Rule Sets
Overview
A Rule Set is used to group rule items. The following types of rule sets are available in the Application Control configuration:
Match rules with specific user groups within the enterprise. The two predefined groups are:
- BUILTIN\Administrators - This group is for local administrators. Users in the BUILTIN\Administrators group are assigned the Unrestricted security level.
- Everyone - This group is for all users, including administrators. Users in the Everyone group rule have a security level of Restricted, unless a user matches other group or user rules with higher priority settings. This means administrators are part of two group rules: the BUILTIN\Administrators group, which is unrestricted, and the Everyone group, which is restricted. Application Control uses the least restrictive rules, meaning all administrator requests are unrestricted.
Match rules with specific users.
Match rules with specific devices. Device rules can apply the rule settings either to the device hosting the Application Control agent and configuration, or to connecting devices. For example, a configuration rule can allow certain applications to run on a server but prohibit others from running when launched from a device listed in the rule. Device rules also provide the ability to perform per-device license management in a server-based computing environment.
Match custom rules created using Windows PowerShell or VB Scripts. The success or failure of the script determines whether the security level, allowed items, and denied items that are part of the rule apply to the user. Each script is evaluated under the following circumstances:
- When a new configuration is deployed to the computer.
- When a user logs on.
Match rules with specific requesting processes. Process rule sets let you manage an application's access to run child processes, which might otherwise be managed differently in other rules. You can add allowed and denied items and Privilege Management.
For more details on Rule Set Validation visit the Rule Sets section in the main Ivanti Security Controls Help.
Try it yourself
In this example we will deny access to Office applications for everyone. Then we'll create a new group, Office Apps, which will be given access to specific Office applications: Onenote and Outlook.
Step 1
Deny access to Office applications for the Everyone group.
- Navigate to Rule Sets > Group > Everyone > Executable Control.
- To restrict access to an item, select the Denied tab.
- Right-click in the work area and select File.
- In the File field enter Excel.exe and click Add, repeat this for Onenote.exe, Outlook.exe, Powerpoint.exe and Winword.exe.
- All the items will appear in the Denied Items list.
The Restricted radio button is selected (enforcing Executable Control) for the rule.
Step 2
Create a new Group Rule Set and allow specific Office apps.
- Navigate to Rule Sets > Group.
- Right-click and select Add Group Rule Set.
- Enter the name of the group, for example Office Apps.
- To allow access to specific Office apps, select the Allowed tab.
- Right-click in the work area and select File.
- In the File field enter Onenote.exe and click Add, repeat this for Outlook.exe.
- The items will appear in the Allowed Items list.
Test it
- Save and deploy the configuration.
- When a user logs on who is not a member of the Office Apps group, they will not be able to run any of the Office apps.
- When a user logs on who is a member of the Office Apps group, they will be able to run OneNote and Outlook, but Excel, Powerpoint, and Word will still be blocked.
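
The expected results of this test can be worked out ahead of deployment with the added sketch below, which is not Ivanti code: a simplified Python model of the "least restrictive rule wins" behaviour described in the Overview, applied to the rule sets from Steps 1 and 2. It assumes the Office Apps rule set stays at the Restricted level and that file names match case-insensitively; files not listed in any rule are reported as "default" because this page does not say how they are handled.

```python
# Simplified model of the rule sets built in Steps 1 and 2 (constructed; not Ivanti code).
UNRESTRICTED, RESTRICTED = "Unrestricted", "Restricted"

RULE_SETS = {
    "BUILTIN\\Administrators": {"level": UNRESTRICTED, "allowed": set(), "denied": set()},
    "Everyone": {
        "level": RESTRICTED,
        "allowed": set(),
        "denied": {"excel.exe", "onenote.exe", "outlook.exe", "powerpoint.exe", "winword.exe"},
    },
    # Assumption: the new group rule set keeps the Restricted security level.
    "Office Apps": {"level": RESTRICTED, "allowed": {"onenote.exe", "outlook.exe"}, "denied": set()},
}


def decide(user_groups, exe):
    """Return 'allow', 'deny' or 'default' for exe, given the user's group names."""
    name = exe.lower()  # assumption: file names are compared case-insensitively
    # Every user matches Everyone; other rule sets match on group membership.
    matching = [RULE_SETS[g] for g in set(user_groups) | {"Everyone"} if g in RULE_SETS]
    # Least restrictive rule wins: one Unrestricted match lifts all restrictions.
    if any(rs["level"] == UNRESTRICTED for rs in matching):
        return "allow"
    # An Allowed item in any matching rule set outweighs a Denied item in another.
    if any(name in rs["allowed"] for rs in matching):
        return "allow"
    if any(name in rs["denied"] for rs in matching):
        return "deny"
    return "default"  # not covered by the Allowed/Denied lists modelled here


def test_matrix():
    """Expected outcome per account type for the five Office executables."""
    apps = ["Excel.exe", "Onenote.exe", "Outlook.exe", "Powerpoint.exe", "Winword.exe"]
    accounts = {
        "standard user": [],
        "Office Apps member": ["Office Apps"],
        "local administrator": ["BUILTIN\\Administrators"],
    }
    return {who: {app: decide(groups, app) for app in apps} for who, groups in accounts.items()}


if __name__ == "__main__":
    for who, results in test_matrix().items():
        print(f"{who}: {results}")
```

The local administrator row is the one to review before rollout: under the least restrictive rule, denying an application to Everyone does not restrict administrators.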