Understand the application control learn mode

Application control can run in one of the following protection modes: Disabled, Learning, Logging, or Blocking.

Using the application control learn mode

Below is a description of the application control learn mode process:

  • In learning mode, application control learns what kind of applications are installed on the device, how they behave, and their rights (privileges).
  • Application control monitors activity on the device and records information in an action history file.
  • Action history data is sent from the device to the core server.
  • Administrators read the action history to see which applications are doing what on the device. The files/applications and associated rights listed in the action history file (XML) are displayed on the File certifications page of the Application control settings dialog box.
  • Administrators can customize application control settings to allow and deny privileges for relevant applications.

Learning mode can be applied in two ways. It can be applied to managed devices generally, allowing application control violations to occur until a new application control setting is deployed. Alternatively, learn mode can be applied initially for a specified period of time to discover which applications are run and how they behave, and to create a whitelist (applications allowed to execute on devices). If the general protection mode is automatic blocking, you can still use learn mode to discover application behavior and then re-enforce automatic blocking mode once the learning period has expired.

IMPORTANT: Keep in mind that both the core server and managed device must be operating in learn mode in order for the action history communication to take place.