Understand the application control learn mode

Application control can run in one of the following protection modes: Disabled, Learning, Logging, or Blocking.

Using the application control learn mode

Below is a description of the application control learn mode process:

  • In learning mode, application control learns what kind of applications are installed on the device, how they behave, and their rights (privileges).
  • Application control monitors activity on the device and records information in an action history file.
  • Action history data is sent from the device to the core server.
  • Administrators read the action history to see which applications are doing what on the device. The files/applications and associated rights listed in the action history file (XML) are displayed on the File certifications page of the Application control settings dialog box.
  • Administrators can customize application control settings to allow and deny privileges for relevant applications.

Learning mode can be applied to managed devices in two ways. It can be applied generally, which allows application control violations to occur until a new application control setting is deployed. Alternatively, it can be applied initially for a specified period of time to discover which applications are run and how they behave, and to create an allowed list (applications allowed to execute on devices). If the general protection mode is automatic blocking, you can still use learn mode to discover application behavior and then re-enforce automatic blocking mode once the learning period has expired.

IMPORTANT: Both the core server and the managed device must be operating in learn mode for the action history communication to take place.