message prompt can be enabled per elevate rule item in the Rule Item Settings panel > Properties tab > Policy section.
- Self-Elevate: Define the message that requests a reason when a user attempts to self-elevate an item. You can disable this message being displayed to the user on a per deny rule item basis, in the Rule Item Settings panel > Properties tab > Options section.
For each type of message, define the following:
- Caption: The text to display at the top of the message. For example, you can change the default caption, App Control, so that the user is not aware that App Control has intervened.
- Banner: Enter the text to display in the colored banner. To remove the colored banner from the message box, simply clear this field so it remains empty.
- Message body: Enter the text to display in the body of the message.
- Width: Specify the width of the message dialog. The width is measured in pixels and applies to all messages.
- Height: Specify the height of the message dialog. The height is measured in pixels and applies to all messages.
Message Tips
When configuring messages, consider the following:
- Environment variables are supported for the caption, banner, and the message.
- When using hyperlinks in the message body, the full HREF attribute tag must be entered.
- If less-than or greater-than angle brackets are to be displayed in the message body, use &lt; and &gt; respectively. JavaScript is not supported.
Message Box Environment Variables
Messages support System and User environment variables and the following App Control defined variables:
| Environment Variable | Description | 
|---|---|
| %ExecutableName% | The name of the denied application. | 
| %FullPathName% | The full path of the denied application. | 
| %DirectoryName% | The directory where the denied application is located. | 
| %NetworkLocation% | The resolved IP address of the given host name. | 
| %AC_Hash% | The file hash. | 
| %AC_FileSize% | The size of the file. | 
| %AC_ProductVersion% | The version of the product. | 
| %AC_FileVersion% | The version of the file. | 
| %AC_ProductName% | The name of the product. | 
| %AC_CompanyName% | The name of the company. | 
| %AC_Vendor% | The name of the certificate signer. | 
| %AC_FileDescription% | The description of the file. | 
| %AC_ParentProcess% | The name of the parent process that started the application. | 
| %AC_DecidingRule% | The name of the allow rule in the App Control configuration. | 
| %AC_FileOwner% | The owner of the file. | 
| %AC_ClientName% | The name of the connecting device. | 
| %AC_PortNumber% | The network port, only if applicable. If the port number is not 0, it is displayed at the end of the blocked IP address. | 
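As an added illustration (not Ivanti code and not a documented App Control feature), the following Python checks a message body against the Message Tips above and expands the variables from the table using a constructed denial event. The variable names come from the table; the lint rules, the rendering function, the port-suffix handling and the sample event are assumptions about how such a template could be validated before it is deployed.

```python
import re

# The App Control-defined variables from the table above (system and user
# environment variables such as %USERNAME% are also allowed and are not listed)
AC_VARIABLES = {
    "%ExecutableName%", "%FullPathName%", "%DirectoryName%", "%NetworkLocation%",
    "%AC_Hash%", "%AC_FileSize%", "%AC_ProductVersion%", "%AC_FileVersion%",
    "%AC_ProductName%", "%AC_CompanyName%", "%AC_Vendor%", "%AC_FileDescription%",
    "%AC_ParentProcess%", "%AC_DecidingRule%", "%AC_FileOwner%", "%AC_ClientName%",
    "%AC_PortNumber%",
}


def lint_message(body: str) -> list:
    """Check a message body against the Message Tips above.

    Returns a list of problems: raw angle brackets outside a full <a href="...">
    hyperlink, anything that looks like JavaScript, hyperlinks without a full
    href attribute, and %AC_...% names that are not App Control variables.
    """
    problems = []
    # A hyperlink with a full href attribute is the one tag the tips allow;
    # remove well-formed ones before looking for stray angle brackets.
    stripped = re.sub(r'<a\s+href="[^"]*"[^>]*>.*?</a>', "", body, flags=re.S | re.I)
    if "<" in stripped or ">" in stripped:
        problems.append("raw angle bracket: use &lt; and &gt; to display < or >")
    if re.search(r"<script\b|javascript:", body, re.I):
        problems.append("JavaScript is not supported in message bodies")
    if re.search(r"<a\b(?![^>]*\bhref=)", body, re.I):
        problems.append("hyperlink without a full href attribute")
    for var in re.findall(r"%AC_[A-Za-z]+%", body):
        if var not in AC_VARIABLES:
            problems.append(f"unknown App Control variable {var}")
    return problems


def render_message(body: str, event: dict) -> str:
    """Expand App Control variables using values from one denial event.

    Assumption drawn from the %AC_PortNumber% row above: a non-zero port is
    shown at the end of the blocked address; a zero port is not shown.
    """
    values = dict(event)
    port = int(values.get("%AC_PortNumber%", 0) or 0)
    if "%NetworkLocation%" in values and port != 0:
        values["%NetworkLocation%"] = f"{values['%NetworkLocation%']}:{port}"
    out = body
    for var, val in values.items():
        out = out.replace(var, str(val))
    return out


# Constructed sample denial event (not real data)
SAMPLE_EVENT = {
    "%ExecutableName%": "tool.exe",
    "%FullPathName%": r"C:\Users\alice\Downloads\tool.exe",
    "%AC_FileOwner%": "alice",
    "%AC_DecidingRule%": "Downloads folder deny",
    "%NetworkLocation%": "203.0.113.10",
    "%AC_PortNumber%": 8443,
}

# A body that follows the tips: full href tag, entity-escaped brackets
GOOD_BODY = (
    '%ExecutableName% was blocked by rule "%AC_DecidingRule%" (owner: %AC_FileOwner%). '
    'Request an exception via <a href="https://helpdesk.example/request">the help desk</a> '
    "or contact IT &lt;security&gt;. Blocked address: %NetworkLocation%"
)
# A body that breaks them: raw tags, a link without href, an unknown variable
BAD_BODY = "Blocked <b>%ExecutableName%</b> <a>link</a> %AC_Reason%"

if __name__ == "__main__":
    print("good:", lint_message(GOOD_BODY))
    print("bad:", lint_message(BAD_BODY))
    print(render_message(GOOD_BODY, SAMPLE_EVENT))
```

The lint deliberately treats any tag other than a complete `<a href="...">...</a>` as a problem, because the tips only promise support for a full HREF tag and entity-escaped brackets; a body that passes it will render the same way whether or not the dialog interprets HTML.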
Advanced Settings
Policy Settings
Configure general, validation, and functionality policy settings to apply to all application execution requests.
General Features
- Deny files on network shares: The configuration default for network shares is to deny everything unless it is specified in an Allow rule. When this setting is disabled, everything on the network share is allowed, unless it fails trusted ownership checking, or is specified in a deny rule.
- Ignore restrictions during Active Setup: Enable this option to ignore restrictions during an Active Setup process and delay the implementation of the App Control rules.
- Deny files on removable media: Enable this option so that executable files on removable devices are permitted only when explicitly added to rules, ensuring only authorized applications are allowed to run. When disabled, admins can create rules specifying which files are allowed to execute.
- Ignore restrictions during logon: Enable this option to ignore restrictions at logon and delay the implementation of App Control rules until logon is complete, preventing disruptions or interruptions to the logon process. This option allows logon scripts to run.
Validation
- Validate MSI (Windows Installer) packages: MSI files are the standard method of installing Windows applications. It is recommended that users are not allowed to freely install MSI applications. 
 When enabled, the default setting, running msiexec.exe is denied and all MSIs are subject to rule validation.
 When this setting is disabled, msiexec.exe is not blocked and MSI files are allowed to run, subject to rule validation.
- Validate PowerShell scripts: When enabled, running powershell.exe and powershell_ise.exe is denied. However, if a PowerShell script (PS1 file) is found on the command line, it is subject to rule validation.
 When disabled, the default setting, powershell.exe and powershell_ise.exe are no longer blocked, and PS1 files are no longer subject to rule validation.
- Block -Command: When enabled, the default setting, any PowerShell command line that includes -Command is blocked. 
 To change the security level you may want to deselect this option, to disable the blocking of -Command.
 Example: In File Explorer, right-click a PS1 file then select Run with PowerShell. Explorer adds -Command automatically to query the current execution policy and prompt the user to ask whether they want to change it. For App Control to evaluate PS1 files run this way, and not just block them, disable the Block -Command option. Be aware that when disabled, any trusted PS1 file can be modified with malicious code inserted via a -Command argument and will run because the file itself is trusted. 
- Allow CMD for batch files: It is expected that administrators will explicitly prohibit cmd.exe in their App Control configuration. 
 When enabled, the default setting, cmd.exe is allowed to run. If a rule explicitly denies cmd.exe, then cmd.exe is not allowed to run on its own; however, batch files run subject to rule validation.
 When this setting is disabled, cmd.exe is not allowed to run and all batch files are allowed to run. If a rule explicitly denies cmd.exe, all batch files are blocked; they are not even evaluated.
- Validate WSH (Windows Script Host) scripts: Scripts can introduce viruses and malicious code, therefore it is recommended to validate WSH scripts. 
 When enabled, the default setting, cscript.exe and wscript.exe are denied. However, running JS or VB scripts is subject to rule validation.
 When this setting is disabled, cscript.exe and wscript.exe are no longer blocked by default and JS or VB scripts are no longer subject to rule validation.
- Validate Registry files: When enabled, the default setting, regedit.exe and regini.exe are denied. Running a .reg script is subject to rule validation. 
 When this setting is disabled, regedit.exe and regini.exe are no longer blocked by default. Additionally, .reg scripts are no longer subject to rule validation.
- Validate Java archives: When enabled, the default setting, java.exe and javaw.exe are denied. However, if a Java archive (JAR file) is found on the command line, it is subject to rule validation.
 When this setting is disabled, java.exe and javaw.exe are no longer blocked by default, and JAR files are no longer subject to rule validation.
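The following Python models the decisions described under Validation (MSI, PowerShell, Block -Command, CMD for batch files, WSH, Registry files and Java archives) as one function, so the interaction between a setting, an explicit deny rule on the interpreter and the file found on the command line can be seen in one place. It is an added example, not App Control code: the interpreter names and the enabled/disabled behaviours follow the descriptions above, while the command-line parsing, the payload file extensions (.vbs, .cmd), the `cmd_denied_by_rule` flag and the sample command lines are assumptions.

```python
import shlex
from dataclasses import dataclass

# Interpreter -> (governing setting, payload extensions subject to rule validation).
# Interpreter names are from the settings above; the extensions are assumptions
# (the page says "JS or VB scripts" and "batch files" without naming extensions).
VALIDATED_HOSTS = {
    "msiexec.exe": ("Validate MSI (Windows Installer) packages", (".msi",)),
    "powershell.exe": ("Validate PowerShell scripts", (".ps1",)),
    "powershell_ise.exe": ("Validate PowerShell scripts", (".ps1",)),
    "cscript.exe": ("Validate WSH (Windows Script Host) scripts", (".js", ".vbs")),
    "wscript.exe": ("Validate WSH (Windows Script Host) scripts", (".js", ".vbs")),
    "regedit.exe": ("Validate Registry files", (".reg",)),
    "regini.exe": ("Validate Registry files", (".reg",)),
    "java.exe": ("Validate Java archives", (".jar",)),
    "javaw.exe": ("Validate Java archives", (".jar",)),
    "cmd.exe": ("Allow CMD for batch files", (".bat", ".cmd")),
}


@dataclass
class Settings:
    """Validation settings with the defaults the page states."""
    validate_msi: bool = True
    validate_powershell: bool = False  # page: disabled is the default
    block_command: bool = True
    allow_cmd_for_batch: bool = True
    validate_wsh: bool = True
    validate_registry: bool = True
    validate_java: bool = True


def evaluate(cmdline: str, s: Settings, cmd_denied_by_rule: bool = False) -> dict:
    """Describe how the settings above treat one process launch.

    Returns: host (interpreter name), setting (None for an ordinary executable),
    host_denied (the interpreter itself is denied), blocked_outright (the whole
    launch is blocked, e.g. by Block -Command), validated (payload files that go
    through rule validation) and unvalidated (payload files that run without it).
    """
    argv = shlex.split(cmdline, posix=False)  # posix=False keeps Windows backslashes
    host = argv[0].strip('"').lower().rsplit("\\", 1)[-1]
    result = {"host": host, "setting": None, "host_denied": False,
              "blocked_outright": False, "validated": [], "unvalidated": []}
    if host not in VALIDATED_HOSTS:
        return result  # not an interpreter: ordinary rule matching applies
    setting, exts = VALIDATED_HOSTS[host]
    result["setting"] = setting
    payloads = [a.strip('"') for a in argv[1:] if a.strip('"').lower().endswith(exts)]

    if host == "cmd.exe":
        if s.allow_cmd_for_batch:
            # cmd.exe runs unless a rule denies it; with such a rule cmd.exe alone
            # is denied but batch files still run subject to rule validation
            result["host_denied"] = cmd_denied_by_rule
            target = "validated" if cmd_denied_by_rule else "unvalidated"
            result[target].extend(payloads)
        else:
            result["host_denied"] = True
            if cmd_denied_by_rule:
                result["blocked_outright"] = True  # batch files are not even evaluated
            else:
                result["unvalidated"].extend(payloads)
        return result

    if host.startswith("powershell"):
        # Block -Command applies to the whole command line, before any PS1 check
        if s.block_command and any(a.lower() == "-command" for a in argv[1:]):
            result["blocked_outright"] = True
            return result
        enabled = s.validate_powershell
    else:
        enabled = {"msiexec.exe": s.validate_msi, "cscript.exe": s.validate_wsh,
                   "wscript.exe": s.validate_wsh, "regedit.exe": s.validate_registry,
                   "regini.exe": s.validate_registry, "java.exe": s.validate_java,
                   "javaw.exe": s.validate_java}[host]

    if enabled:
        result["host_denied"] = True
        result["validated"].extend(payloads)
    elif host == "msiexec.exe":
        result["validated"].extend(payloads)  # MSIs stay subject to rule validation
    else:
        result["unvalidated"].extend(payloads)
    return result


if __name__ == "__main__":
    # Constructed command lines, not captured from a real endpoint
    for line in (
        r"powershell.exe -File C:\scripts\deploy.ps1",
        r"powershell.exe -Command C:\scripts\deploy.ps1",
        r"msiexec.exe /i C:\temp\app.msi /qn",
        r"cmd.exe /c C:\scripts\logon.bat",
        r"C:\Windows\System32\notepad.exe C:\temp\notes.txt",
    ):
        print(evaluate(line, Settings()))
```

The model matches the literal `-Command` token, which is all the page describes, and it shows the trade-off in the Block -Command note: with the block removed and PowerShell validation enabled, the PS1 on the command line is validated, but the interpreter is then the only thing standing between a trusted script and the extra code a `-Command` argument can carry.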
Functionality
- Allow and Deny Rules: When enabled, access control is enforced by the configuration deny rules. 
 When this setting is disabled, all deny rules are ignored and no application access is denied, so everything is allowed.
- Elevation Rules: When enabled, user privileges are determined by the configuration elevate rules.
 When this setting is disabled, all elevate rules are ignored and no application elevation is allowed.
- Network Connection Rules: When enabled, the allow and deny rules for Network Connection function effectively.
 When disabled, the rules do not function and events do not get generated in App Control > Overview.
- URL Rules: When enabled, the allow and deny rules for URLs function effectively.
 When disabled, the rules do not function and events do not get generated in App Control > Overview.
Custom Settings
Configure additional settings to apply to managed endpoints:
- Driver Hook Exclusions: Select to exclude driver hooks when running App Control. App Control injects a DLL into all running processes to help it intercept and modify a process's behavior, such as to allow or elevate. This exclusion means the App Control DLL is not injected.
 Enter the file names to create the driver hook exclusion list; use a semicolon to separate the file names.
 This custom setting should only be used under the guidance of Ivanti Technical Support.
- App Control Driver Exclusions: Select to exclude the App Control driver from intercepting the process start request for the specific processes listed. App Control has a driver that prevents a process from starting until checks have been run, such as rule matching or trusted ownership. This exclusion prevents the driver from intercepting the start request.
 Enter the file names to create the filter driver exclusion list; use a semicolon or a space delimiter to separate the file names. This setting requires an agent restart to take effect. 
- Show Message For Blocked DLLs: Select to display the App Control access denied message when a DLL is blocked.
- Config File Protection: Select to prevent users and administrators from reading, copying, editing, and deleting the App Control configuration file on the endpoint.
- App Hook Delay Load: Select this setting to load the AmAppHook DLL after a configured delay in milliseconds (ms). This setting is configured on a per filename basis. The format is <filename+extension>,<delay>. The file name can contain wildcards.
- DFS Link Matching: Select this setting to enable DFS Link matching. DFS Link paths can be added to the rules. DFS Links are treated as independent items to be matched. DFS Targets are also treated as independent items. There is no conversion from Link to Target before applying the rules.
- Disable DNS Lookup: Select this option to prevent App Control from performing DNS lookups, reducing unexpected slowdowns, and errors where a proxy DNS server is used. The Application Network Access Control component is not compatible with all forms of proxy DNS servers.
- Image Hijack Detection: Specifies a list of process names against which all child processes are verified to ensure the child image is running without corruption or modification and matches the one initially requested. This is a semicolon-delimited list of full paths or file names. If the child process is not verified, Application Control terminates the process and raises an event (ID 9065).
- Apply Security Level for URL Rules: Select this option to ignore the URL rules based on the configured security level. 
 Deselecting this option applies the URL rules regardless of the configuration security level.
- Browser App Store Port: Select this option to enter the port used to allow the Chrome browser extensions to be installed.
- Browser Comms Port: Select this option to enter the port used for communication between browser extensions and the Application Control agent.
- Browser Extension Install Hive: Select this option to allow administrators to choose which registry hive the Application Control Chrome browser extension will be installed in.
Self-Elevate Settings
Configure the settings to apply to the self-elevate functionality.
- Make items allowed: Make the rule items allowed and overwrite any associated allowed items.
- Allow items to run even if not owned by a trusted owner: This option is only available if you select Make items allowed. Select to execute all rule items regardless of whether the owner is trusted or not.
- Apply to child processes: The self-elevation policy applied to rule items is not inherited by child processes by default. Select this option to apply the policy to the direct children of the parent process.
- Apply to common dialogs: Select to elevate access to the Open File and Save File Windows menu options when a file or folder has been elevated. Caution should be taken with this setting; if selected, users could modify the filesystem with administrative privileges.
- Install as trusted owner: Select to make the local administrator the owner of all files created by the defined application. This option is not applied to regular applications, only installer packages.
- Hide the 'Run as administrator' Windows option for Self-Elevated items: Select to hide the Run as Administrator option from the Windows context menu.
- Display a message box requiring a reason for Self-Elevation from the user: Select to display a message to the end user requesting a reason for the self-elevation. 
 Configure the message settings in Configuration > Settings > Message Settings > Self-Elevate.
- Set the name of the Self-Elevate context menu item: Enter the name of the App Control self-elevate option to display in the Windows context menu.
Trusted Owners Settings
Configure the settings to apply to the trusted owner functionality.
- Enable Trusted Ownership checking: Select to enable trusted ownership checks on files to match the list of approved trusted owners.
- Change a file's ownership when it is overwritten or renamed: Select to change the owner of a file to that of the user who initiated the overwrite or rename.
Policy Change Request Settings
Configure the settings to apply to the policy change request functionality. To configure policy change request setting, refer to Configuring ServiceNow.
Entra ID Settings
Configure the Entra ID setting to establish a connection between Ivanti Neurons and Microsoft Entra. To configure the Entra ID with Ivanti Neurons, refer to Configuring Entra ID.
Auditing Settings
Configure the general settings for auditing.
Raise App Control events to the local Application Event Log: Select to enable App Control auditing and capture all the events locally. You can either select the Ivanti event log or the Application event log option to capture all App Control events based on your requirements.
| Event ID | Name | Description | 
|---|---|---|
| 9013 | Network item denied | Denied network item request | 
| 9018 | Application user privileges changed | The application's user privileges have changed. | 
| 9023 | Self-Elevation allowed | Self-Elevation request | 
| 9024 | URL Redirection | URL Redirection has occurred | 
| 9053 | User requested allow | An allowed Policy Change Request application has started | 
| 9054 | User requested elevate | An elevated Policy Change Request has started | 
| 9060 | Denied execution (Trusted Ownership) | Denied execution request (Trusted Ownership) | 
| 9061 | Denied execution (Rule Policy) | Denied execution request (Rule Policy) | 
| 9062 | Application started elevated | An application started with elevated (full admin) rights |
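As an added example, not part of the product or of this page, here is Python detection logic over constructed audit records using the event IDs from the table above: it counts events by ID and by user, and flags a user whose repeated denials (9013, 9060, 9061) are followed within a short window by an elevated start (9062), the kind of sequence an analyst would want to review. The record layout (timestamp, event ID, user, detail), the sample records and the window/threshold values are assumptions, since the page does not show the event payload.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Event IDs and names from the Auditing Settings table above
EVENT_NAMES = {
    9013: "Network item denied",
    9018: "Application user privileges changed",
    9023: "Self-Elevation allowed",
    9024: "URL Redirection",
    9053: "User requested allow",
    9054: "User requested elevate",
    9060: "Denied execution (Trusted Ownership)",
    9061: "Denied execution (Rule Policy)",
    9062: "Application started elevated",
}
DENIALS = {9013, 9060, 9061}

# Constructed sample records: (ISO timestamp, event ID, user, detail).
# The layout is an assumption; the page does not show the event payload.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:01", 9061, "CORP\\alice", r"C:\Users\alice\Downloads\tool.exe"),
    ("2024-05-01T09:00:30", 9060, "CORP\\alice", r"C:\Users\alice\AppData\Local\Temp\setup.exe"),
    ("2024-05-01T09:01:10", 9061, "CORP\\alice", r"C:\Users\alice\Downloads\tool2.exe"),
    ("2024-05-01T09:03:00", 9023, "CORP\\alice", r"C:\Users\alice\Downloads\tool.exe"),
    ("2024-05-01T09:03:02", 9062, "CORP\\alice", r"C:\Users\alice\Downloads\tool.exe"),
    ("2024-05-01T10:15:00", 9024, "CORP\\bob", "http://intranet.example/old -> https://intranet.example/new"),
    ("2024-05-01T11:00:00", 9053, "CORP\\carol", r"C:\Program Files\Vendor\app.exe"),
    ("2024-05-01T12:00:00", 1000, "CORP\\bob", "unrelated application event"),
]


def parse_event(rec):
    """Return a normalised event, or None for IDs not in the table above."""
    ts, event_id, user, detail = rec
    if event_id not in EVENT_NAMES:
        return None
    return {"time": datetime.fromisoformat(ts), "id": event_id,
            "name": EVENT_NAMES[event_id], "user": user, "detail": detail}


def summarise(records):
    """Count App Control events by ID and denial events by user."""
    events = [e for e in map(parse_event, records) if e]
    by_id = Counter(e["id"] for e in events)
    denials_per_user = Counter(e["user"] for e in events if e["id"] in DENIALS)
    return {"by_id": dict(by_id), "denials_per_user": dict(denials_per_user)}


def denied_then_elevated(records, window=timedelta(minutes=10), min_denials=2):
    """Flag users with at least min_denials denials followed within `window`
    by an elevated start (9062). Returns (user, elevated detail, denial count)."""
    events = sorted((e for e in map(parse_event, records) if e), key=lambda e: e["time"])
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    flagged = []
    for user, evs in per_user.items():
        for i, e in enumerate(evs):
            if e["id"] != 9062:
                continue
            recent = [d for d in evs[:i]
                      if d["id"] in DENIALS and e["time"] - d["time"] <= window]
            if len(recent) >= min_denials:
                flagged.append((user, e["detail"], len(recent)))
                break  # one finding per user is enough for a review queue
    return flagged


if __name__ == "__main__":
    print(summarise(SAMPLE_EVENTS))
    for user, detail, n in denied_then_elevated(SAMPLE_EVENTS):
        print(f"review: {user} started {detail} elevated after {n} recent denials")
```

On an endpoint the records would be read from whichever log is selected under Raise App Control events (the Ivanti event log or the Application event log); the functions only need the four fields shown, so any collector that exposes timestamp, event ID, user and the denied or elevated item can feed them.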