Restricting applications on Windows devices

Ivanti EPMM allows administrators to restrict specified applications on Windows devices using one of the following two approaches:

  • Exclude (blacklist) - specifying applications to block, allowing all other applications on devices.
  • Include (whitelist) - specifying the applications and system apps to allow on devices, blocking all other applications not on the list.

The following topics describe how to restrict applications on Windows devices:

The figure below is an example of setting up a Whitelist App Control rule for Windows 10 Desktop, Windows 10 Mobile, and Windows Phone 8.1 devices.

Figure 1. Setting up a Whitelist for Windows devices

Restricting applications on Windows 10 Desktop devices

The following procedures create a rule (called Whitelist) that allows device users to use only the specified applications and no others. To include or exclude apps in security policies for Windows 10 Desktop devices, you can select:

  • Publisher/PFN Equals to use the dynamic lookup feature

    PFN is the Product Family Name of the application.

  • EXE/Win32 Equals to use the application name

This section provides information on:

Using the dynamic lookup tool to restrict applications on devices

Procedure

  1. In the Ivanti EPMM Admin Portal, select Apps > App Control > Add.
  2. Enter Whitelist in the Name field as the name of the rule.
  3. Select Allowed for the Type option.

    Select Disallowed to block an application (blacklist).

  4. Select Publisher/PFN Equals from the App drop-down.

    PFN is the Product Family Name of the application.

  5. Leave the App Identifier/Name field blank.
  6. Select Windows from the Device Platform drop-down.
  7. Click the Windows icon to open the Windows Store Search window.

    The Windows icon is next to the red minus (-) icon to the right of the Rule Entries list.

  8. Click the Windows 10 option at the top of the search window.

    • The Windows 10 option searches applications from the Windows 10 store, which supports both Windows 10 Phone and Windows 10 Desktop devices.
    • The Windows Phone option searches applications from the Windows Phone 8.1 store.
  9. Enter an application name and click Search.
  10. Locate the application and click the Select button to automatically insert the PFN into the App Identifier/Name field in the Add App Control Rule window.
  11. (Optional) Click the green plus (+) icon to add more apps to the rule, as necessary.
  12. Click Save.

Using the application name to restrict applications on devices

Procedure

  1. In the Ivanti EPMM Admin Portal, select Apps > App Control > Add.
  2. Enter Whitelist in the Name field as the name of the rule.
  3. Select Allowed for the Type option.

    Select Disallowed to block an application (blacklist).

  4. Select EXE/Win32 Equals from the App drop-down.
  5. Enter the name of the application (Notepad+, for instance) in the App Identifier/Name field.
  6. Select Windows from the Device Platform drop-down.
  7. (Optional) Click the green plus (+) icon to add more applications to the rule, as necessary.
  8. Click Save.

Blocking applications from Windows 10 Desktop devices

When you block an application after it is already in use and installed from the Microsoft Store, the application will continue to run until users close it. When users open a blocked application, Windows displays a message on the device informing users that the application has been blocked by their system administrator. Ivanti EPMM sends instructions to the OS to block the specified application(s).

When users try to install a blocked application from the Microsoft Store, they see a message that the application has been blocked due to company policy.

Procedure

To apply an App Control rule to a security policy:

  1. Go to Policies & Configs > Policies.
  2. Select Default Security Policy and in the Policy Details pane, click Edit.
  3. In the Modify Security Policy dialog box, scroll to the For Windows Devices section in the Access Control group.
  4. Select the check box next to Application Restrictions and select Blacklist from the drop-down.
  5. Click Save.

Restricting applications on Windows 10 Mobile devices

Procedure

  1. Go to Apps > App Control.
  2. Click Add. The Add App Control Rule dialog box opens.
  3. In the Name field, enter Whitelist as the name of the rule.
  4. In the Type field, select Allowed. Select Disallowed to create a Blacklist and block an application.
  5. In the App drop-down, select MS Store GUID Equals.
  6. Leave the App Identifier/Name field blank.
  7. In the Device Platform drop-down, select Windows.
  8. Click the Windows icon to open the Windows Store Search dialog box. (The Windows icon is next to the red minus (-) icon to the right of the Rule Entries list.)
  9. Click the Windows 10 option.

    • The Windows Phone option searches applications from the Windows Phone 8.1 store.
    • The Windows 10 option searches applications from the Windows 10 store, which supports both Windows 10 Phone and Windows 10 Desktop devices.
  10. Enter an application name (Notepad+, for example) and click Search.
  11. Locate the application and click the Select button to automatically insert the GUID into the App Identifier/Name field in the Add App Control Rule dialog box.
  12. (Optional) Click the green plus (+) icon to add more apps to the rule, as necessary.
  13. Click Save.

Restricting applications on Windows Phone 8.1 devices

Procedure

  1. Go to Apps > App Control.
  2. Click Add. The Add App Control Rule dialog box opens.
  3. In the Name field, enter Whitelist as the name of the rule.
  4. In the Type field, select Allowed. Select Disallowed to create a Blacklist and block an application.
  5. In the App drop-down, select MS Store GUID Equals.
  6. Leave the App Identifier/Name field blank.
  7. Select Windows Phone from the Device Platform drop-down.
  8. Click the Windows icon to open the Windows Store Search dialog box. (The Windows icon is next to the red minus (-) icon to the right of the Rule Entries list.)
  9. Click the Windows Phone option.
  10. Enter an application name and click Search.
  11. Locate the application and click the Select button to automatically insert the PFN into the App Identifier/Name field in the Add App Control Rule dialog box.
  12. (Optional) Click the green plus (+) icon to add more apps to the rule, as necessary.
  13. Click Save.

Upgrading from Windows Phone 8.1 devices to Windows 10 Mobile devices

When using the newer API, not all applications will appear in the store. Settings apps, Inbox apps, and other applications that are default applications on the device will not display in the store. To look up those applications, visit https://docs.microsoft.com/en-us/windows/client-management/mdm/applocker-csp#inboxappsandcomponents.

The linked page also describes the tool Microsoft provides for reviewing a golden device. Not all of the GUIDs in the Microsoft Store point to the actual application on the device, so Ivanti, Inc. and Microsoft recommend that you create a golden device and use that tool to review the GUIDs actually needed.
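The following PowerShell script is an added example of the golden-device review described above; it is not Ivanti's or Microsoft's tool and is not part of the original page. It assumes an elevated PowerShell session on a Windows 10 Desktop golden device, and it assumes (since the page links to the AppLocker CSP) that the App Control rule pushed by Ivanti EPMM ends up in the device's effective AppLocker policy. The first function inventories the Package Family Name (PFN) and publisher of every installed package, including the inbox and system packages that the Store search does not return, so they can be added to an Allowed rule before the rule is enforced; the last function reads the effective policy back so you can confirm what the OS is actually enforcing.

```powershell
# Added example (not Ivanti's or Microsoft's tool): inventory the identifiers an App Control
# rule needs on a Windows 10 Desktop golden device, and read back the effective AppLocker policy.
# Assumptions: elevated PowerShell on the golden device; the AppLocker cmdlets are available;
# the EPMM App Control rule is delivered through the AppLocker CSP.

# Collect PFN and publisher for every installed package. -AllUsers needs elevation.
# Inbox/system packages (Settings, Inbox apps) appear here even though the Store search
# does not return them, so they can be added to an Allowed (whitelist) rule up front.
function Get-GoldenDevicePfnInventory {
    param([string]$OutCsv = "$env:USERPROFILE\Desktop\golden-pfn-inventory.csv")  # constructed default path
    $packages = Get-AppxPackage -AllUsers |
        Select-Object Name, PackageFamilyName, Publisher, Version, IsFramework, SignatureKind, NonRemovable
    $packages | Sort-Object Name | Export-Csv -Path $OutCsv -NoTypeInformation -Encoding UTF8
    return $packages
}

# Packages an Allowed rule is most likely to need: system-signed and non-removable packages.
# Leaving these out of a whitelist is what makes a device unusable after the rule applies.
function Get-SystemPackagesToAllow {
    param([object[]]$Inventory)
    $Inventory | Where-Object { $_.SignatureKind -eq 'System' -or $_.NonRemovable }
}

# After the security policy is pushed, confirm what the OS enforces for packaged (Appx) apps.
# Returns $null (with a warning) when no Appx rule collection is present.
function Test-EffectiveAppxRules {
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    $appx = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Appx' }
    if (-not $appx) {
        Write-Warning 'No Appx rule collection in the effective policy; the App Control rule has not been applied.'
        return $null
    }
    $rules = @($appx.SelectNodes('FilePublisherRule'))
    [pscustomobject]@{
        EnforcementMode = $appx.EnforcementMode          # Enabled, AuditOnly or NotConfigured
        RuleCount       = $rules.Count
        Rules           = $rules | ForEach-Object {
            $cond = $_.Conditions.FilePublisherCondition
            [pscustomobject]@{
                Name        = $_.Name
                Action      = $_.Action                  # Allow or Deny
                Publisher   = $cond.PublisherName
                PackageName = $cond.ProductName          # package name portion of the PFN
            }
        }
    }
}

# Usage: build the inventory, show the system packages to whitelist, then check enforcement.
$inventory = Get-GoldenDevicePfnInventory
Get-SystemPackagesToAllow -Inventory $inventory | Format-Table Name, PackageFamilyName, Publisher -AutoSize
Test-EffectiveAppxRules | Format-List
```

Run the inventory before enabling the Allowed rule, compare the PackageFamilyName column against the rule entries created in the Admin Portal, and run Test-EffectiveAppxRules on an enrolled test device after the security policy is saved; an EnforcementMode of Enabled with a rule count of zero is the state in which every packaged app is blocked.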

For customers who are upgrading from Windows 8.1 to Windows 10, it is important to add both the Windows 10 and Windows 8.1 rules before upgrading. Failing to do so could cause the device to become unresponsive.

IMPORTANT: Take the following precautions, if you upgrade from Windows Phone 8.1 devices to Windows 10 Mobile devices and you use an application restriction rule on your Windows Phone 8.1 devices:

  1. Prior to upgrading, remove your 8.1 based restriction rule.
  2. After upgrading, apply an application restriction rule to the device using the new Windows 10 Mobile Rules.
  3. After upgrading, manually create rules for all applications that used PFN to use GUIDs.

If you want to whitelist the Apps@Work application, you can find its GUID under the App Catalog detail page.