Configure Authorized Owners to block Microsoft Visio

The following configuration example shows how to block Microsoft Visio from being launched by unauthorized users. By default, Microsoft Visio is installed under the Program Files directory whose NTFS owner is the Administrators user group.

The Administrators user group is configured as an authorized owner by default. Since the NTFS owner of the Visio executable is the Administrators group, anyone is allowed to start the application.

This configuration example is a common scenario where applications with expensive licenses can be configured to be started only by authorized users. Such applications include:

  • Microsoft Project

  • Autodesk AutoCAD

  • Adobe Suite

Microsoft Visio is started from the Visio executable located in the Visio installation folder. To be able to block a specific user group from starting the Visio application while still using the Authorized Owners feature, Ivanti recommends to allow the executable to run based on Access Control rules for Workspace Control managed applications.

To allow Microsoft Visio to run in Workspace Control managed user sessions only if started by authorized users, follow these steps:

  1. In your Workspace Control environment, create a new user group whose members are going to have access to Microsoft Visio. In this configuration example, this is the AppVisio group.

  2. Enable the Authorized Owners feature.

    Open the Workspace Control Console and navigate to Security > Authorized Owners > Settings tab or Workspace Container. Set the Authorized Owners option to Enabled.

  3. Enable Managed Application security. This is prerequisite for the Authorized Certificates feature to function.

    Navigate to Security > Applications > Managed Applications > Settings tab. Set the Managed Application security option to Enabled.

  4. Configure Microsoft Visio as a managed application.

    For more details on how to configure a Workspace Control managed application, see Create and edit Applications.

  5. Configure Access Control for the Visio managed application.

    1. Open the Visio managed application.

    2. In the Edit application window, navigate to Access Control > Identity.

    3. From the Type drop-down menu, select Users and Groups.

    4. Select Add and in the Search Directory Services window select the AppVisio group.

      Select OK to add the group.

    5. Select OK to close the Edit application window and save your changes.

Microsoft Visio is now configured to run only if launched by users that are members of the AppVisio group. Members that are not part of this group are blocked from starting Microsoft Visio.